asp.net How do I reference authorized users hard coded in web.config in my code

Question

I am building a website on an intranet and one of the directories can only be accessed by hard coded authorized users. They are defined in web.config. It looks similar to this.

<location path="admin">
    <system.web>
        <authorization>
            <allow users="user1"/>
            <allow users="user2"/>
            <allow users="user3"/>
            <allow users="user4"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

What I want then is to create a link to this directory which only appears to those users... At the moment, to build the link I'm rechecking there windows usernames and hard coding them in again like this...

<% 
    if (HttpContext.Current.User.Identity.Name == "user1" ||         
        HttpContext.Current.User.Identity.Name == "user2" ||
        HttpContext.Current.User.Identity.Name == "user3" ||
        HttpContext.Current.User.Identity.Name == "user4")
    {
        Response.Write("<a href='admin/Default.aspx'>Admin Site</a>");
    }   
%>

But what I want to do is reference my list from the webiconfig file and say something like

if (HttpContext.Current.User.Identity.Name == // a user from the web.config list

Is this possible and if so can you help me... Thanks

You're hard-coding the authorization rules, but how do the user authenticate? — Amiram Korach, Aug 16 '12 at 15:39
its windows authentication... the windows username and domain — kev670, Aug 16 '12 at 16:00
OK. Do you have any server that can tell you what are the roles of a user? — Amiram Korach, Aug 16 '12 at 16:02
no. I was hoping for a built in library... similar to how a connectionString is called from codeBehind. Just something simple — kev670, Aug 16 '12 at 16:03
You need a role provider. You can store the users roles in an xml file and use your custom role provider. I did it once with AD, it's not so hard. http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx — Amiram Korach, Aug 16 '12 at 16:05
BTW, if you don't have a server with roles, how do you authenticate the users? Do they have local computer accounts? this way they can make an account as they like. You must have an LDAP server. — Amiram Korach, Aug 16 '12 at 16:07

score 3 · Accepted Answer · answered Aug 16 '12 at 16:29

3

You can get the authorization rules from web.config like this:

            AuthorizationSection configSection =
      (AuthorizationSection)ConfigurationManager.GetSection("system.web/authorization");

        var users = new List<string>();

        var rules = configSection.Rules;

        foreach (AuthorizationRule rule in rules)
        {
            if (rule.Action == AuthorizationRuleAction.Allow)
            {
                foreach (string user in rule.Users)
                {
                    if (!users.Contains(user)) users.Add(user);
                }
            }
        }

But you must also pay atention to the precedence of the rules.

answered Aug 16 '12 at 16:29

Escobar5

3,941
8
39
62

thanks for the answer but what do you mean the precedence of the rules... what am I not paying attention too? – kev670 Aug 16 '12 at 16:36
for example if you have a deny rule for user1 and then an allow rule for user1, the first one have precedence over the next one, so the request is denied. – Escobar5 Aug 16 '12 at 16:40

asp.net How do I reference authorized users hard coded in web.config in my code

1 Answers1

Linked