Shayne

Reputation: 143

Simple AD Application Security

I have a .Net 4.0 application that uses Windows Authentication (Active Directory) security. I decided to write my own handler to check to see if the user has access to the current page by looking at the page name and checking to see if the user is in the proper AD group that is defined as having access to that particular page.

This application is STRICTLY an Intranet application that will only run in our Company Domain.

I simply use: "System.Web.HttpContext.Current.User.IsInRole".

If the user is in the group, I proceed on as normal. If the user isn't in the group, I redirect the user to a "No Access" page.

My question is... I am doing this (IsInRole) check every time the page loads (in PageLoad(), all of my pages call a method that validates the user against the page, every time the page loads...)

How would you suggest I be more efficient about this? (I suppose I could at least put a "!PostBack" test before calling the validation code, huh?) What about using Session variables and/or cookies?

Any advice is much appreciated!

P.S. - I have used the Membership Provider in the past and considered using it for this application, but I decided against it. What I am trying to do is very simple and I really didn't want to junk up my database or code with all the Membership Provider stuff.

Upvotes: 1

Views: 103

Answers (2)

DancesWithBamboo

Reputation: 4156

One idea is to use the authorization section of the web.config like here.

Another option is to derive all of your pages from a base class (of type Page) that does your IsInRoleCheck in the Init method so you don't accidentally forget and you don't have to repeat the code all over your pages.

Upvotes: 1
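
The base-class approach from the answer above, as an added example that is not part of the original question or answer. The class name `AuthorizedPage`, the `CONTOSO\...` group names, the page names and the `~/NoAccess.aspx` path are assumptions. The check runs on every request, postbacks included, and a page with no entry in the map is denied.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

// Hypothetical base class: every protected page inherits from it instead of Page.
// The "No Access" page itself must NOT inherit from it, or the redirect would loop.
public abstract class AuthorizedPage : Page
{
    // Page name -> AD group allowed to open it (constructed placeholder values).
    private static readonly Dictionary<string, string> RequiredGroup =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Payroll.aspx", @"CONTOSO\PayrollUsers" },
            { "Reports.aspx", @"CONTOSO\ReportViewers" }
        };

    protected override void OnInit(EventArgs e)
    {
        // OnInit fires before Page_Load and before any control event handler,
        // so a postback cannot reach button/grid handlers without passing here.
        string page = VirtualPathUtility.GetFileName(Request.CurrentExecutionFilePath);

        string group;
        bool allowed =
            RequiredGroup.TryGetValue(page, out group)   // unmapped page => deny
            && User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole(group);                     // evaluated server-side per request

        if (!allowed)
        {
            // true = end the response now, so no further page code executes.
            Response.Redirect("~/NoAccess.aspx", true);
        }

        base.OnInit(e);
    }
}
```

A page opts in by declaring `public partial class Payroll : AuthorizedPage` in its code-behind.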

Matt

Reputation: 2098

Are you using a masterpage?

If so, put a call to your authentication in the Page_Load of the masterpage and it will cascade to any content page using your masterpage.

Upvotes: 1
