
ASP.NET Webforms Authorization

I want to implement the Authorization for my project. It would be a custom authorization where admins can create roles and assign them to users. The authorization is simple, at the page level: either a user has access to a page or not. Now can somebody suggest which is the best place to write the code for authorizing users: Global.asax or an HttpModule? Or somewhere else?

I have a Session variable which I need to access while authorizing users. I tried writing code in Application_AuthenticateRequest (Global.asax) but found that Session is inaccessible in it. After googling, I found Application_PreRequestHandlerExecute is a safe place for Session to be accessible in Global.asax. So my question is: is Application_PreRequestHandlerExecute called for each and every request, and is it a safe place to write code for authorization? At times, I have noticed the Session is null in this event too.

Here's a tutorial that shows you how to build a WSAT-like tool from the ground up:

Rolling Your Own Website Administration Tool - Part 1

Here's another source of tutorials to do the same thing:

How to handle security and authorization in your Web Forms applications using ASP.NET membership and roles.

I would implement a filter using ASP.NET's HttpModule and then configure that in Web.config.

The filter can check the URL of the page as well as the user currently logged in (and role...) and then decide to let the request through or not.

Sample code:

using System;
using System.Web;
using Axiomatics.Security.AccessControl.Protocols.Xacml;

namespace axiomatics
{
    public class AuthZHttpModule : IHttpModule
    {
        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            // AuthorizeRequest is the pipeline stage meant for allow/deny decisions;
            // by then FormsAuthenticationModule has already populated context.User.
            context.AuthorizeRequest += new EventHandler(onAuthorizeRequest);
        }

        public void onAuthorizeRequest(Object s, EventArgs e)
        {
            HttpApplication app = s as HttpApplication;
            if (app == null)
            {
                return;
            }

            String username = "";
            if (app.User != null && app.User.Identity != null)
            {
                username = app.User.Identity.Name;
            }

            string requestUrl = app.Request.Url.LocalPath;
            // Only protect .aspx pages. The comparison is case-insensitive because IIS
            // paths are not case-sensitive, and the error page itself is skipped so a
            // denial can never redirect into another denial (redirect loop).
            if (requestUrl.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)
                && !requestUrl.Equals("/error.aspx", StringComparison.OrdinalIgnoreCase))
            {
                AuthorizationDecision decision = PDPUtil.pageAuthorized(username, app.Request);

                bool grantPageAccess = decision.Decision == Decision.Permit;
                if (!grantPageAccess)
                {
                    // endResponse: false plus CompleteRequest() stops the pipeline without
                    // the ThreadAbortException that Response.Redirect(url) raises.
                    app.Response.Redirect("/error.aspx", false);
                    app.CompleteRequest();
                }
            }
        }
    }
}

In the sample code, I use a XACML-driven authorization engine (PDPUtil.pageAuthorized()) to determine whether access should be granted.

You can replace the XACML piece with your own logic if you like.
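The following is an added example, not code from the answer above or from Axiomatics: it shows the "own logic" variant of the same HttpModule idea, with the admin-maintained page-to-role map checked in AuthorizeRequest. It deliberately avoids Session: roles are carried in the forms-authentication ticket's UserData and attached to context.User in PostAuthenticateRequest, so they are present on every request. The namespace, the module name, the "|"-separated UserData format and the page/role table are assumptions made for the example; the table is constructed sample data standing in for the tables the admins edit.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace PageAuthzExample   // hypothetical namespace for this added example
{
    // Page-level, role-based authorization that never touches Session.
    public class RoleAuthorizationModule : IHttpModule
    {
        // Constructed sample data: in the real application this comes from the
        // tables the admins edit (and is cached), not hard-coded. Keys are app-relative
        // so the module works no matter which virtual directory hosts the site.
        private static readonly Dictionary<string, string[]> PageRoles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "~/default.aspx",       new[] { "user", "admin" } },
                { "~/admin/users.aspx",   new[] { "admin" } },
                { "~/reports/sales.aspx", new[] { "reporting", "admin" } },
            };

        // Reachable without a login; includes the page we deny to, so a denial
        // never redirects into another denial.
        private static readonly HashSet<string> PublicPages =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "~/login.aspx", "~/accessdenied.aspx", "~/error.aspx" };

        public void Init(HttpApplication app)
        {
            // FormsAuthenticationModule has set context.User by now; add the roles to it.
            app.PostAuthenticateRequest += OnPostAuthenticateRequest;
            // The pipeline stage intended for allow/deny decisions.
            app.AuthorizeRequest += OnAuthorizeRequest;
        }

        public void Dispose() { }

        // Called by the login page after the password check: roles go into UserData.
        // The ticket is encrypted and MACed with the machine key, so the browser
        // cannot edit the role list it carries.
        public static void IssueTicket(HttpResponse response, string userName, IEnumerable<string> roles)
        {
            var ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            {
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL
            };
            response.Cookies.Add(cookie);
        }

        private static void OnPostAuthenticateRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            IPrincipal user = app.Context.User;
            if (user == null || !user.Identity.IsAuthenticated)
                return;

            HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null)
                return;
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return;

            // UserData was written by IssueTicket, e.g. "admin|reporting".
            string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
            app.Context.User = new GenericPrincipal(user.Identity, roles);
        }

        private static void OnAuthorizeRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            string page = app.Request.AppRelativeCurrentExecutionFilePath; // "~/Admin/Users.aspx"
            if (!page.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase))
                return; // static files and .axd handlers are left to the web.config rules

            IPrincipal user = app.Context.User;
            if (IsAllowed(page, user))
                return;

            if (user == null || !user.Identity.IsAuthenticated)
                FormsAuthentication.RedirectToLoginPage();           // adds ReturnUrl for us
            else
                app.Response.Redirect("~/AccessDenied.aspx", false);  // known user, wrong role
            app.CompleteRequest(); // stop the pipeline without a ThreadAbortException
        }

        // The decision itself, free of pipeline objects so it can be unit tested.
        public static bool IsAllowed(string page, IPrincipal user)
        {
            if (PublicPages.Contains(page))
                return true;
            if (user == null || !user.Identity.IsAuthenticated)
                return false;
            string[] required;
            if (!PageRoles.TryGetValue(page, out required))
                return false; // deny by default: a page nobody mapped is not silently open
            foreach (string role in required)
                if (user.IsInRole(role))
                    return true;
            return false;
        }
    }
}
```

Register the module in web.config under <system.webServer><modules> (IIS integrated mode) or <system.web><httpModules> (classic mode) with <add name="RoleAuthorization" type="PageAuthzExample.RoleAuthorizationModule"/>. Because the roles live in the ticket, a role change an admin makes only takes effect at the user's next login; if revocation has to be immediate, look the roles up from the database (or a cache) in PostAuthenticateRequest instead, which still needs no Session. On the Session question itself: Session is loaded at AcquireRequestState, and only for handlers that implement IRequiresSessionState, which is why Application_PreRequestHandlerExecute sees a null Session for requests such as static files or .axd handlers; authorization data that has to be present on every request should therefore hang off context.User, not Session.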
