I'm working on a new, green-field ASP.Net application. We're implementing a base page which all pages will be, er, based on. The application will be running under Integrated Windows Auth, so I'll have the user's account details. With these, I'll be going to several databases (in which the user will exist) to find out what roles they are assigned to in each db. I'll be holding the role yay/nay in a bool array, and key into it via an enum.

There will be a session object that will hold a few things, and the roles assigned for that user. I'm thinking of making the session object available as a property of the base page, as the code would be something like this:

public SessionObject MasterSessionObject
{
    get
    {
        if (Session["SessionObject"] == null)
        {
            // Create session object, assign user name, etc.
            var sessionObject = new SessionObject();
            // Do something with roles...
            Session["SessionObject"] = sessionObject;
        }
        return (SessionObject)Session["SessionObject"];
    }
}

In order to control what happens on the (sub-classed) page, I want to provide a CheckSecurity method - e.g. if the user is not authorised to a certain part of a page, it can be hidden / disabled, or they could be booted back to a "not yours" page. The logical place for it is the base page, but seeing as the base page is already exposing the SessionObject that holds the roles permissions, would it not make more sense to create a DatabaseSecurity type object and have the check on that?

Dealing with the latter approach, I've used abstract base classes to get me so far: I have a DatabaseRoles abstract class which contains the bool array, and a method to retrieve the roles for the user. The concrete implementation holds an Enum (as previously mentioned) to key into the array (in the base class). The abstract class also has the CheckRole method which takes in an int, to which I'm intending to use a cast of the enum...

The SessionObject contains several of these DatabaseRoles implementations, and essentially does away with the need for a CheckSecurity in the base page class, leading to code like this in the actual page:

if (MasterSessionObject.SampleDatabaseRoles.Check((int)SampleDatabaseRolesEnum.RoleView))
{
    // Do something
}

But, I'm sure you'll agree, it looks sucky...

If there was a CheckSecurity method on the base page, it would have to take a concrete DatabaseRoles object, but also an enum of which role to check, which would also look sucky. And finally, there would be a requirement at a later date to add more databases and their security settings...

I'll add code tomorrow if required... :-s

I dunno, I'm not that thick, but I do have a hard time sometimes binding all this together...

Thank you,

Mike K.
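As an added example (not code from the question or from any answer), here is one way to keep the "bool array keyed by a per-database enum" design described above while making the check strongly typed, so the page-level call no longer needs an (int) cast and an unknown index is denied rather than read past the array. The enum names, the Load and Grant methods, and the sample account name are assumptions for the example; enum values are assumed to be contiguous from 0, as keying into an array implies.

```csharp
using System;

// Strongly typed version of the abstract DatabaseRoles class from the question.
// Each database supplies its own role enum; the enum value indexes a bool array
// that starts out all false, so every role is denied until explicitly granted.
public abstract class DatabaseRoles<TRole> where TRole : struct, Enum
{
    private readonly bool[] _granted;

    protected DatabaseRoles()
    {
        // Size the array from the enum itself, so adding a member to the enum
        // later cannot leave a role with no slot to check.
        _granted = new bool[Enum.GetValues(typeof(TRole)).Length];
    }

    // Concrete classes fill the array from their own database here.
    // (Assumed signature: the real lookup belongs to the application.)
    public abstract void Load(string windowsAccount);

    protected void Grant(TRole role)
    {
        int i = Index(role);
        if (i >= 0 && i < _granted.Length) _granted[i] = true;
    }

    // Typed check: no (int) cast at the call site, and an out-of-range value
    // is simply "not granted" instead of an exception or a wrong slot.
    public bool Check(TRole role)
    {
        int i = Index(role);
        return i >= 0 && i < _granted.Length && _granted[i];
    }

    private static int Index(TRole role) => Convert.ToInt32(role);
}

// One database's role set (names constructed for the example).
public enum SampleDatabaseRole { RoleView = 0, RoleEdit = 1, RoleAdmin = 2 }

public sealed class SampleDatabaseRoles : DatabaseRoles<SampleDatabaseRole>
{
    public override void Load(string windowsAccount)
    {
        // Constructed stand-in for the per-database query: view only.
        if (windowsAccount == "CORP\\mike") Grant(SampleDatabaseRole.RoleView);
    }
}
```

With this in place the page code reads `MasterSessionObject.SampleDatabaseRoles.Check(SampleDatabaseRole.RoleView)`, and adding another database later means adding one enum and one subclass rather than touching the base page.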

A: 

If you happen to use ASP.Net / ASP.Net MVC, I would say the best place to do this would be via a custom HTTP Module by handling the AuthenticateRequest method & continuing with the request only if the request has been authenticated. There are tons of excellent articles online for this code.

Also - have a look at the Roles & Memberships of ASP.Net - it is pretty good & generally satisfies most requirements or you are always free to extend it. Again - tons of articles on custom membership providers...

unless I am missing something - HTH.

Sunny

Thank you Sunny for the http module tip, hadn't considered that... As for the ASP.Net Roles and Memberships, I'm a nut for those but they're not up for consideration this time :-s

Mike Kingscott

Also, I should say that rather than bounce people off to another page (as the HTTP module may do), I would use the CheckSecurity base page method to alter the subclassed page, e.g. disable a button, hide a panel, etc. I'll update my question with that...

Mike Kingscott