Have you tried making use of the aspnet_users, aspnet_usersinroles, aspnet_roles tables? You can add whatever roles you want to and aspnet automatically manages the roles. Also since you have the page permissions in the database already, you can easily map it to the roles that you are going to create.

For example, there is a method called GetRolesForUser which gives you the current roles that a user is in. Hope this helps. Also there are minimal web.config changes required for these. Have you explored this option before?

http://www.4guysfromrolla.com/articles/120705-1.aspx

On Tue, Jul 7, 2009 at 8:51 AM, Kiran Raj <[email protected]> wrote:

> Hi everyone, I am in the midst of converting an aging Windows application to a web application using ASP.NET <http://asp.net/> 2.0. I am struggling with how to migrate its security architecture to .NET.
>
> URL Authorization will not work as it would be too much to constantly manage the web.config file; the permissions for each page in the application are stored in a database. Also I do not want to have to explicitly check a user's permission in the Page_Load event of each page. I want to have the code further up in the pipeline that will redirect a user to a NotAuthorized.aspx type page when they do not have the required permissions.
>
> Each page in the application is associated with a group of pages and then an integer defines what minimum level a user must have to view any of the pages. This data is stored in a DataSet that is populated when the application starts. I also need to create a similar matrix of permissions for EACH user that works with the application. This is where the problem arises. My plan was to store this information in Session state and use it inside the global.asax's Application_AuthorizeRequest event. When a user requested a page I would consult the application matrix to find out what minimum level is required for that page, then I would look up similar data from the user's security matrix and see if they had the necessary levels. However we are not allowed to access Session state information in that event in the pipeline.
>
> Does anyone have ANY insight on this? I was under the impression Authorize_Request existed so we could roll our own custom authorization. Which it does, it just gives us no way to store permissions we may pull from databases, and doing this on every request would be a performance nightmare.
>
> Appreciate any insight.
>
> Regards
> Kiran
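
An added example, not code from either message in this thread: a sketch of the role-based check suggested in the reply, run in the AuthorizeRequest stage without Session state. The module name, the map contents and the role names are hypothetical, and it assumes forms authentication with the ASP.NET role manager enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Hypothetical module name; register it under <httpModules> in web.config.
public class PagePermissionModule : IHttpModule
{
    // Page path -> role required. Constructed sample entries; in the design from the
    // thread this map is loaded once from the permissions database at application start.
    private static readonly Dictionary<string, string> RequiredRole = BuildMap();

    private static Dictionary<string, string> BuildMap()
    {
        Dictionary<string, string> map =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        map.Add("~/Admin/Users.aspx", "Administrators");
        map.Add("~/Reports/Sales.aspx", "Managers");
        return map;
    }

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string required;
        // Pages missing from the map are left to URL authorization in this sketch;
        // deny here instead if every protected page must be listed.
        if (!RequiredRole.TryGetValue(ctx.Request.AppRelativeCurrentExecutionFilePath, out required))
            return;

        if (!ctx.Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
        }
        else if (!ctx.User.IsInRole(required))
        {
            // With the role manager enabled, User is a RolePrincipal by this stage,
            // so the check uses the role provider (and its cache), not Session.
            ctx.Response.Redirect("~/NotAuthorized.aspx", false);
        }
        else
        {
            return; // authorized: let the page run
        }
        ctx.ApplicationInstance.CompleteRequest(); // skip the page handler
    }
}
```

Setting `cacheRolesInCookie="true"` on the `<roleManager>` element keeps the role lookup from hitting the database on every request.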
