Custom Role Based Security

[Boris Condarco]

Hi gurus,

I was reading some documentation about security in .NET Framework, it
mention that it is possible to make custom Role Based security for example:
check the authentication with Windows Integrated and once do that, create a
Generic Identity in orde to create a Generic Principal with custom roles for
that user. Finally, replace the current Principal to the new Generic
Principal.

Is it possible to do this in an ASP.NET application?, If yes, Does someone
of you can share a little code?, i would really apreciate it...

Thanks in advance.

Boris.

 

[=?ISO-8859-1?Q?Michel_Andr=E9?=]

Look at
"Designing Application-Managed Authorization"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/damaz.asp


Basically set the HttpContext.Current.User to you own IPrincipal
implementation in Global.asax Application_AuthenticateRequest method.

/Michel

 

[Tommy]

You can definitely perform impersonation in ASP.NET. There are a few
ways to do it. Which approach fits you depends on what level of
security you need.

1. Turn on "Basic authentication" on your virtual directory through
IIS.
Turn on impersonation in your ASP.NET web application through
Web.Config.

2. Use a mix of .NET Framework and Windows API to authenticate the
user's
identity.
Use a mix of .NET Framework and Windows API to check if the user
has
authorization to the resource.

3. Combine "Basic Authentication", a custom ISAPI filter, and Active
Directory
to authenticate and authorize user's access to resources.

Option #1 requires no code in your part, but it is the least security
approach.

Option #2 requires requires coding with the .NET Framework and Windows
API, but is not too bad. The ASP.NET newsgroup will have plenty of
examples code sample.

Option #3 is the most secure approach among all the options. However,
It requires a lot of coding, especially with the ISAPI filter sinces
it needs to be written in C++.

Tommy,