Security :: Controlling Directory Wise Authorization From Database?
Nov 22, 2010
In my website project, I have not used any controls like login, createuser, forget pass etc. However, I can log in, create a user, recover a password, change the security question etc., using only code-behind programming. I mean, without using any inbuilt security controls as discussed above, I am fully secured, but on some points I need a little help. I have stored all users' credentials in columns named username, password, securityques, security ans, libraryadmin (this is a checkbox field), contentadmin (this is a checkbox field) etc. I wish that, when I check the libraryadmin or contentadmin field in the database for any user, he can access that zone too. Still, I am using this feature as given below:
****************************************************
[Code]....
****************************************************************
Look at the code above: in the "libraryadmin" directory/zone only username "abhimanyu" is authorized, and likewise in the "contentadmin" directory/zone only "abhimanyu" is authorized. But I wish to control such authorization from the database where I have stored the credentials. I mean, by checking the checkbox field named libraryadmin (this is a boolean field) in the database, that user is automatically authorized, with no need to always type it in the configuration file. Do you have any idea about this, or can you tell me some articles on it? I know how to manage it with ASP.NET default authorization and authentication. I just need it done manually, as I have described above.
View 1 Replies
Similar Messages:
Apr 26, 2010
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests here: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about claims based authorization, which to me looks very similar to what we have. Can someone put in simple terms what the advantages of claims based authorization are?
View 1 Replies
Apr 21, 2010
I've created a web application that's using Windows Authentication using roles authorization.
In VS2008 everything runs fine when running the app or browsing using the VS web server.
I create a new virtual App in IIS6 and then try to browse the page. The app hangs, and has a very mysterious habit of creating a new SQL Server Express database in our appdata directory called TimeTracker.MDF.
So I was thinking somewhere along the line we installed a TimeTracker Starter Kit and it updated a configuration file somewhere.
My initial reaction was to search all of the config files under the framework directories. So I did that using Windows GREP, only to find one entry here:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\26676eb7\92c7e946\App_Code.hcjj1nuh.dll
View 2 Replies
Nov 25, 2010
In my table test:
Name Add
0 prinku sad
1 tommy asdsa
2 ghhgh sdsdd
Now I want to select the name in the first row. I am using the ADO.NET Entity Framework.
empEntities db = new empEntities();
Now how do I select the name at 1?
db.Tests.Name.ElementAt(1); ?
Actually, this throws an error...
View 5 Replies
Nov 24, 2013
I have a basic understanding of caching webpages for a duration. Now I have some complex requirements:
1. User e.g. "Nauna" logs in to the ASP application
2. Visits the report page
3. Passes data range from 01-01-2013 to 30-12-2013 and extracts the report, which retrieves data in 55 seconds on a gridview
4. Now I want that the next time user "Nauna" logs in to the application and uses the same report with the same parameters 01-01-2013 to 30-12-2013, the report should come up from cache instead of running the complete life cycle.
View 1 Replies
Nov 22, 2010
I have an asp.net 3.5 web application for which the client has requested that the security model allows (a licensing model) restricting the number of simultaneous users logged onto the website. I am not sure how this is achievable - I'm currently controlling membership via the AspNetSqlMembershipProvider.
View 5 Replies
Sep 3, 2010
If I want to limit certain users or user_groups to
- create a packing list (which consists of a number of items and quantity)
and then the creator of the packing list can select users / user_groups to have the right to
- read a packing list
- update a packing list
- delete packing lists
Can this be done by a custom made RoleProvider? How best to implement the authorization?
View 1 Replies
Apr 21, 2010
What are the authentication modes available in ASP.NET? How do you set the authentication mode in an ASP.NET application? How do you provide secured communication in ASP.NET? List out the differences between Windows authentication and Forms authentication.
