tags:

views:

458

answers:

3
Q: 

Prevent Access to Custom Web Application Pages by Non-Admin Users in SharePoint

Hi,

I have a custom web application that integrates with a SharePoint (MOSS 2007) solution. I would like to add role-based access to pages in this custom web application, with only users in a specified SharePoint group or with a specific role being able to access them. Other users being sent to the default OOTB web page, giving the message "You Are Not Authorized to View This Page".

Can anyone point me towards tutorials on how to implement this, and how to control access on each custom page?

Please note, these pages are part of the custom web application, and are NOT created via the SharePoint API or interface.

Thanks, MagicAndi.

Update

Just to make you aware, I am hoping for a solution where we can make use of the SharePoint functionality to extend security trimming or item permissions to limit access to the custom web application pages. I already have code to check a user's SPGroup on page load, and to redirect if required. Thanks.

+1  A: 

You will have to implement the ItemLevel security to the pages. Go to the Pages Library and select the Pages Property and Say Item Permissions,break the Permission in it and add only the users who you want to give the access to. In case if you want to add this to multiple files, you can group them in to a seperate folders and apply the permission those folders alone.

And When some try to see the page that he is not supposed to see, SharePoint automatically sends hime the Access Denied Page.

If you apply item level permission on the page, SharePOint automatically applies the Security Trimmings so that only the Pages to which he has access can been seen not others.

Kusek  2009-11-26 18:11:38
Kusek, thanks for taking the time to answer. +1.
MagicAndi  2009-11-26 23:42:51
Kusek, Unfortunately, my custom web application pages are not visible in the Pages document library, so this method doesn't answer my question.
MagicAndi  2009-12-04 13:43:27
A: 

Take a look at Users and Groups Web Service exposed by Sharepoint. Your custom web app can call its methods to obtain information about current user profile.

For example the UserGroup.GetUserInfo() method returns IsSiteAdmin flag which can answer your question.

http://msdn.microsoft.com/en-us/library/ms774637.aspx

Leonidius  2009-12-04 22:21:34
+1  A: 
F.Aquino  2009-12-07 20:49:36
to clarify, the SPWeb in the context will be the one you are accessing your custom page from, the recommended way is using the _layouts folder to achieve that, so the context will be the one under http://portal/site/_layouts/customapp/custompage.aspx. If you use the inetpub folder or any other mapping to access your pages, you might have to open the web based on the request.
F.Aquino  2009-12-07 20:55:35
F. Aquino, many thanks for your answer. A worthy winner to the bounty!
MagicAndi  2009-12-07 21:10:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security