November, 2000

 A First Look at ASP+


ASP+ Authentication Providers (cont'd)


  Custom Authorization
Authentication determines that I am who I say I am. This is usually done with a name/password combination. Authorization, on the other hand, determines what a particular user is allowed to access. Typically authorization is handled with a group-mapping or role-mapping scheme: a user is associated with one or more roles, and those roles are then mapped to resources. ASP+ lets you define role-based access to resources outside the scope of the access control lists (ACLs) placed on individual files. This is done in the CONFIG.WEB file in an <authorization> node. Listing 5 shows a CONFIG.WEB file that would be placed in an administrative directory to limit access to the pages there.

By placing CONFIG.WEB files like the one in Listing 5 in different locations throughout your site, you can control access at the directory level irrespective of ACLs, and those permissions persist even after the site is moved with FTP or some other XCOPY-style process, which file ACLs do not.

Now that I have defined which roles are required to access a particular URL, how do I map users into roles? This is done by defining two additional tables in SQL Server: Groups and UserGroupMappings. Groups contains the roles, such as Administrator, Publisher, or any other role you would like to create. UserGroupMappings connects particular users to roles. This lets me run a single query to get all the roles for an authenticated user. Listing 6 provides the T-SQL to create these tables.

Now that I have the roles defined in the database, I have to write some code to authorize against it. You might think this belongs in the login.aspx page, but that page is only called on the first request, and authorization needs to happen on every request. The way to do this is to define an httpModule, the binary equivalent of global.asax. HttpModules participate in the application event model and can sink the various events it raises. In this case I am interested in the Application_Authenticate() event, which is raised each time the system needs to authenticate access. Listing 7 shows how to register the httpModule in CONFIG.WEB.

In the DevxGroup event handler, I connect to the database, retrieve the list of groups for the user, create a new DevxCustom security principal, and populate it with the roles I looked up. Going to the database on every request is not the most efficient way to handle this, but you could easily extend the approach to cache the roles in an encrypted cookie. The DevxCustom security principal implements IsInRole(), which ASP+ calls with the role name taken from the <authorization> rule being evaluated. If the user is in that role the method should return True; otherwise it should return False. It does this by comparing the passed-in role against the array of role names that was stored in DevxCustom when the principal was created. Listing 8 and Listing 9 include the code for the DevXGroup and DevXPrincipal classes.
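As an added example that is not the article's own code (Listings 7 to 9 are not reproduced on this page), here is how the module and the principal fit together, written against the released ASP.NET names (IHttpModule, the AuthenticateRequest event, IPrincipal) rather than the preview's Application_Authenticate(). The DevXGroupModule class name, the connection string and the GroupName/GroupID/UserName column names are assumptions.

```csharp
using System;
using System.Collections;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Principal that carries the roles looked up for the authenticated user.
public class DevXPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly string[] _roles;
    public DevXPrincipal(IIdentity identity, string[] roles) { _identity = identity; _roles = roles; }
    public IIdentity Identity { get { return _identity; } }
    // ASP.NET calls this once per <allow roles=".."/> or <deny roles=".."/> rule it evaluates.
    public bool IsInRole(string role)
    {
        foreach (string r in _roles)
            if (String.Compare(r, role, true) == 0) return true; // case-insensitive match
        return false;
    }
}
// Module that swaps the forms-auth principal for a DevXPrincipal on every request.
public class DevXGroupModule : IHttpModule
{
    // Placeholder connection string; column names GroupName/GroupID/UserName are assumed.
    private const string ConnStr = "server=(local);database=Devx;trusted_connection=yes";
    private const string RoleQuery =
        "SELECT g.GroupName FROM Groups g JOIN UserGroupMappings m ON m.GroupID = g.GroupID " +
        "WHERE m.UserName = @user";

    public void Init(HttpApplication app) { app.AuthenticateRequest += new EventHandler(OnAuthenticate); }
    public void Dispose() { }
    private void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Anonymous requests keep the default principal; the <authorization> rules decide their fate.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        ArrayList roles = new ArrayList();
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(RoleQuery, cn))
        {
            // Parameterised: the ticket's user name is never concatenated into the SQL text.
            cmd.Parameters.Add(new SqlParameter("@user", ctx.User.Identity.Name));
            cn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
                while (rd.Read()) roles.Add(rd.GetString(0));
        }
        ctx.User = new DevXPrincipal(ctx.User.Identity, (string[])roles.ToArray(typeof(string)));
    }
}
```

Because the module replaces HttpContext.User, every later <authorization> check in any CONFIG.WEB file for the request goes through DevXPrincipal.IsInRole(), so the role list is re-read from the database on each request rather than trusted from the client.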

That's it! Using these techniques you should be able to create your own authentication and authorization schemes using any data source for storing user data. Have fun, and if you have any suggestions on improvements please feel free to forward them to me at ckinsman@devx.com.

(Thanks to Scott Guthrie for helping me figure this all out.)


Chris Kinsman is Vice President of Technology at DevX.com. He is responsible for the site architecture, development, and day-to-day maintenance of the DevX network of sites.

