?
Solved

ASP .Net Windows Authorization

Posted on 2011-02-17
5
Medium Priority
?
361 Views
Last Modified: 2012-05-11
Greetings Experts,

I am working on a small intranet project to make some simple gridview reports available to specific users.

I would like to limit access based on whether or not the windows username appears in a SQL table I will maintain separately. (ie not role based or active directory style authorization, simply a list of discrete user names).

Windows authentication is running fine and I can show the user name via <asp: LoginName

I was hoping it might be as easy as replacing "Kim" in the example below with some thing like a SQL statement Select * from Tbl_Approved_Users

<authorization>
  <allow users="Kim"/>
 </authorization>

I would have thought this answer would be easy to google but I've made no progress, perhaps I am looking at the problem incorrectly.

Your thoughts greatly appreciated!








 


0
Comment
Question by:Split_Pin
  • 3
  • 2
5 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 34923908
That <allow /> stuff in the config isn't going to work unless you add all of those users to an AD Group and only allow that group access to the site.

You will probably find it easier to handle authentication in your app itself. You can retrieve the user name from the ServerVariables collection and check it off against your database table yourself, probably redirecting to an error page if the user isn't allowed.
0
 

Author Comment

by:Split_Pin
ID: 34923926
Many thanks Carl_Tawn,

So I was on the wrong track there!
To follow your solution, should I be looking at coding in the code behind page for each page that holds a report, or is there some elegant way.

IE: What would this look like in real terms "retrieve the user name from the ServerVariables collection and check it off against your database table yourself" (a sub routine in page load? something else).

Kind Regards
Split_Pin
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 500 total points
ID: 34923983
You could use sesison_start or, as I tend to do for simple apps, use the Page_Load of your master page. Although I tend to wrap the user as part of a seperate ApplicationData class to hide the mechanics of actually checking the user.

Below is a modified and stripped down version of the sort of thing I use (not sure what language you are using so this is C#):
// in master page
protected void Page_Load(object sender, EventArgs e)
{
        if (!Request.Url.AbsoluteUri.Contains("AccessDenied.aspx"))
        {
            // check that user exists and is valid
            if (UserIsValid())
            {
                string message = "The specified account does not exist or is currently disabled.";
                Response.Redirect("AccessDenied.aspx?e=" + HttpUtility.UrlEncode(message));
            }
      }
}

private bool UserIsValid()
{
      HttpContext context = HttpContext.Current;
      bool valid = false;

                try
                {
                    if (context != null)
                    {
                        string user = context.Session["ActiveUser"].ToString();
                        if (user == null)
                        {
                            string loginName = context.User.Identity.Name;

                            int idx = loginName.IndexOf('\\');
                            if (idx > 0)
                                loginName = loginName.Substring(idx + 1);

                            user = Data.UserManager.GetByLoginName(loginName);     // check the user against the database
                            if (user != null)
                            {
                                   context.Session["ActiveUser"] = user; 
                                   valid = true;
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    lastException = ex;
                }
      return valid;
}

Open in new window

0
 

Author Comment

by:Split_Pin
ID: 34924011
Hi Carl_Tawn,
This is awesome, thank you!
I am working in VB as my background is VBA, but I reckon I better dive in and get wet with C# sooner or later.

I will take it from here, thanks again - invaluable!
0
 

Author Closing Comment

by:Split_Pin
ID: 34924015
Just great!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses
Course of the Month16 days, 3 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question