mike55 Posted October 25, 2007

Hi all

I am trying to use role-based security with forms authentication on a web app. I have a database with a login table that has a username, employeeId, password and role. Role can be either "admin", "superAdmin" or "staff". In my project I have two sub-directories: one is Admin and the other is All. I want to allow only the users with the "admin" and "superAdmin" role access to the Admin folder and let users with all three roles access the All folder.

Here is the web.config for the Admin folder:

```xml
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny roles="staff"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
```

Here is the web.config for the All folder:

```xml
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
```

Here is the main section from my main web.config file:

```xml
<system.web>
  <siteMap defaultProvider="default">
    <providers>
      <clear/>
      <add name="default" type="System.Web.XmlSiteMapProvider" siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
    </providers>
  </siteMap>
  <roleManager enabled="true"/>
  <authentication mode="Forms">
    <forms name="MYWEBAPP.ASPXAUTH" loginUrl="index.aspx" protection="All" path="/"/>
  </authentication>
</system.web>
```

Once I get a reply back from the database indicating that the user is valid and their role (employeeRole), I use the following code to create the authentication ticket:

```vb
FormsAuthentication.Initialize()
' The role returned by the database goes into the ticket's UserData slot
Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
    txtUsername.Text, DateTime.Now, _
    DateTime.Now.AddMinutes(30), True, _
    employeeRole, _
    FormsAuthentication.FormsCookiePath)
Dim hash As String = FormsAuthentication.Encrypt(ticket)
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
If ticket.IsPersistent Then
    cookie.Expires = ticket.Expiration
End If
Response.Cookies.Add(cookie)
```

I then redirect the user to the default start page using Response.Redirect("abc.aspx").

As you will notice from the section from my main web.config file, I am using a sitemap to provide my menu functionality. I have set "SecurityTrimmingEnabled" to True.

Finally, here is the entry in my global.asax file:

```vb
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    If (Not HttpContext.Current.User Is Nothing) Then
        If (HttpContext.Current.User.Identity.IsAuthenticated = True) Then
            If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
                Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                Dim ticket As FormsAuthenticationTicket = id.Ticket
                ' UserData holds the comma-separated role list written at login
                Dim userData As String = ticket.UserData
                Dim roles() As String = userData.Split(","c)
                HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
            End If
        End If
    End If
End Sub
```

My problem is that the role-based security doesn't seem to work, in that a user with the "staff" role seems to be able to log into the admin pages, and the site map is not working correctly, i.e. it is not displaying the correct options based on the user's role.

Any suggestions?

Mike55

A Client refers to the person who incurs the development cost. A Customer refers to the person that pays to use the product. ------ My software never has bugs. It just develops random features. (Mosabama vbforums.com)
PlausiblyDamp (Administrators) Posted October 26, 2007

Not had time to properly look at your code (or to check if it will work with the .Net 2 security mechanisms); however, have you considered creating your own membership / role providers? This route definitely integrates with the control / security architecture provided in .Net 2.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein
mike55 (Author) Posted October 30, 2007

Hi PlausiblyDamp

Many thanks for the reply. Solved the problem: in my main web.config file I had said:

```xml
<roleManager enabled="true" cacheRolesInCookie="true"/>
```

Once I removed this line and changed the web.config file in each folder to:

```xml
<authorization>
  <allow roles="admin,manager"/>
  <deny users="*"/>
</authorization>
```

the code worked correctly. As you also suggested, I have previously used the control/security architecture supplied by .Net 2.0, but on this occasion I am unable to apply this due to user requirements.

Mike55.
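As an added illustration (not code from this thread), a small Python model of how ASP.NET URL authorization walks `<allow>`/`<deny>` rules: the folder's own rules are checked first, inherited rules after them, the first match decides, and the machine-level default ends with allow everyone. The empty-role case for an authenticated user is an assumption about the original symptom (a principal whose ticket roles did not survive to authorization); the thread does not state it.

```python
# Simplified model of ASP.NET UrlAuthorizationModule rule evaluation (added example).
# A rule is (action, kind, value): kind is "users" or "roles"; value is "*" (everyone),
# "?" (anonymous) or a comma-separated list of names. The first matching rule wins.
# Folder rules are evaluated before inherited ones; the machine-level root config
# ends the chain with <allow users="*"/>, which is what lets unmatched requests through.

MACHINE_DEFAULT = [("allow", "users", "*")]

def _matches(kind, value, user, roles):
    """Does one rule's user/role pattern apply to this request? user=None is anonymous."""
    names = [v.strip() for v in value.split(",")]
    if kind == "users":
        return any(n == "*" or (n == "?" and user is None) or n == user for n in names)
    return any(n in roles for n in names)  # anonymous users carry no roles

def is_authorized(rule_chain, user, roles=()):
    """rule_chain: list of rule lists, most specific folder first."""
    for rules in rule_chain + [MACHINE_DEFAULT]:
        for action, kind, value in rules:
            if _matches(kind, value, user, roles):
                return action == "allow"
    return True  # not reached: the machine default always matches

# Admin-folder rules as posted in the original question.
ADMIN_ORIGINAL = [("allow", "roles", "admin"), ("deny", "roles", "staff"), ("deny", "users", "?")]
# Folder rules from the follow-up post that resolved the problem.
ADMIN_FIXED = [("allow", "roles", "admin,manager"), ("deny", "users", "*")]

def check_scenarios():
    """Return (config, user, roles, allowed) for the cases that matter. Constructed
    sample users: 'mike' (admin), 'bob' (staff), 'bob' with an empty role list
    (assumed model of roles lost before authorization), and an anonymous request."""
    cases = [("mike", ("admin",)), ("bob", ("staff",)), ("bob", ()), (None, ())]
    out = []
    for name, cfg in (("original", ADMIN_ORIGINAL), ("fixed", ADMIN_FIXED)):
        for user, roles in cases:
            out.append((name, user, roles, is_authorized([cfg], user, roles)))
    return out

if __name__ == "__main__":
    for row in check_scenarios():
        print(row)
```

With the original rules an authenticated user who matches neither "admin" nor "staff" falls through to the machine default and is allowed; the trailing `<deny users="*"/>` in the fixed config closes that gap.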