charles
Hi,
I am trying to port my ASP application to ASP.Net 2.0.
My application is sold to large corporations that have many thousands
of users. So I do not use Forms authentication. To make it more
convenient for them I developed a custom hybrid model of authentication
and authorization.
You see, the site administrator is often a non-technical person and
doesn't have the rights to create Windows Groups or Windows Accounts
or assign Windows Users to Windows Groups.
For this reason, I created a web interface that allows an administrator
to create and edit "Site Roles" (as I call them). All he must do is
associate an existing Windows User Group with the Site Role, and then
decide which security contexts that Site Role may access.
When a user accesses the site, he's authenticated using Windows
Authentication (Integrated). Then in the Session_OnStart event I have
code that determines which Roles that user belongs to and which
Security Contexts that user has permission to. I store these in Session
variables for that user.
If a Windows User is not a member of any Windows Group associated to a
Site Role, they do not get access.
Each page that has security contexts has code that checks the session
variable to make sure that user has access or not to that context. If
not, they are presented with an error message popup after being
redirected to the page they came from (or the default page if no
referrer was found).
What I want to do is build a similar method of authorization in my .Net
application. I know there are many new security features in .Net; I
just haven't learned them all so I can't make an informed decision
as to how to proceed.
Anyone have any suggestions or examples of Windows Authentication but
using custom Role based authorization?
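
The model described in the post above (Windows group to Site Role to security context, denying access when no group matches), as an added example that is not part of the original post. `SiteRoleAuthorizer`, its methods and all group, role and context names are hypothetical; in an ASP.NET page the principal passed in would be `HttpContext.Current.User` under Integrated Windows authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example; every group, role and context name here is constructed.
public class SiteRoleAuthorizer
{
    // Site Role -> Windows group the administrator associated with it
    private readonly Dictionary<string, string> roleToGroup = new Dictionary<string, string>();
    // Site Role -> security contexts that role may access
    private readonly Dictionary<string, List<string>> roleToContexts =
        new Dictionary<string, List<string>>();

    public void AddSiteRole(string role, string windowsGroup, params string[] contexts)
    {
        roleToGroup[role] = windowsGroup;
        roleToContexts[role] = new List<string>(contexts);
    }

    // For a WindowsPrincipal, IsInRole(string) tests Windows group membership.
    public List<string> ResolveRoles(IPrincipal user)
    {
        List<string> roles = new List<string>();
        if (user == null || !user.Identity.IsAuthenticated)
            return roles; // unauthenticated: no Site Roles
        foreach (KeyValuePair<string, string> pair in roleToGroup)
            if (user.IsInRole(pair.Value)) roles.Add(pair.Key);
        return roles;
    }

    // True only when one of the user's Site Roles grants the context.
    public bool CanAccess(IPrincipal user, string context)
    {
        foreach (string role in ResolveRoles(user))
            if (roleToContexts[role].Contains(context)) return true;
        return false; // member of no matching Site Role: no access
    }

    public static void Main()
    {
        SiteRoleAuthorizer auth = new SiteRoleAuthorizer();
        auth.AddSiteRole("Editors", @"CORP\WebEditors", "EditArticles", "ViewReports");
        // GenericPrincipal stands in for the WindowsPrincipal that IIS supplies.
        IPrincipal user = new GenericPrincipal(
            new GenericIdentity(@"CORP\jdoe"), new string[] { @"CORP\WebEditors" });
        Console.WriteLine(auth.CanAccess(user, "EditArticles"));    // granted via Editors
        Console.WriteLine(auth.CanAccess(user, "ManageSiteRoles")); // not granted
    }
}
```

If the resolved roles are cached in Session as the post describes, a change to a user's Windows group membership or to a Site Role mapping does not take effect for that user until the session ends.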