Solved

ASP .Net Windows Authorization

Posted on 2011-02-17
Last Modified: 2012-05-11
Greetings Experts,

I am working on a small intranet project to make some simple gridview reports available to specific users.

I would like to limit access based on whether or not the Windows username appears in a SQL table I will maintain separately (i.e. not role-based or Active Directory style authorization, simply a list of discrete user names).

Windows authentication is running fine and I can show the user name via <asp: LoginName

I was hoping it might be as easy as replacing "Kim" in the example below with something like a SQL statement Select * from Tbl_Approved_Users

<authorization>
  <allow users="Kim"/>
</authorization>

I would have thought this answer would be easy to google but I've made no progress, perhaps I am looking at the problem incorrectly.

Your thoughts greatly appreciated!








 


Question by:Split_Pin
5 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 34923908
That <allow /> stuff in the config isn't going to work unless you add all of those users to an AD Group and only allow that group access to the site.

You will probably find it easier to handle authentication in your app itself. You can retrieve the user name from the ServerVariables collection and check it off against your database table yourself, probably redirecting to an error page if the user isn't allowed.
0
 

Author Comment

by:Split_Pin
ID: 34923926
Many thanks Carl_Tawn,

So I was on the wrong track there!
To follow your solution, should I be looking at coding in the code-behind page for each page that holds a report, or is there some elegant way?

I.e.: What would this look like in real terms: "retrieve the user name from the ServerVariables collection and check it off against your database table yourself" (a subroutine in page load? something else)?

Kind Regards
Split_Pin
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 500 total points
ID: 34923983
You could use Session_Start or, as I tend to do for simple apps, use the Page_Load of your master page. Although I tend to wrap the user as part of a separate ApplicationData class to hide the mechanics of actually checking the user.

Below is a modified and stripped down version of the sort of thing I use (not sure what language you are using so this is C#):
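
using System;
using System.Web;

// in master page
private Exception lastException;   // last lookup failure, kept for logging

protected void Page_Load(object sender, EventArgs e)
{
    // Compare the path only, so "AccessDenied.aspx" appearing in a query string cannot skip the check
    if (!Request.Url.AbsolutePath.EndsWith("/AccessDenied.aspx", StringComparison.OrdinalIgnoreCase))
    {
        // check that user exists and is valid; redirect when the check fails
        if (!UserIsValid())
        {
            string message = "The specified account does not exist or is currently disabled.";
            Response.Redirect("AccessDenied.aspx?e=" + HttpUtility.UrlEncode(message));
        }
    }
}

private bool UserIsValid()
{
    HttpContext context = HttpContext.Current;
    bool valid = false;

    try
    {
        if (context != null)
        {
            // "as string" yields null when nothing is cached yet; ToString() on a missing entry would throw
            string user = context.Session["ActiveUser"] as string;
            if (user == null)
            {
                string loginName = context.User.Identity.Name;

                // strip the DOMAIN\ prefix from the Windows login name
                int idx = loginName.IndexOf('\\');
                if (idx > 0)
                    loginName = loginName.Substring(idx + 1);

                user = Data.UserManager.GetByLoginName(loginName);     // check the user against the database
                if (user != null)
                {
                    context.Session["ActiveUser"] = user;
                    valid = true;
                }
            }
            else
            {
                valid = true;   // already validated earlier in this session
            }
        }
    }
    catch (Exception ex)
    {
        lastException = ex;   // valid stays false, so a failed lookup denies access
    }
    return valid;
}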


0
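The thread asks whether there is a way to avoid putting the check in each page. One option, given here as an added example that is not the answerer's code, is an HTTP module that runs the table lookup once per request at the authorization stage. The column name `UserName` and the connection string name `ReportsDb` are assumptions; the table is assumed to store the full `DOMAIN\user` name, so same-named accounts from different domains are not treated as one.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Caching;

// Added example, not the answerer's code. Assumed names: column UserName,
// connection string "ReportsDb". Tbl_Approved_Users is the asker's table.
public class ApprovedUserModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after Windows authentication has populated Context.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        bool ok = ctx.User != null
                  && ctx.User.Identity.IsAuthenticated
                  && IsApproved(ctx.User.Identity.Name);
        // Fail closed: anonymous, unlisted, or a database error (exception) all stop the request.
        if (!ok) throw new HttpException(403, "Access denied.");
    }

    private static bool IsApproved(string windowsName)
    {
        string key = "approved:" + windowsName.ToUpperInvariant();
        object cached = HttpRuntime.Cache[key];
        if (cached != null) return (bool)cached;
        string cs = ConfigurationManager.ConnectionStrings["ReportsDb"].ConnectionString;
        bool approved;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Tbl_Approved_Users WHERE UserName = @name", conn))
        {
            // Parameterized: the login name is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = windowsName;
            conn.Open();
            approved = (int)cmd.ExecuteScalar() > 0;
        }
        // Cache for 5 minutes, so removing a user takes effect within that window.
        HttpRuntime.Cache.Insert(key, approved, null, DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        return approved;
    }
}
```

The module has to be registered in web.config (under `<httpModules>` in `system.web`, or `<modules>` in `system.webServer` for the IIS 7 integrated pipeline) before it runs. Session state is not yet available at this stage of the pipeline, which is why the example caches in `HttpRuntime.Cache` rather than in `Session`.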
 

Author Comment

by:Split_Pin
ID: 34924011
Hi Carl_Tawn,
This is awesome, thank you!
I am working in VB as my background is VBA, but I reckon I better dive in and get wet with C# sooner or later.

I will take it from here, thanks again - invaluable!
0
 

Author Closing Comment

by:Split_Pin
ID: 34924015
Just great!
0
