Security in ASP.Net 2.0

Status
Not open for further replies.

eggy168

Programmer
Mar 6, 2002
220
US
Hi,

I am new to ASP.NET. I have read many articles about creating users and roles using the ASP.NET tool, and I have already created several users and roles. Then I followed all the steps to create the Login page, the Create Login page, and the Recovery Password page successfully. So I continued building several more web pages. I found that those new pages don't require a login and anyone can access them. Do I need to do anything to prevent others from viewing those pages? I found that I can create a role in the tool and deny everyone besides users access to the whole solution. Is that the right way to do it, since it has worked without problems after I changed it?

Second, I just want to know: is there any way I can use my own set of UserId/Password in the SQL Server 2005 database(s) instead of creating a new set of UserId/Password in the ASP.NET tool? In fact, I need to create several other solutions in ASP.NET; is there any way I can point to the same setup in multiple solutions? Are there any guidelines/steps to show me how to do it, if it is possible?

Thank You
 
Not sure if this is what you are looking for...I copied most of the below from an excerpt from "The Beer House" which is an ASP.NET 2.0 project associated with a book.

Anyway, in order to keep users from accessing pages they shouldn't...in the Page_Load of each page that you need to control access to, you would put something along these lines:

Code:
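// Goes inside Page_Load of the page's code-behind class.
// SecurityException requires "using System.Security;" at the top of the file.
if (this.User.Identity.IsAuthenticated && this.User.IsInRole("YourRoleName")) {
  // any actions you take upon user having access
}
else {
  throw new SecurityException("You are not allowed to access this page");
  // or just redirect users somewhere else
}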

That will boot the user off the page if they are not part of the correct role.

The roles system allows you to give one set of users access to such and such pages, and other users access to other pages by giving them different roles...so I'm not sure why you would need the user system duplicated for other uses...at least not on the same site...or are you asking if there is a way to make setup easier...??? If the question is the latter, I simply don't know because I'm in the process of trying to learn how to use this system myself...

Kevin
 
Do I need to do anything to prevent others to view those pages?

Yes, you need to tweak the authorization element, which you can either place in a web.config file placed within a subfolder, or configure via a "location" element in the primary web.config file.


In fact, I need to create several other Solutions in ASP.Net, is there any way I can point the same set up in multiple solutions?

Yes. No problem. You can even use the ASP.NET tool to add users that show up in multiple applications (just configure your provider to use the same application name).

Know, however, that the WSAT is not a standalone solution, it is a simple application based on the ASP.NET security providers which you can customize at will.

See here:
and here:

You can also write your own provider (which would work with all the security controls and the WSAT tool):

...but I wouldn't recommend that in your case because simply configuring the built-in provider will probably meet your needs.

If you do decide to write your own, be sure to read up on password hashing and all of the security issues involved in "storing" passwords.



MCP, MCTS - .NET Framework 2.0 Web Applications
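
Sharing one set of users between several applications, as the reply above describes, comes down to giving each application's membership and role providers the same connection string and the same applicationName. This is an added example, not taken from the original posts; the connection string, the provider names and the /SharedApp application name are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: put the same block in the web.config of every application
     that should see the same users and roles. All names are hypothetical. -->
<configuration>
  <connectionStrings>
    <!-- Constructed connection string pointing at the shared membership database. -->
    <add name="SharedMembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SharedSqlMembership">
      <providers>
        <!-- Drop the inherited default provider so only the shared one is used. -->
        <clear />
        <!-- applicationName is the key: users are stored per application name,
             so an identical value makes the same accounts visible everywhere.
             passwordFormat="Hashed" keeps stored passwords one-way hashed. -->
        <add name="SharedSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SharedMembershipDb"
             applicationName="/SharedApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SharedSqlRoles">
      <providers>
        <clear />
        <!-- Roles are scoped by application name as well; keep it in step
             with the membership provider above. -->
        <add name="SharedSqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SharedMembershipDb"
             applicationName="/SharedApp" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```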
 
Thank you for the replies.

Calamus, is your code in C#? Also, I pasted the exact code in Page_Load of each web page and tweaked it a bit:

if( this.User.Identity.IsAuthenticated && this.User.IsInRole("PowerUsers") ) {

// any actions you take upon user having access
}
else {
throw new SecurityException("You are not allowed to access this page");
// or just redirect users somewhere else
}

However, I get the errors "Name 'this' is not declared." and "'SecurityException' is not defined." I am wondering, should I define those somewhere before I can use them?

BoulderBum, thanks for the links. I am reading them now.

Anyhow, thanks for the help. Hopefully I can figure it out soon so that I can continue on the journey.



 
Hey eggy,

Yes, that code is in C#...if you're using C#, then "this" should always be defined even if it doesn't give you access to this.User...because everything is within classes in .NET...However, I know next to nothing about VB, though, so if it's VB, I don't know what you'd put there instead of "this".

As I said, I'm in the process of learning this as well, so I posted it without knowing everything about it, thinking it might help since you already know something about the .NET user system. Hopefully I didn't simply make it more confusing...?

Anyway, I don't know why "this" would be undefined if it's C#...maybe "this" doesn't work if you're putting Page_Load in your aspx page instead of externally in aspx.cs page (make sense?). I always keep my coding separate from my HTML and .NET controls on the .aspx page.

Also, you may need any one of these includes (again, in C#) for the SecurityException to work (I don't think that "The Beer House" had any custom exceptions, so it's probably included in one of the below Security includes):

Code:
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Security; //??
using System.Web;
using System.Web.Security; //??
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

However, definitely defer to those who know this system better than me. BoulderBum sounds like he knows this system WAY better than I do.

Kevin
 
Hi Kevin,

I switched to C# and it works after I added the reference. I guess C# is the language to use in ASP.NET, since everyone gives me examples in C#. Anyhow, I found other articles that mention adding the following code in the Web.config:

<authorization>
<allow users="?"/>
<!-- or: Allow or deny specific users.
<allow users="[comma separated list of users]" roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]" roles="[comma separated list of roles]"/>-->
</authorization>

I think there is more than one way to do this, I guess... I am still on the login page, so I really can't tell whether I am correct or not.

You may want to try it to avoid adding the code in every web page?

Thanks again.
 
Anyhow, I found other articles mention adding the following code in the Web.Config

You mean the first article I linked to in my last post? [wink]

As a rule of thumb, if you want to secure access to an entire site, use Windows security in IIS, if you want to secure specific directories or pages use web.config authorization elements, if you want to secure an entire class or method use PrincipalPermissionAttribute, and if you want to secure a specific block of code use IPrincipal.IsInRole().

MCP, MCTS - .NET Framework 2.0 Web Applications
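
The web.config authorization elements discussed in this thread, as an added example that is not from the original posts: a site-wide rule that requires login, exceptions for pages that must work before login, and a role-restricted folder. The page names and the Admin folder are assumptions; PowerUsers is the role name used earlier in the thread.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config. Page and folder names are hypothetical. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The loginUrl page itself is always reachable by anonymous users. -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Site-wide default. "?" means anonymous users, "*" means all users.
         Rules are read top-down and the first match wins. A block holding
         only allow rules restricts nothing, because the inherited default
         is already <allow users="*"/>; protection needs a deny rule. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exceptions: pages a visitor needs before having a session. -->
  <location path="CreateUser.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="RecoverPassword.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-restricted folder: the allow must come before the deny-all,
       otherwise the deny matches first and locks everyone out. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="PowerUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules apply to requests that ASP.NET handles, so new .aspx pages are covered as soon as they are added; a role check in Page_Load is then only needed for finer-grained decisions inside a page.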
 
Yeah, the link in your last post. It contained so many articles.
Thanks BoulderBum & Calamus.
 