Authorizing loaded modules

  • Question

  • User-2088238045 posted

     I have expanded on the help from http://forums.asp.net/t/1136679.aspx and now want to continue with this a bit further to include authorization.

     Using the following as an example:

    public bool LoadSection(string segment)
    {
        bool sectionLoaded = false;
        _objMenuGroup = new MenuGroup(segment);
        if (_objMenuGroup == null || _objMenuGroup.MenuGroupID <= 0)
        {
            // No menu group matches this segment: hand off to error handling.
            _objMenuItem = ProcessError();
        }
        else
        {
            sectionLoaded = true;
            // Make the loaded section available to later modules and the page.
            _Context.SetItem("Section", _objMenuGroup);
        }
        // return sectionLoaded;
        return true; // debug only
    }

    OK, so I load a section, then progress onto loading a blog and menu. I want to have authorization at every module. So when I load up the Section, check for the roles associated with it.
    I am assuming that the process would be as follows:
    Load the section.
    Check for roles.
    If roles are required, check for a logged-in user.
    If found, check for credentials. If OK, continue; if not, redirect to an error page saying they don't have access.
    If not logged in, redirect to the login page.

    Now, the question is, at the moment, the urlrewrite processor is in OnBeginRequest. Would I have to move this to OnAuthorizeRequest? Second question is when I'm loading the user from the FormsAuthenticationTicket, should I load their role and task information into the ticket.UserData, or should I load everything into the Context.Items?
    If I store it in the Context.Items, I would have to load the member user object on each request, is that right? I want to minimise the overhead as much as possible.

    Thanks in advance,
    Mick

    Monday, July 30, 2007 9:07 PM

All replies

  • User-2088238045 posted

    This is what I have got so far, and need some opinions if I'm on the right track...

    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = _telstraContext.GetHttpCookie(cookieName);
    if (authCookie == null)
        return; // no forms-auth cookie: treated as not logged in

    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
    MembershipUser objMember = Membership.GetUser(ticket.Name, true);
    string[] MemberRoles = Roles.GetRolesForUser(objMember.UserName);
    _HasAccess = CheckRoles(MemberRoles);
    _CurrentUser = objMember;
    _CurrentTasks =
        new TasksCollection(Tasks.GetByUserId((Guid)objMember.ProviderUserKey));

    // put in Context.Items for use outside the page scope
    // (e.g. in httpModules after page level processing is done)
    _Context.SetItem("CurrentUser", _CurrentUser);
    _Context.SetItem("CurrentTasks", _CurrentTasks);
    if (!_HasAccess)
        FormsAuthentication.RedirectToLoginPage("InvalidRole=true");

    Usually you check if a user is logged in by User.Identity.IsAuthenticated. I'm assuming that with the above, if I check for an authticket and it finds one, then the user is logged in to some capacity. So if authCookie == null, then I should say that the user is NOT logged in, and redirect to the login page.

    Mick

    Wednesday, August 1, 2007 7:14 PM
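The flow sketched in the first post (load section, check roles, check login, check credentials, redirect) and the cookie-based check in the reply above, written as an added example that is not the poster's code: an IHttpModule that runs the check in AuthorizeRequest, where FormsAuthenticationModule has already populated context.User, so the cookie does not need to be decrypted by hand. It sends a user who is not logged in to the login page but answers a logged-in user who lacks the role with 403, and loads roles once per request into Context.Items. The SectionRoles table and the first-segment parsing are constructed stand-ins for the poster's MenuGroup lookup; it assumes forms authentication and roleManager are enabled in web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

// Authorizes the requested section in AuthorizeRequest, after
// FormsAuthenticationModule has set context.User in AuthenticateRequest.
public class SectionAuthorizationModule : IHttpModule
{
    // Constructed sample (stand-in for the poster's MenuGroup lookup):
    // first URL segment -> roles allowed to load it. Empty array = public.
    private static readonly Dictionary<string, string[]> SectionRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "blog",  new[] { "Member", "Editor" } },
            { "admin", new[] { "Editor" } },
            { "home",  new string[0] }
        };

    // Not BeginRequest: the user principal is not available that early.
    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string segment = ctx.Request.Path.Trim('/').Split('/')[0];
        string[] required;
        if (!SectionRoles.TryGetValue(segment, out required) || required.Length == 0)
            return;  // unknown or public section: nothing to enforce here

        // Not logged in: send to the login page.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            app.CompleteRequest();
            return;
        }

        // Roles loaded once per request into Context.Items (request-scoped,
        // unlike ticket.UserData, which rides in the cookie and can go stale).
        string[] userRoles = Roles.GetRolesForUser(ctx.User.Identity.Name);
        ctx.Items["CurrentRoles"] = userRoles;
        ctx.Items["Section"] = segment;

        // Logged in but holding none of the required roles: 403, not the login page.
        if (Array.FindIndex(userRoles, r => Array.IndexOf(required, r) >= 0) < 0)
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.Write("You do not have access to this section.");
            app.CompleteRequest();
        }
    }
}
```

Register the module in web.config under httpModules; since ASP.NET stores the forms cookie values it needs in the ticket and caches roles per request in RolePrincipal, nothing user-specific needs to be kept in ticket.UserData for this check.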