Authorization - How To Handle Membership Levels With Roles

Mar 21, 2011

I am building a subscription based web site, which currently has three subscription levels, i.e. Horses, Soccer, and Horses and Soccer. I was thinking of implementing standard role based authorization, where a Horses subscriber would get roles including those to use the Horses section, etc.

Should I use a standard role provider, and when a member subscribes to the site, assign roles for his subscription to him, or use a hierarchical role provider that, when asked for the roles for a member, only then uses the member's subscription level to 'calculate' a set of roles for the member?

View 2 Replies


Similar Messages:

Security :: Get The Website To Authorization Via The WCF Service And Membership - Roles And Profile

Jan 16, 2010

I have a client ASP.NET website that uses ASP.NET Membership, Roles and Profile providers and Login controls. I need to expand the application, so I was going to use WCF Workflows. The ASP.NET website will be hosted on a different server than the WCF Services, so what I want to do is get the ASP.NET website to auth via the WCF Service. So the process will go:

ASP.Net Website ------------------> WCF Service ------------------> SQL Database (Membership, Roles, Profile, Workflow Persistence Data and Business Data)

I tried creating custom Membership and Role providers, but I have had problems managing the users (MembershipUser class) saying null when a valid user has been returned by the WCF Service, as I can access the properties but not the methods.

View 5 Replies

Roles Authentication Works Using Authorization Attribute But Not Via Authorization In Web.config?

Mar 29, 2011

I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...

My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:

[Authorize(Roles="Administrators")]

However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:

[code]....

However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.

If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.

View 1 Replies

Security - Using Roles To Represent Different Access Levels?

Mar 4, 2010

I need to design a system that will control access to certain information. The requirement from the user is to use access levels e.g.

Level 1 - Support
Level 2 - Manager
Level 3 - Senior Manager
Level 4 - Department Head
etc.

If a certain piece of information is marked as Level 1, then all roles should be able to view that piece of information. If it is marked as level 3, then only the Senior Manager and Department Head can view it, but the Manager and Support roles can't view it.

Questions

When I assign the access level to a piece of information, will I have to assign multiple roles to it in order for me to achieve this functionality? Is there a better way of doing this?

View 2 Replies

Web Forms :: Write Usercontrol To Handle Access Levels With Panels?

Dec 30, 2010

I wanna write a usercontrol to handle different access levels on pages.

Below is the HTML I wanna achieve.

[Code]....

This is my code at this point:

[ParseChildren(false), PersistChildren(true)]
public partial class RequiredUserType : System.Web.UI.UserControl
{
public string UserTypes { get; set; }

[Code].....

My problem is that the <Content> and <AlternativeContent> don't get rendered as Panels, and on the client side it's rendered as the initial tags (<Content>) and not a div or whatever an asp:Panel normally gets converted to.

View 1 Replies

MVC :: Security Trimming/Roles Authorization?

Feb 28, 2011

We're writing an app that has a requirement for allowing/disallowing access based on user role. In a traditional .NET app, of course, you set the security trimming attribute in the web.config and set the nodes in the web.sitemap file and you were set.

View 2 Replies

Requiring Multiple Roles In Web.config Authorization?

Apr 29, 2010

Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:

<authorization>
<allow roles="Global, Region" />
<deny users="*" />
</authorization>

I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:

<authorization>
<allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
<deny users="*" />
</authorization>

I realize I probably should have a new role for this scenario, but I'd like to avoid that.

View 1 Replies

MVC :: 3 Hyperlink - Implement Roles Authorization On ActionLinks?

Mar 14, 2011

Is there a way to implement roles authorization on those ActionLinks?

View 5 Replies

Security :: Roles Setup And Authorization Tutorial?

Aug 12, 2010

Where can I find a good tutorial on setting up roles and authorizing them? I'm using Windows Authentication for an intranet-based app and need to figure out how to grant the users access to the various pages.

View 5 Replies

Security :: Authorization Against Roles And Additional Info?

Oct 21, 2010

I'm trying to use a custom Principal (with custom Identity) for security. This all works fine for logging in, out etc. I am now trying to limit access to unauthorised users within my code as follows:

[Code]....

Again, all is fine there. Except I need some more complicated rules, something along the lines of "Allow Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials". All of that information exists within a database.

View 2 Replies

C# - Handle Authentication / Authorization In A Web Application?

Feb 25, 2011

I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.

Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.

Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.

We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.

View 2 Replies

Membership / Authorization Over A REST Service?

Mar 23, 2011

I'm investigating creating a WCF REST service for an existing ASP.NET application to be consumed by various clients including Windows Phone 7, Android, iPhone apps etc. Creating a simple WCF REST service and consuming it from the above platforms is not a problem and works really well. What I am struggling to get my head around is authorization. The ASP.NET application uses the Membership provider to provide authentication and authorization and I'm comfortable in using that API from the REST service.

How do I secure my REST service so that the first call has to be to authenticate (passing the username and password) and following calls know who is 'logged in'. I'm guessing the authenticate method will have to pass back some sort of token to be used in subsequent calls identifying the caller. Is this secure enough as the whole site / service is over SSL?

View 2 Replies

Security :: Migrating Classic ASP Authentication & Authorization To Membership

Apr 28, 2010

I have an old website running fine in Classic ASP with a large customer base registered on the site. The current site allows users to have their own user name (unique) registered against an ID assigned to them. They can change the user name later as well, provided it is still unique in the database (the database is SQL Server 2005).

