CodeProject: Extending ASP.NET 2.0 security. Free source code and programming help

Report Article

Discuss

Send to a friend

16 votes for this Article.

Popularity: 3.33 Rating: 2.77 out of 5

Introduction

The current implementation of ASP.NET 2.0's security is great and I have fallen in love with it, but it's still too limited. I will show you how to extend ASP.NET 2.0's security using a custom HTTP Module and your existing Web.sitemap.

This article will show you how to secure individual pages, each with independent permissions, without the need to add redundant data into your web.config.

Assumptions

This article assumes you are already familiar with ASP.NET 2.0's built-in user and role based security. This article also assumes you are familiar with ASP.NET 2.0's Web.sitemap. Familiarity with C# is a bonus, but not required.

I'm also assuming your site is already setup and using forms authentication.

The Problem

ASP.NET 2.0 gives you this great tool to make securing directories easy, and it does a great job.

You are also given a Web.sitemap file that allows you to restrict access by roles.

<?xml version="1.0" encoding="utf-8" ?>
<siteMap>
    <siteMapNode url="Default.aspx" title="Home" 
                    description="This is the default page">
        <siteMapNode url="Webform1.aspx" title="Webform1"  description="">
            <siteMapNode url="Marketing/SecureFile.aspx" title="Secure File 1"
                description="" roles="Marketing" />
        </siteMapNode>
        <siteMapNode url="" title="Marketing">
            <siteMapNode url="SecureFile.aspx" title="Secure File 2"
                description="" roles="Marketing" />
        </siteMapNode>
        <siteMapNode url="" title="Links">
            <siteMapNode url="http://google.com" title="Google" 
                description="Google" roles="" target="_blank" />
            <siteMapNode url="http://yahoo.com" title="Yahoo!" 
                description="Yahoo!" roles="" target="_blank" />
            <siteMapNode url="http://microsoft.com" title="Microsoft" 
                description="Microsoft" roles="" target="_blank" />
        </siteMapNode>
    </siteMapNode>
</siteMap>

Unfortunately, only the ASP.NET 2.0 site navigation controls use the Web.sitemap roles attribute to determine whether or not they should display the link (assuming, I rolled my own and don't use the built-in controls - I'll test later).

If you go directly to the URL of a file in the Web.sitemap that has roles, it will not be restricted by those roles (though, it'd be nice if it did).

The Solution

The solution is to implement your own HTTP Module and determine the allow / deny security based upon the roles attribute in the Web.sitemap file. This works in conjunction with ASP.NET 2.0's built-in security.

Add the following code to your web.config file inside the <system.web> node. This will allow you to intercept requests to all pages before processing, allowing you to force the Web.sitemap security.

<httpModules>
    <add name="SecurityHttpModule" type="Joel.Net.SecurityHttpModule" />
</httpModules>

Here's the code that performs all the magic...

using System;
using System.Web;
using System.Web.Security;

namespace Joel.Net {

    /// <summary>Security Http Module</summary>

    public class SecurityHttpModule : IHttpModule {

        public SecurityHttpModule() { }

        /// <summary>Initializes a module and prepares

        /// it to handle requests.</summary>

        /// <param name="context" 
        /// >An <see cref="T:System.Web.HttpApplication" />

        /// that provides access to the methods, properties,

        /// and events common to all application objects within

        /// an ASP.NET application </param>

        public void Init(System.Web.HttpApplication context) {
            context.AuthenticateRequest += new 
                    EventHandler(this.AuthenticateRequest);
        }

        /// <summary>Occurs when a security module

        /// has established the identity of the user.</summary>

        private void AuthenticateRequest(Object sender, EventArgs e) {
            HttpApplication Application = (HttpApplication)sender;
            HttpRequest Request = Application.Context.Request;
            HttpResponse Response = Application.Context.Response;
            bool allow = false; // Default is not not allow


            // Exit if we're on login.aspx,

            // not authenticated, or no siteMapNode exists.

            if (Request.Url.AbsolutePath.ToLower() == 
                FormsAuthentication.LoginUrl.ToLower()) return;
            if (Application.Context.User == null) 
                Response.Redirect(FormsAuthentication.LoginUrl);
            if (SiteMap.CurrentNode == null) return;

            // