Look through these articles:
http://aspalliance.com/553
http://msdn2.microsoft.com/en-us/library/ms172766(VS.80).aspx
Patrick
<charles@charlesforsyth.com> wrote in message
news:1144651228.462354.195510@u72g2000cwu.googlegroups.com...
> Hi,
>
> I am trying to port my ASP application to ASP.Net 2.0.
>
> My application is sold to large corporations that have many thousands
> of users. So I do not use Forms authentication. To make it more
> convenient for them I developed a custom hybrid model of authentication
> and authorization.
>
> You see, the site administrator is often a non-technical person and
> doesn't have the rights to create Windows Groups or Windows Accounts
> or assign Windows Users to Windows Groups.
>
> For this reason, I created a web interface that allows an administrator
> to create and edit "Site Roles" (as I call them). All he must do is
> associate an existing Windows User Group with the Site Role, and then
> decide which security contexts that Site Role may access.
>
> When a user accesses the site, he's authenticated using Windows
> Authentication (Integrated). Then in the Session_OnStart event I have
> code that determines which Roles that user belongs to and which
> Security Contexts that user has permission to. I store these in Session
> variables for that user.
>
> If a Windows User is not a member of any Windows Group associated to a
> Site Role, they do not get access.
>
> Each page that has security contexts has code that checks the session
> variable to make sure that user has access or not to that context. If
> not, they are presented with an error message popup after being
> redirected to the page they came from (or the default page if no
> referrer was found).
>
> What I want to do is build a similar method of authorization in my .Net
> application. I know there are many new security features in .Net; I
> just haven't learned them all so I can't make an informed decision
> as to how to proceed.
>
> Anyone have any suggestions or examples of Windows Authentication but
> using custom Role based authorization?
>
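
A sketch of the model described in the question, added here as an example and not code from either poster: each Site Role maps to one Windows group and to a set of security contexts, and access is decided from the authenticated principal with deny-by-default. All class, group, role and context names are hypothetical, and `GenericPrincipal` stands in for the `WindowsPrincipal` that ASP.NET supplies under Integrated Windows Authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example; class names and sample values are hypothetical/constructed.
public sealed class SiteRoleAuthorizer
{
    private readonly Dictionary<string, string> _roleToGroup;             // Site Role -> Windows group
    private readonly Dictionary<string, HashSet<string>> _roleToContexts; // Site Role -> security contexts

    public SiteRoleAuthorizer(Dictionary<string, string> roleToGroup,
                              Dictionary<string, HashSet<string>> roleToContexts)
    {
        _roleToGroup = roleToGroup;
        _roleToContexts = roleToContexts;
    }

    // Deny by default: access requires an authenticated user who is in a Windows
    // group tied to a Site Role that lists the requested security context.
    public bool CanAccess(IPrincipal user, string securityContext)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (KeyValuePair<string, string> pair in _roleToGroup)
        {
            HashSet<string> contexts;
            if (user.IsInRole(pair.Value)
                && _roleToContexts.TryGetValue(pair.Key, out contexts)
                && contexts.Contains(securityContext))
                return true;
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var auth = new SiteRoleAuthorizer(
            new Dictionary<string, string> { { "Editors", @"CORP\WebEditors" } },
            new Dictionary<string, HashSet<string>> { { "Editors", new HashSet<string> { "EditArticles" } } });
        // Constructed principals: one in the mapped group, one in no mapped group.
        IPrincipal member = new GenericPrincipal(new GenericIdentity(@"CORP\alice"), new[] { @"CORP\WebEditors" });
        IPrincipal outsider = new GenericPrincipal(new GenericIdentity(@"CORP\bob"), new string[0]);
        Console.WriteLine(auth.CanAccess(member, "EditArticles"));   // role grants this context
        Console.WriteLine(auth.CanAccess(member, "ManageUsers"));    // context not granted to any held role
        Console.WriteLine(auth.CanAccess(outsider, "EditArticles")); // no mapped group membership
    }
}
```

In a page, the same check can be made against `HttpContext.Current.User` on each request instead of reading values cached in Session variables at `Session_OnStart`.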