Question

I have an application that uses Active Directory to authenticate users to login to my website.

I also have a table in my database with user Types.

Based on the User Type, my users can see different VIEWS.

Ex: NormalUser can see 3 views (About - Contact - View Data). ManagerUser can see 5 views (About - Contact - View Data - Delete Data - Update Data).

However, the views work fine, but I have a problem when, for example, a NormalUser manually changes the URL to UpdateData.aspx: then he will see the page of a ManagerUser. How can I prevent users from accessing other pages?

Please note that I have my StateView code in Site.Master


Solution

We use this same authentication/authorization setup in several of our web apps, using Windows Authentication, and a custom SQL table for authorization.

You have a few options: I would recommend option 1 or 2.

  1. Since you have a custom table that stores your user roles/types, you could write a custom RoleProvider (http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx), and add web.config authorization rules to restrict access to pages based on the user Roles. This is what we have done in our application.

  2. Use Windows Active Directory groups in place of your userType table, and then you can add web.config authorization rules to allow the AD groups you want. You will need to use the Windows Role Provider (which I believe is the default for Windows authentication, so may not have to change anything there).

  3. Add code in the Page_Load method of your pages to look up whether the user has access based on your UserType table and throw an UnauthorizedAccessException if the user does not have access. If you only have a few pages in your app and don't have a lot of concurrent users, then this is the "quick" solution, but isn't the cleanest option.

To add the web.config authorization rules, use this syntax, and add <location> sections under the root of the <configuration> element, where path can be a folder name or page name. ASP.NET will auto-magically enforce these rules for you.

<location path="AdminFolder">
  <system.web>
    <authorization>
      <!-- Allows users in the Admin role -->
      <allow roles="Admin"/>
      <!-- Deny everyone else: "*" is all authenticated users, "?" is anonymous users -->
      <deny users="*,?"/>
    </authorization>
  </system.web>
</location>

Using a given RoleProvider, you can also use User.IsInRole("YourRoleName") from anywhere in code if you need to check whether a user belongs to a given role.

Here is the shell for the class layout including the methods that need to be implemented for the custom RoleProvider in option 1. NOTE: if you have your own UI for managing role memberships, then you don't have to fully implement the CreateRole and DeleteRole methods. I just have Throw New NotImplementedException() for both as the implementation and it works fine. You do need to implement the other methods.

Imports System.Web.Security

Public Class MyCustomRoleProvider
    Inherits RoleProvider

    ' Assign the given roles to the given users in your UserType table.
    Public Overrides Sub AddUsersToRoles(usernames() As String, roleNames() As String)

    End Sub

    ' Name of the application whose roles this provider serves (can be a fixed value).
    Public Overrides Property ApplicationName As String
        Get

        End Get
        Set(value As String)

        End Set
    End Property

    ' Not needed if role memberships are managed through your own UI.
    Public Overrides Sub CreateRole(roleName As String)
        Throw New NotImplementedException()
    End Sub

    ' Not needed if role memberships are managed through your own UI.
    Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean
        Throw New NotImplementedException()
    End Function

    ' Return the users in roleName whose name matches usernameToMatch.
    Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()

    End Function

    ' Return every distinct role/user type defined in the table.
    Public Overrides Function GetAllRoles() As String()

    End Function

    ' The method that <authorization> rules and User.IsInRole() rely on:
    ' look up username in your UserType table and return its roles.
    Public Overrides Function GetRolesForUser(username As String) As String()

    End Function

    ' Return all user names that belong to roleName.
    Public Overrides Function GetUsersInRole(roleName As String) As String()

    End Function

    ' Return True only if username is a member of roleName.
    Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean

    End Function

    ' Remove the given roles from the given users in your UserType table.
    Public Overrides Sub RemoveUsersFromRoles(usernames() As String, roleNames() As String)

    End Sub

    ' Return True if roleName exists in the table.
    Public Overrides Function RoleExists(roleName As String) As Boolean

    End Function
End Class
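A filled-in version of the option 1 provider, added here as an example; it is not the answerer's code. It backs the read methods with the question's user-type table and refuses the write methods, since the post says memberships are managed elsewhere. Everything named below is an assumption not found in the original post: a table dbo.UserTypes(UserName, UserType) that stores the Windows account name (DOMAIN\user, which is what User.Identity.Name returns under Windows Authentication), a connection string called AppDb, and role names equal to the UserType values such as NormalUser and ManagerUser.

```vbnet
' Added example, not from the original post. Assumed schema:
'   dbo.UserTypes(UserName nvarchar(256) NOT NULL, UserType nvarchar(64) NOT NULL)
Imports System
Imports System.Collections.Generic
Imports System.Collections.Specialized
Imports System.Configuration
Imports System.Configuration.Provider
Imports System.Data
Imports System.Data.SqlClient
Imports System.Linq
Imports System.Web.Security

Public Class UserTypeRoleProvider
    Inherits RoleProvider

    Private _connectionString As String
    Private _applicationName As String = "/"

    ' Called once by the role manager; reads the attributes of the <add> element in web.config.
    Public Overrides Sub Initialize(name As String, config As NameValueCollection)
        If config Is Nothing Then Throw New ArgumentNullException("config")
        If String.IsNullOrEmpty(name) Then name = "UserTypeRoleProvider"
        MyBase.Initialize(name, config)

        Dim csName As String = config("connectionStringName")
        Dim cs As ConnectionStringSettings = ConfigurationManager.ConnectionStrings(csName)
        If cs Is Nothing Then Throw New ProviderException("Connection string '" & csName & "' was not found.")
        _connectionString = cs.ConnectionString
        If Not String.IsNullOrEmpty(config("applicationName")) Then _applicationName = config("applicationName")
    End Sub

    Public Overrides Property ApplicationName As String
        Get
            Return _applicationName
        End Get
        Set(value As String)
            _applicationName = value
        End Set
    End Property

    ' Builds a typed parameter; user-supplied strings never get concatenated into SQL.
    Private Shared Function Param(name As String, value As String) As SqlParameter
        Dim p As New SqlParameter(name, SqlDbType.NVarChar, 256)
        p.Value = value
        Return p
    End Function

    ' Runs a single-column query and returns the column values as a string array.
    Private Function QueryStrings(sql As String, ParamArray args() As SqlParameter) As String()
        Dim result As New List(Of String)()
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.AddRange(args)
                conn.Open()
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    While rdr.Read()
                        result.Add(rdr.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return result.ToArray()
    End Function

    ' The method that <authorization roles="..."> rules and User.IsInRole() depend on.
    Public Overrides Function GetRolesForUser(username As String) As String()
        Return QueryStrings("SELECT UserType FROM dbo.UserTypes WHERE UserName = @user", Param("@user", username))
    End Function

    Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean
        Return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase)
    End Function

    Public Overrides Function GetAllRoles() As String()
        Return QueryStrings("SELECT DISTINCT UserType FROM dbo.UserTypes")
    End Function

    Public Overrides Function RoleExists(roleName As String) As Boolean
        Return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase)
    End Function

    Public Overrides Function GetUsersInRole(roleName As String) As String()
        Return QueryStrings("SELECT UserName FROM dbo.UserTypes WHERE UserType = @role", Param("@role", roleName))
    End Function

    ' usernameToMatch is a SQL LIKE pattern, as the Membership API expects.
    Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()
        Return QueryStrings("SELECT UserName FROM dbo.UserTypes WHERE UserType = @role AND UserName LIKE @pattern",
                            Param("@role", roleName), Param("@pattern", usernameToMatch))
    End Function

    ' Memberships are maintained by the application's own UI, so the provider refuses writes.
    Public Overrides Sub CreateRole(roleName As String)
        Throw New NotSupportedException("Roles are managed outside the provider.")
    End Sub

    Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean
        Throw New NotSupportedException("Roles are managed outside the provider.")
    End Function

    Public Overrides Sub AddUsersToRoles(usernames() As String, roleNames() As String)
        Throw New NotSupportedException("Memberships are managed outside the provider.")
    End Sub

    Public Overrides Sub RemoveUsersFromRoles(usernames() As String, roleNames() As String)
        Throw New NotSupportedException("Memberships are managed outside the provider.")
    End Sub
End Class
```

To wire it up (assumed names again), register the provider under system.web in web.config with `<roleManager enabled="true" defaultProvider="UserTypeRoleProvider"><providers><clear/><add name="UserTypeRoleProvider" type="UserTypeRoleProvider" connectionStringName="AppDb"/></providers></roleManager>` (for a class in App_Code the bare type name is enough; otherwise give it as Namespace.UserTypeRoleProvider, AssemblyName), then add one `<location path="UpdateData.aspx">` block per manager-only page with `<allow roles="ManagerUser"/>` followed by `<deny users="*"/>`. Because the deny rule comes last, a user whose account has no row in UserTypes gets a 401 rather than the page, and the check runs in the ASP.NET pipeline before Page_Load, so the menu logic in Site.Master becomes purely cosmetic: hiding a link no longer has to double as the access control.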

OTHER TIPS

You have done authentication, but what you are asking for requires implementing authorization.

http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization

In case of Windows Authentication: http://www.codeproject.com/Articles/175028/ASP-NET-Windows-Authentication-Authorization-by-Gr

Licensed under: CC-BY-SA with attribution