Need advice for implementing User Role based access to aspx pages.

I am new to ASP.Net and have inherited a large web application that contains many pages and user roles/permissions.


Example:
Role1 = Read only access - all pages - deny access to finance & administration
Role2 = Read only access - all pages including finance - deny access to administration.
Role3 = Read/Write access - deny access to finance & admin pages
etc..

All pages are in the app's root directory and use the same master page.

The app is menu based and each area of functionality has a main page with links to more detailed pages.

The current setup is that user roles are checked in a main page's Page_Load event.
If the user role is 'access denied' - all controls are hidden and an access denied message is displayed (the message is not consistent).
If the user role is read only access - all input controls are disabled.

The problem is:
A. Only the main pages of each functional area are checked to see if the user role denies access; no checks are done on any detail pages.
B. Checks for read only access and disabling of controls are performed within each individual page.

What I would like to do is programmatically redirect the user to a custom 'Access Denied' page or disable controls for read only access based on the user role in VB.Net.

I was planning to write some functions like:

Public Sub SetUserAccess(ByVal wPage As Page)
    ' Admin, Role1, ... are string constants for the role names;
    ' AccessDeniedPage and LoginPage are URL constants defined elsewhere.
    Dim userRole As String = GetRole()
    Select Case userRole
        Case Admin
            Exit Sub ' admin has access to everything
        Case Role1
            If IsFinancePage(wPage) OrElse IsAdminPage(wPage) Then
                wPage.Response.Redirect(AccessDeniedPage, True)
            Else
                DisablePageControls(wPage) ' iterate through the page controls and disable for read only
            End If
        ' ... one Case per remaining role ...
        Case Else
            wPage.Response.Redirect(LoginPage, True) ' can't determine user role
    End Select
End Sub

Is this a good approach given that the app's owner doesn't want major changes to the app structure?

Where would be the best place to call this function from?

What's the best way to keep track of Finance or Admin related pages? Most of the files related to Finance include the words 'Finance' or 'Accounts' so is there a way to use this rather than list each aspx file separately?
Thanks.

lmgreggAsked:
lmgreggAuthor Commented:
Looks like a custom base class for the pages is what I need.


MlandaT,

Thanks for pointing me to 4GuysFromRolla - excellent info on that site.
 
MlandaTCommented:
This will help: http://www.4guysfromrolla.com/webtech/121901-1.shtml, http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

main benefit is that you will be able to just use the syntax:
If User.IsInRole("SysAdmin") OrElse User.IsInRole("Moderator") Then
    ' User is OK
Else
    ' Redirect to unauthorized access page
End If


or even use some declarative security attributes such as PrincipalPermissionAttribute:
Imports System.Security.Permissions

' Demand throws a SecurityException at call time if the current principal is not in the role
<PrincipalPermissionAttribute(SecurityAction.Demand, Role:="Accounts")> _
Public Function Hello(ByVal strText As String) As String
    Return strText & " was run under permitted user: " & User.Name & vbCrLf
End Function

 
lmgreggAuthor Commented:
Thanks for the link - it did clarify role based security in ASP.Net.   Correct me if I'm wrong but:
Configuratively
since all the forms reside in the app root directory and there are dozens of forms that are restricted to one or more roles I think this method of authorization would become a nightmare to maintain when new forms and user roles are added to the app.

Programmatically & Imperatively
"The downside is that if you are calling a method several times from different parts of the application, you need to repeat this logic all over the place."

Exactly what I'm trying to avoid.

Declaratively - looks like my best choice - I will have to do more research on this.

None of these choices seem to cover the case where a role has read only access, which is why I want to find the most efficient way to:
a) get the user role - I've already implemented this part
b) somehow keep lists of forms that are in a functional area, i.e. Admin or Finance, since there are no subdirectories in the app
c) determine whether the user role allows no access, read only access or full access

without repeating the same code in dozens of places.

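A worked version of the custom base class approach, added here as an illustration; it is not code from the question, the answers or the linked article. It assumes a base class named SecurePage, an AccessLevel enum, the role names Admin/Role1/Role2/Role3 from the question, and two pages, ~/AccessDenied.aspx and ~/Login.aspx; the Finance/Accounts/Admin file-name rule is the asker's own observation. It covers (a) with User.IsInRole, (b) by classifying the page from its file name, and (c) with one role-by-area table, and because the check sits in OnInit of the base class it runs for every page that inherits it, detail pages included:

```vb
' Added example; names and URLs are assumptions, see the lead-in.
Imports System
Imports System.IO
Imports System.Web.UI
Imports System.Web.UI.HtmlControls
Imports System.Web.UI.WebControls

Public Enum AccessLevel
    NoAccess        ' redirect to AccessDenied.aspx before any page code runs
    ReadOnlyAccess  ' page renders, but every input control is disabled
    FullAccess      ' no restriction
End Enum

Public Class SecurePage
    Inherits Page

    Private _access As AccessLevel = AccessLevel.NoAccess

    ' For Save/Delete click handlers to re-check on the server: a disabled
    ' control is only a rendering hint, not an authorization boundary.
    Protected Sub RequireWriteAccess()
        If _access <> AccessLevel.FullAccess Then
            Response.Redirect("~/AccessDenied.aspx", True)
        End If
    End Sub

    ' (a) Role lookup. The asker already has a GetRole(); this default uses the
    ' ASP.NET principal and can be overridden to call the existing one instead.
    Protected Overridable Function GetRole() As String
        Dim roles() As String = {"Admin", "Role1", "Role2", "Role3"}
        For Each candidate As String In roles
            If User IsNot Nothing AndAlso User.IsInRole(candidate) Then
                Return candidate
            End If
        Next
        Return Nothing
    End Function

    ' (b) Functional area from the file name, since every .aspx sits in the
    ' app root: "Finance"/"Accounts" -> Finance, "Admin" -> Admin, else General.
    Protected Overridable Function PageArea() As String
        Dim file As String = Path.GetFileNameWithoutExtension(Request.AppRelativeCurrentExecutionFilePath)
        Dim name As String = file.ToUpperInvariant()
        If name.Contains("FINANCE") OrElse name.Contains("ACCOUNTS") Then Return "Finance"
        If name.Contains("ADMIN") Then Return "Admin"
        Return "General"
    End Function

    ' (c) Role x area -> access level: the single place the rules live.
    Protected Overridable Function ResolveAccess(ByVal role As String, ByVal area As String) As AccessLevel
        Dim restricted As Boolean = (area = "Finance" OrElse area = "Admin")
        Select Case role
            Case "Admin"                            ' everything
                Return AccessLevel.FullAccess
            Case "Role1"                            ' read only, no finance, no admin
                If restricted Then Return AccessLevel.NoAccess
                Return AccessLevel.ReadOnlyAccess
            Case "Role2"                            ' read only incl. finance, no admin
                If area = "Admin" Then Return AccessLevel.NoAccess
                Return AccessLevel.ReadOnlyAccess
            Case "Role3"                            ' read/write, no finance, no admin
                If restricted Then Return AccessLevel.NoAccess
                Return AccessLevel.FullAccess
            Case Else
                Return AccessLevel.NoAccess
        End Select
    End Function

    ' OnInit runs for every page that inherits SecurePage, main and detail pages
    ' alike, before Page_Load, so a denied user never reaches page code.
    ' Redirect(..., True) ends the response, so nothing after it executes.
    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)
        Dim role As String = GetRole()
        If String.IsNullOrEmpty(role) Then Response.Redirect("~/Login.aspx", True)
        _access = ResolveAccess(role, PageArea())
        If _access = AccessLevel.NoAccess Then Response.Redirect("~/AccessDenied.aspx", True)
    End Sub

    ' After MyBase.OnLoad(e) the derived page's Page_Load (and any data binding
    ' in it) has already run, so controls created by binding get disabled too.
    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        MyBase.OnLoad(e)
        If _access = AccessLevel.ReadOnlyAccess Then DisableInputs(Me)
    End Sub

    ' Walk the whole control tree, including the shared master page's. HyperLinks
    ' are left alone so the menu keeps working for read-only users.
    Private Sub DisableInputs(ByVal parent As Control)
        For Each child As Control In parent.Controls
            If TypeOf child Is TextBox OrElse TypeOf child Is CheckBox OrElse _
               TypeOf child Is ListControl OrElse TypeOf child Is Button OrElse _
               TypeOf child Is ImageButton OrElse TypeOf child Is LinkButton Then
                DirectCast(child, WebControl).Enabled = False
            ElseIf TypeOf child Is HtmlInputControl Then
                DirectCast(child, HtmlInputControl).Disabled = True
            End If
            If child.HasControls() Then DisableInputs(child)
        Next
    End Sub
End Class
```

Wiring it in is the only per-page change: each code-behind's `Inherits System.Web.UI.Page` becomes `Inherits SecurePage`, and the old Page_Load role checks can be deleted. Two caveats for the read-only case: `Enabled = False` only changes what the browser renders, so a hand-crafted POST still reaches a Click handler, which is why write handlers (Save, Delete, Update) should call `RequireWriteAccess()` before touching data; and because the file-name test is a substring match, any new page whose name contains Finance, Accounts or Admin is restricted automatically, so check that rule still holds whenever a page is added or renamed.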
 
lmgreggAuthor Commented:
Found the answer myself from the info on the website provided.