
ASP.NET Authorization question

Status
Not open for further replies.

dpdoug

Programmer
Nov 27, 2002
455
US
In my web application I have a collection of pages that are of administrative maintenance in a folder called admin and a collection of pages that are of the nature of making orders, called orders.

I want to use "forms" authentication since I will need to store user names and passwords in a database since there will be lots of registered users with different levels of authorization.

These are some of the entries in my web.Config file:

Code:
<authentication mode="Forms">
    <forms name=".ASPXAUTH"
           timeout="30"
           path="/"
           loginUrl="login.aspx"
           protection="All" />
</authentication>

<authorization>
    <deny users="?" />
</authorization>

I want to deny all users except the ones that have authorization to the admin folder. And all the ones that have authorization to access the admin folder will have access also to the whole site.

How can I authenticate users but yet authorize only certain authenticated users to access pages in the admin folder?
 
Here's some added info to make my question clearer:

I have no problem with validating usernames and passwords.

- What I want to know is basically once a user is successfully logged in, with a valid username and password, how do I keep him from getting into the admin folder?

- And how do I give others who have administrative privileges access to the admin folder plus all the other pages?
 
You can authenticate users and allow them to access certain pages while keeping all other users out:

<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="login.aspx" path="/"
protection="All"
timeout="60">
<credentials passwordFormat="Clear">

<user name="admin" password="admin"/>
<user name="JoeUser" password="joeuser"/>

</credentials>
</forms>
</authentication>

Repeat this for all the pages that you want to restrict access to:

<location path="adminPage.aspx">
<system.web>
<authorization>
<allow users="admin, JoeUser" />
<deny users="*" />
</authorization>
</system.web>
</location>

Always put <deny users="*" /> last, because if it is first it won't let anyone view the page, even the ones authenticated.
Depending on your situation, this may not be the most secure route.
 
There will only be a handful of users (about 6) that will need these credentials, but there will be lots of admin pages -- possibly 40 or 50. Would this be a problem? Or is there a more organized way to do this -- like where I could store this information in a database?

Imagine. If I had 50 pages I needed to restrict access to only 6 individuals, the following would be repeated 50 times:
Code:
<location path="admin/adminPage.aspx">
    <system.web>
        <authorization>
            <allow users="admin, JoeUser, Mary, John, Sally, Tina" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

We're talking about 8 lines X 50 pages = 400 lines in the web.Config file. It would get pretty unwieldy, I think.
 
I had a meeting with my client this morning -- he wanted to talk about the security of the application. I'm certain that the extent of the granularity of its security goes way beyond what can be done in the web.Config file.

We need security on page access, menu access, and modify/read-only permissions and the ability to add groups (of users) and maintain security levels to each that can be assigned to users.

Does anyone have an idea where I can start to get an idea just how to approach this?
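The two follow-up questions above (50 admin pages for 6 people, and group/database-driven permissions) both point at role-based rather than user-based authorization. The code below is an added example, not something posted in the thread or shipped with ASP.NET: it shows the standard Forms-authentication pattern of storing the user's roles in the ticket's UserData at login and rebuilding a GenericPrincipal on every request, so that web.config can authorize by role and folder. The role names ("Admin", "Orders"), the helper class names and the assumption that the admin pages live under a folder named admin are all mine; the web.config fragment in the leading comment is assumed to sit next to the `<deny users="?" />` entry already in the poster's web.Config.

```csharp
// Added example (not from the thread): role-based authorization for ASP.NET
// Forms authentication. With roles, 6 admins x 50 pages needs a single
// <location> entry for the folder instead of one per page, and the roles
// themselves can be loaded from the application's own user/group tables.
//
// Assumed web.config fragment that goes with this code:
//
//   <location path="admin">
//     <system.web>
//       <authorization>
//         <allow roles="Admin" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
//
// "path" names the folder, so every page under admin/ is covered at once,
// and <deny users="*" /> stays last, as the earlier reply points out.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleHelpers
{
    // Called from login.aspx after the username/password check has passed.
    // 'roles' comes from your own user/group tables, e.g. { "Admin", "Orders" }.
    // Roles are stored in the ticket's UserData, so they are encrypted and
    // signed together with the rest of the ticket (protection="All") and
    // cannot be edited client-side.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // matches the <forms timeout="30"> value
            persistent,
            string.Join(",", roles));       // UserData carries the role list

        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                        // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Turns a validated ticket back into a principal that carries roles.
    // UrlAuthorizationModule then evaluates <allow roles="..."> against it,
    // and page code can call User.IsInRole("Admin") for menus and controls.
    public static IPrincipal PrincipalFromTicket(FormsAuthenticationTicket ticket)
    {
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax.cs: runs before authorization on every request.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;          // anonymous; <deny users="?"> handles it

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return;                          // tampered or foreign cookie: stay anonymous
        }
        if (ticket == null || ticket.Expired) return;

        Context.User = RoleHelpers.PrincipalFromTicket(ticket);
    }
}
```

For the finer-grained requirements in the last post (menu access, modify versus read-only), the same mechanism extends by making the role names more specific, for example "Orders.Read" and "Orders.Modify" drawn from a groups table, and checking `User.IsInRole(...)` in code-behind to hide menu items or disable editing controls. The web.config `<location>` entries then only have to express the coarse folder-level rules, which keeps the file short regardless of how many pages the admin folder grows to.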
 