First create a PagesByDepartment table and a Department table like the following:
- Department
- Id (int)
- Name (string)
- PagesByDepartment
- Id (int)
- DepartmentId (int)
- PageName (string)
- User
- Id (int)
- UserName (string)
- Password (string) - it would be better to store a hash of the password (e.g. as a byte array) rather than the plaintext :)
- DepartmentId (int)
You need to authorize the user on every request, for every page; to me the natural way to do that is to customize the principal object of your user,
for example:
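/// <summary>
/// Principal that pairs the authenticated identity with the user's department,
/// so page access can be decided per department on every request.
/// </summary>
public class MyAppPrincipal : IPrincipal, IMyAppPrincipal
{
    private readonly IIdentity _identity;
    private readonly string _department;

    /// <summary>
    /// Creates the principal.
    /// </summary>
    /// <param name="identity">The identity established by authentication.</param>
    /// <param name="department">The department carried in the auth ticket's user data.</param>
    /// <exception cref="ArgumentNullException">Thrown when identity is null.</exception>
    public MyAppPrincipal(IIdentity identity, string department)
    {
        if (identity == null)
        {
            throw new ArgumentNullException("identity");
        }
        _identity = identity;
        _department = department;
    }

    /// <summary>The identity this principal wraps (required by IPrincipal).</summary>
    public IIdentity Identity
    {
        get { return _identity; }
    }

    /// <summary>
    /// Roles are not modelled here; access is decided per page by IsPageEnabled.
    /// Answering false (rather than throwing) keeps role checks elsewhere in the
    /// pipeline harmless. Adjust if web.config role-based authorization is used.
    /// </summary>
    public bool IsInRole(string role)
    {
        return false;
    }

    /// <summary>
    /// True when this principal's department may open the given page.
    /// DB is your data access class; with plain ADO.NET either run the query
    /// here or cache the page/department table at Application_Start and look it
    /// up from there.
    /// </summary>
    /// <param name="pageName">The requested path (e.g. Request.Path).</param>
    public bool IsPageEnabled(string pageName)
    {
        // An empty page name can never match a configured page; treat it as denied.
        if (string.IsNullOrEmpty(pageName))
        {
            return false;
        }
        return DB.IsPageEnabled(pageName, _department);
    }
}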
Then add the department to the authentication ticket's custom user data, something like:
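/// <summary>
/// Login click handler: validates the credentials, issues a forms ticket whose
/// UserData slot carries the user's department, and redirects on success.
/// </summary>
/// <param name="sender">The control raising the event.</param>
/// <param name="e">Event arguments (unused).</param>
protected void LoginButton_Click(object sender, EventArgs e)
{
    if (!ValidateUser(UserNameTextBox.Value, PasswordTextBox.Value))
    {
        Response.Redirect("Login.aspx", true);
        return;
    }

    // The department travels inside the encrypted, signed forms ticket rather
    // than in a separate plaintext cookie, so the client cannot alter it.
    string department = DB.GetDepartmentByUsername(UserNameTextBox.Value);
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        2,                                   // version
        UserNameTextBox.Value,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        RemPassword.Checked,                 // persistent
        department,                          // custom user data
        FormsAuthentication.FormsCookiePath);

    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
    authCookie.Path = FormsAuthentication.FormsCookiePath;
    // Building the cookie by hand bypasses the defaults SetAuthCookie would apply,
    // so set them explicitly: keep the ticket out of reach of script, and off
    // plain HTTP when the forms section requires SSL.
    authCookie.HttpOnly = true;
    authCookie.Secure = FormsAuthentication.RequireSSL;
    if (RemPassword.Checked)
    {
        authCookie.Expires = ticket.Expiration;
    }
    Response.Cookies.Add(authCookie);

    // Only follow a ReturnUrl that stays inside this application ("/..." or "~/...").
    // An absolute or protocol-relative value ("//host/...") would turn the login
    // page into an open redirect; anything else falls back to the home page.
    string returnUrl = Request["ReturnUrl"];
    bool isLocal = !string.IsNullOrEmpty(returnUrl)
        && (returnUrl.StartsWith("~/", StringComparison.Ordinal)
            || (returnUrl.StartsWith("/", StringComparison.Ordinal)
                && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                && !returnUrl.StartsWith("/\\", StringComparison.Ordinal)));
    Response.Redirect(isLocal ? returnUrl : "Home.aspx", true);
}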
Then you need an HttpModule to authenticate / authorize:
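/// <summary>
/// Pipeline module that replaces the forms principal with a MyAppPrincipal
/// carrying the department from the ticket's UserData, and then blocks
/// requests to pages that department is not enabled for.
/// </summary>
public class CustomAuthenticationModule : IHttpModule
{
    /// <summary>Subscribes to the authentication and authorization pipeline events.</summary>
    /// <param name="httpApp">The application whose pipeline this module joins.</param>
    /// <exception cref="ArgumentNullException">Thrown when httpApp is null.</exception>
    public void Init(HttpApplication httpApp)
    {
        if (httpApp == null)
        {
            throw new ArgumentNullException("httpApp");
        }
        // ASP.NET raises AuthenticateRequest before AuthorizeRequest whatever the
        // subscription order. The AuthenticateRequest handler only sees a
        // FormsIdentity if this module is registered after FormsAuthenticationModule.
        httpApp.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
        httpApp.AuthorizeRequest += new EventHandler(this.AuthorizeRequest);
    }

    public void Dispose()
    {
        // Nothing to release: the module holds no disposable state.
    }

    /// <summary>
    /// Denies the request when the authenticated MyAppPrincipal's department is
    /// not enabled for the requested path.
    /// </summary>
    private void AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        MyAppPrincipal principal = context.User as MyAppPrincipal;
        // Anonymous requests and principals of other types are left to the
        // framework's own authorization (web.config <authorization>); only the
        // department check is decided here.
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return;
        }

        // Request.Path is the path the client asked for. IIS paths are not
        // case-sensitive, so the lookup behind IsPageEnabled should compare
        // case-insensitively too, or the check can be bypassed by changing case.
        if (!principal.IsPageEnabled(context.Request.Path))
        {
            context.Server.Transfer("unauthorized.aspx");
        }
    }

    /// <summary>
    /// Swaps the FormsIdentity-based principal for a MyAppPrincipal, taking the
    /// department from the ticket the FormsAuthenticationModule already decrypted.
    /// </summary>
    private void AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            return;
        }

        FormsIdentity formsIdentity = context.User.Identity as FormsIdentity;
        if (formsIdentity == null)
        {
            return;
        }

        // FormsIdentity.Ticket is already decrypted and validated; decrypting the
        // raw cookie again is redundant and throws when the cookie is missing.
        string department = formsIdentity.Ticket.UserData ?? string.Empty;
        context.User = new MyAppPrincipal(formsIdentity, department);
    }
}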
}
Don't forget to register your custom module in web.config:
<httpModules>
  <add type="myapp, SecurityModules" name="CustomAuthenticationModule" />
</httpModules>
PS: treat this as pseudo-code, since I'm writing it in the answer box and not in VS. I hope that helps.