Solved

Programmatically manage .net authorization rules

Posted on 2009-07-07
Last Modified: 2012-05-07
Hi,
I'm building a management/reporting web project in c#, asp.net 3.5 and I'm using the .net membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file?
I've looked at the 4guysfromrolla article on how to roll your own WSAT
http://aspnet.4guysfromrolla.com/articles/053007-1.aspx
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenticateRequest?
I haven't found a lot of information on managing authorization rules in a production environment... hopefully someone can point me in the right direction!
Question by:dbyra

Accepted Solution

by:
Rahul Goel earned 250 total points
ID: 24801199
Hey, you can write your own membership providers and use them for authentication and role management.

Custom MembershipProviders
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx
http://www.devx.com/asp/Article/29256

Assisted Solution

by:kbac
kbac earned 250 total points
ID: 24802931
If you are just considering a configurable authorization at application level, you can define all possible authorization items in your database as a start:

AuthItId   AuthName
1          Products
2          Orders
3          Customers

Then the authorization actions (you can add these to the first table as well):

AuthAcID   FK_AuthItID   AuthAcName
1          1             View Products
2          2             View Orders
3          2             Update Orders
4          2             Delete Orders
5          3             View Customers

You can directly assign the actions to your users, which you keep in the user table. Or you can add one more table (besides the action-user relation table) for grouping those actions (such as roles), which are overridden by the user-actions relation table. I'll skip the roles table and go directly to the user-actions:

FK_userID   FK_AuthActionID
1           2
2           2
2           3
2           4
2           5

You can make a stored procedure and dynamically create relations between these actions and the related stored procedures.

If you keep the userID in your session, and if you assign these AuthAcID values to the functionalities in your site, then whenever a page is visited or a button is clicked you can call the same function (with logic like this):

using System.Data.SqlClient;
public bool UserAuthorized(int vintUserID, int vintActionID)
{
    // Parameterised query against the user-actions table (table name UserActions assumed);
    // the ids are bound as values, not concatenated into the SQL text.
    // connectionString: the application's connection string (assumed field).
    const string sql = "SELECT COUNT(*) FROM UserActions WHERE FK_userID = @UserID AND FK_AuthActionID = @ActionID";
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        cmd.Parameters.AddWithValue("@UserID", vintUserID);
        cmd.Parameters.AddWithValue("@ActionID", vintActionID);
        conn.Open();
        return (int)cmd.ExecuteScalar() > 0;   // authorized only if a matching row exists
    }
}

You are now doing the authorization depending on the database values (can be changed by the users) and the fixed functionality of the application (you have to change this when you change the code).

If you keep the authorization rights in your cache or session, then this won't be real time, and you'll have to put flags in place to detect when a change is made that affects that user, and update the authorization information in that situation.

You won't need the first table, unless you want to group the authorization actions by pages or subject in authorization editing pages.

Expert Comment

by:kbac
ID: 24802979
Forgot to tell you:

you can use the UserAuthorized function like this:

If you put the AuthAcID values as constant values or variable values in your application:
cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], CONST_UpdateOrders);

Or you can declare the same variable in every function:
private void cmdUpdateOrders_Click(object sender, EventArgs e)
{
    int lintFunctionID = 13;   // the AuthAcID of this action in the db
    cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], lintFunctionID);
    ...
}
and paste the two lines in every function, changing only the function id value to match the action values in the db.
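An added example (not code from either answer) that ties kbac's user-actions table and the UserAuthorized usage together with the caching caveat from the first answer: rights are loaded once per user with a parameterised query, held in a process-wide cache, and dropped by Invalidate() when the admin pages change a user's rights. It assumes the UserActions(FK_userID, FK_AuthActionID) table named above and a web.config connection string called "AppDb".

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumed: the UserActions(FK_userID, FK_AuthActionID)
// table from kbac's answer and a web.config connection string named "AppDb".
public static class DbAuthorization
{
    private static readonly object Gate = new object();
    // userId -> permitted AuthAcID values, loaded on first use and dropped on Invalidate()
    private static readonly Dictionary<int, HashSet<int>> Cache = new Dictionary<int, HashSet<int>>();

    // Same contract as kbac's UserAuthorized, but one DB round trip per user rather than per click.
    public static bool UserAuthorized(int userId, int actionId)
    {
        HashSet<int> allowed;
        lock (Gate)
        {
            if (!Cache.TryGetValue(userId, out allowed))
            {
                allowed = LoadPermittedActions(userId);
                Cache[userId] = allowed;
            }
        }
        return allowed.Contains(actionId);   // deny by default: no row, no access
    }

    // The "flag" kbac mentions: the admin page calls this after changing a user's rights,
    // so the next check re-reads the database instead of serving stale rights.
    public static void Invalidate(int userId) { lock (Gate) { Cache.Remove(userId); } }

    private static HashSet<int> LoadPermittedActions(int userId)
    {
        var result = new HashSet<int>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        // Parameterised query: the id is bound as a value, never concatenated into the SQL text.
        const string sql = "SELECT FK_AuthActionID FROM UserActions WHERE FK_userID = @UserID";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@UserID", userId);
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
                while (rdr.Read()) result.Add(rdr.GetInt32(0));
        }
        return result;
    }
}
```

In a page or click handler the call is then `cmdUpdateOrders.Enabled = DbAuthorization.UserAuthorized((int)Session["userID"], CONST_UpdateOrders);`, and the admin page that edits the user-actions table calls `DbAuthorization.Invalidate(userId)` after saving. The cache is per worker process, so on a web farm each server must be invalidated (or given a short expiry) separately.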