View 3 Replies
May 18, 2010
I'm using Forms authentication in ASP.NET MVC website and I store user account login name in AuthCookie like this: FormsAuthentication.SetAuthCookie(account.Login, false); I want to ask if there is a possibility that user on client side will somehow manage to change his login name in AuthCookie and thus he will be for example impersonated as someone with higher privileges and authorized to do more actions than he is normally supposed to have. Also is it better to save in this cookie user account login name or user account ID number?
View 3 Replies
Feb 16, 2010
I'm using Visual Studio 2005 with C# on .NET Framework 2.0. I am implementing forms authentication in this project, but the problem is that when I'm on the registration form (outside login) and try to open any window on that form using JavaScript (window.open), it redirects me to the login page. How should I tackle this problem?
View 1 Replies
Aug 24, 2010
I have an ASP.NET application that can be installed with either Forms Authentication or Windows Authentication. All of my customers install using Windows Authentication. I use Forms Authentication in-house as it is easier for me to work with different clients. But enough about that.
I have a module as part of my application for Mobile Users. It displays a very simple HTML interface for low bandwidth phones and air cards. It seems that when some phones go to this type of site that uses Windows Authentication, it throws an error saying that you aren't authorized to view the page. From a computer, it will ask for credentials.
What I would like to do is use Windows Authentication Or Forms for my Main Application, but in the MOBILE folder, it would be nice if I could use FORMS Authentication. Can I mix the two? Can I just add a Web.Config to the folder for the Mobile Files and put FORMS Authentication?
The only other way I thought of doing this is:
1) Create a separate installable application that is always FORMS Authentication and is not part of the main application. Which sucks, as I now have to manage two applications.
2) In the main Web.Config I can set that folder to have no authentication and it will be avail to anyone, and then enforce my own authentication on the few pages it contains.
View 1 Replies
Sep 30, 2010
I'm using a Custom Role Provider for authorization.
There are 2 roles: "VIEWER" and "SYSTEM_ADMINISTRATOR".
I have set up my role for my account as "VIEWER".
Roles.GetRolesForUser(this.User.Identity.Name) returns "VIEWER"
User.IsInRole("SYSTEM_ADMINISTRATOR") returns false
Web.Config contains below:
<location path="Administration">
  <system.web>
    <authorization>
      <allow roles="SYSTEM_ADMINISTRATOR"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
However, I can still access the ~/Administration pages.
Even if I change the web.config to:
<location>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
I can still access any of the pages, but I shouldn't be able to access any page when this is set. Correct?
I'm pretty sure my Role Manager is working fine (see above calls to User and Roles), but here's the config:
<roleManager enabled="true" defaultProvider="MyRoleProvider" >
  <providers>
    <clear/>
    <add type="MyNamespace.MyRoleProvider" name="MyRoleProvider"/>
  </providers>
</roleManager>
I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.
View 1 Replies
Jul 2, 2010
Trivial question:
Noticed the following error whilst trawling the logs:
Authorization rule names cannot contain the '*' character
I have the code:
[Code]....
Does that mean I don't need to make any authorisation rules - I had used:
[Code]....
Now - is that completely redundant? Also, is * wrong syntactically?
View 2 Replies
Jun 28, 2010
I am looking for some suggestions for an application I am writing. Here is a brief description of the application: The application is written in C# ASP.NET version 4.0 and is to be hosted on an IIS6 web server. The purpose of the application is to serve as a download page for sensitive documents. There will be several levels of access which will be granted according to user credentials stored in a SQL table. I don't want the application to check the user's NT ID and either allow or disallow access to the application depending on whether they are authorized or not; I want it to filter on data, i.e. everyone can view the application, it will just limit the data they can view depending on their access.
point me in the direction of some source code that can check the NT ID of user's local machines and compare it to a table in SQL?
View 2 Replies
Feb 28, 2011
We're writing an app that has a requirement for allowing/disallowing access based on user role. In a traditional .NET app, of course, you set the security trimming attribute in the web.config and set the nodes in the web.sitemap file and you were set.
