My company has several web applications written in ASP.NET. We need to make these applications available to Intranet users as well as authenticated external users. Most of the features are the same for the two groups, though there are some extra features available to the Internal users. The two different sets of users would use a slightly different security setup... our internal people will be authenticated using LDAP against Exchange, whereas the external users will have accounts in SQL Server.

What is the best approach for deploying our web apps? Should we deploy 2 copies to different servers, one configured for an Intranet and one for outside users? Or is there a better way to share the code between the 2 servers, yet have the flexibility to use different web.config settings for security?

+2  A: 

This is what you are after: http://msdn.microsoft.com/en-us/library/ms972958.aspx

It is specifically about mixed Windows and Forms authentication.

You can secure folders by adding an additional web.config file to that folder:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

What this does is allow anyone with the role "admin" and deny every other user access to resources in the folder. There are lots of combinations and possibilities available. Note that the order of declaring permissions here is important. It is worth experimenting with so that you fully understand how this works.

Page-specific settings can be handled like this:

<location path="page.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
    </authorization>
  </system.web>
</location>
Daniel Dyson
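
Added example, not part of the original answer: a small Python model of how ASP.NET URL authorization walks the `<authorization>` rules top-down and stops at the first match, which is why the order of `<allow>` and `<deny>` matters. The two sample configs, the function names and the user names are constructed for illustration; the `verbs` attribute is ignored and name matching is simplified to case-insensitive.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the same two rules in opposite order.
ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow roles="admin" />
  <deny users="*" />
</authorization></system.web></configuration>"""

DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="*" />
  <allow roles="admin" />
</authorization></system.web></configuration>"""


def load_rules(config_xml):
    """Return the <authorization> rules as (action, users, roles) in document order."""
    auth = next(ET.fromstring(config_xml).iter("authorization"), None)

    def split(value):
        return {s.strip().lower() for s in value.split(",") if s.strip()}

    return [(rule.tag, split(rule.get("users", "")), split(rule.get("roles", "")))
            for rule in (auth if auth is not None else [])]


def is_allowed(rules, user=None, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    held = {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        matches = ("*" in users                               # everyone
                   or ("?" in users and user is None)         # anonymous only
                   or (user is not None and user.lower() in users)
                   or bool(held & rule_roles))
        if matches:
            return action == "allow"
    # Nothing matched in this file: ASP.NET continues with the parent
    # configuration, whose root default is <allow users="*" />.
    return True
```

With `DENY_FIRST`, the `<deny users="*" />` rule matches every request before the `<allow>` is reached, so even members of "admin" are refused.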