Solved

Can an ASP.NET page use more than one codebehind page?

Posted on 2004-09-10
Last Modified: 2008-03-10
Here's the issue.

I'm about to build an intranet which uses the username variable as a lookup in an Oracle table.  It uses the username to see what access he/she has.  My existing intranet does this by inserting the following code at the top of every page that needs these access checks:

<% v_APPNAME = "BILLING"  %>
<!--#include virtual="/shared/CHECK_ACCESS.asp" -->

The CHECK_ACCESS.asp uses the v_APPNAME value and the username which is stored in a session variable to query the table.  If a record is returned, then the person has access... if not they are redirected to a friendly access denied.

Every page that needs to have the access checked has the v_APPNAME = "????" line and the CHECK_ACCESS.asp include line at the very top.

How would I emulate this in ASP.NET?  My old ASP brain is telling me to build this ASP.NET codebehind and attach it as I already do.  But I can't find anything written that suggests it's an option to have multiple codebehinds.

I really don't want to add code to each codebehind that belongs to other pages...  

What do you think?  Keith
0
Comment
Question by:westbergk
16 Comments
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12031803
Visual Studio 2005 introduces "partial classes", which allow you to separate chunks of the code-behind into another file, but a page can only have one code-behind.

That said, you can still implement solution-wide role-based authentication. To implement the functionality yourself from scratch, you can create a subclassed "Page" class which contains the identity check (based on a Session variable or something), which is tied to the page permission however you want (perhaps through a protected roles array that the base class checks or something).

You can also use an HttpModule.

What you REALLY want to look into, however, is ASP.NET's built-in Forms Authentication. It handles all of this for you (redirects to login page, role-based security based on whatever you define, i.e. you can use Oracle DB, etc.).
0
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12031812
Here's a good overview of Forms Authentication:

http://www.15seconds.com/issue/020220.htm

Basically what you do is define the login page, and the roles for each directory based on entries in various web.config files in each directory. If you have specific questions about it, please let me know.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12031864
In short, you can inherit another class, but only one codebehind is allowed in v1.1.

Regards,

Aeros
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12032226
In ASP.NET, you can access the username like this:

string userid = User.Identity.Name;

Let's say you are using Windows authentication in a Windows network where users auth to a domain or Active Directory.  This will return the full DOMAIN\USERNAME value.  So if your user names in the database are just the user's logon account name, you'll have to parse it out:

string userid = User.Identity.Name;
idx = userid.IndexOf("\\");
// Skip past the backslash. IndexOf returns -1 when there is no domain prefix, so idx + 1 is 0 and the whole name is kept.
userid = userid.Substring(idx + 1);

Query the database with this and your "Billing" literal to see if they have access.

John

0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12032230
Correction:

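string userid = User.Identity.Name;
int idx = userid.IndexOf("\\");
// Skip past the backslash. IndexOf returns -1 when there is no domain prefix, so idx + 1 is 0 and the whole name is kept.
userid = userid.Substring(idx + 1);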

John
0
 
LVL 1

Author Comment

by:westbergk
ID: 12033340
Thanks folks for the quick response...

boulder_bum:
I read the article you posted, and I think I understand the direction/purpose.  What I don't see is how I could implement this in a (non-physical) login page fashion.  My environment is completely intranet, where I should know everyone coming in.  They have already logged into the workstation on our intranet.  Keeping their names posted in a web.config is definitely not an option.

Most of the tools they will be using need to know if they have the access to make changes... and some will need to know if they have access at all.  I don't see how I could accomplish this using the non-physical login page method.  Again, I already know the username... I just need to run a query and check for their existence, and if yes... then check their level, i.e. 1, 2 or 3.

jnhorst:
I think you helped me earlier (Q_21103085.html) when I was looking to authenticate users coming in... thank you, by the way.  So I understand the concept of getting the username.   But now that I have the username, how could I use it in a way that boulder_bum is suggesting?

Again, most applications will allow the user to open the application.  But when they attempt to make changes, I want to check their access and either send them away, or process their request.  At the same time, I would like to keep it modular like the way I had it, so that when I build another app, all I need to do is drop a variable or something into the new codebehind... or something like that.

So I guess from what you both have said, I'm looking for:

1) A way to capture who you are = (jnhorst solution works)
2) A way to run this username against a db, to acquire their access. (Still open)
3) How to keep this somewhat modular like my existing asp method. (Still open)



0
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12033613
"They have already logged into the workstation on our intranet.  Keeping their names posted in a web.config is definitely not an option."

Luckily, web.config is not for names alone; you can also store roles. Nevertheless, if you want to restrict SECTIONS of a page, you'll need a little extra code. If using Forms Authentication where you already know a user's info, you can have the "login page" automatically look at this info and authenticate the user with no interaction required. You can also store the user's role information in a "FormsAuthenticationTicket" for later reference (using Windows Principals and IsInRole() ). If you must use the database, this is definitely the way to go.

This will give a broad overview of your options.
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetch03.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

That said, you may also use role-based authentication using Windows Authentication. Instead of DB security, you'd do things according to network roles and Impersonation.

"How to keep this somewhat modular like my existing asp method. "

In ASP.NET, the focus has shifted from encapsulation in SSIs to encapsulation through class files and Server/User Controls. For instance, instead of relying on an SSI for a header file, you'd use a User Control which you can drag-and-drop onto the page. This control model is not only easy to use and design, but also allows for things like an event model to program against.

For authentication, this: <!--#include virtual="/shared/CHECK_ACCESS.asp" --> can be replaced by a common class file which all of the code-behinds check, but I suspect your needs will be met with the built-in authentication framework.
0
 
LVL 1

Author Comment

by:westbergk
ID: 12044522
boulder_bum...

Could you possibly provide an example view of a user control that takes the network username and queries for their access?  Then once the control has the values, either redirects or allows access.  I don't expect you to write the application, but give a vague overview of how the logic works.  My environment/needs look like this:

1. I can build "local groups" on the server, but there will be many, many applications that will need their own access control, and with each app there probably should be at least 3 levels... read, write & admin full.  I'm not sure if I want 60 local groups to manage.

2. User control looks to be a good direction.  I can spit one out in short order, but what I am not very versed in is building classes.  An example of how a class would look for this instance would be a real help.

Keith...
0
 
LVL 1

Author Comment

by:westbergk
ID: 12048089
This .Net stuff is really kicking my butt...

In ASP I could pass a username and any other variable to an include in my sleep.  But how in the world do I pass the request.servervariable(REMOTE_USER) and a string variable ("TEST_STRING") to a user_control?

I feel like an idiot with these simple tasks, but I don't believe .Net makes it any easier.

If I need to make this another question... please let me know.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12244290
I suggest a split on this question between all.

Aeros
0
 
LVL 8

Accepted Solution

by:
boulder_bum earned 500 total points
ID: 12245177
Oops. I didn't get a chance to follow up on this one. Did you figure everything out westbergk? The user control should be able to reference session variables via Session["var"] or Context.Session["var"] and you can set the "permissions" for the control based on the session variable in the OnLoad event handler of the control.

For FormsAuthenticationTicket and IsInRole info, see here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/f_and_m/html/vxconRoleBasedSecurity.asp

From the doc:

// Make the ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                              // version
    UserId,                         // user name
    DateTime.Now,                   // issue time
    DateTime.Now.AddMinutes(30),    // expires
    false,                          // persistent
    userRoles.ToString()            // user data
);
// Get the encrypted representation suitable for placing in an HTTP cookie.
string formsCookieStr = FormsAuthentication.Encrypt(ticket);
HttpCookie FormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, formsCookieStr);
currentContext.Response.Cookies.Add(FormsCookie);



You assign the ticket when the user gets authenticated, and you can check roles to determine privileges by calling IsInRole() to see if they are, for example, in the AccountingManager role or something.
0
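The ticket above only carries the roles; for IsInRole() to answer from them, something has to read the ticket's user data back on each request. An added example of that step (not code from the thread or from the linked doc), assuming the user data is a comma-separated list of role names and that the class is the application's Global.asax code-behind; RolesFromUserData is a hypothetical helper.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request, after Forms Authentication has decrypted
    // and validated the cookie and set Context.User.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id = (Context.User == null)
            ? null
            : Context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated)
            return;   // anonymous or non-forms request: leave it with no roles

        // UserData is whatever was passed as the last constructor argument
        // when the ticket was made (assumed here: "Role1,Role2").
        string[] roles = RolesFromUserData(id.Ticket.UserData);

        // Replace the principal so Page.User.IsInRole("...") checks these roles.
        Context.User = new GenericPrincipal(id, roles);
    }

    // Hypothetical helper: split and trim the role list, dropping empty entries.
    public static string[] RolesFromUserData(string userData)
    {
        if (userData == null || userData.Trim().Length == 0)
            return new string[0];

        string[] parts = userData.Split(',');
        int kept = 0;
        for (int i = 0; i < parts.Length; i++)
        {
            string role = parts[i].Trim();
            if (role.Length > 0)
                parts[kept++] = role;
        }
        string[] roles = new string[kept];
        Array.Copy(parts, roles, kept);
        return roles;
    }
}
```

Roles travel inside the ticket, so a change made in the database is not seen until the ticket expires (30 minutes in the snippet above) and a new one is issued.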
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12245180
PS- I'm with Aeros.
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12245224
Wahhhhhh, I want the points....

Oh, I'm supposed to be a grown up... rats.

I'm with Aeros too.

John
0
 
LVL 1

Author Comment

by:westbergk
ID: 12271464
I apologize for not responding sooner.

I thank all of you for adding your thoughts.  Of all contributors, boulder_bum got me close to a solution that my environment could use.  The current method is using a combination of checks.

UserControl = Access.vb.ascx: (public [ApplicationID])

A page makes a call to this control and passes it an application ID that is listed in an application table in Oracle.  The (APPLICATIONS) schema looks like: (ID, APP_ID, APP_NAME, APP_OWNER).  There is another table called (APPLICATION_ACCESS) which contains (ID, USER_ID, APP_ID, ACCESS_CD).  The control checks to see if the current user's ID is listed, and if so, at what level.  If at any time the user does not meet a required check, he/she gets redirected.  The control sets a session variable explaining the purpose of the redirect, and the error page is populated with the session variable.

For pages that require higher access... admin type, I'm using the IsInRole method and placing these folks in a local group.

Thank you again for all your help.  Keith
0
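An added example (not code from the thread) of the base-page approach suggested earlier, checked against the APPLICATION_ACCESS table described in the final post. The class name, connection string, redirect path, session key, the System.Data.OracleClient provider, the column types and the numeric ordering of ACCESS_CD (1 read, 2 write, 3 admin) are assumptions.

```csharp
using System;
using System.Data.OracleClient;   // assumption: the Oracle provider in use
using System.Web.UI;

// Hypothetical base class. A page opts in by inheriting from it and setting
// AppId in its constructor, much like v_APPNAME before the classic ASP include:
//   public class BillingPage : AccessCheckedPage { public BillingPage() { AppId = "BILLING"; } }
public class AccessCheckedPage : Page
{
    protected string AppId = null;
    protected int RequiredLevel = 1;   // assumed ordering: 1 read, 2 write, 3 admin

    // Placeholder only; load the real string from protected configuration.
    private const string ConnStr = "Data Source=EXAMPLE;User Id=APP_RO;Password=CHANGE_ME";

    // OnInit runs before the derived page's Load and event handlers,
    // so nothing on the page executes for a user who fails the check.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Deny by default: no AppId, anonymous user, or no matching row all redirect.
        if (AppId == null ||
            LookupLevel(LogonName(User.Identity.Name), AppId) < RequiredLevel)
        {
            Session["DenyReason"] = "No access to application " + AppId;
            Response.Redirect("/shared/AccessDenied.aspx", true);   // true ends the request
        }
    }

    // "DOMAIN\user" -> "user". IndexOf returns -1 when there is no prefix,
    // so the whole name is kept.
    public static string LogonName(string identityName)
    {
        return identityName.Substring(identityName.IndexOf('\\') + 1);
    }

    // Returns ACCESS_CD for this user and application, or 0 when no row exists.
    private static int LookupLevel(string userId, string appId)
    {
        using (OracleConnection conn = new OracleConnection(ConnStr))
        using (OracleCommand cmd = new OracleCommand(
            "SELECT ACCESS_CD FROM APPLICATION_ACCESS " +
            "WHERE USER_ID = :usr AND APP_ID = :app", conn))
        {
            // Bind variables keep the user name and app id out of the SQL text.
            cmd.Parameters.Add("usr", OracleType.VarChar, 64).Value = userId;
            cmd.Parameters.Add("app", OracleType.VarChar, 64).Value = appId;
            conn.Open();
            object level = cmd.ExecuteScalar();
            return (level == null || level == DBNull.Value) ? 0 : Convert.ToInt32(level);
        }
    }
}
```

The user name is read from User.Identity.Name on each request rather than from a session variable, so the check follows the authenticated Windows identity.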
