Solved

ASP .Net Windows Authorization

Posted on 2011-02-17
5
355 Views
Last Modified: 2012-05-11
Greetings Experts,

I am working on a small intranet project to make some simple gridview reports available to specific users.

I would like to limit access based on whether or not the windows username appears in a SQL table I will maintain separately. (ie not role based or active directory style authorization, simply a list of discrete user names).

Windows authentication is running fine and I can show the user name via <asp: LoginName

I was hoping it might be as easy as replacing "Kim" in the example below with some thing like a SQL statement Select * from Tbl_Approved_Users

<authorization>
  <allow users="Kim"/>
 </authorization>

I would have thought this answer would be easy to google but I've made no progress, perhaps I am looking at the problem incorrectly.

Your thoughts greatly appreciated!








 


0
Comment
Question by:Split_Pin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 34923908
That <allow /> stuff in the config isn't going to work unless you add all of those users to an AD Group and only allow that group access to the site.

You will probably find it easier to handle authentication in your app itself. You can retrieve the user name from the ServerVariables collection and check it off against your database table yourself, probably redirecting to an error page if the user isn't allowed.
0
 

Author Comment

by:Split_Pin
ID: 34923926
Many thanks Carl_Tawn,

So I was on the wrong track there!
To follow your solution, should I be looking at coding in the code behind page for each page that holds a report, or is there some elegant way.

IE: What would this look like in real terms "retrieve the user name from the ServerVariables collection and check it off against your database table yourself" (a sub routine in page load? something else).

Kind Regards
Split_Pin
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 125 total points
ID: 34923983
You could use sesison_start or, as I tend to do for simple apps, use the Page_Load of your master page. Although I tend to wrap the user as part of a seperate ApplicationData class to hide the mechanics of actually checking the user.

Below is a modified and stripped down version of the sort of thing I use (not sure what language you are using so this is C#):
// in master page
protected void Page_Load(object sender, EventArgs e)
{
        if (!Request.Url.AbsoluteUri.Contains("AccessDenied.aspx"))
        {
            // check that user exists and is valid
            if (UserIsValid())
            {
                string message = "The specified account does not exist or is currently disabled.";
                Response.Redirect("AccessDenied.aspx?e=" + HttpUtility.UrlEncode(message));
            }
      }
}

private bool UserIsValid()
{
      HttpContext context = HttpContext.Current;
      bool valid = false;

                try
                {
                    if (context != null)
                    {
                        string user = context.Session["ActiveUser"].ToString();
                        if (user == null)
                        {
                            string loginName = context.User.Identity.Name;

                            int idx = loginName.IndexOf('\\');
                            if (idx > 0)
                                loginName = loginName.Substring(idx + 1);

                            user = Data.UserManager.GetByLoginName(loginName);     // check the user against the database
                            if (user != null)
                            {
                                   context.Session["ActiveUser"] = user; 
                                   valid = true;
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    lastException = ex;
                }
      return valid;
}

Open in new window

0
 

Author Comment

by:Split_Pin
ID: 34924011
Hi Carl_Tawn,
This is awesome, thank you!
I am working in VB as my background is VBA, but I reckon I better dive in and get wet with C# sooner or later.

I will take it from here, thanks again - invaluable!
0
 

Author Closing Comment

by:Split_Pin
ID: 34924015
Just great!
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASP Focus problem 3 72
document.getElementById not worj with 2 IDs with the same name 10 57
asp classic find word in string and get its value 7 34
GitHub 1 10
I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:   The Exchange of informatio…
Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question