Page 9 of 9
Previous Page: Additional Implementation Details | Next Page: Further Reading
Once you have your SmartCardPrincipal set up, there are several ways to implement authorization against that IPrincipal within ASP.NET, using Code Access Security (CAS) demands or the framework's own checks.
We can configure role-based authorization in the web.config file, with PrincipalPermission demands (declarative or imperative), or with IPrincipal.IsInRole() checks in code. Whichever you use, the role strings must match exactly what your SmartCardPrincipal.IsInRole() recognises, so a rule written for "Administrator" will silently deny a user whose principal reports "Administrators"; this page uses "Administrators" and "Auditors" throughout.
Declarative
- PrincipalPermission attributes can decorate a method; the demand fires when the method is called and is checked against Thread.CurrentPrincipal (it does not walk the call stack the way a code access permission does). Stacking two attributes on one method unions the demands, so the caller needs either role, not both.
C#
using System.Security.Permissions;
...
[PrincipalPermission(SecurityAction.Demand, Role="Administrators"),
PrincipalPermission(SecurityAction.Demand, Role="Auditors")]
public void DoSomethingImportant()
{
...
}
VB.Net
Imports System.Security.Permissions
...
<PrincipalPermission(SecurityAction.Demand, Role:="Administrators"), _
PrincipalPermission(SecurityAction.Demand, Role:="Auditors")> _
Public Sub DoSomethingImportant()
...
End Sub
Imperative
- PrincipalPermission objects can also be demanded programmatically. Each Demand() throws a SecurityException unless Thread.CurrentPrincipal satisfies it, so two consecutive demands require both roles (the opposite of stacking two declarative attributes). Passing null for the name matches any authenticated user in the role.
C#
using System.Security.Permissions;
...
public void DoSomethingImportant()
{
PrincipalPermission permCheck = new PrincipalPermission(null, "Administrators"); // null name: any authenticated user in the role
permCheck.Demand();
}
VB.Net
Imports System.Security.Permissions
...
Public Sub DoSomethingImportant()
Dim permCheck As New PrincipalPermission(Nothing, "Administrators")
permCheck.Demand()
End Sub
IPrincipal.IsInRole() Check
- We can check directly whether the IPrincipal is in the role we require (which is exactly what the PrincipalPermission class does with the IPrincipal stored in Thread.CurrentPrincipal). In an ASP.NET page or module, myPrincipal is typically HttpContext.Current.User; unlike a Demand, this returns a bool rather than throwing, so your code must handle the false branch itself:
C#
if (myPrincipal.IsInRole("Administrators"))
{
...
}
VB.Net
If myPrincipal.IsInRole("Administrators") Then
...
End If
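The following console harness is an added example, not code from the original post. It sets Thread.CurrentPrincipal to a GenericPrincipal (standing in for the SmartCardPrincipal built on the earlier pages) and runs the declarative, imperative and IsInRole() checks from the three sections above against it, showing that stacked declarative attributes admit either role while two imperative Demand() calls require both. It targets the .NET Framework; on .NET Core and .NET 5+ PrincipalPermission.Demand() throws PlatformNotSupportedException. The user names and role sets are constructed for the demo.

```csharp
// Added example (not from the original post). Exercises the three in-code
// authorization checks against Thread.CurrentPrincipal. .NET Framework only:
// PrincipalPermission.Demand() is unsupported on .NET Core / .NET 5+.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class AuthorizationDemo
{
    // Declarative: two attributes on one method are unioned into a single
    // demand, so the caller must be in Administrators OR Auditors.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditors")]
    static void AdminOrAuditor() { }

    // Imperative: each Demand() throws on its own, so the caller must be in
    // Administrators AND Auditors to get past both lines.
    static void AdminAndAuditor()
    {
        new PrincipalPermission(null, "Administrators").Demand();
        new PrincipalPermission(null, "Auditors").Demand();
    }

    // Plain IsInRole check: returns a bool instead of throwing.
    static bool IsAdmin(IPrincipal p)
    {
        return p != null && p.IsInRole("Administrators");
    }

    // Runs a guarded method and reports whether the demand passed.
    static bool TryCall(string label, Action guarded)
    {
        try
        {
            guarded();
            Console.WriteLine(label + ": allowed");
            return true;
        }
        catch (SecurityException)
        {
            Console.WriteLine(label + ": denied");
            return false;
        }
    }

    // Installs a principal for the current thread and runs all three checks.
    // PrincipalPermission reads Thread.CurrentPrincipal, not HttpContext.User;
    // ASP.NET copies User to the thread after AuthenticateRequest completes,
    // so a principal assigned anywhere else must be set on both.
    static void RunAs(string user, params string[] roles)
    {
        // GenericIdentity with a non-empty name reports IsAuthenticated == true,
        // which the demands above require (authenticated defaults to true).
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity(user, "SmartCard"), roles);

        Console.WriteLine("-- " + user + " [" + string.Join(",", roles) + "]");
        TryCall("AdminOrAuditor", AdminOrAuditor);
        TryCall("AdminAndAuditor", AdminAndAuditor);
        Console.WriteLine("IsAdmin: " + IsAdmin(Thread.CurrentPrincipal));
    }

    static void Main()
    {
        // Constructed demo users; role names must match the strings demanded above.
        RunAs("alice", "Administrators");              // OR allowed, AND denied, IsAdmin True
        RunAs("bob", "Auditors");                      // OR allowed, AND denied, IsAdmin False
        RunAs("carol", "Administrators", "Auditors");  // both allowed, IsAdmin True
        RunAs("dave");                                 // both denied, IsAdmin False
    }
}
```

Compile with csc.exe against a .NET Framework target and run it; the output for each constructed user shows which of the three checks admits them. The same harness is a convenient way to unit-test a real SmartCardPrincipal: swap the GenericPrincipal for an instance built from a test certificate and confirm the role strings line up with the demands.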
Web.Config - Specify access permissions to files and/or folders in the web.config
- To allow only Administrators into a folder called 'Admin', and only Auditors into a folder called 'Reports', we'd add the following to the web.config. The rules in an authorization element are evaluated top-down and the first match wins, so the allow must come before the deny users="*" or nobody gets in. Note also that in IIS classic mode URL authorization only covers requests handled by ASP.NET; static files under Admin are served by IIS directly unless their extensions are mapped to ASP.NET (or the site runs in the integrated pipeline).
<configuration>
<system.web>
...
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Reports">
<system.web>
<authorization>
<allow roles="Auditors" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
Conclusion
ASP.NET provides a powerful yet simple way to implement custom authentication in the HTTP pipeline using HTTP modules. IIS also has robust support for client certificates, and combined, HTTP modules in ASP.NET and IIS make a great platform for sites that need to use smart cards for authentication and authorization.