URL Authorization

These links should be of some help to you.

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q306/5/90.asp&NoWebContent=1
gives an overview of .NET security in general, including authentication
and authorization.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp
gives an overview of authorization in particular.

I have used Forms Authentication with UrlAuthorization on a number of
occasions and have never found any cons to it and find it much easier to
implement than more conventional methods.

The immediately obvious advantages are:

- You can control which users are allowed to access which URLs or
  sub-URLs in one single place, the web.config file, which is a great
  help.
- All unauthorized users are taken to the login page (form), also
  specified in the web.config.
- The login form is also provided with the originally requested URL, so
  that the user is automatically redirected there once authenticated.

Yes, there are some disadvantages that come to mind now, but they can be
easily overcome.

For one thing, you are allowed only one login form per application;
sometimes you need multiple login forms for multiple modules.
You can overcome that by having a common page which redirects the user
(from the backend) to the relevant login form by seeing which module's
URL he tried to access.
This is a piece of working code I am showing you; the web.config file
would have entries like this to restrict access to certain modules and
at the same time to allow access to the login pages within them.
<location path="Admin">
  <system.web>
    <authorization>
      <allow users="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Admin/Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="Member">
  <system.web>
    <authorization>
      <allow users="member" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Member/Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
As you can see it's very easy to define, but the web.config file tends
to get a bit long if you have a lot of URLs to authorize individually
rather than folder-wise.

The backend code on the common login page would redirect to the relevant
login page, something like this:

// Common login page: send the user to the module-specific login page,
// picking the module from the folder in the originally requested URL
// (the second-to-last path segment).
string ReturnUrl = Request.QueryString["ReturnUrl"];
if (ReturnUrl != null && ReturnUrl != "")
{
    string[] UrlParts = ReturnUrl.Split(new char[] {'/'});
    int Number = UrlParts.Length;
    // Guard: a URL with fewer than two segments has no module folder to inspect
    if (Number >= 2)
    {
        string Module = UrlParts[Number - 2].ToLower();
        if (Module == "admin")
            Response.Redirect("../Admin/Login.aspx?ReturnUrl=" + ReturnUrl);
        else if (Module == "member")
            Response.Redirect("../Member/Login.aspx?ReturnUrl=" + ReturnUrl);
    }
}
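As an added example (not code from the original post), the same dispatch written as a small helper class; the class name LoginDispatcher and its methods are my own, and it assumes .NET 2.0 or later. It rejects a ReturnUrl that is not a site-local path, so the common login page cannot be used to bounce a user to another site after login, and it picks the module from the first path segment below the application root, so nested URLs such as /Admin/Reports/Daily.aspx still reach the Admin login page.

```csharp
using System;
using System.Web;

// Hypothetical helper for the common login page (not part of the original post).
public static class LoginDispatcher
{
    // Only a site-local absolute path such as "/Admin/Users.aspx" is accepted.
    // A scheme/host or a protocol-relative prefix ("//host" or "/\host") is rejected,
    // so the ReturnUrl parameter cannot send the user to a different site after login.
    public static bool IsLocalPath(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl) || !returnUrl.StartsWith("/")) return false;
        if (returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\")) return false;
        Uri parsed;
        return Uri.TryCreate(returnUrl, UriKind.Relative, out parsed);
    }

    // The module is the first path segment below the application root, compared
    // case-insensitively, so "/Admin/Reports/Daily.aspx" maps to "admin".
    public static string ModuleFor(string localPath, string applicationPath)
    {
        string path = localPath;
        if (!string.IsNullOrEmpty(applicationPath) && applicationPath != "/" &&
            path.StartsWith(applicationPath, StringComparison.OrdinalIgnoreCase))
            path = path.Substring(applicationPath.Length);
        string[] parts = path.Split(new char[] { '/', '?' }, StringSplitOptions.RemoveEmptyEntries);
        return parts.Length == 0 ? null : parts[0].ToLowerInvariant();
    }

    // Returns the app-relative login page to redirect to, or null when the ReturnUrl is
    // missing, not local, or belongs to no known module (the caller then shows its own form).
    public static string LoginPageFor(string returnUrl, string applicationPath)
    {
        if (!IsLocalPath(returnUrl)) return null;
        string module = ModuleFor(returnUrl, applicationPath);
        if (module == "admin")  return "~/Admin/Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        if (module == "member") return "~/Member/Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        return null;
    }
}

// In the common login page's Page_Load:
//   string target = LoginDispatcher.LoginPageFor(Request.QueryString["ReturnUrl"], Request.ApplicationPath);
//   if (target != null) Response.Redirect(target);
```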

Also, on direct login (when you come straight to the login page, not by
requesting another URL), FormsAuthentication's redirect method
(RedirectFromLoginPage) always expects to find a default.aspx page to
which to redirect the user, and you may not want that. Sometimes you may
want him redirected to home.aspx or some such page.
That can be overcome by issuing the authentication ticket manually and
redirecting the user manually instead of using FormsAuthentication's
redirect method.
The code is given below:
using System.Data;
using System.Data.SqlClient;

// Page field holding the authenticated member's id (0 when not authenticated)
private int MemberId;

private void CustomValidator1_ServerValidate(object source,
    System.Web.UI.WebControls.ServerValidateEventArgs args)
{
    // DataComponent is the post's own data-access wrapper around a stored procedure call
    DataComponent DataComponent1 = new DataComponent();
    SqlParameter[] Parameters =
    {
        new SqlParameter("@MemberName", SqlDbType.VarChar, 50),
        new SqlParameter("@MemberPassword", SqlDbType.VarChar, 50)
    };

    Parameters[0].Value = TextBox1.Text;
    Parameters[1].Value = TextBox2.Text;
    string Status = "";

    // The MemberLogin stored procedure returns the member row when the details match
    DataTable ReturnedTable = DataComponent1.ExecuteTable("MemberLogin", Parameters, out Status);
    if (ReturnedTable.Rows.Count > 0)
    {
        MemberId = int.Parse(ReturnedTable.Rows[0][0].ToString());
        args.IsValid = true;
    }
    else
    {
        MemberId = 0;
        args.IsValid = false;
    }
}
This authenticates the user against his details in the database; this
can be done from within the Button1_Click event too.

using System.Web;
using System.Web.Security;

private void Button1_Click(object sender, System.EventArgs e)
{
    if (IsValid)
    {
        // Build the ticket by hand: user name "member", non-persistent, valid for 30 minutes
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket("member", false, 30);
        // Encrypt it and write it into the forms-authentication cookie ourselves,
        // instead of calling FormsAuthentication.RedirectFromLoginPage
        string EncryptedTicket = FormsAuthentication.Encrypt(ticket);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, EncryptedTicket));
        // Note: a plain cookie like this can be edited by the client, so it is a
        // convenience value only, not something to base authorization decisions on
        HttpCookie MemberIdCookie = new HttpCookie("MemberId", MemberId.ToString());
        Response.Cookies.Add(MemberIdCookie);
        if (Request.QueryString["ReturnUrl"] != null)
            Response.Redirect(Request.QueryString["ReturnUrl"]);
        else
            Response.Redirect("Default.aspx");
    }
}
This issues the ticket if he was authenticated. Here, as you can see, he
is issued the 'member' ticket. Depending on what kind of user he is, you
can issue him any ticket you have defined in the authorization section
of the web.config (admin, member, etc.). Since you are not using the
FormsAuthentication module to authenticate him, it is not necessary to
have the user defined in the authentication section of the web.config
either.
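As an added example (not code from the original post), here is the manual ticket issuance above packaged as a helper; the class name MemberTicket and its methods are my own, and it assumes .NET 2.0 or later. Instead of a separate plain-text MemberId cookie, it carries MemberId in the ticket's UserData, so it travels inside the encrypted, tamper-checked forms cookie and is read back from the ticket the runtime has already validated.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of the original post) for the module login pages.
public static class MemberTicket
{
    // Builds the forms-authentication cookie by hand. The name is what UrlAuthorization
    // matches against <allow users="..."/>, so pass "member" or "admin" as appropriate.
    public static HttpCookie Issue(string userName, int memberId, int minutes, bool secureConnection)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                      // ticket version
            userName,               // user name checked by the authorization section
            now,
            now.AddMinutes(minutes),
            false,                  // not persistent: session cookie only
            memberId.ToString(),    // UserData rides inside the encrypted ticket
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;            // not readable by script on the page
        cookie.Secure = secureConnection;  // HTTPS-only when the login itself was over HTTPS
        cookie.Path = FormsAuthentication.FormsCookiePath;
        return cookie;
    }

    // On later requests, read MemberId back from the ticket the runtime already decrypted
    // and validated; returns 0 for an anonymous request or a ticket without a MemberId.
    public static int MemberIdFrom(HttpContext context)
    {
        FormsIdentity identity = (context.User == null) ? null : context.User.Identity as FormsIdentity;
        int id;
        if (identity != null && int.TryParse(identity.Ticket.UserData, out id)) return id;
        return 0;
    }
}

// In Button1_Click, once the validator has set IsValid and MemberId:
//   Response.Cookies.Add(MemberTicket.Issue("member", MemberId, 30, Request.IsSecureConnection));
//   Response.Redirect("Home.aspx");
// Elsewhere in the Member module:
//   int memberId = MemberTicket.MemberIdFrom(HttpContext.Current);
```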

There is also a common belief that forms authentication cannot be
database-based, which is also not true. You can authenticate your user
from the DB and then issue him the appropriate ticket to let him have
access to the relevant URL, as shown above.
