For instance, the way we're doing it now is like thus: (in the web.config)

<location path="somePath">
 <system.web>
  <authorization>
   <allow roles="approvedRoles"/>
   <deny users="*"/>
  </authorization>
 </system.web>
</location>

And what I would like to do instead is to store this information in SQL somewhere so that we can manipulate the information more easily. But we want to keep the same functionality that having the information in web.config provides, just like we can use a SqlRoleProvider instead of hardcoding roles in the app. So in other words, if a user currently tries to go to "somePath" and they're not a member of "approvedRoles" then they get redirected back to default.aspx, and if they are a member of "approvedRoles" then they get the page. I want to do the same thing, but without using web.config as the authorization mechanism.

So what I'm NOT asking is how do I go about defining roles, or how do I handle logging in to the database, but specifically how do I store the above information in SQL instead of web.config. Actually, I'll take "anywhere but web.config" for now.

Any ideas? Is this possible using a "Provider" class? I'm just looking for pointers on what to inherit and maybe some TechNet documentation. In this regard my googlefoo is lacking since I don't really know where to point. Am I really only looking for AzMan? Is this location-authorization-via-SQL already defined in the default aspnetdb somewhere and I'm missing it?

For that matter, has this question already been asked on SO and I've missed it? What would you google?

+1  A: 

You could write your own authorization control that manually checks what roles the current user is in and compares this to a list of pages and their respective role allowances, then embed this control in all your pages.

Daniel Coffman
Yeah I'm trying to avoid something along this vein. I would even prefer not to create a wrapper for the default Page just to get this since it's obviously possible to work with the auth stack before I get to the page. Adding something to every page is currently out of the question. It may not be in the future, but isn't it easier to redirect before we get there?
drachenstern
+1  A: 

The best thing to do is handle the HttpApplication.AuthorizeRequest event. At this point, the HttpContext.User object is set and you can do whatever analysis you want, such as checking a database table against HttpContext.User.IsInRole and the current request path.

BC
Ok, where would I go about doing this? In global.asax? In web.config? Would I be creating a custom HttpModule to handle this? Have you seen any examples that you would point out as noteworthy?
drachenstern
In the global.asax codebehind. Just create a method like: private void Application_AuthorizeRequest(object sender, EventArgs args) { }
BC
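
One way to implement the AuthorizeRequest approach from the answer above, as an added example that is not part of the original thread. The table dbo.PathAuthorization(PathPrefix, RoleName) and the connection string name "AuthDb" are hypothetical; the logic mirrors the question's allow-roles-then-deny-all rule and redirects non-members to default.aspx.

```csharp
// Global.asax.cs -- added example. dbo.PathAuthorization and "AuthDb"
// are hypothetical names, not something aspnetdb provides.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

public class Global : HttpApplication
{
    // Mirrors <allow roles="..."/><deny users="*"/>: a path with at least
    // one stored row is closed to everyone who is not in a listed role.
    private void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // App-relative form ("~/somePath/page.aspx"), so stored rules do not
        // depend on the name of the virtual directory.
        string path = Request.AppRelativeCurrentExecutionFilePath;
        List<string> allowed = LoadAllowedRoles(path);
        if (allowed.Count == 0) return;   // no rule stored for this path

        foreach (string role in allowed)
            if (Context.User != null && Context.User.IsInRole(role)) return;

        // Same outcome the question describes for non-members.
        Response.Redirect("~/default.aspx", true);
    }

    private static List<string> LoadAllowedRoles(string path)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        // Prefix match on whole path segments; parameterized, no string building.
        // Assumes a case-insensitive column collation: with a case-sensitive one,
        // a request for "~/SomePath" would miss a rule stored as "~/somePath".
        const string sql =
            @"SELECT RoleName FROM dbo.PathAuthorization
              WHERE @path = PathPrefix
                 OR LEFT(@path, LEN(PathPrefix) + 1) = PathPrefix + '/'";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@path", path);
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) roles.Add(r.GetString(0));
        }
        return roles;
    }
}
```

This handler only sees requests that pass through the ASP.NET pipeline, so under IIS classic mode static files beneath a protected path are not covered by it. A rule must not cover default.aspx itself, and caching the rule table avoids a database round trip on every request.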
A: 

Does anyone else have any ideas on this? I'm still looking for ideas, because I would like to catch an automated part of the stack (a-la XmlSiteMap) rather than manually check each page...

In retrospect, that request for additional ideas sounds malformed. grrr @ languages...

drachenstern
+1  A: 

AzMan can have a SQL database as a data store since Windows Server 2008 and SQL Server 2008. I would go with AzMan if I don't have any attachment to legacy applications which need to migrate to new servers.

See here: http://technet.microsoft.com/en-us/library/cc770467(WS.10).aspx

RiverWay
I can't install new stuff on the servers outside of IIS/SQL and my app. But thanks for the suggestion!
drachenstern