We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to.

We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access.

A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.

+2  A: 

Have you looked at ASP.Net Membership for this yet? It takes care of all of the scenarios you listed above (trimming menus, page security), and in a very easy-to-use manner.

See here for more information about membership - http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx.

Scott Ivey
I suppose rolling our own role provider and calling a User.IsInRole function of the role on the page would suffice if I was referencing the session'ed Arraylist of Roles that the user has. That'd basically be the same thing as calling a Base Page class function.
jlrolin
If you were to use the Membership RoleProvider along with the Location/Authorization section of your web config to specify which roles can see which pages, you shouldn't have to ever reference your list of roles from the page.
Scott Ivey
+1  A: 

Are you using built-in membership?

If so, you can use the location section of your web.config file to restrict access to individual pages or entire directories. From MSDN:

The following example allows an anonymous user to access the Logon.aspx page:

```xml
<configuration>
   <location path="Logon.aspx">
      <system.web>
         <authorization>
            <allow users="?"/>
         </authorization>
      </system.web>
   </location>
</configuration>
```
John Rasch
The problem is that this is based on every user. There are roughly 10,000+ users, and each may or may not have a completely different set of rules. Adding all those distinctions into the web.config seems like a rather large and lengthy task.
jlrolin
@jlrolin - you can use `<allow roles="Admins"/>` or similar as well
John Rasch
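
The role-based variant discussed in this answer and its comments, as an added example that is not part of the original thread: URL authorization rules are evaluated top-down and the first match wins, so an `allow` for a role only restricts a page when a `deny` for everyone else follows it. The paths, role names, provider names and provider type below are assumptions chosen for illustration.

```xml
<configuration>
  <system.web>
    <!-- Assumption: forms authentication plus a custom role provider.
         "AppRoleProvider" and its type are hypothetical names. -->
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" />
    </authentication>
    <roleManager enabled="true" defaultProvider="AppRoleProvider">
      <providers>
        <add name="AppRoleProvider" type="MyApp.Security.AppRoleProvider" />
      </providers>
    </roleManager>

    <!-- Menu trimming: site map nodes the current user is not
         authorized to open are left out of the menu. -->
    <siteMap defaultProvider="TrimmedSiteMap">
      <providers>
        <add name="TrimmedSiteMap" type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap" securityTrimmingEnabled="true" />
      </providers>
    </siteMap>

    <!-- Site-wide default: anonymous users are sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Weak form: <allow roles="Admins"/> on its own. No rule denies
       anyone, so evaluation falls through to the inherited rules and
       every signed-in user can still type the URL and reach the page. -->

  <!-- Hardened form: one rule set per directory (hypothetical "Admin"
       folder), keyed on roles, so it does not grow with the user count. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the rules name roles rather than users, the same file serves any number of users; which users hold which role is answered by the role provider at request time.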
A: 

I am pretty new to Membership and Role Management in ASP.Net; I hope you will be the right person to help me out.

As per my knowledge, assigning permissions to roles can be done at folder level.

I have to build a custom website administrator tool which uses the ASPNetDB database (available with the .NET Framework). It should have an option to create roles and edit them in such a way that the users are able to assign permissions to the roles at page level and also at functionality level within that page for each role.

Please mail me at [email protected]

Ganesh