Solved

Programatically manage .net authorization rules

Posted on 2009-07-07
4
876 Views
Last Modified: 2012-05-07
Hi,
I'm building a management/reporting web project in c#, asp.net 3.5 and I'm using the .net membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file???
I've looked at the 4guysfromrolla article on how to roll your own WSAT
http://aspnet.4guysfromrolla.com/articles/053007-1.aspx
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenticateRequest ??
I haven't found a lot of information on managing authorization rules in a production environment....hopefully someone can point me in the right direction!
0
Comment
Question by:dbyra
  • 2
4 Comments
 
LVL 9

Accepted Solution

by:
Rahul Goel ITIL earned 250 total points
ID: 24801199
Hey you can write the membershipproviders and use that while authentication and role managements

Custom MembershipProviders
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx
http://www.devx.com/asp/Article/29256
 
0
 
LVL 2

Assisted Solution

by:kbac
kbac earned 250 total points
ID: 24802931
If you are just considering a configurable authorization at application level, you can define all possible authorization items in your database as a start:

AuthItId       AuthName                                      
1                  Products                                        
2                  Orders                                          
3                  Customers                                    

Then authorization actions (you can add these on the first table as well)

AuthAcID    FK_AuthItID          AuthAcName    
1                       1                      View Products
2                       2                      View Orders
3                       2                      Update Orders
4                       2                      Delete Orders
5                       3                      View Customers

You can directly assign the actions to your users, that you keep in the user table. Or you can add one more table (except the action - user relation table) for grouping those actions (such as roles), which are overriden by the user-actions relation table. I'll pass the roles table, go directly to the user-actions

FK_userID       FK_AuthActionID
1                                 2
2                                 2
2                                 3
2                                 4
2                                 5

You can make a stored procedure, and dynamically create relations between these actions and the related stored procedures

If you keep the userID in your session, and if you assign these AuthAcID values to the functionalities in your site, when each page is visited, each button is clicked, you can call the same function (having a logic like that:)

public boolean UserAuthorized (int vintUserID, int vintActionID)
{
.......
"select * where userID = " & vintUserID.ToString() & " and AuthAcID = " & vintActionID.ToString()

.....
return (#of records>0)
}

You are now doing the authorization depending on the database values (can be changed by the users) and the fixed functionality of the application (you have to change this when you change the code).

If you keep the authorization rights in your cache or session, then this won't be real time, and you'll have to put flags to follow if any change is made affecting that user and update authorization information in that situation.

You won't need the first table, unless you want to group the authorization actions by pages or subject in authorization editing pages.
0
 
LVL 2

Expert Comment

by:kbac
ID: 24802979
Forgot to tell you;

you can use the UserAuthorized function like that:

If you put the AuthAcID values as constant values or variable values in your application:
cmdUpdateOrders.Enabled = UserAuthorized (Session("userID"), CONST_UpdateOrders)

Or you can declare the same variable in every function:
Private void CmdUpdateOrders_Click (......)
{
int lintFunctionID = 13;
cmdUpdateOrders.Enabled = UserAuthorized (Session("userID"), lintFunctionID)
...
}
and paste the 2 lines in every function, and only change the function id value according to the action values in db.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is for Object-Oriented Programming (OOP) beginners. An Interface contains declarations of events, indexers, methods and/or properties. Any class which implements the Interface should provide the concrete implementation for each Inter…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question