PC Review



asp.net 2.0 security

 
 
ireallyneedtoknow2007@yahoo.com
 
      20th Nov 2007
Hi all,
I have to secure an internet application to only allow certain users, and have come up with the following page load and web.config code. Basically I allow all users access, then catch their user name in the page load and allow/deny access based on <add key="allowed" value="user1"/> in web.config (this could be a database call).

I did not use <allow users="user"/> <deny users="*"></deny> because I want to redirect users to an error page.

Also, I do not have the option of making users sign in, so using forms-based security will not work.

My question: given all that I have said, what are the flaws with my approach?

My page load includes the following:

using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // comma-separated user names from <add key="allowed" .../> in web.config
    string[] allowed = ConfigurationManager.AppSettings["allowed"].Split(',');
    bool b = false;

    // the identity of the request, set by Windows authentication
    // (WindowsIdentity.GetCurrent() would give the worker process account instead)
    WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
    string us = winPrincipal.Identity.Name;

    // remove domain from DOMAIN\user; a name without a backslash is used as-is
    string[] split = us.Split('\\');
    string userOnly = split.Length > 1 ? split[1] : split[0];

    foreach (string s in allowed)
    {
        if (userOnly.Trim().Equals(s.Trim(), StringComparison.OrdinalIgnoreCase))
        {
            b = true;
            break;
        }
    }
    if (!b)
    {
        // Redirect ends the response, so nothing further on the page runs
        Response.Redirect("http://xxx.html");
    }
}


web.config:

<appSettings>
  <add key="allowed" value="user1"/>
</appSettings>

<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow users="*"/>
  </authorization>
</system.web>
 
Vapordan
 
      21st Nov 2007
Nothing wrong inherently. Oh, you have now exposed the user list in the config file. To sleep soundly at night, I would just encrypt it instead of having it in plain text, something .NET supports out of the box. Slight performance hit, but sure zzzz at night.

You are also in a bit of hot water with the domain portion, since Jenny from the config file will match MAPLE\Jenny and/or PINE\Jenny.

--
Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $19.99
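The page-load check in the original post and the two points in this reply (the plain-text list and the unqualified-name match), as one added example; this is not code from the thread. It is a fail-closed variant of the check: the allow list in web.config is expected to hold fully qualified names such as value="MAPLE\Jenny,MAPLE\Bob", entries without a domain are ignored rather than matched across every domain, an unauthenticated or domain-less request is denied, and a ProtectAppSettings helper encrypts the appSettings section with the DataProtectionConfigurationProvider so the names are not readable in the file (the same thing aspnet_regiis -pef appSettings <physical path> does from the command line; ConfigurationManager.AppSettings decrypts a protected section transparently at runtime). The class name AllowListAuthorizer, the base page SecurePage and the error page ~/AccessDenied.aspx are this example's own choices, not anything from the thread.

```csharp
// Added example, not from the thread: fail-closed allow-list check for Windows
// authentication that compares the full DOMAIN\user name. Assumed names:
// AllowListAuthorizer, SecurePage, the "allowed" appSettings key, ~/AccessDenied.aspx.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Principal;
using System.Web.Configuration;
using System.Web.UI;

public static class AllowListAuthorizer
{
    // Windows account names are not case sensitive, so the set ignores case.
    private static readonly Dictionary<string, bool> allowed = LoadAllowList();

    // Reads <add key="allowed" value="MAPLE\Jenny,MAPLE\Bob"/>; entries without a
    // domain are dropped because a bare "Jenny" would otherwise admit PINE\Jenny too.
    private static Dictionary<string, bool> LoadAllowList()
    {
        Dictionary<string, bool> set =
            new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        string raw = ConfigurationManager.AppSettings["allowed"];
        if (raw == null) return set;                 // key missing: nobody is allowed
        foreach (string entry in raw.Split(','))
        {
            string name = entry.Trim();
            if (name.Length == 0 || name.IndexOf('\\') < 1) continue;
            set[name] = true;
        }
        return set;
    }

    // True only for an authenticated DOMAIN\user that is on the list.
    public static bool IsAllowed(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                            // anonymous request: fail closed
        string name = user.Identity.Name;            // "DOMAIN\user" under Windows auth
        if (name.IndexOf('\\') < 1)
            return false;                            // no domain qualifier: do not guess
        return allowed.ContainsKey(name);
    }

    // One-time deploy step: encrypt <appSettings> in place with DPAPI (machine-bound key).
    // Saving web.config restarts the application, so run it once, not per request.
    public static void ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }
}

// Base page: every protected page derives from this so the check cannot be forgotten.
public class SecurePage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        if (!AllowListAuthorizer.IsAllowed(User))
        {
            // endResponse=true aborts the request here; nothing else on the page runs.
            Response.Redirect("~/AccessDenied.aspx", true);
        }
        base.OnLoad(e);
    }
}
```

Two caveats on the design. The check only runs on pages that derive from SecurePage, so any other .aspx page or static file under the application is still open under <allow users="*"/>; the error page itself must not derive from SecurePage or the redirect loops. DPAPI protection is bound to the machine that encrypted the file, so on a web farm use the RsaProtectedConfigurationProvider with an exported key container instead.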

 
ireallyneedtoknow2007@yahoo.com
 
      26th Nov 2007
Thanks for the suggestions - I will use encryption!
