I've just been experimenting with the security setup and I've found what I consider to be a serious issue, but on the other hand it's possible that it's a limitation of the Express version. But if it's not, I'd like to get my feedback in and hopefully prompt a useful discussion.

If I select Windows authentication there is no way for me to assign roles to Windows users: if I go to manage a role and try to select users to add to that role, Windows users are not listed. That would not be a problem if I were able to add Windows logins to the database as users, but I am not given the option to do so anywhere if I have selected Windows authentication, only if I select Forms authentication. If this is intended to be the way it works in the full product, that would be completely daft: I really hope somebody is not assuming we would rely on Windows roles as opposed to application-defined roles, because that is nowhere near flexible enough for intranet applications, and it would in any case be silly to assume that an intranet application will be administered by the same people who administer Windows logins.

For our intranet using the existing version of ASP.NET we typically trap authentication from the Global.asax and at that point create a GenericPrincipal object from the current user, associated with a list of roles pulled from the database - specific to that application - then map that GenericPrincipal back to the current user. This works beautifully, and gives us completely flexible role management for the intranet. So WHAT does Visual Web Developer 2005 Express Edition want me to do? I am perplexed.

An additional query I have (I'm just not sure of the significance of it) is that I've noticed that when I create roles and users (having given in and selected Forms authentication) the entries are created against an application with the name of "/", not the actual web application name. Does this mean, as I assume, that users and roles are created against the site as a whole, not the actual application, and if so, is that simply a feature of the Express edition? (Otherwise, what have I missed?)

PS. Unless it's hidden somewhere in plain sight, you might want to consider giving the target audience for the Express edition some guidance on how to configure SQLExpress for use as the SQL provider for ASP.NET. I do this stuff for a living so I was able to figure it out, but I think it could be pretty nasty for someone just dipping their feet in web development. I know they could use the Access provider, but any hobbyist with the heart of a programmer is going to want to try the SQL provider because it's *there*.
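The ASP.NET 1.x pattern Kevin describes above (trap authentication in Global.asax, build a GenericPrincipal from the Windows identity plus roles pulled from the application's own database) looks like the following. This is an added example, not code from the thread; the appSettings key "IntranetConnectionString" and the table AppUserRoles(UserName, RoleName) are placeholders I have assumed.

```csharp
// Added example (not code from the thread): ASP.NET 1.x Global.asax code-behind that
// swaps the WindowsPrincipal for a GenericPrincipal carrying application-defined roles.
// Assumptions (placeholders, not from the thread): an appSettings key
// "IntranetConnectionString" and a table AppUserRoles(UserName, RoleName).
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

public class Global : HttpApplication
{
    // Fires once per request, after IIS/ASP.NET have set the WindowsPrincipal for
    // <authentication mode="Windows"/> and before any <authorization> check runs.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return; // anonymous request: leave the default principal alone

        IIdentity identity = Context.User.Identity; // Name is "DOMAIN\user"
        string[] roles = GetRoles(identity.Name);

        // Keep the Windows identity (audit logs still see the real account) but attach
        // application-defined roles; User.IsInRole and <allow roles="..."/> now evaluate
        // against those instead of Windows groups.
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Looks up roles, caching per user for a few minutes so every request does not
    // cost a database round trip. A revoked role stays effective until the cache
    // entry expires, so keep the window short.
    private string[] GetRoles(string userName)
    {
        string cacheKey = "roles:" + userName.ToLower(CultureInfo.InvariantCulture);
        string[] cached = Context.Cache[cacheKey] as string[];
        if (cached != null)
            return cached;

        string[] roles = LoadRolesFromDatabase(userName);
        Context.Cache.Insert(cacheKey, roles, null,
            DateTime.Now.AddMinutes(5), Cache.NoSlidingExpiration);
        return roles;
    }

    // Parameterised query: the user name comes from the Windows token rather than
    // from the client, but it is still never concatenated into SQL.
    private static string[] LoadRolesFromDatabase(string userName)
    {
        string connStr = ConfigurationSettings.AppSettings["IntranetConnectionString"];
        ArrayList roles = new ArrayList();

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM AppUserRoles WHERE LOWER(UserName) = LOWER(@UserName)", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return (string[])roles.ToArray(typeof(string));
    }
}
```

The application's role table is the only thing an intranet administrator has to edit, which is the flexibility Kevin is after; the SQL account behind "IntranetConnectionString" only needs SELECT on AppUserRoles.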
To clarify, I mentioned creating a GenericPrincipal only to illustrate how dynamically derived roles can be associated with a Windows identity in ASP.NET 1.0; I would fully expect this to be handled by the roles system in ASP.NET 2 (I assume something very like this already happens with Forms authentication under the covers). The bits I seem to have missed are:

1) HOW do I specify my own application path? I assumed that when I used the online website administration tool from within a particular application, the settings in question applied to that application; I don't recall anywhere where I was prompted or given the opportunity to enter an application name or path. That said, I do appreciate the ability to define roles and users at a site level as well. On the other hand, the current behaviour seems to involve assumptions that fit more closely a local Access mdb than a SQL Server database with global scope.

2) Other than manipulating the database directly, how do I add users to a given role? When I tried to do this using the role management option of the ASP.NET configuration tool, not only were users not listed (which I'll accept for now, since there has been no way to add Windows users to the aspnetdb database with this version), but there is no option for me to type in a username and set it up that way (which I would be perfectly happy to do).

Given that what I want to do is perfectly logical for an intranet application and in no way unusual, I would expect support for this with the default providers. Come on, guys, it's not THAT hard.
You can set the ApplicationPath attribute in the web.config for your provider, so you have to add the provider into the web.config to change the ApplicationPath. If you enable the Role feature in the ASP.Net configuration tools, you could add roles programmatically by using the Roles.AddUsersToRole method. But if you use Windows authentication you can't (as far as I know) add roles to a user in the ASP.Net configuration tools. As you have mentioned, the users will not be listed; this will probably be possible in Beta 2 when the AD/ADAM provider will be available.
Your suggestion about having an easy way to select domain users and add them is a good one. I will add it to the list of future items to look at baking into our admin tools. This will also act as a reminder for a good sample in Whidbey. The web admin tool itself is allowed to be extended by the community at large, though we still have to work out the general guidance we give folks so that custom code doesn't get stomped on when a service pack is released.

In terms of why the web admin tool (WAT) doesn't have this functionality from the beginning, we thought the WAT would be more suitable for smaller applications, hoster scenarios, and developer desktops. We actually thought that businesses would probably not want a web based tool reaching out into their directories and mucking around (even though this would be read-only access).

With all that said, Fredrik's notes about using the API directly for now are correct. Two additional points of info on this:

1. You can use Role Manager from outside ASP.NET. So it is pretty easy to put together a console app that creates one or more roles, and then adds all the desired users to the various roles.

2. When adding users to roles, make sure to first test out how the usernames are appearing in ASP.NET. Most likely you will be passed usernames in the older DOMAIN\USERNAME syntax. You need to make sure that the same username is applied when calling AddUserToRole (or one of the related overloads).

Other than that, once you populate users and roles, and you enable role manager in config, the RoleManagerModule will automatically attach a RolePrincipal to the HttpContext for each request.

For the application name question, you will need to manually set the applicationName configuration attribute. We had kicked around ideas for auto-magically determining this value based on the application currently running, but we decided that the logic would become rather complex, especially taking into account things like ASP.NET vs. non-ASP.NET hosts, as well as boundary issues such as what should we choose for application name when the ASP.NET application is actually the root of a web site.

Also - there was another question that came in via the MSDN site about the Lowered* column names. We changed our logic to physically materialize the values in Beta 1. The reason is that lowering on the fly effectively eliminates indexes from being evaluated during query execution. Previously the sproc code had something like: "where LOWER(@UserName) = LOWER(UserName)". Now the sproc code looks like: "where LOWER(@UserName) = LoweredUserName". The new code allows the index on the LoweredUserName column to take effect during searches and lookups. The underlying reason for all of the LOWER'ing is that from a feature standpoint we want user names and role names to be case insensitive. With this constraint, both IsInRole("FOO") and IsInRole("foo") return the same value. If we did not enforce this restriction, we think a lot of developers would trip over the subtleties caused by case-sensitive comparisons.

P.S. I will mirror the above into the MSDN bug report as well.
-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
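Fredrik's pointer to Roles.AddUsersToRole and Stefan's two points (drive Role Manager from a console app, and store users in exactly the DOMAIN\USERNAME form ASP.NET will present, with the applicationName attribute set explicitly) come together in the following program. This is an added example, not code from the thread or from Microsoft; the app.config shown in the comment uses the real .NET 2.0 element names, but the connection string, provider name, application name and the CONTOSO user names are placeholders I have assumed.

```csharp
// Added example (not code from the thread or from Microsoft): a console app that
// drives Role Manager outside ASP.NET to create roles and add Windows users in the
// DOMAIN\USERNAME form. It assumes an app.config like this (element and attribute
// names are the real .NET 2.0 ones; every value is a placeholder):
//   <configuration>
//     <connectionStrings>
//       <add name="AspNetDb" connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
//     </connectionStrings>
//     <system.web>
//       <roleManager enabled="true" defaultProvider="IntranetRoles">
//         <providers>
//           <add name="IntranetRoles" type="System.Web.Security.SqlRoleProvider"
//                connectionStringName="AspNetDb" applicationName="/IntranetApp" />
//         </providers>
//       </roleManager>
//     </system.web>
//   </configuration>
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

public class RoleSeeder
{
    // Only accept DOMAIN\user: exactly one backslash and no whitespace around it.
    // Anything else would be stored verbatim and never match a real request identity.
    private static readonly Regex DomainUser = new Regex(@"^[^\\\s]+\\[^\\\s][^\\]*$");

    public static bool IsDomainUserName(string userName)
    {
        return userName != null && DomainUser.IsMatch(userName);
    }

    public static void EnsureRole(string roleName)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
    }

    // Adds each user to the role and returns how many were actually added. The
    // membership test first matters: AddUserToRole throws a ProviderException
    // when the user is already in the role.
    public static int AddUsers(string roleName, string[] userNames)
    {
        int added = 0;
        foreach (string user in userNames)
        {
            if (!IsDomainUserName(user))
                throw new ArgumentException("Expected DOMAIN\\USERNAME, got: " + user);
            if (!Roles.IsUserInRole(user, roleName))
            {
                Roles.AddUserToRole(user, roleName);
                added++;
            }
        }
        return added;
    }

    public static void Main()
    {
        // Roles reads <roleManager> from app.config; ApplicationName shows the
        // applicationName configured there rather than the default "/".
        Console.WriteLine("Seeding roles for application " + Roles.ApplicationName);

        EnsureRole("Approver");
        int added = AddUsers("Approver", new string[] { @"CONTOSO\kdaly", @"CONTOSO\fredrikn" });
        Console.WriteLine(added + " user(s) added to Approver");

        foreach (string user in Roles.GetUsersInRole("Approver"))
            Console.WriteLine("  " + user);

        // Names are case-insensitive in the store, so this asks about the same
        // user as CONTOSO\kdaly above.
        Console.WriteLine("contoso\\KDALY is Approver: " + Roles.IsUserInRole(@"contoso\KDALY", "Approver"));
    }
}
```

Two things to check before relying on it: the applicationName in this app.config must be identical to the one in the web application's web.config, otherwise the rows land under a different application and the site never sees them (this is the "/" problem from the first post); and the account the console app runs as needs only membership in the aspnet_Roles_FullAccess database role that aspnet_regsql creates, not dbo.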
Thread: Application roles with Windows authentication

Posts in this thread:
Kevin Daly (Member), "Application roles with Windows authentication", Jul 01, 2004 12:56 PM
Fredrik N (All-Star, MVP), "Re: Application roles with Windows authentication", Jul 01, 2004 02:52 PM
Kevin Daly (Member), "Re: Application roles with Windows authentication", Jul 01, 2004 08:13 PM
Fredrik N (All-Star, MVP), "Re: Application roles with Windows authentication", Jul 01, 2004 08:38 PM
sschack (Contributor, Microsoft), "Re: Application roles with Windows authentication", Jul 06, 2004 10:00 PM