
Verify User Group from ASP.NET

<M>ike - 24 Jun 2004 15:55 GMT
Hello,

I'm a little uncertain about what I'm asking so please be gentle.

I (think) I want to be able to identify and authenticate the currently
logged on user against the Active Directory. We have a 2000 domain server
and 2000 clients on our network.

The idea behind it all is I am storing documents in a SQL database and have a
list of groups who can view them. If the currently logged on user is not in
one of those groups then they should not be permitted to open the document.

I'm using VB.NET in ASP.NET to develop with and would appreciate any ideas
of where to look for examples of what to do.

Thanks,

<M>ike
Joe Kaplan (MVP - ADSI) - 24 Jun 2004 18:41 GMT
If you are using Windows authentication with IIS and ASP.NET (anonymous
disabled in IIS, authentication set to Windows in web.config), then all you
have to do is call Context.User.IsInRole("domain\group name")

That will return true or false if the currently authenticated user is in the
group you specified.  The Windows security system does all the heavy lifting
for you.

If you aren't using Windows auth, this is vastly more painful, but can be
done by looking up the user's groups programmatically.

Joe K.

> Hello,
>
[quoted text clipped - 14 lines]
>
> <M>ike
<M>ike - 25 Jun 2004 09:48 GMT
Wow,

That's pretty simple. Compared to the old classic ASP days, it's a doddle!

Cheers,

<M>ike

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> If you are using Windows authentication with IIS and ASP.NET (anonymous
> disabled in IIS, authentication set to Windows in web.config), then all you
[quoted text clipped - 30 lines]
> >
> > <M>ike
<M>ike - 25 Jun 2004 10:35 GMT
Ok,

A slight variant of the same theme, if (for example) that I (current logged
on user) am a member of the Administrators group and I use the IsInRole test
against a subgroup that I have not been explicitly added to but still have
higher permissions than I will get 'False' as the result. Is there a way of
testing overall permissions rather than explicit group names, or does this
then start to get into problems?

<M>ike
Joe Kaplan (MVP - ADSI) - 25 Jun 2004 15:01 GMT
It sounds like what you want to do is roll up your AD groups into
application-specific role descriptions.  For example, you might want to put
domain\admins1, domain\admins2 and domain\admins3 into a role in your
application called Administrators.

If that is what you want and you are using Win2K3 server for your web
server, the best thing to check out is Authorization Manager (AzMan).  It
allows you to build application specific roles, tasks and operations and map
them to users and groups at runtime.

You could also build something similar in ASP.NET, but you'd have to write
it yourself.  One thing you might do is write an HttpModule that examines
the WindowsPrincipal returned by the Windows authentication module and maps
the user name and Windows groups into application specific roles.  You would
then create a new IPrincipal object (probably based on the GenericPrincipal
class, but you can write your own easily if you want) that contains your
application specific roles.  Then, you would test against those roles in
your application instead of the groups directly.

Such a thing is more work, but might be worth it.  Unfortunately I don't
have a sample to point you towards.  However, the .NET role-based
authorization framework is very flexible and doing this kind of stuff is not
very hard.

Joe K.

> Ok,
>
[quoted text clipped - 6 lines]
>
> <M>ike
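
Added example, not part of the original thread and not code from any poster: a sketch of the HttpModule approach described in the last reply, which replaces the WindowsPrincipal with a GenericPrincipal carrying application roles. The class name `RoleMappingModule`, the role names and the `DOMAIN\readers` group are hypothetical; `DOMAIN\admins1` to `DOMAIN\admins3` follow the placeholder names used in the reply.

```vbnet
Imports System
Imports System.Collections
Imports System.Security.Principal
Imports System.Web

' Added example: rolls Windows groups up into application-specific roles.
' Class, role and group names are hypothetical placeholders.
Public Class RoleMappingModule
    Implements IHttpModule

    ' Application role -> Windows groups that grant it.
    Private Shared ReadOnly RoleMap As Hashtable = BuildRoleMap()

    Private Shared Function BuildRoleMap() As Hashtable
        Dim map As New Hashtable()
        map("Administrators") = New String() {"DOMAIN\admins1", "DOMAIN\admins2", "DOMAIN\admins3"}
        map("DocumentReaders") = New String() {"DOMAIN\readers", "DOMAIN\admins1"}
        Return map
    End Function

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        ' Runs after the built-in Windows authentication module has set Context.User.
        AddHandler app.AuthenticateRequest, AddressOf OnAuthenticateRequest
    End Sub

    Private Sub OnAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = DirectCast(sender, HttpApplication).Context
        ' Leave the principal untouched unless Windows auth produced an authenticated user.
        If Not TypeOf ctx.User Is WindowsPrincipal Then Return
        Dim winUser As WindowsPrincipal = DirectCast(ctx.User, WindowsPrincipal)
        If Not winUser.Identity.IsAuthenticated Then Return

        ' Grant an application role when the user is in any group mapped to it.
        Dim roles As New ArrayList()
        For Each entry As DictionaryEntry In RoleMap
            For Each groupName As String In DirectCast(entry.Value, String())
                If winUser.IsInRole(groupName) Then
                    roles.Add(entry.Key)
                    Exit For
                End If
            Next
        Next

        ' A user in none of the mapped groups ends up with an empty role list.
        Dim roleNames As String() = DirectCast(roles.ToArray(GetType(String)), String())
        ctx.User = New GenericPrincipal(winUser.Identity, roleNames)
    End Sub

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub
End Class
```

Once the module is registered under `<httpModules>` in web.config, pages test `Context.User.IsInRole("Administrators")` against the application role rather than an individual domain group.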
