Introduction I don't mean to rant, but if I see another 'username | password' prompt i think i'm going to choke. This post is about doing whatever you can to make this world have one less system that needs a logon prompt... This describes how to secure your Asp.Net application if you're inside an Active Directory environment, and you want to use the integrated sign on, so your users don't have to remember yet another login/password. How to limit access to your application This explains how to limit access to your application to members of a certain role/group. First you need to change your web.config so that it uses windows authentication, and make it only allow members of a specific Active Directory group. Here is the cut down web.config, showing the changes to the system.web section:
<?xml version="1.0"?> 
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> 
  ...etc... 
  <system.web> 
    <authentication mode="Windows" /> 
    <authorization> 
      <allow roles="MYDOMAIN\MyAppUsers" /> 
      <deny users="*" /> 
    </authorization> 
  </system.web> 
</configuration>
Then you want to make a landing page for users who aren't allowed to log in. This is just a plain HTML page, you can call it 'noaccess.htm'. Now you want to make it send disallowed people to this 'noaccess.htm'. Open or create the Global.asax page, and change/add this function:
// This redirects people without access to the noaccess.htm page 
protected void Application_EndRequest(Object sender, EventArgs e) 
{ 
  HttpContext context = HttpContext.Current; 
  if (context.Response.Status.Substring(0, 3).Equals("401")) 
  { 
    context.Response.ClearContent(); 
    context.Response.Write("<scr" + 
      "ipt language=javascript> self.location='noaccess.htm'; </sc" + 
      "ript>"); 
  } 
}
How to figure out who is logged in Quite simple this one - it is stored in this variable, accessible from your aspx.cs code-behind classes (Update - FIXED):
HttpContext.Current.Request.ServerVariables["AUTH_USER"];
Say you've got a literal control on your webform, and you want to show the currently logged on user, you could do this:
literalLoggedOnUser.Text = HttpContext.Current.Request.ServerVariables["AUTH_USER"];
How to give different permissions to different users Say you want to give some people more access than others, you'll want to create another AD group for these users: "MYDOMAIN\MyAppAdmins". Open up your web.config and add the appSettings section like so:
<?xml version="1.0"?> 
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"> 
  <appSettings> 
    <add key="AdminGroup" value="MYDOMAIN\MyAppAdmins"/> 
  </appSettings> 
  ...etc... 
</configuration>
The reason for adding the name of the admin group in the web.config is so that if you have different AD groups for the development vs production environments, it'll be a simple matter of only changing the web.config. The principle adhered to here is that the only difference between development and production should be the web.config file. Then you'll use this piece of code to check if the current user is in that group:
string group = ConfigurationManager.AppSettings["AdminGroup"]; 
if (User.IsInRole(group)) 
{ 
  // this user is an administrator 
} 
else 
{ 
  // this user is a common pleb 
}
Hint: You're most likely to place code like that in the Page_Load function for the admin pages. Notes This is for C# ASP.Net 2. Some things may be different with VB.Net or .Net 1.1 Redirect to noaccess.htm: http://www.codeproject.com/aspnet/Custon401Page.asp

Thanks for reading! And if you want to get in touch, I'd love to hear from you: chris.hulbert at gmail.

Chris Hulbert

(Comp Sci, Hons - UTS)

iOS Developer in Sydney.

I have worked at places such as Google, News Corp, Fox Sports, NineMSN, FetchTV, Woolworths, and Westpac, among others. If you're looking for a good iOS developer, drop me a line!

Get in touch:
chris.hulbert@gmail.com
github.com/chrishulbert
linkedin
my resume



 Subscribe via RSS