Programmatic Forms Authentication


Programmatic Forms Authentication Tyler Carver
2/21/2006 12:11:29 PM
asp.net security:
I'm looking for a provider or some type of programmatic access to be able to
map which URL's in my website need authentication. Using the web.config does
not give me a real time way to say which URL's are authorized. Many of the
URL's in our website are dynamic and allow dynamic authorization schemes.

It seems like there should be an easier way to manage this with 2.0. The
SiteMap provider seems to be a very logical place for me to add roles and
security. I noticed that there is some role use but I believe this is only
for the controls that consume the SiteMap and not for Forms Authentication.

Thanks for any help,
Tyler


--
------------------
Tyler Carver
RE: Programmatic Forms Authentication v-yren NO[at]SPAM microsoft.com (
2/22/2006 12:00:00 AM
Hi Tyler,

Thanks for posting!

For the current issue, my understanding is that you want to manage the
authentication of the site. If I have misunderstood anything, please feel
free to let me know.

As far as I know, the "location" element in the web.config file can be used
for the directory or sub directories. I suggest you put the pages which
allow the authorized client to access into the same directory. And then,
you just need to mark the path of the directory in the web.config file. The
following link is a detailed explanation of the "location" element. I hope
this will be helpful.

If you have any issues or concerns, please let me know. It's my pleasure to
be of assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
RE: Programmatic Forms Authentication v-yren NO[at]SPAM microsoft.com (
2/22/2006 12:00:00 AM
Hi Tyler,

Sorry for carelessness!

The link is below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrflocationelement.asp

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
RE: Programmatic Forms Authentication Tyler Carver
2/22/2006 8:10:26 AM
I think you misunderstood my question. I'm not asking how do I apply forms
authentication to a certain directory or file from the web.config, I'm asking
how do I apply authentication and authorization to a URL programmatically.
For instance let's say I have the following 2 URLs that I want to apply roles
to:

http://myweb.com/doc.aspx?id=1

I want the following role:
ServiceA

http://myweb.com/doc.aspx?id=2

I want the following role:
ServiceB

I want the fact that these two URL's have these roles to be managed in a
database and then when a request comes in for these URL's I want to let forms
authentication know what authorization and roles to apply to that URL.

I appreciate your input here but it has no relevance to my question. I know
how to control authentication and authorization from the web.config.

Thanks,
RE: Programmatic Forms Authentication Tyler Carver
2/22/2006 9:22:29 AM

Ya I've thought about writing a Http Module that would check the URL and the
assigned roles and then do this very thing. Of course you can't control
authentication that way but I could control authorization. I just wish MS
would have added a provider for this, I don't know why it has to be hard
coded in the web.config.

I'm considering this as a work around because the right way to do it is to
have Forms do its normal job and for me to control what authentication is
assigned to what URL. So I am still interested in a programmatic way to
control the <authorization> element of the <system.web> configuration. This
way I can correctly apply full authentication and authorization. (Also, I
RE: Programmatic Forms Authentication Dominick Baier [DevelopMentor]
2/22/2006 3:23:42 PM
Hi,

you can use Context.User.IsInRole() to check for the role of the user. If
that fails you can call FormsAuthentication.RedirectToLoginPage

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Re: Programmatic Forms Authentication MikeS
2/22/2006 5:58:23 PM
Not sure if this is what you are after but...

The location tag path can't be made unique based on the querystring but
the sitemap url can.

Sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/" title="Home" roles="*">
    <siteMapNode title="ServiceA" roles="ServiceA">
      <siteMapNode url="~/doc.aspx?id=1" title="Doc" />
    </siteMapNode>
    <siteMapNode title="ServiceB" roles="ServiceB">
      <siteMapNode url="~/doc.aspx?id=2" title="Doc" />
    </siteMapNode>
  </siteMapNode>
</siteMap>

web.config:
<siteMap defaultProvider="default">
  <providers>
    <add name="default" type="System.Web.XmlSiteMapProvider"
         siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
  </providers>
</siteMap>

<location path="doc.aspx">
  <system.web>
    <authorization>
      <allow roles="ServiceA,ServiceB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Or if you want my own cheesy hack then you can spin up your own user
for the specific request...

' Requires: Imports System.Security.Principal
Protected Sub Application_PostAuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim a As HttpApplication = CType(sender, HttpApplication)
    If a.Context.User IsNot Nothing _
        AndAlso a.Context.User.Identity.IsAuthenticated _
        AndAlso a.Request.AppRelativeCurrentExecutionFilePath = "~/doc.aspx" _
    Then
        Dim id As Integer
        ' TryParse rather than CInt, so a missing or non-numeric id does not throw.
        If Integer.TryParse(a.Request.QueryString("id"), id) Then
            Dim gi As GenericIdentity = New GenericIdentity(a.Context.User.Identity.Name)
            ' The role name is built from the requested id: 1 -> ServiceA, 2 -> ServiceB.
            Dim r() As String = New String() {"Service" & Chr(64 + id)}
            ' now supporting A-Z and beyond, TODO: replace with db code.
            Dim gp As GenericPrincipal = New GenericPrincipal(gi, r)
            ' Replace the principal for this request only.
            a.Context.User = gp
        End If
    End If
End Sub

This at least breaks the windows rolemanager (Roles.*) for this request
but User.IsInRole, location tag locks and securityTrimming still work.
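
An added example, not code from any poster in this thread: an HTTP module of the kind discussed above, which looks up the role that a doc.aspx?id=N URL requires and tests it against the roles the signed-in user already holds, using Context.User.IsInRole. The module name and the in-memory RequiredRoles table (standing in for the database) are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.Security

' Added example; class and table names are hypothetical.
Public Class UrlRoleAuthorizationModule
    Implements IHttpModule

    ' Constructed sample data standing in for the database table that maps
    ' "path?id=n" to the role required to view it.
    Private Shared ReadOnly RequiredRoles As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)

    Shared Sub New()
        RequiredRoles.Add("~/doc.aspx?id=1", "ServiceA")
        RequiredRoles.Add("~/doc.aspx?id=2", "ServiceB")
    End Sub

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.AuthorizeRequest, AddressOf OnAuthorizeRequest
    End Sub

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Private Sub OnAuthorizeRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim app As HttpApplication = CType(sender, HttpApplication)
        Dim ctx As HttpContext = app.Context
        Dim path As String = ctx.Request.AppRelativeCurrentExecutionFilePath
        If Not String.Equals(path, "~/doc.aspx", StringComparison.OrdinalIgnoreCase) Then Return

        ' Anonymous callers are sent to the forms login page.
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            app.CompleteRequest() ' RedirectToLoginPage does not end the request itself
            Return
        End If

        ' Parse the id strictly and rebuild the key from the parsed value,
        ' so "id=01" and "id=1" resolve to the same table entry.
        Dim id As Integer
        Dim role As String = Nothing
        Dim known As Boolean = Integer.TryParse(ctx.Request.QueryString("id"), id) _
            AndAlso RequiredRoles.TryGetValue(path & "?id=" & id.ToString(), role)

        ' Deny by default: unmapped ids and users lacking the role both get 403.
        If Not known OrElse Not ctx.User.IsInRole(role) Then
            ctx.Response.StatusCode = 403
            app.CompleteRequest()
        End If
    End Sub
End Class
```

The module is registered under <httpModules> in <system.web>; the roles it checks are whatever the configured role provider or the forms ticket attached to the principal, not anything taken from the request.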
Re: Programmatic Forms Authentication Tyler Carver
2/22/2006 9:26:27 PM
Hi Mike,

The sitemap stuff looks very interesting.

So are you saying that if I add all the roles to the global location, add
only the roles I REALLY want in the site map for the specific location, and
then turn on security trimming, Windows Forms will only use what I have added
as roles in the site map to my specific URL?

If this is true then I can easily write a custom sitemap provider and take
care of all this in the db. Of course I will have to make sure that there
are no security holes in my website given the fact that I have added all
roles to the root. Also, if this is true then I may be peeing in my pants.

Time to get testing. Thanks!

Re: Programmatic Forms Authentication v-yren NO[at]SPAM microsoft.com (
2/24/2006 12:31:47 PM
Hi Tyler,

Sorry for the misunderstanding! I think the issue is related to ASP.NET v1.1.

If you want to use the SiteMap to approach your issue, as Michael
mentioned, the security is still controlled from location. So, your idea
is appropriate, you can write your own provider for current issue. Thanks
for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support