views: 462
answers: 2

We're trying to implement formsAuthentication on our site, but in a scenario that we haven't been able to find a solution for yet - other than creating our own HttpModule and doing the custom logic ourselves - so I thought I'd toss the question out there to see if this was indeed the only solution.

We'd like to use formsAuthentication on top of custom Membership providers, but would like to use a different provider for different folders. Our site partitions these sections with subfolders (eg: ~/Admin, ~/GoldCustomer, ~/SilverCustomer, ~/BronzeCustomer), so we'd like to use different Membership providers for each section/subfolder. Using the framework to support this, we'd implement our web.config like:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <location path="Admin">
    <system.web>
      <authentication mode="Forms">
        <forms name="AdminAuth" loginUrl="~/AdminLogin.aspx" />
      </authentication>
      <membership defaultProvider="AdminProvider">
        <providers>
          <add connectionStringName="ConnString" name="AdminProvider" type="Assembly.AdminMembershipProvider" ... />
        </providers>
      </membership>
    </system.web>
  </location>
  <location path="GoldCustomer">
    <system.web>
      <authentication mode="Forms">
        <forms name="GoldCustomerAuth" loginUrl="~/GoldCustomerLogin.aspx" />
      </authentication>
      <membership defaultProvider="GoldCustomerProvider">
        <providers>
          <add connectionStringName="ConnString" name="GoldCustomerProvider" type="Assembly.GoldCustomerMembershipProvider" ... />
        </providers>
      </membership>
    </system.web>
  </location>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Forms" />
  </system.web>
</configuration>

Doing this though results in the runtime error:

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

Line 11:   <location path="Admin">
Line 12:     <system.web>
Line 13:       <authentication mode="Forms">
Line 14:         <forms name="FormsAdmin" loginUrl="~/login.aspx" />
Line 15:       </authentication>

It seems that the only way to accomplish what we're trying is with a custom HttpModule - or change our approach (like breaking the folders up into different web apps in IIS). Is this correct, or am I missing something? Or are there other alternatives I'm not aware of?

Thanks for your help!

+1  A: 

First of all, I think role-based security makes perfect sense for your application if you have control over the databases. But if you can't change it, it's a no-go.

The alternative solution can be a gateway login form that redirects the user to a folder-specific login form based on the ReturnUrl querystring variable, and that form will use the provider it wants to validate the user. Then it uses FormsAuthentication.RedirectFromLoginPage to set an authentication cookie and redirect to the previous page. You can set the roles and use role-based security to control access to each folder with the <authorization> tag in web.config.

Mehrdad Afshari
I have done exactly what he is trying to do many times using roles - and you are correct - this is exactly what roles are meant to do - to authorize access at different levels.
Jim Evans
Ah yes - RBS - duh! I guess the reason that didn't come to mind is that we're also trying to represent the user with different IIdentity implementations. Our AdminIdentity will have properties like: Name, CompanyExtensionNumber, IsGod, etc. while our GoldCustomerIdentity will have properties like NumberOfDaysBeenCustomer, etc. So each type of IIdentity has unique properties/behavior. Is the best answer to this problem that we should have a factory that downcasts IIdentity if the User.IsInRole("Admin") - and throw SecurityException if not?
mallio
@mallo: If you really want to issue IIdentity objects yourself, I guess HttpModule is your best bet.
Mehrdad Afshari
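The gateway login page the answer above describes, written out as an added example (not code from the original post): it picks the membership provider from the folder in ReturnUrl, validates against that provider, and lets FormsAuthentication issue the cookie, after which per-folder <authorization> rules decide access by role. It assumes the providers are registered at application level under the names "AdminProvider" and "GoldCustomerProvider", that the app is deployed at the site root, and that the page has UserName, Password and FailureText controls.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a single ~/Login.aspx gateway page (assumed page and control names).
public partial class Login : Page
{
    // Folder prefix -> membership provider that owns that section (assumed provider names,
    // registered at application level, not inside <location>, which is what the error forbids).
    private static readonly Dictionary<string, string> ProviderByFolder =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "/Admin/",        "AdminProvider" },
            { "/GoldCustomer/", "GoldCustomerProvider" },
        };

    // Only trust a ReturnUrl that is a site-root-relative path (assumes root deployment);
    // anything else, including protocol-relative "//host", falls back to DefaultUrl so the
    // login page cannot be turned into an open redirector.
    private static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl) || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
            return FormsAuthentication.DefaultUrl;
        return returnUrl;
    }

    // Resolve the provider for the section being requested; unknown sections use the default.
    private static MembershipProvider ProviderFor(string localPath)
    {
        foreach (KeyValuePair<string, string> pair in ProviderByFolder)
            if (localPath.StartsWith(pair.Key, StringComparison.OrdinalIgnoreCase))
                return Membership.Providers[pair.Value] ?? Membership.Provider;
        return Membership.Provider;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string returnUrl = SafeReturnUrl(Request.QueryString["ReturnUrl"]);
        MembershipProvider provider = ProviderFor(returnUrl);

        if (!provider.ValidateUser(UserName.Text, Password.Text))
        {
            // Same message whether the user is unknown or the password is wrong.
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // Sets the forms cookie and redirects to ReturnUrl; RedirectFromLoginPage itself
        // only follows ReturnUrl inside the application unless EnableCrossAppRedirects is on.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
```

The role the user ends up with still comes from the configured role provider, so each folder's <authorization> section (for example allowing roles="Admin" under ~/Admin) is what actually keeps a GoldCustomer login out of the admin area.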
A: 

I'm not sure what you're trying to do, but how about Roles for each of these customer types? Limit access by a role for each sub folder, but you'd still have 1 membership provider and 1 role provider.

typemismatch