Vista - Use login control to limit access to certain pages

Hi all,

Recently I got a project specify that part of our web site(it was developed
and in production) will be only available to our
authorized users, not to all public site visitors.

I plan to use Membership database in asp.net 2.0. But the question is the
files(pages) are scattered among different directories and they are put in
some directores containing files which don't need protection at all. And
even worse,
some of those files are in the site's root directory which has some files
don't need to protect at all.
So I don't know what I should do with this scenario. Do you have a
suggestion for me?

Thanks,
--
Betty

// web.config
// To allow or deny access to the application to certain users or roles
// use <allow> or <deny> child tags.
<authorization>
<allow roles="Administrators, RegisteredUsers" />
<deny users="*" />
</authorization>

// The following is how its done at the folder level
// Allows unrestricted access to the folder named anonymousAccess
// where login.aspx is located
<location path="anonymousAccess">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="securedAccess">
<system.web>
<authorization>
<allow roles="Administrators, RegisteredUsers" />
<deny users="*" />
</authorization>
</system.web>
</location>

// Will you test yourself and let us know if we can do the following?
<location path="someFolder/someFile.aspx">
<system.web>
<authorization>
<allow roles="Administrators, RegisteredUsers" />
<deny users="*" />
</authorization>
</system.web>
</location>

Otherwise, the HTML in each page has to be modified in each page.




"c676228" <betty@xxxxxx> wrote in message
news:22A07D9A-5176-43AE-88A3-D394B91B8AF6@xxxxxx

Hillbilly,

If I understand you correctly. You mean we can use the following web.config
to list all the files need to be protected? Unfortunately we have too many
this kind of files.
It would be very tedious to list all files in the configuration file.

// Will you test yourself and let us know if we can do the following?
<location path="someFolder/someFile.aspx">
<system.web>
<authorization>
<allow roles="Administrators, RegisteredUsers" />
<deny users="*" />
</authorization>

I am thinking we probably have to do a bit of migration(or reorganization of
the files) in order to protect the whole directory(move all files need to be
protected into one or two directories) like you mentioned here:


<location path="securedAccess">
<system.web>
<authorization>
<allow roles="Administrators, RegisteredUsers" />
<deny users="*" />
</authorization>
</system.web>
</location>

The reason I am asking is if there is a better or easier way to do it
instead of reorgnization?
Thanks,

--
Betty


"Hillbilly" wrote:

Hi Betty,

From your description, my understanding is that you want to use the
Membership Database to store your users and want unauthenticated users to
access some resources. The resources are scattered as you said, so it is
not reasonable to list all files in web.config using <Location> tags. There
are many files to restrict and they might be changed. If I have
misunderstood you, please feel free to let me know.

It is easy to use location tags in web.config for specific files or
directories. Because we don't need to write code and just need to
configure it in web.config, and then ASP.NET will handle authorization. For
more information, see http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx.

I want to confirm which authentication type you are using? I assume that
you are using forms authentication. In this case, we can put multiple
web.config files in subdirectory and use its web.config's Location tags to
control access permission in current directory. For example, we can use
root web.config's Location tags for root unprotected files of your
application and use a web.config in another folder for unprotected files
that are in this subdirectory. For more information about using Location
tags to configure specific file and subdirectory, see
http://msdn.microsoft.com/en-us/library/6hbkh9s7.aspx.

It also would be better to re-organize the website and put unprotected
resources in a separate directory, and then use Location tags to this
directory. Because it is easy to manage files.

If you don't want to re-organize your website, you can use custom
authentication with Membership APIs instead of forms authentication. This
needs us to write our own code to implement authentication and
authorization. We will use an XML file to store unprotected resources
paths and access it while authorizing user. Every user can access the file
without validation when request path is in this XML file. The following
demo is just used to demonstrate the process of custom authorization and it
doesn't use Roles. If you need to use Roles, the section 1 and 3 will be
modified correspondingly.

To do so, we need to implement the following aspects:

1. The XML file used to store unprotected files should look similar to the
following. We can modify it in future.
XML content:
=================================
<ControlList>
<allow>
<path>help.html</path>
<path>information.aspx</path>
<path>product/newProduct.aspx</path>
....
....
</allow>
</ControlList>
================================
We can put this XML file in root directory of your web application.

2. Use Membership APIs to validate user and use Cookies to indicate whether
user is authenticated or not. The Cookies will be used to determine whether
user is authentication in section 3.
================================
protected void Login_Click(object sender, EventArgs e)
{
if (Membership.ValidateUser(txtUserName.Text, TxtPsw.Text))
{
Response.Cookies["userName"].Value = txtUserName.Text;
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1);
}

}
=================================
With Membership APIs, we can directly work with Membership provider.
For more information about Membership APIs, see
http://msdn.microsoft.com/en-us/libr...mbership_metho
ds.aspx

3. Check whether requested file is protected in Application_BeginRequest of
Global.asax. If the file is in unprotected, we don't need to validate
whether user is authenticated.

=================================
void Application_BeginRequest(object sender, EventArgs e)
{

bool blnUnprotectedFile = false;

///
///TO DO: Access XML file to see whether we need to validate user.
/// If the file is unprotected, we don't need to validate
user.
/// Custom your AccessControlXML code and set
blnUnprotectedFile value.

//AccessControlXML

string strRequestFile = Request.FilePath;
//...
//...
//...

// Set blnUnprotectedFile value to true if the file is unprotected;


if (!blnUnprotectedFile)
{
//the file is protected
if (Response.Cookies["userName"].Value == "")
{
//the file is protected and user is not logging in.
Response.Write("You don't have permission to access
protected resource. Please log in and try again.");
Response.Write(" <a href=\"Login.aspx\">Return Login
Page</a>");
Response.End();
}
}


}
================================
We can use XmlDocument Class to load the XML file and access unprotected
files. For more information about XmlDocument Class, see
http://msdn.microsoft.com/en-us/libr...ldocument.aspx


Note:
We need to make sure this XML file is protected. We can map the .xml
extension to ASP.NET in IIS and file path to the HttpForbiddenHandler
handler in ASP.NET to protect it. For more information about
HttpForbiddenHandler, see
http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx


I look forward to receiving your test results.






Best Regards,
Thomas Sun

Microsoft Online Partner Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.