
Windows authentication based role management in ASP.NET Web Application

I am not quite sure if I am managing the user roles appropriately in an ASP.NET application. Is such an approach correct or incorrect, or can it be improved?

All the users are added to the users table in the database, which has fields, for example: (userid, name, surname, isAdmin)

In my application, I get the user id using

Request.ServerVariables.Get("LOGON_USER")

and while rendering a page, I run an SQL query to check if the current user on that page has the 'isAdmin' parameter = 'true' in my SQL Server. Then, if yes, I render and make the appropriate controls visible (for example, a link button to the Administrator page).

That is not a correct way of doing this. You should use the ASP.NET RoleProvider, which can easily integrate with the membership provider. It makes it easy to trim page controls/access, and the role provider is very extensible and scalable. Your approach is very strict and might face problems if the application grows.

The ASP.NET role provider (which, if you don't like it, you can roll your own to do basically the same thing but conform to your requirements) is really useful for this. Instead of putting an SQL query at the top of every page (which would be a nightmare later if something had to change), you can say (paraphrasing here):

// Roles is the static facade over the configured RoleProvider (System.Web.Security)
if (Roles.IsUserInRole(Request.ServerVariables.Get("LOGON_USER"), "Admin"))
{
   // populate page as admin
}
else
{
   // populate page as not admin
}
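As an added example that is not part of either answer: a minimal custom RoleProvider that derives an "Admin" role from the question's isAdmin column with a parameterised query, so pages call Roles.IsUserInRole instead of embedding their own SQL. The connection string name "UsersDb" and the class name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;
// Read-only provider: role membership comes from the users table's isAdmin
// column, so nothing here writes roles back to the database.
public class IsAdminRoleProvider : RoleProvider
{
    private const string AdminRole = "Admin";
    public override string ApplicationName { get; set; }

    public override bool IsUserInRole(string username, string roleName)
    {
        return RoleExists(roleName) && GetRolesForUser(username).Length > 0;
    }

    public override string[] GetRolesForUser(string username)
    {
        // "UsersDb" is an assumed connection string name. The query is
        // parameterised so the caller-supplied account name is never
        // concatenated into SQL text.
        string cs = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT isAdmin FROM users WHERE userid = @userid", conn))
        {
            cmd.Parameters.AddWithValue("@userid", username);
            conn.Open();
            object result = cmd.ExecuteScalar();
            // Unknown user or NULL flag => no roles (fail closed).
            bool isAdmin = result != null && result != DBNull.Value && Convert.ToBoolean(result);
            return isAdmin ? new[] { AdminRole } : new string[0];
        }
    }

    public override bool RoleExists(string roleName)
    {
        return string.Equals(roleName, AdminRole, StringComparison.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return new[] { AdminRole }; }

    // Remaining abstract members are write operations or role enumeration
    // that this read-only provider does not support.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

Register it in web.config under `<system.web><roleManager enabled="true" defaultProvider="IsAdminRoleProvider">` with an `<add name="IsAdminRoleProvider" type="IsAdminRoleProvider" />` entry; pages then call Roles.IsUserInRole(User.Identity.Name, "Admin"). The Administrator page itself should also be protected with an `<authorization>` rule, since hiding the link button only trims the UI and is not an access check.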
