Web Page Authorization

Old forum URL: forums.lhotka.net/forums/t/3655.aspx


sparky posted on Friday, October 05, 2007

I’m wondering how people are doing URL based role authorization in an ASP.NET 2.0 app when using Forms based authentication. I need to do checks as the page loads to verify that the user has rights to it. For instance, a user would need to be in role=’Admin’ to get access to ‘siteAdmin.aspx’ while a user would need to be in role=’User’ or role=’Admin’ to get rights to default.aspx.

 

Seems like there are a few options including:

  1. ASP.Net’s web.config file - seems like a nightmare to maintain page and folder names with roles. Files and folders can easily get moved or renamed.
  2. Put calls to User.IsInRole("roleName1") || User.IsInRole("roleName2") in each individual page load or init.
  3. Have a property in a base class that all my pages would inherit from that would set the roles for the page and then have the base page handle the logic to redirect unauthorized users.
  4. Call CanGetObject() on a CSLA business object, which would mean I need to implement this on all business objects when I probably wouldn’t need it for any other reason.

The final option seems the cleanest since I don’t have to have authorization rules in the pages and can rely on CSLA, but that also means I need a CSLA business object to base each page on, although I guess more than likely I would; otherwise, what would I need authorization for?

Just wondering what other people are doing. Thanks for the help.

JoeFallon1 replied on Saturday, October 06, 2007

I use #2 above. I put it at the top of each page that requires authorization. Some do not require any so I just omit it. Pretty simple - but it works.

Joe
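
Options 2 and 3 from the question combined, as an added example that is not part of the original thread: the User.IsInRole checks live in one base page, and each page only declares its roles. The names SecuredPage, AllowedRoles, SiteAdmin and DefaultPage are hypothetical; the role names and page names are the ones from the question.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: every page that needs authorization inherits from it.
public abstract class SecuredPage : Page
{
    // Abstract, so a page cannot derive from SecuredPage and forget to pick roles.
    protected abstract string[] AllowedRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        // Check before any control or page event handler runs.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage(); // does not end the response itself
            Response.End();
        }
        if (!IsInAnyRole(AllowedRoles))
        {
            // Signed in but not permitted: answer 403 instead of looping to the login page.
            Response.StatusCode = 403;
            Response.End();
        }
        base.OnInit(e);
    }

    private bool IsInAnyRole(string[] roles)
    {
        // A null or empty list matches nothing, so the default is to deny.
        if (roles == null) return false;
        foreach (string role in roles)
            if (User.IsInRole(role)) return true;
        return false;
    }
}

// Code-behind for siteAdmin.aspx: Admin only.
public partial class SiteAdmin : SecuredPage
{
    protected override string[] AllowedRoles { get { return new string[] { "Admin" }; } }
}

// Code-behind for default.aspx: User or Admin.
public partial class DefaultPage : SecuredPage
{
    protected override string[] AllowedRoles { get { return new string[] { "User", "Admin" }; } }
}
```

The check only protects pages that actually derive from SecuredPage; a page left on System.Web.UI.Page, a handler, or a static file gets no role check from this class.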

 

Copyright (c) Marimer LLC