Best way to ensure page-level security

Question

I wish to ensure a user has access to an aspx page by 'Zone'. For example, "Financials" is a Security Zone which some users should not have access to.

The result should not involve patterns such as MVP, MVC, MVVM, etc. I'm looking for something that's light and quick to do.

To make things easier I have a base class which each aspx page derives from. What is the easiest/best way to have each page to be checked versus a security zone given the userID?

Thanks.

Answer 1

I've used this, whether it's the best way is seriously questionable. I have a class I derive from Page, called SecurePage. In that I usually have a cross table in a database that lists objects, such as the page, and groups/users that have access to that page. Running a stored procedure using the UserID and the Object name (Page name in this case, but can be a field, or whatever) it returns whether that user or a group that the user belongs in has access. You can check this during the page init, and if it doesn't match up, then response.redirect them or whatever you want to do.

Answer 2

You basically need to create a little ACL implementation. (Access Control List).

Create a acl_roles table, with all your roles (Admin, Accountant, whatever, guest) and stuff. Then link the id of it with your user table, so each user has a role_id.

Then define a acl_resources table, where you add the "zones" in your app and the minimum role they have to be to access it.

Then at the start of each script simply do check if the current user has enough privileges to be in that zone.

There are more details into this, but that is the basic idea.

Answer 3

Yeah, use forms or Windows authentication. You can easily lock down different parts of your site based on the authenticated user's role. Look into using locations .

Answer 4

Why not just use the security features such as forms authentication built into .NET? It's very easy.