Solved

Programmatically manage .NET authorization rules

Posted on 2009-07-07
Last Modified: 2012-05-07
Hi,
I'm building a management/reporting web project in C#, ASP.NET 3.5, and I'm using the .NET membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT, only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file?
I've looked at the 4guysfromrolla article on how to roll your own WSAT
http://aspnet.4guysfromrolla.com/articles/053007-1.aspx
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenticateRequest?
I haven't found a lot of information on managing authorization rules in a production environment... hopefully someone can point me in the right direction!
Question by: dbyra

Accepted Solution by: Rahul Goel ITIL

Hey, you can write the MembershipProviders and use them for authentication and role management.

Custom MembershipProviders
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx
http://www.devx.com/asp/Article/29256
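The asker's alternative (rules kept in a database and checked on every request) as an added example; this is not code from the question or from either answer. A custom RoleProvider, as the accepted answer suggests, moves users and role membership into your database, but the path-to-role rules themselves still come from <authorization> in web.config. The module below reads them from a table instead. It hooks AuthorizeRequest rather than the PostAuthenticateRequest stage the asker proposed, because that is the stage UrlAuthorizationModule itself uses: the identity is already set and no handler code has run yet. The AuthRules table, its columns and the connection string name "AuthDb" are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;

// Added example: URL authorization rules read from the database instead of from
// <authorization> nodes in web.config. Assumed schema (not from the page):
//   AuthRules(RuleId int, Priority int, PathPrefix nvarchar(200), RoleName nvarchar(50), Allow bit)
//   connection string named "AuthDb" in <connectionStrings>
// RoleName follows the web.config convention: "*" = everyone, "?" = anonymous users.
public class DbUrlAuthorizationModule : IHttpModule
{
    internal sealed class Rule
    {
        public string PathPrefix;
        public string RoleName;
        public bool Allow;
    }

    // Loaded once and cached; the admin page calls Invalidate() after editing
    // AuthRules so the next request reloads the list.
    private static volatile List<Rule> _rules;
    private static readonly object _lock = new object();

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    public static void Invalidate() { _rules = null; }

    private static List<Rule> LoadRules()
    {
        List<Rule> cached = _rules;
        if (cached != null) return cached;
        lock (_lock)
        {
            if (_rules != null) return _rules;
            List<Rule> rules = new List<Rule>();
            string cs = WebConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
            using (SqlConnection conn = new SqlConnection(cs))
            using (SqlCommand cmd = new SqlCommand(
                "SELECT PathPrefix, RoleName, Allow FROM AuthRules ORDER BY Priority", conn))
            {
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    while (r.Read())
                        rules.Add(new Rule { PathPrefix = r.GetString(0), RoleName = r.GetString(1), Allow = r.GetBoolean(2) });
                }
            }
            _rules = rules;
            return rules;
        }
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        // Already normalised by ASP.NET, e.g. "~/admin/users.aspx".
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        IPrincipal user = ctx.User;
        bool authenticated = user != null && user.Identity.IsAuthenticated;
        if (!IsAllowed(LoadRules(), path, user))
        {
            // 401 lets FormsAuthenticationModule redirect an anonymous user to the
            // login page at EndRequest; an authenticated but unauthorised user gets 403.
            ctx.Response.StatusCode = authenticated ? 403 : 401;
            app.CompleteRequest();
        }
    }

    // First matching rule in priority order wins, like <allow>/<deny> ordering in
    // web.config. No matching rule means deny, so a path nobody wrote a rule for
    // is closed rather than open.
    internal static bool IsAllowed(List<Rule> rules, string path, IPrincipal user)
    {
        bool authenticated = user != null && user.Identity.IsAuthenticated;
        foreach (Rule rule in rules)
        {
            if (!path.StartsWith(rule.PathPrefix, StringComparison.OrdinalIgnoreCase)) continue;
            bool matches = rule.RoleName == "*"
                || (rule.RoleName == "?" && !authenticated)
                || (authenticated && user.IsInRole(rule.RoleName));
            if (matches) return rule.Allow;
        }
        return false;
    }
}
```

Register it once in web.config under <httpModules> (add name="DbUrlAuthorization" type="DbUrlAuthorizationModule"); that one line never needs to change again, and the rules are then edited in the AuthRules table from your admin pages. Because the match is a prefix match, store directory prefixes with a trailing slash ("~/admin/"), otherwise "~/admin" would also match "~/administrators.aspx". Keep a final catch-all rule ("~/", "*", Allow) for the public part of the site, and put the deny rules for the admin section at a lower Priority value so they are evaluated first.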
 
Assisted Solution by: kbac

If you are just considering a configurable authorization at application level, you can define all possible authorization items in your database as a start:

AuthItId   AuthName
1          Products
2          Orders
3          Customers

Then the authorization actions (you can add these to the first table as well):

AuthAcID   FK_AuthItID   AuthAcName
1          1             View Products
2          2             View Orders
3          2             Update Orders
4          2             Delete Orders
5          3             View Customers

You can directly assign the actions to your users, which you keep in the user table. Or you can add one more table (besides the action-user relation table) for grouping those actions (such as roles), which is overridden by the user-actions relation table. I'll pass over the roles table and go directly to the user-actions:

FK_userID   FK_AuthActionID
1           2
2           2
2           3
2           4
2           5

You can make a stored procedure and dynamically create relations between these actions and the related stored procedures.

If you keep the userID in your session, and if you assign these AuthAcID values to the functionalities in your site, then whenever a page is visited or a button is clicked you can call the same function (with logic like this):

using System.Data.SqlClient;

public bool UserAuthorized(int vintUserID, int vintActionID)
{
    // connectionString is assumed to hold the site's connection string; the table
    // name UserActions is assumed, the column names are from the tables above.
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(
        "SELECT COUNT(*) FROM UserActions WHERE FK_userID = @userId AND FK_AuthActionID = @actionId", conn))
    {
        // Parameters instead of string concatenation, so the IDs never enter the SQL text
        cmd.Parameters.AddWithValue("@userId", vintUserID);
        cmd.Parameters.AddWithValue("@actionId", vintActionID);
        conn.Open();
        return (int)cmd.ExecuteScalar() > 0;   // # of records > 0
    }
}

You are now doing the authorization depending on the database values (which can be changed by the users) and the fixed functionality of the application (which you have to change when you change the code).

If you keep the authorization rights in your cache or session, then this won't be real time, and you'll have to set flags to track whether any change is made affecting that user, and update the authorization information in that situation.

You won't need the first table unless you want to group the authorization actions by pages or subject in the authorization editing pages.
Expert Comment by: kbac

Forgot to tell you:

you can use the UserAuthorized function like this:

If you put the AuthAcID values as constant values or variable values in your application:
cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], CONST_UpdateOrders);

Or you can declare the same variable in every function:
private void CmdUpdateOrders_Click(object sender, EventArgs e)
{
    int lintFunctionID = 13;
    cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], lintFunctionID);
    ...
}
and paste those two lines into every function, changing only the function ID value according to the action values in the DB.
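The two kbac posts above (the user-action tables with the UserAuthorized check, and its use from a button handler) as one added example; this is not kbac's code. It adds the two things a practitioner would want on top of the sketch: the per-user cache with the invalidation "flag" the answer mentions, called from the admin write path so a change is live at once, and a second check inside the click handler, because Enabled = false only changes the rendered HTML and a hand-built POST still reaches the handler. The column names FK_userID and FK_AuthActionID and the AuthAcID values are from the answer; the table name UserActions, the connection string name "AuthDb" and the page name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: action-level authorization over the user-action table above.
// Table name UserActions and connection string "AuthDb" are assumptions.
public static class ActionAuthorization
{
    // Named constants for the AuthAcID rows in the answer's table.
    public const int ViewOrders = 2;
    public const int UpdateOrders = 3;
    public const int DeleteOrders = 4;

    // Granted action IDs per user. A cached set goes stale when an admin changes
    // rights, so every write path calls Invalidate(userId) afterwards.
    private static readonly Dictionary<int, HashSet<int>> _cache = new Dictionary<int, HashSet<int>>();
    private static readonly object _lock = new object();

    public static bool UserAuthorized(int userId, int actionId)
    {
        return GetActions(userId).Contains(actionId);
    }

    public static void Invalidate(int userId)
    {
        lock (_lock) { _cache.Remove(userId); }
    }

    // Admin page: grant an action and drop the stale cache entry in the same step.
    public static void Grant(int userId, int actionId)
    {
        using (SqlConnection conn = OpenConnection())
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO UserActions (FK_userID, FK_AuthActionID) VALUES (@userId, @actionId)", conn))
        {
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            cmd.Parameters.Add("@actionId", SqlDbType.Int).Value = actionId;
            cmd.ExecuteNonQuery();
        }
        Invalidate(userId);
    }

    private static HashSet<int> GetActions(int userId)
    {
        lock (_lock)
        {
            HashSet<int> cached;
            if (_cache.TryGetValue(userId, out cached)) return cached;
        }
        HashSet<int> loaded = new HashSet<int>();
        using (SqlConnection conn = OpenConnection())
        using (SqlCommand cmd = new SqlCommand(
            "SELECT FK_AuthActionID FROM UserActions WHERE FK_userID = @userId", conn))
        {
            // Typed parameter: the ID never becomes part of the SQL text.
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) loaded.Add(r.GetInt32(0));
        }
        lock (_lock) { _cache[userId] = loaded; }
        return loaded;
    }

    private static SqlConnection OpenConnection()
    {
        SqlConnection conn = new SqlConnection(
            WebConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString);
        conn.Open();
        return conn;
    }
}

// Code-behind for a page containing
//   <asp:Button ID="cmdUpdateOrders" OnClick="cmdUpdateOrders_Click" runat="server" />
// Disabling the button only changes the HTML, so the handler checks the right again.
public class OrdersPage : Page
{
    protected Button cmdUpdateOrders;

    private int CurrentUserId
    {
        get
        {
            object id = Session["userID"];   // stored at login, as in the answer
            if (id == null) throw new InvalidOperationException("No user in session");
            return (int)id;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        cmdUpdateOrders.Enabled =
            ActionAuthorization.UserAuthorized(CurrentUserId, ActionAuthorization.UpdateOrders);
    }

    protected void cmdUpdateOrders_Click(object sender, EventArgs e)
    {
        if (!ActionAuthorization.UserAuthorized(CurrentUserId, ActionAuthorization.UpdateOrders))
        {
            Response.StatusCode = 403;
            Response.End();
        }
        // ... perform the update ...
    }
}
```

Revoking a right follows the same pattern as Grant: delete the row, then Invalidate(userId). Because the cache is process-local, a web farm needs a shared signal (a version column read per request, or SqlCacheDependency) instead of the in-memory Invalidate call.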