Web.config location or multiple using roles etc.

Question
-
User1142872905 posted
Hello,
I want to secure my simple intranet application (now only Windows authentication).
Every user of our domain can see the complete content. For the future we have to make different access rights.
We have 3 companies; for each company we have a separate subdirectory with sensitive content:
comp1
comp2
comp3
Since I know the Windows username, I can look up in a SQL table which companies he is allowed to view (e.g. comp2 and comp3).
How can I protect the directories the user is not allowed to view? Please help!
Should I work with multiple web.configs? Or location tags in the root web.config? Working with roles etc.?
I have no idea how to find a practicable solution ...
Thursday, January 3, 2019 10:32 AM
All replies
-
User-943250815 posted
You can use one web.config per directory or subdirectory, or location in the main web.config; personally I prefer one web.config per directory.
Roles will give you more control for groups of users. If you want to use location, the path is relative to the virtual directory, so set it like "~/comp1".
Take a look at these links, they can help you:
https://support.microsoft.com/en-us/help/323176/how-to-implement-windows-authentication-and-authorization-in-asp-net
https://weblogs.asp.net/scottgu/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application
https://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages
Thursday, January 3, 2019 1:12 PM -
User1142872905 posted
Thanks jzero.
Now I have 3 web.configs.
The main web.config:
<roleManager enabled="true" />
<authentication mode="Windows" />
<authorization>
  <allow users="*"/>
</authorization>
subdirectory comp1
<authorization>
  <deny users="" />
  <allow roles ="comp1"/>
</authorization>
subdirectory comp2
<authorization>
  <deny users="" />
  <allow roles ="comp2"/>
</authorization>
But how can I programmatically assign the role comp1 to the user (user.identity.name)?
I want to read from a database table which companies' content the user is allowed to view and then assign these roles.
Thanks in advance
Paul
Friday, January 11, 2019 8:15 AM -
User-943250815 posted
Check these articles, you will see there are different ways to do it
https://support.microsoft.com/hr-ba/help/323176/how-to-implement-windows-authentication-and-authorization-in-asp-net
https://weblogs.asp.net/scottgu/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application
https://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASPNET-20-using-Windows-Authentication-and-SQL-Server
Friday, January 11, 2019 12:42 PM -
User1142872905 posted
Thanks, these articles are really interesting, but they don't really help me....
I am running Windows authentication, so I know the user, e.g. "domain1\user1".
Then I want to programmatically set the role "comany1" for user "user1".
Depending on the web.config files, the user should have the custom permissions...
Any idea?
Wednesday, January 16, 2019 3:58 PM -
User-943250815 posted
Considering Windows Authentication, what about making all the groups you need in AD and using those groups as roles?
I do not have a way to test, but here are 2 fragments (quoted below) from
https://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASPNET-20-using-Windows-Authentication-and-SQL-Server
In article:
ASP.NET supports multiple places where user to role mappings can be stored and defined. When Windows Authentication is enabled, ASP.NET will by default use the Active Directory user/group mappings to support role access permission checks. This is useful when the permission checks you want to perform are global to your company environment.
In comments:
If you configure the role manager to use the ActiveDirectoryRoleProvider, then you can definitely grant/deny users based on the roles/groups within your active directory.
Just use the syntax "DOMAIN\Group" in order to grant/deny people.
The best I can suggest right now is to search the web for ActiveDirectoryRoleProvider to learn a little more about it.
Thursday, January 17, 2019 10:45 PM
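
An added example, not posted by anyone in this thread: one way to map the Windows user name to company roles stored in a SQL table is a custom read-only RoleProvider, which the role manager then consults for the `roles` attributes in each web.config. The table `UserCompany(UserName, Company)`, the connection string name `IntranetDb` and the class name `SqlCompanyRoleProvider` are assumptions made for illustration.

```csharp
// Added example (hypothetical names): table UserCompany(UserName, Company),
// connection string "IntranetDb". Register in the root web.config:
//   <roleManager enabled="true" defaultProvider="SqlCompanyRoles">
//     <providers><add name="SqlCompanyRoles" type="SqlCompanyRoleProvider" /></providers>
//   </roleManager>
// In each subdirectory list the allow rule first, since the first matching rule wins:
//   <authorization><allow roles="comp1" /><deny users="*" /></authorization>
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;

public class SqlCompanyRoleProvider : RoleProvider
{
    public override string ApplicationName { get; set; }

    // Called by the role manager with User.Identity.Name, e.g. "domain1\user1".
    public override string[] GetRolesForUser(string username)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["IntranetDb"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT Company FROM UserCompany WHERE UserName = @u", con))
        {
            cmd.Parameters.AddWithValue("@u", username); // parameterized, never concatenated
            con.Open();
            using (var rd = cmd.ExecuteReader())
                while (rd.Read()) roles.Add(rd.GetString(0));
        }
        return roles.ToArray(); // no rows means the user holds no company role
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.Exists(GetRolesForUser(username),
            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    // Read-only provider: role data is maintained directly in the SQL table.
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

The `UserName` column is assumed to hold the full `DOMAIN\user` form, because that is the value the provider receives under Windows authentication.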