Problem with implementing role-based security.

[mike55]

Hi all

I am trying to use role-base security with forms authentication on a web app. I have a database with a login table that has a username, employeeId, password and role. Role can be either "admin", "superAdmin" or "staff".

In my proj. I have two sub-directories one is Admin and the other is All. I want to allow only the users with the "admin" and "superAdmin" role access to the Admin folder and let users with all three roles access to the All folder.

Here is the web config for the Admin folder:

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny roles="staff"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

Here is the web config for the All folder:

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

Here is the main section from my main web config file:

<system.web>
		<siteMap defaultProvider="default">
			<providers>
				<clear/>
				<add name="default" type="System.Web.XmlSiteMapProvider" siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
			</providers>
		</siteMap>
		<roleManager enabled="true"/>
		<authentication mode="Forms">
			<forms name="MYWEBAPP.ASPXAUTH" loginUrl="index.aspx" protection="All" path="/"/>
		</authentication>
</system.web>

Once I get a reply back from the database indicating that the user is valid and their role (employeeRole), I use the following code to create the authentication ticket:

FormsAuthentication.Initialize()
        Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, _
                        txtUsername.Text, DateTime.Now, _
                            DateTime.Now.AddMinutes(30), True, _
                                employeeRole, _
                                    FormsAuthentication.FormsCookiePath)

        Dim hash As String = FormsAuthentication.Encrypt(ticket)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)

        If ticket.IsPersistent Then
            cookie.Expires = ticket.Expiration
        End If

        Response.Cookies.Add(cookie)

I then redirect the user to the default start page using Response.Redirect("abc.aspx")

As you will notice from the section from my main web config file, I am using a sitemap to provide my menu functionality. I have set the "SecurityTrimmingEnabled" to True.

Finally, here is the entry in my global.asax file:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If (Not HttpContext.Current.User Is Nothing) Then
            If (HttpContext.Current.User.Identity.IsAuthenticated = True) Then
                If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
                    Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                    Dim ticket As FormsAuthenticationTicket = id.Ticket
                
                    Dim userData As String = ticket.UserData
                    Dim roles() As String = userData.Split(",")
                    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If
    End Sub

My problem is that the role based security doesnt seem to work, in that a user with the "staff" role seems to be able to log into the admin pages. And that the site map is not working correctly i.e. displaying the correct options based on the users role.

Any suggestions?

Mike55

 

[PlausiblyDamp]

Not had time to properly look at your code (or check if it will work with the .Net 2 security mechanisms) - however have you considered creating your own membership / role providers. This route definitely integrates with the control / security architecture provided in .Net 2

 

[mike55]

Hi PlausiblyDamp

Many thanks for the reply. Solved the problem, in my main web.config file I had said:

"<roleManager enabled="true" cacheRolesInCookie="true"/>"

Once I removed this line and changed to web.config file in each folder to:

<authorization>
      <allow roles="admin,manager"/>
      <deny users="*"/>
    </authorization>

The code worked correctly.

As you als suggested, I have previously used the control/security architecture supplied by .Net 2.0 but on this occasion I am unable to apply this due to user requirements.

Mike55.