Hi everyone, I am in the midst of converting an aging Windows application to a web application using ASP.NET 2.0. I am struggling with how to migrate its security architecture to .NET.

URL Authorization will not work, as it would be too much to constantly manage the web.config file; the permissions for each page in the application are stored in a database. Also, I do not want to have to explicitly check a user's permission in the Page_Load event of each page. I want to have the code further up in the pipeline that will redirect a user to a NotAuthorized.aspx type page when they do not have the required permissions.

Each page in the application is associated with a group of pages, and then an integer defines what minimum level a user must have to view any of the pages. This data is stored in a DataSet that is populated when the application starts. I also need to create a similar matrix of permissions for EACH user that works with the application. This is where the problem arises.

My plan was to store this information in Session state and use it inside the global.asax's Application_AuthorizeRequest event. When a user requested a page I would consult the application matrix to find out what minimum level is required for that page, then I would look up similar data from the user's security matrix and see if they had the necessary levels. However, we are not allowed to access Session state information in that event in the pipeline.

Does anyone have ANY insight on this? I was under the impression Authorize_Request existed so we could roll our own custom authorization. Which it does, it just gives us no way to store permissions we may pull from databases, and doing this on every request would be a performance nightmare.

Appreciate any insight.

Regards
Kiran
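
One way to do the check described above at AuthorizeRequest without Session, as an added example that is not part of the original post: the per-user matrix is kept in the application cache (HttpRuntime.Cache), which is available at that stage, so the database is hit once per user per expiry window. PermissionStore, PageRule, UserLevelLoader, the .aspx filter, the fail-closed handling of unlisted pages and the 10-minute expiry are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;

public struct PageRule { public string Group; public int MinLevel; }
public delegate Dictionary<string, int> UserLevelLoader(string userName);

// Hypothetical holder, filled once in Application_Start from the page matrix.
public static class PermissionStore
{
    public static readonly Dictionary<string, PageRule> PageRules =
        new Dictionary<string, PageRule>(StringComparer.OrdinalIgnoreCase);
    public static UserLevelLoader LoadUserLevels; // assumed: one DB query, group -> level
}

public class PagePermissionModule : IHttpModule
{
    private const string DeniedPage = "~/NotAuthorized.aspx";

    public void Init(HttpApplication app) { app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest); }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath; // e.g. "~/Reports/Sales.aspx"
        if (!ctx.Request.IsAuthenticated) return; // assumption: existing auth rules handle anonymous users
        if (!path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)) return;
        if (string.Equals(path, DeniedPage, StringComparison.OrdinalIgnoreCase)) return; // no redirect loop

        PageRule rule;
        int level;
        bool allowed = PermissionStore.PageRules.TryGetValue(path, out rule) // unlisted pages fail closed
            && GetUserLevels(ctx.User.Identity.Name).TryGetValue(rule.Group, out level)
            && level >= rule.MinLevel;
        if (!allowed) ctx.Response.Redirect(VirtualPathUtility.ToAbsolute(DeniedPage), true);
    }

    // The per-user matrix lives in the application cache, keyed by user name.
    private static Dictionary<string, int> GetUserLevels(string userName)
    {
        string key = "perm:" + userName;
        Dictionary<string, int> levels = (Dictionary<string, int>)HttpRuntime.Cache[key];
        if (levels == null)
        {
            levels = PermissionStore.LoadUserLevels(userName);
            // Absolute expiry bounds how long a revoked permission stays usable.
            HttpRuntime.Cache.Insert(key, levels, null, DateTime.UtcNow.AddMinutes(10), Cache.NoSlidingExpiration);
        }
        return levels;
    }
}
```

The module is registered under httpModules in web.config. When a user's levels change, removing the "perm:" entry for that user from the cache makes the change effective before the expiry.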
