Rita

Reputation: 921

How to implement security for ASP.NET MVC site to deny access to a particular group?

I have an internal corporate ASP.NET MVC website.

Requirement(1): When any person is on the network, they can access this site EXCEPT one AD Group (Example: AD_Sales group).

Requirement(2): Also, for example, if a person who has access passes a URL (Ex: http://mysite/Home/Index/Product/Letter) to a sales-group person, he still should NOT have access, and a custom message saying "You are not authorised to view this page" needs to be displayed.

If the scenario is to grant access to one AD Group and deny access to all others, it is fairly easy. It can be done from IIS. I am wondering how to do this.

Has anybody implemented security for this scenario?

I appreciate your time and responses.

Thanks

Upvotes: 1

Views: 1532

Answers (2)

John Christensen

Reputation: 5030

You'll need to enable Windows Authentication on the directory of your application. Then change the ACL of the files/directory involved to deny access to the particular group. Finally, map the IIS 403 error to your access denied method.

Upvotes: 0

Carls Jr.

Reputation: 3078

I am sure this will work for you...

Two steps... The first thing you need to do is, in your Global.asax.cs, put this:

    // Runs once per request, after session state has been acquired.
    // FormsAuthentication lives in System.Web.Security; Role, CurrentUser.GetRole(),
    // AuthenticationException and ErrorEnum are the application's own helper types.
    protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        // Context.Handler in this state: we can access Session.
        if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
        {
            // Is it a session created in this request?
            if (Session.IsNewSession)
            {
                // Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    // If already authenticated, check whether this is the logon page; if not, we just log out,
                    // else we can continue the logon and reset the user identity.
                    string url = Request.Url.ToString();
                    if (url.IndexOf("Account/LogOn") < 0)
                    {
                        FormsAuthentication.SignOut();
                        Response.Redirect(Request.RawUrl);
                    }
                }
            }
            else
            {
                // Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    try
                    {
                        // Here we try to get the current role of the logged-in user from the session.
                        // The switch below compares against Role values, so the variable must be of type Role.
                        Role myRole = CurrentUser.GetRole();
                        string[] strRole;
                        switch (myRole)
                        {
                            case Role.ADSales:
                                {
                                    string[] Roles = { "ADSales" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.DeptHead:
                                {
                                    string[] Roles = { "DeptHead" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.ProductionCrew:
                                {
                                    string[] Roles = { "ProductionCrew" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.Admin:
                                {
                                    string[] Roles = { "Admin" };
                                    strRole = Roles;
                                }
                                break;
                            default:
                                // An unknown role is treated as an error rather than silently granted no roles.
                                throw new AuthenticationException(ErrorEnum.Impossible);
                        }
                        // Replace the principal so [Authorize(Roles = ...)] sees the role(s) resolved above.
                        Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, strRole);
                    }
                    catch (Exception)
                    {
                        // Any failure to resolve the role signs the user out, unless we are already on the logon page.
                        string url = Request.Url.ToString();
                        if (url.IndexOf("Account/LogOn") < 0)
                        {
                            FormsAuthentication.SignOut();
                            Response.Redirect(Request.RawUrl);
                        }
                    }
                }
            }
        }
    }

Next, in your controller, add the attribute:

    // Allow-list: only these roles may reach the action; everyone else gets an unauthorized response.
    [Authorize(Roles = "ProductionCrew,DeptHead,Admin")]
    public ActionResult Letter()
    {
        return View();
    }

Take note that I did not include ADSales in the Roles; this means that a user who has that role cannot access the Letter page.

Hope this helps. Please vote if it helped you and don't forget to mark it as the answer if it solves your problem. Thanks!

Upvotes: 3
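Both answers above rely on role checks, one at the IIS/ACL level and one via [Authorize]. As an added example (not code from either answerer or from the asker's project), the filter below combines the two requirements in the question in a single place: with Windows Authentication enabled in IIS, every authenticated network user is let in except members of a denied AD group, and a denied member who opens a pasted URL directly gets the custom "You are not authorised to view this page" message with a 403 instead of a browser credential re-prompt. The attribute name DenyAdGroupAttribute, the view name AccessDenied and the group name DOMAIN\AD_Sales are assumptions; substitute the real domain group.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Deny-list authorization filter (hypothetical name). Everyone authenticated by
// IIS Windows Authentication is allowed, EXCEPT members of the groups in DeniedGroups.
public class DenyAdGroupAttribute : AuthorizeAttribute
{
    // Comma-separated group names in DOMAIN\Group form; "DOMAIN\AD_Sales" is a placeholder.
    public string DeniedGroups { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        IPrincipal user = httpContext.User;
        // Unauthenticated callers are never granted access. With anonymous access
        // disabled in IIS this branch only fires if the site is misconfigured.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        if (string.IsNullOrWhiteSpace(DeniedGroups))
            return true;

        foreach (string group in DeniedGroups.Split(','))
        {
            string name = group.Trim();
            // For a WindowsPrincipal, IsInRole resolves the name against the token's group SIDs,
            // so nested group membership is honoured without a separate AD lookup.
            if (name.Length > 0 && user.IsInRole(name))
                return false;
        }
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not authenticated yet: let the base class emit 401 so IIS issues the Windows challenge.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but denied: a 401 here would make the browser re-prompt for credentials
        // that can never satisfy the rule. Return 403 and render the custom message instead.
        HttpResponseBase response = filterContext.HttpContext.Response;
        response.StatusCode = 403;
        response.TrySkipIisCustomErrors = true; // keep our view instead of the IIS 403 page
        filterContext.Result = new ViewResult
        {
            ViewName = "AccessDenied", // hypothetical view under Views/Shared
            ViewData = new ViewDataDictionary("You are not authorised to view this page")
        };
    }
}

// Registering the filter globally applies the deny rule to every action, so a link pasted
// to a member of the denied group is blocked whichever URL they open (Requirement 2).
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new DenyAdGroupAttribute { DeniedGroups = @"DOMAIN\AD_Sales" });
    }
}
```

This assumes web.config has `<authentication mode="Windows" />` and that anonymous authentication is disabled for the site in IIS; otherwise `User.Identity.IsAuthenticated` is false and every request is refused. Because the check is a deny-list, a group that is renamed in AD silently stops being denied, so the group name is worth keeping in configuration and covering with a test against a known member account.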
