
Role Based Security - DB Authentication

Status
Not open for further replies.

RealQuiet

Programmer
Feb 11, 2001
US
I am trying to limit access to certain areas of my site based on roles. I am not using Windows Authentication (not practical in this situation), and I'm running into some problems. I authenticate the login info against a database, retrieve the associated roles for that user, and then create a GenericPrincipal object with the FormsIdentity object and the list of roles. I then assign the GenericPrincipal object to Context.User. I did this based on some articles on Microsoft's site. I get no errors in my code, but I cannot get it to work properly. In my web.config file I am trying to limit access to a path by:

<location path="somepage.aspx">
  <system.web>
    <authorization>
      <allow roles="Test"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

This is denying requests for this page regardless of what I set for the roles in the GenericPrincipal object. Maybe I am way off base, but I would appreciate it if someone pointed me in the right direction.
 
I think I have it worked out. Basically, you have to create the GenericPrincipal object and assign it to Context.User in the Application_AuthenticateRequest of the global.asax. This pulls the role information out of a cookie and assigns it for the current web request only. I had it in my login page, so it was just going away once that request was completed. Anyhow, here's a great article on the subject.
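
The fix described in the post above, sketched as an added example (not code from the thread or from the article the poster mentions). It assumes the roles are stored pipe-delimited in the UserData field of the forms authentication ticket; the IssueTicket helper and the 30-minute lifetime are hypothetical.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical helper: the login page calls this after the database check succeeds.
    // Assumption: roles travel pipe-delimited in the ticket's UserData field.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, String.Join("|", roles));

        // Encrypt() protects the ticket according to <forms protection="...">
        // (default "All": encrypted and validated), so the client cannot edit the roles.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }

    // Runs on every request, before the <authorization> rules in web.config are
    // evaluated, so the principal is rebuilt each time instead of being lost
    // when the login request ends.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }   // tampered or unreadable cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Roles carried in the ticket are a snapshot taken at login, so a role revoked in the database stays effective until the ticket expires; keep the lifetime short or re-check the database for sensitive pages.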
 