0

I would like to manage access control of my users, and allow each role different pages within the website. Each user might also have different rows.

I would like to know what is the best way to handle this access control. However, I have these limitations. The roles are created on an Oracle database which I am using and I am not to use the ASPNETDB in the APP_DATA to manage the roles.

My initial idea was to verify the access of the user and create a session to state whether he is an admin, a user, or both. However, I still needed to figure out a way to hide/show menu items accordingly. I did not proceed with this idea because I believe ASP.NET 4.0 would have something ready-built for this use.

Update: I am using Web Forms

Update #2: I am not using a login form. I am retrieving the Windows username of the person logged in and comparing it with the access of that username in the database. The authentication mechanism is manual; I just need to find out how to distinguish between roles and how to show different menus.

Ryan S

5 Answers

0

You can try with an override of IPrincipal and IIdentity, and use this method:

IsInRole("TestRole")

Aghilas Yakoub
0

You could implement your own custom Membership and Role providers. It's actually not that difficult.

Use Google to search for "implement custom membership provider" and you will find many articles explaining how to do it. One that I found quite good:

How do I create a custom membership provider for ASP.NET MVC 2?

After you have implemented the providers and registered them in web.config, you can use the regular methods for access control (authorization in web.config, IsInRole in .cs code, etc.).

user1429080
0

Have you thought of using the Oracle Provider for membership & roles?

Check out:

http://docs.oracle.com/html/E10928_01/IntroInstallation.htm

http://www.oracle.com/technetwork/topics/dotnet/index-087367.html

Learning
0

Have a look at how Forms authentication works in ASP.NET; this is independent of the technology you're using (Web Forms or MVC) and of the data source you use for the users (it can be SQL, XML or whatever). As an example, once your user gets authenticated against your data source (e.g. the username & password exist in the user table), you assign the IPrincipal User object the Role you want and flag it as authenticated. These values then get stored in a cookie, which shows how the authentication mechanism is independent of the app data sources. For more info:

http://www.eggheadcafe.com/tutorials/asp-net/009e2e5e-5a44-4050-8233-59a0d69844e8/basics-forms-authentication-in-aspnet-20.aspx

http://msdn.microsoft.com/en-us/library/aa480476.aspx

MembershipProvider in .NET for CAS Shibboleth

Giorgio Minardi
0

Do not use session to store this kind of information, because session and authentication are not in sync. You can use the built-in ASP.NET Membership provider, or you can write custom code to create the authentication cookie. Here is an example with the authentication cookie. UserModel contains additional information (roles, user name) and will be stored together with the authentication ticket in a safe encrypted form.

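// Requires: using System; using System.Web; using System.Web.Security; using Newtonsoft.Json;
private void CreateAuthentificationTicet(UserModel user)
{
    // Roles and user name travel inside the ticket's UserData field.
    var serializedUser = JsonConvert.SerializeObject(user);
    var ticket = new FormsAuthenticationTicket(
        1,                           // version
        user.Email,                  // user name
        DateTime.Now,                // create time
        DateTime.Now.AddMinutes(30), // expire time
        false,                       // persistent
        serializedUser);             // user data

    var strEncryptedTicket = FormsAuthentication.Encrypt(ticket);
    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, strEncryptedTicket)
    {
        HttpOnly = true,                        // keep the ticket out of reach of page script
        Secure = FormsAuthentication.RequireSSL // follow the requireSSL setting in web.config
    };
    Response.Cookies.Add(cookie);
}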
vrajs5
Marian Ban
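
The read side of the ticket approach in the last answer, as an added example that is not part of any answer on this page: the ticket is decrypted on each request, its roles become the request's principal so that IsInRole works, and the role is checked on the protected page as well as used to hide the menu. The Roles property on UserModel, the AdminMenu control, the "admin" role name and the class names are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using Newtonsoft.Json;

// Assumed shape: the answer only shows user.Email; Roles is a hypothetical property.
public class UserModel { public string Email { get; set; } public string[] Roles { get; set; } }

public class Global : HttpApplication
{
    // Runs on every request, before page code: rebuild the user from the ticket.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;                                   // no ticket: request stays anonymous
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return;
            UserModel user = JsonConvert.DeserializeObject<UserModel>(ticket.UserData);
            string[] roles = (user != null && user.Roles != null) ? user.Roles : new string[0];
            Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
        }
        catch (Exception)
        {
            // Malformed or tampered cookie: fail closed, request stays anonymous.
        }
    }
}

public class SiteMaster : System.Web.UI.MasterPage
{
    protected System.Web.UI.Control AdminMenu;        // hypothetical control declared in the markup
    protected void Page_Load(object sender, EventArgs e)
    {
        AdminMenu.Visible = Context.User.IsInRole("admin");   // cosmetic: hides the link only
    }
}

public class AdminPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("admin")) throw new HttpException(403, "Forbidden"); // the real check
    }
}
```

Roles carried in the ticket stay fixed until it expires (30 minutes in the answer's code), so a role revoked in the database keeps working until then.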