Hi Betty,
From your description, my understanding is that you want to use the
Membership Database to store your users and want unauthenticated users to
access some resources. The resources are scattered, as you said, so it is
not reasonable to list all the files in web.config using <Location> tags:
there are many files to restrict, and they might change. If I have
misunderstood you, please feel free to let me know.
It is easy to use Location tags in web.config for specific files or
directories, because we don't need to write code; we just configure them
in web.config and ASP.NET handles authorization. For more information, see
http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx.
I want to confirm which authentication type you are using. I assume that
you are using forms authentication. In this case, we can put a web.config
file in each subdirectory and use that web.config's Location tags to
control access permissions in that directory. For example, we can use the
root web.config's Location tags for the unprotected files in the root of
your application, and a web.config in another folder for the unprotected
files in that subdirectory. For more information about using Location
tags to configure a specific file or subdirectory, see
http://msdn.microsoft.com/en-us/library/6hbkh9s7.aspx.
It would also be better to re-organize the website, put the unprotected
resources in a separate directory, and then apply Location tags to that
directory, because it makes the files easier to manage.
If you don't want to re-organize your website, you can use custom
authentication with the Membership APIs instead of forms authentication.
This requires us to write our own code to implement authentication and
authorization. We will use an XML file to store the paths of unprotected
resources and read it while authorizing the user. Any user can access a
file without validation when the request path is in this XML file. The
following demo is only meant to demonstrate the process of custom
authorization and doesn't use Roles. If you need to use Roles, sections 1
and 3 will need to be modified accordingly.
To do so, we need to implement the following aspects:
1. The XML file used to store the unprotected files should look similar to
the following. We can modify it in the future.
XML content:
=================================
<ControlList>
  <allow>
    <path>help.html</path>
    <path>information.aspx</path>
    <path>product/newProduct.aspx</path>
    ....
    ....
  </allow>
</ControlList>
================================
We can put this XML file in the root directory of your web application.
2. Use the Membership APIs to validate the user and use a cookie to indicate
whether the user is authenticated or not. This cookie will be used to
determine whether the user is authenticated in section 3.
================================
// Login.aspx code-behind; requires: using System.Web.Security;
protected void Login_Click(object sender, EventArgs e)
{
    // Validate the credentials against the configured Membership provider.
    if (Membership.ValidateUser(txtUserName.Text, TxtPsw.Text))
    {
        // Set the cookie that Application_BeginRequest checks (section 3).
        Response.Cookies["userName"].Value = txtUserName.Text;
        Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1);
    }
}
=================================
With the Membership APIs, we can work directly with the Membership provider.
For more information about the Membership APIs, see
http://msdn.microsoft.com/en-us/library/system.web.security.membership_methods.aspx
3. Check whether the requested file is protected in Application_BeginRequest
of Global.asax. If the file is unprotected, we don't need to validate
whether the user is authenticated.
=================================
// Global.asax; requires: using System.Web;
void Application_BeginRequest(object sender, EventArgs e)
{
    bool blnUnprotectedFile = false;
    // TO DO: Access the XML file to see whether we need to validate the user.
    // If the file is unprotected, we don't need to validate the user.
    // Customize your AccessControlXML code and set blnUnprotectedFile accordingly.
    //AccessControlXML
    string strRequestFile = Request.FilePath;
    //...
    //...
    //...
    // Set blnUnprotectedFile to true if the file is unprotected.
    // Note: Login.aspx itself must be listed as unprotected, or nobody can reach the login page.
    if (!blnUnprotectedFile)
    {
        // The file is protected: look for the cookie the login page set.
        // It must be read from Request.Cookies (what the browser sent);
        // Response.Cookies only holds cookies this response is about to set.
        HttpCookie userCookie = Request.Cookies["userName"];
        if (userCookie == null || string.IsNullOrEmpty(userCookie.Value))
        {
            // The file is protected and the user is not logged in.
            Response.Write("You don't have permission to access protected resource. Please log in and try again.");
            Response.Write(" <a href=\"Login.aspx\">Return Login Page</a>");
            Response.End();
        }
    }
}
================================
We can use the XmlDocument class to load the XML file and read the
unprotected file paths. For more information about the XmlDocument class, see
http://msdn.microsoft.com/en-us/library/system.xml.xmldocument.aspx
Note:
We need to make sure this XML file is protected. We can map the .xml
extension to ASP.NET in IIS and map the file path to the HttpForbiddenHandler
in ASP.NET to protect it. For more information about HttpForbiddenHandler,
see
http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx
I look forward to receiving your test results.
Best Regards,
Thomas Sun
Microsoft Online Partner Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
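The demo in the post leaves the XML lookup as a TO DO and marks a user as logged in with a plain "userName" cookie, which any client can set by hand. The following is an added example, not code from the original post or from Microsoft: it fills in the lookup with XmlDocument, normalizes paths so the list entries match what Request.FilePath carries (case, application root, stray "." segments), and swaps the plain cookie for an HMAC-SHA256-signed value that Application_BeginRequest can verify. The class names (AccessControlList, AuthCookie), the sample XML and the demo key are assumptions made for this example.

```csharp
// Added example, not code from the original post: the allow-list lookup left as a TO DO in
// Application_BeginRequest, plus an HMAC-signed replacement for the plain "userName" cookie.
// Class names, the sample XML and the demo key are assumptions made for this demo.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

public static class AccessControlList
{
    // Constructed sample in the page's format; the real file comes from Server.MapPath("~/ControlList.xml").
    public const string SampleXml =
        "<ControlList><allow><path>help.html</path><path>information.aspx</path>" +
        "<path>product/newProduct.aspx</path></allow></ControlList>";

    // Case-insensitive set, because IIS serves /Help.HTML and /help.html as the same file.
    public static HashSet<string> Load(string xml)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;   // never resolve DTDs or external entities from the list file
        doc.LoadXml(xml);
        HashSet<string> allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (XmlNode node in doc.SelectNodes("/ControlList/allow/path"))
            allowed.Add(Normalize(node.InnerText));
        return allowed;
    }

    // Canonical "seg/seg" form: forward slashes; no empty, "." or ".." segments; no query string.
    public static string Normalize(string path)
    {
        int cut = path.IndexOfAny(new char[] { '?', '#' });
        if (cut >= 0) path = path.Substring(0, cut);
        List<string> parts = new List<string>();
        foreach (string raw in path.Replace('\\', '/').Split('/'))
        {
            string seg = raw.Trim();
            if (seg.Length == 0 || seg == ".") continue;
            if (seg == "..") { if (parts.Count > 0) parts.RemoveAt(parts.Count - 1); continue; }
            parts.Add(seg);
        }
        return string.Join("/", parts.ToArray());
    }

    // requestFilePath is Request.FilePath ("/MyApp/product/newProduct.aspx"); appPath is Request.ApplicationPath.
    public static bool IsUnprotected(HashSet<string> allowed, string requestFilePath, string appPath)
    {
        string rel = Normalize(requestFilePath), app = Normalize(appPath);
        if (app.Length > 0 && !rel.StartsWith(app + "/", StringComparison.OrdinalIgnoreCase)) return false;
        if (app.Length > 0) rel = rel.Substring(app.Length + 1);
        return allowed.Contains(rel);
    }

    // Demo entry point with constructed inputs (not part of the page's design).
    public static void Main()
    {
        HashSet<string> allowed = Load(SampleXml);
        Console.WriteLine(IsUnprotected(allowed, "/MyApp/Product/NewProduct.aspx", "/MyApp"));   // listed, case differs
        Console.WriteLine(IsUnprotected(allowed, "/MyApp/admin/users.aspx", "/MyApp"));           // not listed
        byte[] key = Encoding.UTF8.GetBytes("demo-only key; load the real one from configuration");
        string user, cookie = AuthCookie.Create("betty", DateTime.UtcNow.AddDays(1), key);
        Console.WriteLine(AuthCookie.TryRead(cookie, key, DateTime.UtcNow, out user) + " " + user);
        Console.WriteLine(AuthCookie.TryRead("admin|" + DateTime.UtcNow.AddDays(1).Ticks + "|00", key, DateTime.UtcNow, out user));
    }
}

public static class AuthCookie
{
    // Value: userName|expiryTicksUtc|hex(HMAC-SHA256(key, "userName|expiryTicksUtc")). A bare
    // userName cookie can be typed into any browser; the MAC makes it unforgeable without the key.
    public static string Create(string userName, DateTime expiresUtc, byte[] key)
    {
        if (userName.IndexOf('|') >= 0) throw new ArgumentException("userName must not contain '|'");
        string payload = userName + "|" + expiresUtc.Ticks;
        return payload + "|" + Mac(payload, key);
    }

    public static bool TryRead(string value, byte[] key, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (value ?? "").Split('|');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[1], out ticks)) return false;
        if (!FixedTimeEquals(parts[2], Mac(parts[0] + "|" + parts[1], key))) return false;
        if (new DateTime(ticks, DateTimeKind.Utc) <= nowUtc) return false;   // expired
        userName = parts[0];
        return true;
    }

    static string Mac(string payload, byte[] key)
    {
        using (HMACSHA256 h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // No early exit, so response time does not reveal how many MAC characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the application this would be wired up as follows: call Load once in Application_Start and keep the set in Application state; in Application_BeginRequest call IsUnprotected(allowed, Request.FilePath, Request.ApplicationPath) and, for protected paths, AuthCookie.TryRead on Request.Cookies["userName"].Value instead of testing the raw cookie for an empty string. The key must come from configuration (the machineKey section, or a secret stored alongside it), never from source, and the cookie should be issued with HttpOnly and, on HTTPS sites, Secure set, so scripts and plain-HTTP requests cannot read it.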