Solved

ASP .Net Windows Authorization

Posted on 2011-02-17
5
346 Views
Last Modified: 2012-05-11
Greetings Experts,

I am working on a small intranet project to make some simple gridview reports available to specific users.

I would like to limit access based on whether or not the windows username appears in a SQL table I will maintain separately. (ie not role based or active directory style authorization, simply a list of discrete user names).

Windows authentication is running fine and I can show the user name via <asp: LoginName

I was hoping it might be as easy as replacing "Kim" in the example below with some thing like a SQL statement Select * from Tbl_Approved_Users

<authorization>
  <allow users="Kim"/>
 </authorization>

I would have thought this answer would be easy to google but I've made no progress, perhaps I am looking at the problem incorrectly.

Your thoughts greatly appreciated!








 


0
Comment
Question by:Split_Pin
  • 3
  • 2
5 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
Comment Utility
That <allow /> stuff in the config isn't going to work unless you add all of those users to an AD Group and only allow that group access to the site.

You will probably find it easier to handle authentication in your app itself. You can retrieve the user name from the ServerVariables collection and check it off against your database table yourself, probably redirecting to an error page if the user isn't allowed.
0
 

Author Comment

by:Split_Pin
Comment Utility
Many thanks Carl_Tawn,

So I was on the wrong track there!
To follow your solution, should I be looking at coding in the code behind page for each page that holds a report, or is there some elegant way.

IE: What would this look like in real terms "retrieve the user name from the ServerVariables collection and check it off against your database table yourself" (a sub routine in page load? something else).

Kind Regards
Split_Pin
0
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 125 total points
Comment Utility
You could use sesison_start or, as I tend to do for simple apps, use the Page_Load of your master page. Although I tend to wrap the user as part of a seperate ApplicationData class to hide the mechanics of actually checking the user.

Below is a modified and stripped down version of the sort of thing I use (not sure what language you are using so this is C#):
// in master page
protected void Page_Load(object sender, EventArgs e)
{
        if (!Request.Url.AbsoluteUri.Contains("AccessDenied.aspx"))
        {
            // check that user exists and is valid
            if (UserIsValid())
            {
                string message = "The specified account does not exist or is currently disabled.";
                Response.Redirect("AccessDenied.aspx?e=" + HttpUtility.UrlEncode(message));
            }
      }
}

private bool UserIsValid()
{
      HttpContext context = HttpContext.Current;
      bool valid = false;

                try
                {
                    if (context != null)
                    {
                        string user = context.Session["ActiveUser"].ToString();
                        if (user == null)
                        {
                            string loginName = context.User.Identity.Name;

                            int idx = loginName.IndexOf('\\');
                            if (idx > 0)
                                loginName = loginName.Substring(idx + 1);

                            user = Data.UserManager.GetByLoginName(loginName);     // check the user against the database
                            if (user != null)
                            {
                                   context.Session["ActiveUser"] = user; 
                                   valid = true;
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    lastException = ex;
                }
      return valid;
}

Open in new window

0
 

Author Comment

by:Split_Pin
Comment Utility
Hi Carl_Tawn,
This is awesome, thank you!
I am working in VB as my background is VBA, but I reckon I better dive in and get wet with C# sooner or later.

I will take it from here, thanks again - invaluable!
0
 

Author Closing Comment

by:Split_Pin
Comment Utility
Just great!
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I recently decide that I needed a way to make my pages scream on the net.   While searching around how I can accomplish this I stumbled across a great article that stated "minimize the server requests." I got to thinking, hey, I use more than one…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now