page level authorization

ultraman

Hi! I just read the thread started by niall29 on intranet site authorization. Pretty interesting, but I have a different issue with authorization. I need to limit access only to specific pages of my intranet site.

What I did is change the file properties (in IIS admin) so that the authentication method is now "Basic authentication" instead of anonymous access. The problem is that once an authorised user is logged on, the server assumes it's always the same user for the present session and it can navigate to every page allowed for this user.

I'm looking for a way to force the server to ask for identity every time a user requests the page. Is it possible?
 
People usually handle this by having groups and then doing:

Context.User.IsInRole("group name");

and if they're not, redirect them to another page. That's the most popular and, to be honest, the easiest way to implement and maintain, IMHO.
 
The problem is that this application will always be open and there are a lot of users that will use it. So the application needs to allow anonymous users for most of it, and just control access on some pages with administrative stuff (to fix errors, modify data, etc.). So the application will use the generic IUSR_<machinename> Windows user, which will never be a member of any group. Maybe I'll have to create and manage my own users (in a SQL Server table).
 
As a matter of fact, what I need to do is reset the HttpContext.Current.User so that the server doesn't assume it's the same user who comes back on this page every time.
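
An added example, not code from any poster in this thread: the group check suggested in the reply, arranged so that most pages stay anonymous and only administrative pages demand a login and a group. `PageGuard`, `AccessDecision` and the group name `IntranetAdmins` are hypothetical, and it assumes that a request served under anonymous access reaches ASP.NET with an identity whose `IsAuthenticated` is false.

```csharp
using System;
using System.Security.Principal;

// Hypothetical names throughout; this is an illustration, not the thread's code.
public enum AccessDecision { Allow, Challenge, Deny }

public static class PageGuard
{
    // requiredGroup == null marks a public page that anonymous users may open.
    public static AccessDecision Check(IPrincipal user, string requiredGroup)
    {
        if (requiredGroup == null)
            return AccessDecision.Allow;

        // Assumption: the anonymous IUSR_<machinename> request shows up here
        // as an unauthenticated identity, so it never passes a group test.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return AccessDecision.Challenge; // page should answer 401 so the browser prompts

        // Authenticated but outside the group: refuse or redirect, do not prompt again.
        return user.IsInRole(requiredGroup) ? AccessDecision.Allow : AccessDecision.Deny;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample principals standing in for Context.User.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal clerk = new GenericPrincipal(
            new GenericIdentity("clerk", "Basic"), new[] { "Staff" });
        IPrincipal admin = new GenericPrincipal(
            new GenericIdentity("admin", "Basic"), new[] { "IntranetAdmins" });

        const string adminGroup = "IntranetAdmins";

        Console.WriteLine("public page, anonymous: " + PageGuard.Check(anonymous, null));
        Console.WriteLine("admin page, anonymous:  " + PageGuard.Check(anonymous, adminGroup));
        Console.WriteLine("admin page, clerk:      " + PageGuard.Check(clerk, adminGroup));
        Console.WriteLine("admin page, admin:      " + PageGuard.Check(admin, adminGroup));
    }
}
```

In a page, the same check would run against `Context.User` early in the request, before any administrative content is rendered.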
 