Hi Paul,
Sure, you can use FormsAuthentication and use the storage you prefer
for your profile roles data. In fact, you should just define a type
which would represent a "profile" in your application and demand to its
instances the job of retrieving the roles of a particular profile, via a
method named IsInRole(); doing so requires that type to implement the
IPrincipal interface [1]. Then, inside your application
AuthenticateRequest [2] event handler code, create a new instance of the
aforementioned type, based on some value acquired from the current
FormsAuthenticationTicket [3], and assign it to the Context.User [4].
Obviously your login page should store something meaningful in your
FormsAuthenticationTicket, such as your user id...
[1] http://msdn2.microsoft.com/en-us/library/system.security.principal.iprincipal.aspx
[2] http://msdn2.microsoft.com/en-us/library/system.web.httpapplication.authenticaterequest.aspx
[3] http://msdn2.microsoft.com/en-us/system.web.security.formsauthenticationticket.aspx
[4] http://msdn2.microsoft.com/en-us/library/system.web.httpcontext.user.aspx
HTH,
Efran Cobisi
http://www.cobisi.com
Paul Cowan wrote:
hi,
We are using FormsAuthentication which I know is still possible but I really do not want to have to create a separate database to store the roles information. That is I do not want to create the aspnetdb.
Is it possible to use this approach without using the aspnetdb?
Cheers
[EMAIL PROTECTED]
> Date: Wed, 7 Feb 2007 10:02:39 -0800
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] AOP and security
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> You can use a <location path=""> directive to apply at the page level as well. For example:
>
> <location path="page1.aspx">
>   <system.web>
>     <authorization>
>       <allow roles="members" />
>       <deny users="*" />
>     </authorization>
>   </system.web>
> </location>
>
> Note that the location directive can be used for any configuration setting in web.config files.
>
> BTW -- this tutorial of mine covers using Role Based Authorization and security trimming with windows auth and might be useful to look at: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx
>
> Thanks,
>
> Scott
>
> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Phil Sayers
> Sent: Wednesday, February 07, 2007 9:47 AM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: Re: [ADVANCED-DOTNET] AOP and security
>
> i originally did not suggest using the built in stuff because depending on how the security will be used to answer the question "can this user look at this page?"... you could end up with a fairly ugly set of folders & subfolders...and maybe even duplicating the same page across many subfolders to accommodate the various user accounts.
>
> but yes, i've recently done a website using the built in stuff....very slick and easy to use.... but from my "limited" experience, you can only apply the "this role can access these items" at the folder/subfolder level, not the individual page level, so you have to have some fairly clean delineation between groupings of pages and how that lines up to the various security roles you define.
>
> -----Original Message-----
> From: Discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED]
===================================
This list is hosted by DevelopMentor® http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
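
Added example, not part of the original thread or any poster's code: one way to wire up the approach in the reply above (a custom IPrincipal assigned to Context.User in AuthenticateRequest) so that role rules such as the quoted `<allow roles="members" />` are answered from your own storage instead of aspnetdb. `ProfilePrincipal`, `Global`, `LoadRoles` and the sample user id are hypothetical names; the role lookup is a stub standing in for your own query.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical "profile" type: answers role checks from roles loaded by the application.
public sealed class ProfilePrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly HashSet<string> roles;

    public ProfilePrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        this.identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get { return identity; } }
    // Called by URL authorization (<allow roles="..."/>) and by User.IsInRole() in pages.
    public bool IsInRole(string role) { return roles.Contains(role); }
}

// Global.asax code-behind (hypothetical class name).
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted and validated the cookie;
        // an anonymous or rejected request has no FormsIdentity and is left untouched.
        FormsIdentity id = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;

        // Only the user id travels in the ticket. Roles are looked up server-side on
        // every request, so a role change applies without waiting for ticket expiry.
        string userId = id.Ticket.Name;
        Context.User = new ProfilePrincipal(id, LoadRoles(userId));
    }

    // Stub with constructed data: replace with a query against your own roles table.
    private static IEnumerable<string> LoadRoles(string userId)
    {
        return userId == "paul" ? new string[] { "members" } : new string[0];
    }
}
```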