
I currently have a Web Application which is using its own "Permissions" table, which contains the following columns:

  • UserName - Windows UserName (Context.User.Identity.Name)
  • DivisionID - Links to a Division Table
  • RoleID - Comes from a custom Roles Table
  • RegionID - Recently added field to divide my Application into Countries (Canada, USA, International)

When the User logs into the site, they choose which Region they want to enter, and I need to give them access to those Regions based on whether they have any permissions set for that specific RegionID. Upon selecting a Region, the RegionID is stored in Session and will be used for this permission check and for defining how data is populated on the pages. (I haven't implemented the Session variable into all of the pages just yet, so that can be changed if need be.)

My initial thought would be to run my Permission Check on each page sending them to one of three destinations:

  • Invalid Permission Page (false)
  • Region Select Page - No Region selected in Session (RegionID = 0)
  • The page they requested - If has a permission set for that Region

I've also looked into using the Application_AuthenticateRequest method within the Global.asax but I cannot use Session within this area and it seems to be hitting the Application_AuthenticateRequest much more than it should be.

With my current App, what would be the best way to authenticate each user with their corresponding Regions, based on their Permissions?

Lando

2 Answers


Normally I wouldn't recommend this method, but as it seems that you have already developed your application, you could relatively easily implement the following without too much upheaval:

Create a base class for your pages, and then inherit all the pages in your application from the base class. You would of course implement the "authorization" within the base class.

The one rather nasty problem with this is that if you forget to derive your page from the base class, then your page has no security on it... but you could just as easily forget to implement your "Permission check".

Something like:

using System;
using System.Web.UI;

// Every page in the application derives from this class instead of Page,
// so the check runs before any individual page's own Load handler.
public class AuthorizedPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
       // ... authorization logic here (redirect and end the response on failure) ...

       // Be sure to call the base class's OnLoad method!
       base.OnLoad(e);
    }
}

You could check out this: ASP.net "BasePage" class ideas, and this: https://web.archive.org/web/20211020133935/https://www.4guysfromrolla.com/articles/041305-1.aspx

Or, another idea, if you have used Master Pages you could also just do this stuff in the master page....

Ian G
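Fleshing out the base-page idea above, here is an added example (it is not code from the answer or from the question's application) that does the three-way routing the question describes: no region in Session sends the user to the region picker, a region with no matching Permissions row sends them to the invalid-permission page, and only a user with at least one permission row for the chosen region reaches the requested page. Assumptions, which the page does not state: a connection string named "AppDb" in web.config, a Session key of "RegionID" holding a boxed int, and the page paths ~/RegionSelect.aspx and ~/InvalidPermission.aspx.

```csharp
// Added example, not the original poster's code. Assumed names: the "AppDb"
// connection string, the "RegionID" Session key, and the two redirect targets.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public class AuthorizedPage : Page
{
    // Session key under which the region picker stores the chosen RegionID (assumed).
    public const string RegionSessionKey = "RegionID";

    // Pages that must work without a region (the picker itself, the error page)
    // override this to return false; everything else requires one.
    protected virtual bool RequiresRegion { get { return true; } }

    // Exposed so derived pages scope their data queries to the active region
    // instead of re-reading Session themselves.
    protected int CurrentRegionId { get; private set; }

    protected override void OnLoad(EventArgs e)
    {
        // Session is available here (AcquireRequestState has already run),
        // which is not the case in Application_AuthenticateRequest.
        if (RequiresRegion)
        {
            CurrentRegionId = ReadRegionFromSession(Session);
            if (CurrentRegionId == 0)
            {
                // No region chosen yet: go to the picker, remembering the target.
                // endResponse=true stops the pipeline so this page never renders.
                Response.Redirect("~/RegionSelect.aspx?ReturnUrl=" +
                                  HttpUtility.UrlEncode(Request.RawUrl), true);
                return;
            }

            string userName = (Context.User != null && Context.User.Identity.IsAuthenticated)
                ? Context.User.Identity.Name   // Windows user name, as stored in Permissions.UserName
                : null;

            if (userName == null || !HasPermissionForRegion(userName, CurrentRegionId))
            {
                // Fail closed: no identity or no permission row both land here.
                Response.Redirect("~/InvalidPermission.aspx", true);
                return;
            }
        }

        // Only the allowed path reaches the base implementation, which raises
        // the Load event that Page_Load handlers are wired to.
        base.OnLoad(e);
    }

    // Session stores the value as a boxed int; anything else counts as "no region".
    internal static int ReadRegionFromSession(HttpSessionState session)
    {
        if (session == null) return 0;
        object value = session[RegionSessionKey];
        return value is int ? (int)value : 0;
    }

    // Parameterised lookup against the question's Permissions table: the user
    // may enter the region if at least one permission row exists for it.
    private static bool HasPermissionForRegion(string userName, int regionId)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        const string sql =
            "SELECT COUNT(*) FROM Permissions WHERE UserName = @UserName AND RegionID = @RegionID";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@UserName", userName);
            cmd.Parameters.AddWithValue("@RegionID", regionId);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}

// Usage: an ordinary page only changes its base class. CurrentRegionId is
// already set when Page_Load runs, because OnLoad above runs first.
public partial class Reports : AuthorizedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Query data for CurrentRegionId here.
    }
}

// The region picker must not demand a region, or it would redirect to itself.
public partial class RegionSelect : AuthorizedPage
{
    protected override bool RequiresRegion { get { return false; } }
}
```

Two points worth checking in a real deployment: the ReturnUrl must be validated as a local path before the picker redirects back to it (Request.RawUrl is local here, but the picker should not trust an arbitrary query string), and the "forgot to derive from the base class" weakness the answer mentions can be caught by a build-time or startup scan for Page subclasses that are not AuthorizedPage subclasses.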

I've really only worked with forms authentication, but I'm assuming you'll be using windows authentication for membership and some form of custom roles authentication. I've never done it, but one would think it should work.

http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.getrolesforuser

You could create a custom provider that would take into account the Session value for Region in order to return the correct roles. I know for a web application, the default provider stores the roles as an encrypted cookie on the client. I'm thinking you can do something similar.

ek_ny
  • I never liked the ASP.Net auth system because a single exploit found can screw you as well as countless others simultaneously. Additionally it is bloated and smells like shit. I have always written my own login / auth systems which do allow permissions, users, groups and the clients to house them as well as event logging and page templates all without using any of the Microsoft Code. And my solution is wayyy under 1 MB and utilizes LINQ and a token system and prevents multiple simultaneous logins on a user account. It has login attempts which can be set per client and much more. – Jay May 16 '12 at 21:13
  • I hear you; in that case you just have to pick a method in the pipeline where session is available, assuming you're storing region in session. Does this help at all? http://stackoverflow.com/questions/5977285/set-session-variable-in-application-beginrequest – ek_ny May 17 '12 at 15:20
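As an added example of the custom-provider idea in the second answer (this is not ek_ny's code, nor the question's), here is a read-only RoleProvider whose GetRolesForUser returns only the roles the user holds for the region currently in Session. It also carries the caveat the comment thread circles around: RoleManagerModule builds the principal in PostAuthenticateRequest, before AcquireRequestState, so when GetRolesForUser is triggered at that stage (for example by <authorization> rules in web.config) Session is null and the provider returns no roles rather than region-less access. Assumed names not on the page: a Roles.RoleName column, an "AppDb" connection string, and the "RegionID" Session key.

```csharp
// Added example, not from the answer. Assumed: Roles.RoleName column, "AppDb"
// connection string, "RegionID" Session key. Register in web.config with
//   <roleManager enabled="true" defaultProvider="RegionRoleProvider" cacheRolesInCookie="false">
//     <providers><add name="RegionRoleProvider" type="RegionRoleProvider" /></providers>
//   </roleManager>
// cacheRolesInCookie must stay off, or the roles resolved for the first region
// would be reused after the user switches region.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public class RegionRoleProvider : RoleProvider
{
    public const string RegionSessionKey = "RegionID";

    public override string ApplicationName { get; set; }

    // Session is null when this runs before AcquireRequestState; treat that,
    // and any non-int value, as "no region selected".
    private static int CurrentRegionId()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null) return 0;
        object value = ctx.Session[RegionSessionKey];
        return value is int ? (int)value : 0;
    }

    // Roles are scoped to (UserName, RegionID); no region means no roles (fail closed).
    public override string[] GetRolesForUser(string username)
    {
        int regionId = CurrentRegionId();
        if (regionId == 0 || string.IsNullOrEmpty(username)) return new string[0];

        const string sql =
            "SELECT r.RoleName FROM Permissions p " +
            "JOIN Roles r ON r.RoleID = p.RoleID " +
            "WHERE p.UserName = @UserName AND p.RegionID = @RegionID";
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@UserName", username);
            cmd.Parameters.AddWithValue("@RegionID", regionId);
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read()) roles.Add(rdr.GetString(0));
            }
        }
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
    }

    // Membership is maintained through the Permissions table, not the provider
    // API, so the management members are deliberately unsupported.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
}
```

With this in place, page code can call User.IsInRole("Editor") and get a region-aware answer, but only from a stage where Session exists (page events, or a handler registered for PostAcquireRequestState as the linked question discusses); the same check written as a web.config <allow roles="..."> rule evaluates before Session is attached and so denies everyone.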