I originally did not suggest using the built-in stuff because depending on how the security will be used to answer the question "can this user look at this page?"... you could end up with a fairly ugly set of folders & subfolders...and maybe even duplicating the same page across many subfolders to accommodate the various user accounts.
But yes, I've recently done a website using the built-in stuff....very slick and easy to use.... but from my "limited" experience, you can only apply the "this role can access these items" at the folder/subfolder level, not the individual page level, so you have to have some fairly clean delineation between groupings of pages and how that lines up to the various security roles you define.

-----Original Message-----
From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] Behalf Of Geoff Taylor
Sent: Wednesday, February 07, 2007 12:33 PM
To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
Subject: Re: [ADVANCED-DOTNET] AOP and security

OK, I'll bite. What's wrong with the built-in configurability of role security?

http://msdn2.microsoft.com/en-us/library/5k850zwb(VS.80).aspx

With that you can specify the allowed/denied roles for a page or subfolder, using multiple <location> tags:

    <configuration>
      <location path="memberPages">
        <system.web>
          <authorization>
            <allow roles="members" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
      <!-- other configuration settings here -->
    </configuration>

You can have as many of those location sections as you need. That would keep the entire configuration of the role security out of the code.

(OK, in the past I've found it horribly flaky if the specified target is a virtual one rather than an actual file that exists on the filesystem - I don't know if that's improved in .NET 2.0. But apart from that, it's simple and configurable.)

Failing that, as Phil says, HttpApplication events are probably the answer. You can either do the Global.asax thing, or implement your own HttpModule. The AuthorizeRequest event may be the one you want - I've used it in the past and can send you some code off-list if you want.

Good luck,
Geoff

> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:ADVANCED-
> [EMAIL PROTECTED] On Behalf Of Paul Cowan
> Sent: 07 February 2007 17:08
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: [ADVANCED-DOTNET] AOP and security
>
> Hi all,
> We have an ASP.NET application where users log in under forms
> authentication. Each user is assigned a role and I want only certain
> roles to view certain pages.
>
> I am really unsure where to put the code for the security and I do not
> want to hard code the security checks into the code and would somehow
> like to configure this.
>
> Sounds like a job for AOP. I have no experience in this field and was
> wondering if somebody could help me out? Or if indeed AOP is a good
> fit for this.
> Cheers
>
> Paul
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at
> http://discuss.develop.com
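
The HttpModule route mentioned in the thread, sketched as an added example (not code from any poster on the list): a module that hooks AuthorizeRequest and checks the requested path against role rules kept in configuration. The class name `RoleGateModule` and the `roles:` appSettings key convention are assumptions made for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

// Hypothetical module: maps app-relative path prefixes to allowed roles.
// Rules live in <appSettings>; constructed sample entries:
//   <add key="roles:~/memberPages/" value="members,admins" />
//   <add key="roles:~/admin/audit.aspx" value="admins" />
// Paths that match no rule are left to whatever other authorization is configured.
public class RoleGateModule : IHttpModule
{
    private const string KeyPrefix = "roles:";
    private readonly List<KeyValuePair<string, string[]>> rules = new List<KeyValuePair<string, string[]>>();

    public void Init(HttpApplication app)
    {
        foreach (string key in ConfigurationManager.AppSettings.AllKeys)
        {
            if (!key.StartsWith(KeyPrefix, StringComparison.Ordinal)) continue;
            string[] roles = ConfigurationManager.AppSettings[key]
                .Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            rules.Add(new KeyValuePair<string, string[]>(
                key.Substring(KeyPrefix.Length), roles));
        }
        // Longest prefix first, so a single-page rule wins over its folder's rule.
        rules.Sort((a, b) => b.Key.Length.CompareTo(a.Key.Length));
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        foreach (KeyValuePair<string, string[]> rule in rules)
        {
            if (!path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase)) continue;
            foreach (string role in rule.Value)
                if (ctx.User != null && ctx.User.IsInRole(role.Trim())) return; // allowed
            // No role matched: 401 lets forms authentication send anonymous users to login.
            bool anonymous = ctx.User == null || !ctx.User.Identity.IsAuthenticated;
            ctx.Response.StatusCode = anonymous ? 401 : 403;
            app.CompleteRequest(); // skip the page handler, go straight to EndRequest
            return;
        }
    }
    public void Dispose() { }
}
```

The module has to be registered under `<httpModules>` in web.config before it sees any request.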