adao.c.monte...
Member
17 Points
10 Posts
user access best practices
Feb 22, 2012 02:52 PM
Hello all,
I'm building a website that needs to restrict access to functionalities/pages depending on the user/role.
I'm building upon asp.net membership schema with users/roles.
My problem is that I want to have a web page where the admin configures access to the various functionalities where he has a list of functionalities with checkboxes for each one and selects what that particular user can access.
If I do this with roles how can I define access in run time to the several pages/folders (I know that we can do this with the web.config).
If someone has a better idea on how to implement this please let me know.
thanks,
Adam
b471code3
Star
13877 Points
2598 Posts
Re: user access best practices
Feb 22, 2012 05:18 PM
If you're using the built-in functionality, check this out: http://www.4guysfromrolla.com/articles/040506-1.aspx
Horizon_Net
Star
8277 Points
1435 Posts
Re: user access best practices
Feb 22, 2012 06:18 PM
Hi,
if you're using ASP.NET MVC you should have a look at this blog post.
If my post solves your problem, please mark as answer.
adao.c.monte...
Member
17 Points
10 Posts
Re: user access best practices
Feb 23, 2012 03:47 PM
Hello all,
I have seen some different ways to control user/role access to webpages.
I have 4/5 functionalities that I want to limit access so I was thinking to divide them into folders and limit access with web.config file and editing the file at run time just like the asp.net configuration does.
This way I have all the flexibility I want. I can assign users/roles to the various functionalities but I've read that every time we change web.config the server restarts the application.
Is this true? And if so, what are the implications?
thanks,
Adam
b471code3
Star
13877 Points
2598 Posts
Re: user access best practices
Feb 24, 2012 12:20 PM
You are correct, any time you modify code in the app_code folder, bin folder or make modifications to the web.config file the application restarts. See my previous post. It works great for using the built in functionality and takes very little to implement.
adao.c.monte...
Member
17 Points
10 Posts
Re: user access best practices
Feb 27, 2012 05:08 PM
Hello b471code3,
I'm using the built in functionality, the default membership provider.
I didn't understand, did you suggest that I implement the approach of modifying the web.config file?
If so, doesn't the app restart affect user interaction?
thanks,
Adam
b471code3
Star
13877 Points
2598 Posts
Re: user access best practices
Feb 27, 2012 07:22 PM
There are a few ways of going about implementing folder level security, modifying the web.config is one of them. The other way is to programmatically assign your users to roles and check those roles prior to giving access to those folders/pages. This way stores all the users, roles and user's roles in the database and requires no web.config files in any of the sub folders.
Access is specified within your program. In fact, you could simply set up a method called public bool CheckAccess(string UserName) which would:
Get a list of roles based on the UserName passed in
Loop through each of the roles
Inside the loop, have a switch statement checking the directory they want access to and set the return value = true or false based on the role and directory combination.
You could also store a link between roles and folder access in the database as well. You'd have to create the table and schema as it doesn't exist.
Marked as answer by adao.c.monteiro on Feb 29, 2012 08:13 AM
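One way to write the CheckAccess method outlined in the post above, as an added example that is not code from any poster in this thread. It assumes a second parameter for the requested path, an in-memory table with hypothetical folder and role names in place of the database table, and a deny-by-default policy for anything the table does not list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class FolderAccess
{
    // Constructed sample data standing in for a role-to-folder table in the
    // database; the folder and role names are hypothetical.
    static readonly Dictionary<string, string[]> AllowedRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reports", new[] { "Manager", "Admin" } },
            { "Billing", new[] { "Accounting", "Admin" } },
            { "Admin",   new[] { "Admin" } },
        };

    // getRoles is the role lookup; in an ASP.NET site with the role manager
    // enabled, pass System.Web.Security.Roles.GetRolesForUser.
    public static bool CheckAccess(string userName, string appRelativePath,
                                   Func<string, string[]> getRoles)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(appRelativePath))
            return false; // anonymous user or missing path: deny

        // Match on the whole first path segment, so "~/AdminTools/x.aspx"
        // is never treated as part of the "Admin" folder.
        string[] segments = appRelativePath.TrimStart('~')
            .Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        if (segments.Length == 0)
            return false;

        string[] allowed;
        if (!AllowedRoles.TryGetValue(segments[0], out allowed))
            return false; // folder not in the table: deny by default
        string[] userRoles = getRoles(userName) ?? new string[0];
        return userRoles.Any(r => allowed.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed role assignments for hypothetical users.
        Func<string, string[]> roles = u => u == "alice" ? new[] { "Manager" } : new string[0];
        foreach (var path in new[] { "~/Reports/Sales.aspx", "~/Admin/Users.aspx", "~/AdminTools/x.aspx" })
            Console.WriteLine("{0} -> {1}", path, FolderAccess.CheckAccess("alice", path, roles));
    }
}
```

In a Web Forms site this check would typically run in Application_AuthorizeRequest in Global.asax, with Request.AppRelativeCurrentExecutionFilePath as the path and Context.User.Identity.Name as the user. Changes to the table then take effect without touching web.config, so they cause no application restart.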
Dave Sussman
All-Star
37716 Points
5005 Posts
ASPInsiders
MVP
Re: user access best practices
Feb 28, 2012 08:15 AM
Yes, b471 has it; that's the best method if possible. Assign a fixed set of roles and authorization for those roles (via folders & web.config files and/or location). Then it's just a matter of adding or removing users from the roles, in which case no web.config changes take place, so no app restarts.
If you really need a more flexible system, then it gets complex. You could store all of the authorization details in, for example, a database, but you'd need to create a custom RoleManager and Authorization provider.
ckonig
Member
2 Points
1 Post
Re: user access best practices
Feb 29, 2012 10:26 AM
I am currently planning a system with MVC3, and I really don't like the code-based restrictions that Microsoft suggests to use.
I also want to define access in run time. Therefore I use Reflection and store representations of my controllers and methods in the database, which I then associate with the Roles.