The problem: Now I want to move the website to .NET and want to use the .NET Membership. I know how to create the database structure in SQL Server through the aspnet_regsql script, but my problem is how I should import the existing usernames and passwords, as the password stored in the Membership DB is hashed (salt). Also, I might want to allow admins to impersonate users later.

View 5 Replies

Security :: Web.config Authorization Roles With Local Groups With Domain Groups In Them

Sep 29, 2010

I am "DomainMyDomainUserName". If I do this:

[Code]....

I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:

[Code]....

I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:

[Code]....

I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:

[Code]....

I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.

What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).

View 2 Replies

Security :: Membership Roles In MVC Asp 3.5?

Mar 1, 2010

Please explain the Membership Roles in MVC ASP.NET 3.5.

View 1 Replies

Membership Roles Web.config Settings

Nov 25, 2010

I can't seem to find this answer anywhere on google or stackoverflow, even though I'd thought it would've been an easy thing to do.

I want to understand how the system.web authorization tag on the web.config works, and what exactly each attribute and property does.

For instance, what does

<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>

Specifically what I want to do is to disallow access to most of the site for unauthenticated users, allow access to some of the site for authenticated users who belong to a certain role, and allow full access to users from a second role.

View 2 Replies

Membership And Roles Separation Relationship?

Jun 9, 2010

I have an ASP.NET project where I want to keep the membership (SQL Provider) in a separate database, and the Roles/Profiles will be per application.

Question

What is the KEY that relates the Membership database and the Roles/Profile database? Is it the UserID or UserName? I opened up the tables in separate explorers and noticed the UserID is different in the Membership database from that in the application Roles database.

View 2 Replies

Web Forms :: Menu Control Using Net Membership Roles?

May 25, 2010

I have a navigation menu I would like to display based upon user roles (using .NET membership). After several hours and headaches (from banging my head against the desk) I was wondering if someone can point me in the error of my ways.

[Code]....

[Code]....

How can I ensure that when the user is logged in, the appropriate menu items are displayed on the Landing page? Still new to all of this and my current method of 'trial and error' has seen me reach suicide levels this morning!

View 5 Replies

Security :: Getting Membership And Roles Tables Created In A Different Db?

Jul 29, 2010

Let's say that I have a database set up with a load of info in it and I decide I want to add the membership and roles functionality to my site, but my hosting provider makes me pay for each database I use. I don't want to pay for another db, so how do I set it up so that instead of creating membership and roles tables in the aspnetdb database, it creates them in my existing database?

View 5 Replies

.ASPXROLES Membership Roles Cookie Expiry?

Nov 15, 2010

Using ASP.NET 2.0, with forms authentication.
Just for a test, I configured the roles cookie in web.config like this :

<roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPXROLES" cookieTimeout="2"></roleManager>

I wanted to see what would happen when the cached role cookie expired. Using Fiddler, after 2 minutes had elapsed, I could see that the raw value of the role cookie had changed.

I was expecting that on expiry ASP.NET would simply re-read the roles information from the database and repopulate the cookie with the same value. So my question is, why would the raw value of the cookie change after expiry? The cookie value is not human-readable (base 64 encoded and/or encrypted?), so I can't tell if the information in it is the same, although the application still seems to work fine.

EDIT :

It looks like each time the roles are encrypted and cached in the cookie, it gets a different raw value.

e.g. if you run the following code :

RolePrincipal rp = (RolePrincipal) User;
string str = rp.ToEncryptedTicket();
Label1.Text = str;

View 1 Replies

.net - Adding Users / Membership And Roles To Site?

Apr 9, 2010

I have followed Scott Gu's tutorial here. I uploaded the whole database to my site. Before doing what Scott says I had one username stored in the membership. How can I create an additional user now that the table is in the web host? I can see that there's aspnet_Membership, aspnet_Applications, etc.

View 2 Replies

Web Forms :: Set Roles Without Membership And Role Providers?

Mar 10, 2010

How do I do that through the config file?

View 11 Replies

Security :: Use Membership Roles And Access In Code?

Jan 20, 2010

In my app I want to create two types of users: (1) 'staff' (2) 'admin'.

I have a page called registration which basically creates a user. I used the ASP.NET configuration wizard to create roles and set access rights to certain pages, and this works great.

However, if I was to deploy this app then users wouldn't have access to the ASP.NET wizard and therefore would not be able to create users with roles/access.

So how can I do this in code? Can I create a drop-down in the registration page with two values (staff and admin) which will represent roles, and then another drop-down with access rights (allow/deny)?

How can I now program these drop-downs and make them work like I would normally do using the ASP.NET configuration wizard?

View 8 Replies

Security :: Enable / Disable Roles Using Membership?

Feb 3, 2011

I need to enable/disable roles using membership. How is it done?

View 3 Replies

Security :: Load All Membership Roles In A Dropdownlist In VB.NET?

Feb 9, 2010

I am trying to load all the roles into my dropdownlist but I keep getting an error saying IDatasource is not listed, I have the following code:

Roles.datasource = Roles.GetAllRoles()
Roles.databind()


What else do I have to do?

View 3 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved