Integrated Security with Web Application

This article explains how integrated security works in a web application using Active Directory.

Introduction:

Guys, I've just finished setting up my first application using integrated security, and I thought I would share a few things which I have learned along the way.

In Active Directory, the various groups and users are all organized into OUs, or "Organizational Units." Within an OU, you will find other OUs or groups. Groups come in various types: you can set up "Role Groups" with a GSGu_ prefix and "Resource Groups" with a GSLapaFC_ prefix.

To work with Active Directory using integrated security, we follow this pattern in our code: you put users into Role Groups and you put Role Groups into Resource Groups. There are a number of reasons to follow this recommendation, not the least of which is that the AD people want us to follow this as a "best practice."

What Are Role Groups?

Role Groups hold the user IDs of users who, for example, either have the same sort of job function or are in the same department. Suppose there is an Admin role that covers functions such as Update and Delete; this Role Group then holds the user IDs of everyone who has the right to update and delete records.

What Are Resource Groups?

Resource Groups contain all the Role Groups that should have access to the "resource" that the Resource Group represents -- this may be an entire application, one page in a web app, or even just a small group of controls on a page someplace. The main point is that for each thing you want to explicitly limit access to, you'll want to create a Resource Group to represent it.

Now that you have the background, let's see how to implement it.

Create the OU that will store all the Role Groups, e.g. OUg_Functions.
You can give it whatever name you want.
After that, create a Role Group for each role under OUg_Functions.
The naming convention is GSGu_ApplicationName_Role, e.g. Gsgu_Banking_Delete.
Then add the users to this Role Group.

In the part above we created the Role Groups. Now let's see how to relate these Role Groups to the Resource Groups.

As I mentioned, users are added to Role Groups and Role Groups are added to Resource Groups.

I think there should be at least one resource group that represents the entire application as a whole. Then there may be many other resource groups that control access to different areas within the application.

Let's take an example. In my application there will be Delete, Add and Modify functionality. I will create three Role Groups: Gsgu_BACR_Delete, Gsgu_BACR_Add and Gsgu_BACR_Modify. Next, I will add the users who have Delete functionality to the Gsgu_BACR_Delete Role Group in AD.

Next, I will add this Role Group to the Resource Group, which will be GSLapaFC_BACR_Delete.

It is possible that only one user will have all three rights. In that case we can create just one Role Group and add it to one Resource Group, so that we need not add the same user three times to three different groups.
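
Because users sit in Role Groups and Role Groups sit in Resource Groups, an access check has to follow memberships transitively and then keep only the resource-prefixed names. The following C# is an added example, not code from the article or its AdSecurity class: it runs over a constructed in-memory directory that reuses the article's BACR group names; the users, the `ResourceGroupResolver` class and its `CanAccess` method are hypothetical.

```csharp
using System;
using System.Collections.Generic;

static class ResourceGroupResolver
{
    // Constructed sample directory: member -> groups it is a direct member of.
    static readonly Dictionary<string, string[]> MemberOf =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        { "alice", new[] { "Gsgu_BACR_Delete", "Gsgu_BACR_Add" } },
        { "bob", new[] { "Gsgu_BACR_Add" } },
        { "Gsgu_BACR_Delete", new[] { "GSLapaFC_BACR_Delete" } },
        { "Gsgu_BACR_Add", new[] { "GSLapaFC_BACR_Add" } },
        // Deliberate nesting loop, to show that the walk still terminates.
        { "GSLapaFC_BACR_Add", new[] { "Gsgu_BACR_Add" } },
    };

    // Follow memberships transitively, then keep only names carrying the resource prefix.
    public static HashSet<string> ResourceGroupsFor(string user, string prefix)
    {
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var queue = new Queue<string>();
        queue.Enqueue(user);
        while (queue.Count > 0)
        {
            string[] parents;
            if (!MemberOf.TryGetValue(queue.Dequeue(), out parents)) continue;
            foreach (string g in parents)
                if (seen.Add(g)) queue.Enqueue(g);   // Add returns false for a group already visited
        }
        seen.RemoveWhere(g => !g.StartsWith(prefix + "_", StringComparison.OrdinalIgnoreCase));
        return seen;
    }

    // Hypothetical check: unknown users and unlisted resources resolve to "not authorized".
    public static bool CanAccess(string user, string resourceGroup)
    {
        return ResourceGroupsFor(user, "GSLapaFC").Contains(resourceGroup);
    }

    static void Main()
    {
        Console.WriteLine("alice: " + string.Join(",", ResourceGroupsFor("alice", "GSLapaFC")));
        Console.WriteLine("bob add: " + CanAccess("bob", "GSLapaFC_BACR_Add"));
        Console.WriteLine("bob delete: " + CanAccess("bob", "GSLapaFC_BACR_Delete"));
        Console.WriteLine("unknown user: " + CanAccess("carol", "GSLapaFC_BACR_Add"));
    }
}
```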

Once you've got access to Active Directory and you've created role groups (and added users to them) and created resource groups (and added role groups to them), you have to do a number of things to get your application using this info to enforce security.

In web.config, you'll need these settings:

<add key="AuthIgnoreSecurity" value="False" />
<!-- "Web.Config" or "Active Directory" -->
<add key="AuthGroupLocation" value="Active Directory" />
<add key="AuthActiveDirectoryServer" value="LDAP://DC=corpdev,DC=TS-DEV, DC=net" />
<add key="AuthMode" value="Windows" /> <!-- "Forms", "Windows" -->
<add key="AuthTicketDuration" value="30" />
<add key="AuthWindowsCookie" value="BatchControlCetner_WindowsAuthCookie" />
<add key="AuthResourceGroupPrefix" value="GSLapaFC" />  <!-- needed when going against AD -->

We're still looking into the implications of changing the LDAP string so that it starts at a location lower in the AD hierarchy. The example I have here is right at the top.

You'll want to make sure that the value of the AuthWindowsCookie key is different for each application you build to avoid some conflicts between applications.

You need to put some code in Application_AuthenticateRequest in global.asax in order to initialize the security for your app -- it uses the settings in the web.config above and results in a couple of important things: the creation of the Windows authorization cookie and the attachment of a string of permitted resources to Context.User in your web app. We only have to hit AD once to build the list of resources for which a user has permission, and then we store that information for use by the AdSecurity class.

Here's the code in C#:

// Body of Application_AuthenticateRequest in global.asax
if (AdSecurity.AuthenticationMode == "Forms")
{
    HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    // resource groups cached in cookie are read and added to Context.User
    Context.User = AdSecurity.PrincipalWithResourceGroups(authCookie);
}
else // AuthenticationMode == "Windows"
{
    HttpCookie authCookie = Context.Request.Cookies[WebConfig.GetAppSetting(WebConfigKey.AuthWindowsCookie)];
    if (authCookie == null)
    {
        // create a cookie containing the list of resource groups for the user
        authCookie = AdSecurity.WindowsAuthenticationCookie(
            WebConfig.GetAppSetting(WebConfigKey.AuthActiveDirectoryServer), Context.User);
        // even if authCookie.Value = "" we want to send the cookie to the browser so we don't
        // have to keep calling AdSecurity.WindowsAuthenticationCookie with each http request
        if (authCookie != null)
        {
            Response.Cookies.Add(authCookie);
        }
    }
    // resource groups cached in cookie are read and added to Context.User
    Context.User = AdSecurity.PrincipalWithResourceGroups(authCookie, Context.User.Identity);
}


Here's the code in VB:

If AdSecurity.AuthenticationMode = "Forms" Then
    Dim authCookie As HttpCookie = MyBase.Context.Request.Cookies.Item(FormsAuthentication.FormsCookieName)
    ' resource groups cached in cookie are read and added to Context.User
    MyBase.Context.User = AdSecurity.PrincipalWithResourceGroups(authCookie)
Else ' AuthenticationMode = "Windows"
    Dim authCookie As HttpCookie = MyBase.Context.Request.Cookies.Item( _
        WebConfig.GetAppSetting(WebConfigKey.AuthWindowsCookie))
    If authCookie Is Nothing Then
        ' create a cookie containing the list of resource groups for the user
        authCookie = AdSecurity.WindowsAuthenticationCookie( _
            WebConfig.GetAppSetting(WebConfigKey.AuthActiveDirectoryServer), MyBase.Context.User)
        ' send the cookie even if its value is empty, so AD is not queried on every request
        If Not authCookie Is Nothing Then
            MyBase.Response.Cookies.Add(authCookie)
        End If
    End If
    ' resource groups cached in cookie are read and added to Context.User
    MyBase.Context.User = AdSecurity.PrincipalWithResourceGroups(authCookie, MyBase.Context.User.Identity)
End If
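
Because the handler above caches the user's resource groups in a cookie, that list is only trustworthy if the browser cannot edit it. The article does not show how AdSecurity builds or protects the cookie, so the following C# is an added example, not the article's code: it signs the cached list with HMAC-SHA256, binds it to the user and an expiry, and rejects anything altered. The `SignedGroupCookie` class, the value layout, the sample user and reading AuthTicketDuration as 30 minutes are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedGroupCookie
{
    static string Mac(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Cookie value layout (constructed for this sample): user|expiryTicks|group,group|mac
    public static string Protect(byte[] key, string user, string[] groups, DateTime expiresUtc)
    {
        string payload = user + "|" + expiresUtc.Ticks + "|" + string.Join(",", groups);
        return payload + "|" + Mac(key, payload);
    }

    // Returns the cached groups, or null if the value was altered, has expired or was issued
    // to another user; the caller treats null as "rebuild the list from AD".
    public static string[] Unprotect(byte[] key, string value, string user, DateTime nowUtc)
    {
        int cut = (value ?? "").LastIndexOf('|');
        if (cut < 0) return null;
        string payload = value.Substring(0, cut), mac = value.Substring(cut + 1);
        string expected = Mac(key, payload);
        int diff = expected.Length ^ mac.Length;              // compare without early exit
        for (int i = 0; i < expected.Length && i < mac.Length; i++) diff |= expected[i] ^ mac[i];
        if (diff != 0) return null;
        string[] parts = payload.Split('|');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[1], out ticks)) return null;
        if (parts[0] != user || ticks < nowUtc.Ticks) return null;
        return parts[2].Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }

    static void Main()
    {
        var key = new byte[32];   // assumption: a real app loads a server-side secret instead
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;
        string cookie = Protect(key, @"CORP\alice", new[] { "GSLapaFC_BACR_Add" }, now.AddMinutes(30));
        string edited = cookie.Replace("GSLapaFC_BACR_Add", "GSLapaFC_BACR_Delete");
        Console.WriteLine("untouched accepted: " + (Unprotect(key, cookie, @"CORP\alice", now) != null));
        Console.WriteLine("edited accepted: " + (Unprotect(key, edited, @"CORP\alice", now) != null));
        Console.WriteLine("expired accepted: " + (Unprotect(key, cookie, @"CORP\alice", now.AddMinutes(31)) != null));
    }
}
```

ASP.NET's own FormsAuthentication.Encrypt over a FormsAuthenticationTicket, or MachineKey.Protect on .NET 4.5 and later, gives the same tamper protection using the machine key. Whatever the mechanism, a user removed from a group keeps the cached access until the cookie expires.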

Note: Don't forget to copy the global.asax file when you deploy your application, or the event handlers in its code-behind file will not be executed (and your application may not fail -- it just won't work correctly).

Once you've done all this, then it's pretty easy to implement security in the code of your application. You just ask AdSecurity whether or not the current user is authorized to use a particular resource (that you have defined and assigned a resource group name). All your application needs to be aware of is the Resource Groups associated with the things you want to control.  Then you just use AdSecurity.IsAuthorized(Context.User, resourceGroupName) and it will tell you whether or not the current user is allowed to have access to the thing, whatever it may be.

So Enjoy coding...


 About the author
 
Shrikant Utekar
Shrikant has been working in the software industry for over 6 years. He is an MCP. His main interest is in developing web-based applications and building server architecture. His area of expertise is in Microsoft technologies such as .NET, C#, Web services, ASP.NET, ASP/IIS, .NET Security, Data Access Architecture.
 Comments
AdSecurity by Rodney On January 3, 2008
Where is this class? Is this something you created or provided by Microsoft? The only reference I can find to it is in this article
 © 2010  contents copyright of their authors. Rest everything copyright Mindcracker. All rights reserved.