ASP.NET Role-Based Security

April 27, 2007 at 4:41 pm 6 comments

Role-based security is not a new concept in ASP.NET. What made it interesting today is that a colleague asked me how he could authorize access to certain parts of an ASP.NET application (running under Windows Authentication) based on attributes set in an Active Directory schema.

Normally, when you use Active Directory with ASP.NET, you use an Active Directory group as a role, and then use the web.config file to authorize that role for your resources. This works if your Active Directory is designed with AD groups that map straight to the roles of your applications. But chances are that they don’t map 100%, or there might be other business reasons why such groups cannot be created.

To get around this, we can still set up authorization the same way: in web.config, use <allow roles="Role1" /> to authorize access to your resources.

Then we need to handle the Application_AuthenticateRequest event of the ASP.NET application. This is implemented in the application's Global.asax file.

By changing the Application_AuthenticateRequest method, you can add roles to the principal object that the current thread carries.

void Application_AuthenticateRequest(object sender, EventArgs e)  // needs System.Security.Principal and System.Threading
{
  if (Request.IsAuthenticated)
  {
    // some business rules to determine what roles to grant to the current user
    string[] roles = {"Role1", "Role2"};
    Context.User = new GenericPrincipal(Context.User.Identity, roles);  // the principal that web.config authorization checks
    Thread.CurrentPrincipal = Context.User;  // set the Principal of the current thread
  }
}

So, to get back to the example, my colleague can insert logic inside the if block of the code above that reads the relevant attribute from the current user's Active Directory record and assigns the proper roles to the GenericPrincipal object. The rest of the authorization is then handled by ASP.NET using the role-based security model.
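One way to write that attribute lookup, as an added example that is not part of the original post. The `department` attribute, its values, and the `AdRoleMapper` and `EscapeLdapFilter` names are assumptions made for illustration; only Role1 and Role2 come from the post.

```csharp
// Added example (not the original post's code). Assumptions: the "department"
// attribute, its values, and the AdRoleMapper name; Role1/Role2 come from the post.
using System;
using System.Collections.Generic;
using System.DirectoryServices;   // reference System.DirectoryServices.dll

public static class AdRoleMapper
{
    // RFC 4515 escaping so a login name can never change the shape of the filter.
    // The backslash is replaced first so later escapes are not escaped again.
    static string EscapeLdapFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Maps a Windows identity name ("DOMAIN\user") to application roles.
    // Returns an empty array when the user or attribute is missing (deny by default).
    public static string[] GetRoles(string identityName)
    {
        string account = identityName.Substring(identityName.LastIndexOf('\\') + 1);
        List<string> roles = new List<string>();
        try
        {
            // No search root given: binds to the domain of the account the app runs as.
            using (DirectorySearcher searcher = new DirectorySearcher())
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeLdapFilter(account) + "))";
                searcher.PropertiesToLoad.Add("department");
                SearchResult result = searcher.FindOne();
                if (result != null && result.Properties.Contains("department"))
                {
                    string dept = (string)result.Properties["department"][0];
                    if (dept == "Finance") roles.Add("Role1");  // constructed mapping
                    if (dept == "IT") roles.Add("Role2");       // constructed mapping
                }
            }
        }
        catch (Exception)
        {
            roles.Clear();  // directory error: grant nothing rather than guess; log in real code
        }
        return roles.ToArray();
    }
}
```

Inside the if block, the hard-coded array would become `AdRoleMapper.GetRoles(Context.User.Identity.Name)`. The handler runs on every request, so cache the result per user for a short period rather than querying the directory each time.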

Happy programming!



6 Comments

  • 3. Skylark  |  June 19, 2008 at 1:42 am

    Somehow I missed the point. Probably lost in translation 🙂 Anyway … nice blog to visit.

    cheers, Skylark.