View 2 Replies
Mar 29, 2011
I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
View 1 Replies
Jan 30, 2010
I need a clear exposition of authentication and authorization in .NET.
View 3 Replies
May 26, 2010
Which is the best method to create my own customized login page?
I'm not interested in using inbuilt controls; that's why I want to make my own sign up pages and login page.
View 3 Replies
Nov 30, 2010
I am going through the Security Tutorials here on ASP.Net. I am currently working on the last part of the Membership - User-Based Authorization. The tutorial covers restricting access to specific pages or to directories using a second Web.Config file. I am running into a problem with the myLogin page DestinationPageURL. Here is what is happening:
1. When the website starts, the Login page opens.
2. If I log in with an existing user, I am sent to the Default.aspx page. That is what is in the myLogin.DestinationPageURL for the login page.
View 1 Replies
Jan 26, 2010
A few years ago I worked with a team that developed what we thought, at the time, was a unique security model for a company ecommerce site. We wrapped every object (that we cared about) with an authorization / role check. So internal and external would use the same site, but what fields, buttons, links etc. they saw varied with their authorization / role assignments. I know .NET now has some RAD (Rapid App Dev) tools for security / authentication / authorization. Everything I have been reading is based upon securing pages / folders / areas of a site, but nothing about the level of granularity we took it to, so:
1. Was this not such a good way to go back when we did it?
2. I thought Microsoft had an entire security "plug-in" (not Windows Authentication). Database, roles, etc.
(Don't get me wrong, they have made life a ton easier with what they have given us.)
3. What is the current method / practice in use for reasonably high security ecommerce environments? Cookieless Forms Auth? Something new altogether?
View 2 Replies
Aug 12, 2010
Where can I find a good tutorial on setting up roles and authorizing them? I'm using Windows Authentication for an intra-net based app and need to figure out how to grant the users access to the various pages.
View 5 Replies
Oct 21, 2010
I'm trying to use a custom Principal (with custom Identity) for security. This all works fine for logging in, out etc. I am now trying to limit access to unauthorised users within my code as follows:
[Code]....
Again, all is fine there. Except I need some more complicated rules, something along the lines of "Allow Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials". All of that information exists within a database.
View 2 Replies
Sep 22, 2010
I am working on a scenario where I need to combine three applications into one (project requirement). I link the three applications on a web page, and whichever link is clicked, I redirect to that page.
My application structure looks as below:
MainPage
- Folder1 with App1 (uses Active Directory group for authentication)
  - SubPages
- Folder2 with App2 (uses Membership roles and users)
  - SubPages
- Folder3 with App3 (uses other logins for Oracle database)
  - SubPages
Is it possible to provide authorization only for my App2 based on the role created in membership?
E.g.: there is user1 with role1 and user2 with role2, but I need to allow only user1 with role1.
When I was checking this scenario in the ASP.NET configuration settings to modify it, it has the allow-all permissions, which are disabled for modification, and it states that "Rules that appear dimmed are inherited from the parent and cannot be changed at this level."
View 1 Replies
Oct 26, 2010
I have the following site structure:
- Site
- Administration
- Resources
- Home.aspx
Basically no unauthorized users should be able to use the system, so they get properly redirected to Home.aspx which has the login controls.
The Administration folder contains a page that should be only accessible to authorized users, but also only to users that belong to specific roles. So I have a web.config inside the Administration folder as this:
[Code]....
At first sight I'd say that this configuration would check that only SystemAdministrators and AccountManagers can access the SecuredPage.aspx. But it doesn't. If I log into the system as a regular user (not part of the roles) and then go to http://mysite/Administration/SecuredPage.aspx, it allows me in, instead of showing a "you're not authorized" message.
I've also tried with location=Administration so to secure the entire folder, but same results.
View 1 Replies
Jun 28, 2010
When a user attempts to directly visit the URL admin.aspx, and they are not an admin, they are redirected to the login page. However, when the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.
Here's my Forms Authentication:
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />
</authentication>
View 1 Replies