Re: Use login control to limit access to certain pages



Hi Betty,

From your description, my understanding is that you want to use the
Membership database to store your users and want unauthenticated users to
be able to access some resources. The resources are scattered, as you said,
so it is not reasonable to list all files in web.config using <Location>
tags: there are many files to restrict and they might change. If I have
misunderstood you, please feel free to let me know.

It is easy to use Location tags in web.config for specific files or
directories, because we don't need to write any code: we just configure it
in web.config and ASP.NET handles the authorization. For more information,
see http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx.

I want to confirm which authentication type you are using. I assume that
you are using forms authentication. In this case, we can put multiple
web.config files in subdirectories and use each one's Location tags to
control access permissions in that directory. For example, we can use the
root web.config's Location tags for the unprotected files in the root of
your application and a web.config in another folder for the unprotected
files in that subdirectory. For more information about using Location tags
to configure specific files and subdirectories, see
http://msdn.microsoft.com/en-us/library/6hbkh9s7.aspx.

It would also be better to re-organize the website, put the unprotected
resources in a separate directory, and then apply Location tags to this
directory, because that makes the files easy to manage.

If you don't want to re-organize your website, you can use custom
authentication with the Membership APIs instead of forms authentication.
This requires us to write our own code to implement authentication and
authorization. We will use an XML file to store the paths of the unprotected
resources and access it while authorizing the user. Every user can access a
file without validation when the request path is in this XML file. The
following demo is just used to demonstrate the process of custom
authorization and it doesn't use Roles. If you need to use Roles, sections
1 and 3 will need to be modified correspondingly.

To do so, we need to implement the following aspects:

1. The XML file used to store the unprotected files should look similar to
the following. We can modify it in the future.
XML content:
=================================
<ControlList>
<allow>
<path>help.html</path>
<path>information.aspx</path>
<path>product/newProduct.aspx</path>
....
....
</allow>
</ControlList>
================================
We can put this XML file in the root directory of your web application.

2. Use the Membership APIs to validate the user and use a cookie to indicate
whether the user is authenticated or not. This cookie will be used in
section 3 to determine whether the user is authenticated.
================================
protected void Login_Click(object sender, EventArgs e)
{
    // Only write the cookie when the Membership provider accepts the credentials.
    if (Membership.ValidateUser(txtUserName.Text, TxtPsw.Text))
    {
        Response.Cookies["userName"].Value = txtUserName.Text;
        Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1);
    }
}
=================================
With the Membership APIs, we can work directly with the Membership provider.
For more information about the Membership APIs, see
http://msdn.microsoft.com/en-us/library/system.web.security.membership_methods.aspx

3. Check whether the requested file is protected in Application_BeginRequest
of Global.asax. If the file is unprotected, we don't need to validate
whether the user is authenticated.

=================================
void Application_BeginRequest(object sender, EventArgs e)
{
    bool blnUnprotectedFile = false;

    // TO DO: Access the XML file to see whether we need to validate the user.
    // If the file is unprotected, we don't need to validate the user.
    // Customize your AccessControlXML code and set the blnUnprotectedFile value.

    //AccessControlXML
    string strRequestFile = Request.FilePath;
    //...
    //...
    //...

    // Set blnUnprotectedFile to true if the file is unprotected.

    if (!blnUnprotectedFile)
    {
        // The file is protected: read the cookie from the request (not the
        // response), and treat a missing cookie the same as an empty one.
        HttpCookie userCookie = Request.Cookies["userName"];
        if (userCookie == null || userCookie.Value == "")
        {
            // The file is protected and the user is not logged in.
            Response.Write("You don't have permission to access protected resource. Please log in and try again.");
            Response.Write(" <a href=\"Login.aspx\">Return Login Page</a>");
            Response.End();
        }
    }
}
================================
We can use the XmlDocument class to load the XML file and read the list of
unprotected files. For more information about the XmlDocument class, see
http://msdn.microsoft.com/en-us/library/system.xml.xmldocument.aspx
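Sections 1 to 3 put together as one working Global.asax.cs plus login handler, as an added example that is not the code from the post above. It keeps the post's XML allow list and the Membership.ValidateUser call, but makes two changes for safety: the plain "userName" cookie is replaced by the forms-authentication ticket (a cookie that merely holds a user name can be written by any client, so it proves nothing), and the allow-list check moves from Application_BeginRequest to Application_AuthorizeRequest, where ASP.NET has already validated the ticket. The file name AccessControl.xml, the cache key, the lblMessage control and the XPath are my assumptions, not values from the post.

```csharp
// Global.asax.cs  (added example; assumes <authentication mode="Forms"> in web.config)
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;
using System.Web.Security;
using System.Xml;

public class Global : HttpApplication
{
    // Assumed names: neither the file name nor the cache key comes from the original post.
    private const string AllowListVirtualPath = "~/AccessControl.xml";
    private const string AllowListCacheKey = "UnprotectedPathSet";

    // Parses <ControlList><allow><path>help.html</path>...</allow></ControlList>
    // into a set of app-relative paths ("~/help.html"). The set is cached with a
    // file dependency, so editing the XML takes effect without an application restart.
    private static HashSet<string> GetUnprotectedPaths(HttpContext ctx)
    {
        var cached = ctx.Cache[AllowListCacheKey] as HashSet<string>;
        if (cached != null)
            return cached;

        string physicalPath = ctx.Server.MapPath(AllowListVirtualPath);
        var doc = new XmlDocument();
        doc.XmlResolver = null;   // never resolve DTDs or external entities from a config file
        doc.Load(physicalPath);

        // Windows file names are case-insensitive, so compare paths the same way.
        var paths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (XmlNode node in doc.SelectNodes("/ControlList/allow/path"))
        {
            string p = node.InnerText.Trim().Replace('\\', '/').TrimStart('~', '/');
            if (p.Length > 0)
                paths.Add("~/" + p);
        }

        ctx.Cache.Insert(AllowListCacheKey, paths, new CacheDependency(physicalPath));
        return paths;
    }

    private static bool IsUnprotected(HttpContext ctx)
    {
        // ASP.NET has already canonicalised this value ("~/product/newProduct.aspx"),
        // which is what the allow list is keyed on. Anything not listed is protected.
        return GetUnprotectedPaths(ctx).Contains(ctx.Request.AppRelativeCurrentExecutionFilePath);
    }

    // AuthorizeRequest runs after FormsAuthenticationModule has checked the ticket,
    // so Request.IsAuthenticated is meaningful here (it is not yet in BeginRequest).
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (IsUnprotected(ctx) || ctx.Request.IsAuthenticated)
            return;

        // Protected resource and no valid ticket: send the user to the loginUrl
        // from web.config with a ReturnUrl. The login page itself must be allow-listed.
        FormsAuthentication.RedirectToLoginPage();
    }
}

// Login.aspx.cs  (txtUserName and TxtPsw are the post's control names and come from
// the designer file; lblMessage is a hypothetical Label added for feedback)
public partial class Login : System.Web.UI.Page
{
    protected void Login_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(txtUserName.Text, TxtPsw.Text))
        {
            // Issue the forms ticket (signed and encrypted with the machineKey) rather
            // than a plain "userName" cookie that any client could write itself.
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        }
        else
        {
            lblMessage.Text = "Invalid user name or password.";
        }
    }
}
```

Two things to check when wiring this up. First, leave the web.config <authorization> section at its default (allow everyone), because with this design the allow list, not web.config, decides what needs a login; the login page and any script or style files it references must appear under <allow> or users can never reach it. Second, as the note below says, the allow-list file must not be served: register it with `<add path="AccessControl.xml" verb="*" type="System.Web.HttpForbiddenHandler" />` under <httpHandlers> (and map .xml to ASP.NET in IIS) so a request for the file returns 403 rather than a listing of which pages skip authentication.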


Note:
We need to make sure this XML file itself is protected. We can map the .xml
extension to ASP.NET in IIS and map the file path to the HttpForbiddenHandler
handler in ASP.NET to protect it. For more information about
HttpForbiddenHandler, see
http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx


I look forward to receiving your test results.






Best Regards,
Thomas Sun

Microsoft Online Partner Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.


