Solved

ASP .Net Windows Authorization

Posted on 2011-02-17
5
352 Views
Last Modified: 2012-05-11
Greetings Experts,

I am working on a small intranet project to make some simple gridview reports available to specific users.

I would like to limit access based on whether or not the windows username appears in a SQL table I will maintain separately. (ie not role based or active directory style authorization, simply a list of discrete user names).

Windows authentication is running fine and I can show the user name via <asp: LoginName

I was hoping it might be as easy as replacing "Kim" in the example below with some thing like a SQL statement Select * from Tbl_Approved_Users

<authorization>
  <allow users="Kim"/>
 </authorization>

I would have thought this answer would be easy to google but I've made no progress, perhaps I am looking at the problem incorrectly.

Your thoughts greatly appreciated!








 


0
Comment
Question by:Split_Pin
  • 3
  • 2
5 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 34923908
That <allow /> stuff in the config isn't going to work unless you add all of those users to an AD Group and only allow that group access to the site.

You will probably find it easier to handle authentication in your app itself. You can retrieve the user name from the ServerVariables collection and check it off against your database table yourself, probably redirecting to an error page if the user isn't allowed.
0
 

Author Comment

by:Split_Pin
ID: 34923926
Many thanks Carl_Tawn,

So I was on the wrong track there!
To follow your solution, should I be looking at coding in the code behind page for each page that holds a report, or is there some elegant way.

IE: What would this look like in real terms "retrieve the user name from the ServerVariables collection and check it off against your database table yourself" (a sub routine in page load? something else).

Kind Regards
Split_Pin
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 125 total points
ID: 34923983
You could use sesison_start or, as I tend to do for simple apps, use the Page_Load of your master page. Although I tend to wrap the user as part of a seperate ApplicationData class to hide the mechanics of actually checking the user.

Below is a modified and stripped down version of the sort of thing I use (not sure what language you are using so this is C#):
// in master page
protected void Page_Load(object sender, EventArgs e)
{
        if (!Request.Url.AbsoluteUri.Contains("AccessDenied.aspx"))
        {
            // check that user exists and is valid
            if (UserIsValid())
            {
                string message = "The specified account does not exist or is currently disabled.";
                Response.Redirect("AccessDenied.aspx?e=" + HttpUtility.UrlEncode(message));
            }
      }
}

private bool UserIsValid()
{
      HttpContext context = HttpContext.Current;
      bool valid = false;

                try
                {
                    if (context != null)
                    {
                        string user = context.Session["ActiveUser"].ToString();
                        if (user == null)
                        {
                            string loginName = context.User.Identity.Name;

                            int idx = loginName.IndexOf('\\');
                            if (idx > 0)
                                loginName = loginName.Substring(idx + 1);

                            user = Data.UserManager.GetByLoginName(loginName);     // check the user against the database
                            if (user != null)
                            {
                                   context.Session["ActiveUser"] = user; 
                                   valid = true;
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    lastException = ex;
                }
      return valid;
}

Open in new window

0
 

Author Comment

by:Split_Pin
ID: 34924011
Hi Carl_Tawn,
This is awesome, thank you!
I am working in VB as my background is VBA, but I reckon I better dive in and get wet with C# sooner or later.

I will take it from here, thanks again - invaluable!
0
 

Author Closing Comment

by:Split_Pin
ID: 34924015
Just great!
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question