I am failing to find good examples of user and activity based authorization for my ASP.NET web forms site. Currently, I am using user roles in web config to allow/deny access to pages within folders. But this method is proving to be a nightmare to maintain, especially when users come up with special case scenarios, which completely deviate from existing role permissions.
So I am looking for a way to be able to store and retrieve user access rights from the database and then enforce them on my web site dynamically.
My second problem is how to show/hide certain site master html from certain users. I was also thinking to store this information in the database, so that these rights are dynamically allocated also. Currently, I am hard coding the hide/show permissions in my site master code behind by saying:
// Show Everything
// hide certain html
So this approach works currently, but is problematic to maintain and not very flexible.
Finally, I was looking at activity based authorization, the pros and cons of which were well described in this article: http://ryankirkman.com/2013/01/31/activity-based-authorization.html. So how would I implement that in my ASP.NET web forms site?
In conclusion there are three things I am after:
Any input on this would be highly appreciated. Thank you.
You should switch from role based authentication to claims based authentication. Here's an article describing the basics of claims based authentication:
Claims will give you fine grained control over the rights for each individual user. ClaimsPrincipal can also be used in webforms:
An attribute can be applied to pages and methods in an ASP.NET Web Forms application (described in the article above):
[ClaimsPrincipalPermission(SecurityAction.Demand, Operation="Update", Resource="Customer")]
public partial class CustomerUpdate : System.Web.UI.Page
{
}
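
One way to back the attribute above with per-user permissions and reuse the same check for show/hide logic in the site master, added here as an example and not part of the original answer. The class names, the claim type `urn:example:permission`, the `Resource:Operation` value format and the in-memory `Rows` table (a stand-in for the database) are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical claim type; each claim value names one permitted activity, e.g. "Customer:Update".
public static class AppClaims { public const string Permission = "urn:example:permission"; }

// Claims transformation: the application calls Authenticate after login to attach permissions.
public class DbClaimsTransformer : ClaimsAuthenticationManager
{
    // Constructed sample data standing in for a (UserName, Permission) database table.
    static readonly Dictionary<string, string[]> Rows = new Dictionary<string, string[]>
    {
        { "alice", new[] { "Customer:Read", "Customer:Update" } },
        { "bob",   new[] { "Customer:Read" } },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated) return incoming;
        string name = incoming.Identity.Name;
        string[] granted;
        if (name == null || !Rows.TryGetValue(name, out granted)) granted = new string[0];
        var identity = new ClaimsIdentity(incoming.Identity);
        identity.AddClaims(granted.Select(p => new Claim(AppClaims.Permission, p)));
        return new ClaimsPrincipal(identity);
    }
}

// Consulted by ClaimsPrincipalPermission demands; access is denied unless a matching claim exists.
public class PermissionAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = context.Resource.FirstOrDefault();
        var action = context.Action.FirstOrDefault();
        if (resource == null || action == null) return false; // fail closed on a malformed demand
        return context.Principal.HasClaim(AppClaims.Permission, resource.Value + ":" + action.Value);
    }
}

// Same check for the site master code-behind, e.g. adminPanel.Visible = Permissions.Has("Customer", "Update");
public static class Permissions
{
    public static bool Has(string resource, string action)
    {
        return ClaimsPrincipal.Current.HasClaim(AppClaims.Permission, resource + ":" + action);
    }
}
```

Both manager classes are registered under `system.identityModel/identityConfiguration` in web.config via the `claimsAuthenticationManager` and `claimsAuthorizationManager` elements. Hiding markup in the master page is presentation only; the page-level demand is what enforces access.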