
How to implement security for ASP.NET MVC site to deny access to a particular group?

Developer https://www.devze.com 2023-01-29 15:18 Source: Web

I have an internal corporate ASP.NET MVC website.

Requirement(1): When any person is on the network, they can access this site EXCEPT one AD Group (Example: AD_Sales group).

Requirement(2): Also, for example, if a person who has access passes a URL (Ex: http://mysite/Home/Index/Product/Letter) to a sales group person, they still should NOT be able to access it, and a custom message saying "You are not authorised to view this page" needs to be displayed.

If the scenario were to grant access to one AD Group and deny access to all others, it would be fairly easy. It can be done from IIS. I am wondering how to do this.

Has anybody implemented security for this scenario?

I appreciate your time and responses.

Thanks


I am sure this will work for you...

Two steps... First, in your Global.asax.cs, put this:

    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;
    using System.Web.SessionState;

    // Role, CurrentUser.GetRole(), AuthenticationException and ErrorEnum are the
    // application's own types (they are not part of ASP.NET).
    protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        // At this point in the pipeline Context.Handler is set, so Session is available.
        if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
        {
            // Is this a session created in the current request?
            if (Session.IsNewSession)
            {
                // Already authenticated but with a brand-new session (the stored role is
                // gone): unless this is the logon request itself, sign out and replay the
                // request so the user logs on again and the identity is rebuilt.
                if (User.Identity.IsAuthenticated)
                {
                    string url = Request.Url.ToString();
                    if (url.IndexOf("Account/LogOn") < 0)
                    {
                        FormsAuthentication.SignOut();
                        Response.Redirect(Request.RawUrl);
                    }
                }
            }
            else
            {
                // Existing session: rebuild the principal from the role stored in session.
                if (User.Identity.IsAuthenticated)
                {
                    try
                    {
                        // Get the role of the logged-in user from the session.
                        Role myRole = CurrentUser.GetRole();
                        string[] strRole;
                        switch (myRole)
                        {
                            case Role.ADSales:
                                strRole = new[] { "ADSales" };
                                break;
                            case Role.DeptHead:
                                strRole = new[] { "DeptHead" };
                                break;
                            case Role.ProductionCrew:
                                strRole = new[] { "ProductionCrew" };
                                break;
                            case Role.Admin:
                                strRole = new[] { "Admin" };
                                break;
                            default:
                                throw new AuthenticationException(ErrorEnum.Impossible);
                        }
                        // Attach the role to the current identity so [Authorize(Roles = ...)] can see it.
                        Context.User = new GenericPrincipal(Context.User.Identity, strRole);
                    }
                    catch (Exception)
                    {
                        // No usable role in session: force a fresh logon (except on the logon page itself).
                        string url = Request.Url.ToString();
                        if (url.IndexOf("Account/LogOn") < 0)
                        {
                            FormsAuthentication.SignOut();
                            Response.Redirect(Request.RawUrl);
                        }
                    }
                }
            }
        }
    }

Next, in your controller add the attribute:

    [Authorize(Roles = "ProductionCrew,DeptHead,Admin")]
    public ActionResult Letter()
    {
        return View();
    }

Take note that I did not include ADSales in the Roles; this means that a user with that role cannot access the Letter page.

Hope this helps. Please vote if it helped you and don't forget to mark it as the answer if it solves your problem. Thanks!


You'll need to enable Windows Authentication on the directory of your application. Then change the ACL of the files/directory involved to deny access to the particular group. Finally, map the IIS 403 error to your access denied method.

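As an added example (not code from either answer), here is one way to combine the two approaches above in a single MVC filter: Windows Authentication as in the second answer supplies the AD group membership, and a custom AuthorizeAttribute denies the one group and renders the custom message instead of a login prompt. It assumes IIS Windows Authentication is enabled, that a view named AccessDenied exists, and uses "DOMAIN\AD_Sales" as a placeholder for the real domain-qualified group name.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example, not code from either answer. Assumes IIS Windows Authentication
// is enabled so HttpContext.User is a WindowsPrincipal whose IsInRole() resolves
// AD group membership. "DOMAIN\AD_Sales" is a placeholder for the real group name.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class DenyAdGroupAttribute : AuthorizeAttribute
{
    private readonly string[] _deniedGroups;
    public DenyAdGroupAttribute(params string[] deniedGroups)
    {
        _deniedGroups = deniedGroups;
    }

    // Requirement 1: any authenticated network user is allowed in, except
    // members of a denied group.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (var group in _deniedGroups)
            if (user.IsInRole(group))
                return false;
        return true;
    }

    // Requirement 2: a denied user who follows a pasted URL must see the custom
    // message, not the login prompt that the default 401 response produces.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext); // 401: let Windows auth challenge
            return;
        }
        var response = filterContext.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.Forbidden;
        response.TrySkipIisCustomErrors = true; // keep our view, not the IIS 403 page
        filterContext.Result = new ViewResult
        {
            ViewName = "AccessDenied", // assumed: Views/Shared/AccessDenied.cshtml
            ViewData = new ViewDataDictionary("You are not authorised to view this page")
        };
    }
}
```

Register it globally in FilterConfig with `GlobalFilters.Filters.Add(new DenyAdGroupAttribute(@"DOMAIN\AD_Sales"))` so every action, including deep links such as /Home/Index/Product/Letter, is covered; or apply it to the Letter action alone.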
