URL authorization in business modules

Topics: Web Client Software Factory
Jan 29, 2008 at 6:16 PM
I am trying to implement my authorization within business modules. Module definitions (business module name) and related paths (key, url, url, title, sortorder) are kept in the DB. I am using the membership provider for keeping user information in the DB. I have a table defining the role-to-URL mapping (modules and paths).

So, currently I am able to draw the sitemap based on my modules and paths table. I need the sitemap to be re-rendered for each logged-in user, based on his role-to-URL mapping, and to deny access (direct HTTP request) to all those URLs for which the role doesn't have a mapping definition.

Can anyone suggest the best way (maybe with a sample) for this case?

thanks
Jan 31, 2008 at 5:02 PM
Hi.

  • First, you must define the authorization rules for your application in the securityConfiguration section of your application configuration file:
<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="">
  <authorizationProviders>
    <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" name="RuleProvider">
      <rules>
        <add expression="R:Administrator" name="AllowAccessTransfers" />
      </rules>
    </add>
  </authorizationProviders>
</securityConfiguration>

  • Now, open the Web.config file located in the module folder of the DevelopmentWebsite site, and then add the rule nodes to the compositeWeb/authorization element:

<authorization>
     <rule Url="~/EFT/Default.aspx" Rule="AllowAccessTransfers" />
     <rule Url="~/EFT/LastTransferView.aspx" Rule="AllowAccessTransfers" />
</authorization>

Adding this XML restricts access to the module Web pages to users for which the evaluation of the AllowAccessTransfers rule returns true.

  • Finally, to add a node to the site map, you use the AddNode method of the ISiteMapBuilderService:

protected virtual void RegisterSiteMapInformation(ISiteMapBuilderService siteMapBuilderService)
{
    // Top-level node for the module, tied to the AllowAccessTransfers rule.
    SiteMapNodeInfo moduleNode = new SiteMapNodeInfo("EFT", "~/EFT/Default.aspx", "EFT");
    siteMapBuilderService.AddNode(moduleNode, "AllowAccessTransfers");

    // Child node under the module node, tied to the same rule.
    SiteMapNodeInfo transfersViewNode = new SiteMapNodeInfo("LastTransferView", "~/EFT/LastTransferView.aspx", "Transfers");
    siteMapBuilderService.AddNode(transfersViewNode, moduleNode, "AllowAccessTransfers");
}

For a complete sample, you can download the Hands-on Labs for WCSF June 2007 (Lab 06 - Authorization).

Thanks.

Sebastian Iacomuzzi
http://staff.southworks.net/blogs/siacomuzzi
Jan 31, 2008 at 6:16 PM
Thanks Sebastian,

I did all that, but the way to set roles in the rules section (<add expression="R:Administrator" name="AllowAccessTransfers" />) manually is not acceptable for my task. I need to allocate the rules dynamically from my DB, for which I still have no solution.

For each module I am dynamically loading the URL-to-rule mapping in each ModuleInitializer's Configure function (public override void Configure(IServiceCollection services, System.Configuration.Configuration moduleConfiguration)).

Can you please advise me on dynamically loading the rules section for authorizationProviders?

thanks,
Armen
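
The requirement discussed in this thread (a role-to-URL mapping kept in the DB, used both to trim the site map and to refuse direct requests) comes down to one deny-by-default decision that both places call. The sketch below is an added example, not code from the posters, WCSF or Enterprise Library; UrlAccessMap and its members are hypothetical names, the sample row is constructed, and loading the rows from the DB and wiring the check into the module or provider is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
// UrlAccessMap is a hypothetical type for illustration, not a WCSF or Enterprise Library API.
public sealed class UrlAccessMap
{
    // App-relative URL -> roles allowed to request it, as loaded from the mapping table.
    private readonly Dictionary<string, HashSet<string>> rolesByUrl =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Allow(string url, string role)
    {
        string key = PathOnly(url);
        if (!rolesByUrl.ContainsKey(key))
            rolesByUrl[key] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        rolesByUrl[key].Add(role);
    }

    // Deny by default: unauthenticated users and URLs with no mapping row are refused.
    public bool IsAllowed(IPrincipal user, string url)
    {
        HashSet<string> roles;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return rolesByUrl.TryGetValue(PathOnly(url), out roles) && roles.Any(r => user.IsInRole(r));
    }

    // Site map trimming reuses the request-time decision, so the two cannot drift apart.
    public List<string> VisibleNodes(IPrincipal user, IEnumerable<string> nodeUrls)
    {
        return nodeUrls.Where(u => IsAllowed(user, u)).ToList();
    }

    // Look up by path only, so a query string or fragment does not change the key.
    private static string PathOnly(string url)
    {
        return url.Split(new[] { '?', '#' })[0].Trim();
    }

    public static void Main()
    {
        UrlAccessMap map = new UrlAccessMap();
        map.Allow("~/EFT/Default.aspx", "Administrator"); // constructed sample row
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Administrator" });
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Clerk" });
        Console.WriteLine(map.IsAllowed(admin, "~/eft/default.aspx?tab=1")); // mapped role
        Console.WriteLine(map.IsAllowed(clerk, "~/EFT/Default.aspx"));       // role has no row
        Console.WriteLine(map.IsAllowed(admin, "~/EFT/Unmapped.aspx"));      // URL has no row
    }
}
```

Hiding a node in the menu does not protect the page behind it; the same IsAllowed decision has to run on every request for the URL as well.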

