9

I'm working on a project that will use Windows role providers and I want to limit functionality to certain AD groups.

With MVC, I could use an AuthorizeAttribute above my action methods and redirect accordingly. Is there something similar I can do for a standard web forms application (.NET 3.5) that doesn't use MVC?

Blair Jones

3 Answers

4

You can set this up in web.config with the authorization element.

<configuration>
  <system.web>
    <authorization>
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Basically, domain groups are translated into roles when using <authentication mode="Windows" />. You can read more about it on MSDN.

Klaus Byskov Pedersen
3

I know this is an old post but thought I'd share my experience as I just went through this. I did not want to use web.config. I was looking for a way to create an attribute for webforms similar to MVC's implementation. I found a post by Deran Schilling that I used as a basis for the attribute portion.

I created a custom IPrincipal

interface IMyPrincipal : IPrincipal
{
    string MyId { get; }
    string OrgCode { get; }
    string Email { get; }
}

and Principal

public class MyPrincipal : IMyPrincipal
{
    IIdentity identity;
    private List<string> roles;
    private string email;
    private string myId;
    private string orgCode;

    public MyPrincipal(IIdentity identity, List<string> roles, string myId, string orgCode, string email)
    {
        this.identity = identity;
        this.roles = roles;
        this.myId = myId;
        this.orgCode = orgCode;
        this.email = email;
    }

    public IIdentity Identity
    { 
        get { return identity; }
    }

    public bool IsInRole(string role)
    {
        return roles.Contains(role);
    }

    public string Email
    {
        get { return email; }
    }
    public string MyId
    {
        get { return myId; }
    }
    public string OrgCode
    {
        get { return orgCode; }
    }
}

and created an Attribute for usage on the Page

[AttributeUsage(AttributeTargets.Class, AllowMultiple = false)]
public class AdminAuthorizationAttribute : Attribute
{
    public AdminAuthorizationAttribute()
    {
        var user = (MyPrincipal)HttpContext.Current.User;

        if (user.IsInRole("MyAdmin"))
            return;

        throw new AccessDeniedException();
    }
}

and created some custom Exceptions

public class AccessDeniedException : BaseHttpException
{
    public AccessDeniedException() : base((int)HttpStatusCode.Unauthorized, "User not authorized.") { }
}

public class BaseHttpException : HttpException
{
    public BaseHttpException(int httpCode, string message) : base(httpCode, message) { }
}

and now I can apply the attribute for usage on a given page

[AdminAuthorization]
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }
}
m4chine
  • 6
    I don't think this is a very good example I'm afraid. There is code in the constructor of the attribute, in .NET you have no control over when the attributes are instantiated. In addition they might be cached. This means that HttpContext that you are relying upon in your code for the user credentials might not be the context that you think it is. This may work on some test cases but has the possibility of failing in ways that you might not expect. – AlexC Nov 22 '13 at 13:31
  • 2
    @AlexC do you have an alternative for this code? (webforms) – Royi Namir Oct 14 '14 at 09:40
  • 2
    This code doesn't work in WebForms, it doesn't throw any HttpExceptions. – Emad Armoun Dec 23 '17 at 09:29
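
The timing problem raised in the comments above can be avoided by keeping the attribute passive (data only) and running the role check once per request in a base page. This is an added example, not code from any of the posters; `RequireRoleAttribute` and `SecuredPage` are hypothetical names, and the 403 status and fail-closed default are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Passive marker: stores the allowed roles and runs no logic in its constructor.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class RequireRoleAttribute : Attribute
{
    private readonly string[] roles;

    public RequireRoleAttribute(params string[] roles)
    {
        this.roles = roles ?? new string[0];
    }

    public string[] Roles { get { return roles; } }
}

// Hypothetical base page: the check runs in OnInit, so it is evaluated on
// every request against that request's own Context.User.
public abstract class SecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // inherit: true so the attribute on the code-behind class is found
        // on the compiled .aspx class that derives from it.
        var attrs = (RequireRoleAttribute[])GetType()
            .GetCustomAttributes(typeof(RequireRoleAttribute), true);

        // Fail closed: a SecuredPage without the attribute is denied.
        if (attrs.Length == 0 || !IsAllowed(Context.User, attrs[0].Roles))
            throw new HttpException(403, "Access denied.");

        base.OnInit(e);
    }

    private static bool IsAllowed(IPrincipal user, string[] roles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (string role in roles)
            if (user.IsInRole(role)) return true;
        return false;
    }
}

[RequireRole(@"domainname\Managers")]
public partial class Default : SecuredPage
{
    protected void Page_Load(object sender, EventArgs e) { }
}
```

With `<authentication mode="Windows" />`, `IsInRole` is evaluated against the user's domain groups, so the role string uses the same `domainname\Group` form as the web.config answer.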
0

A good way to set a generic [Authorize] attribute in a global fashion without specifying a role is to put the following code into the web.config of the project inside the <system.web> tag.

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>

This will allow only authenticated users to access the document and eventually will trigger the redirect to the authentication page. It is the equivalent of a generic [Authorize] in MVC.

antoprd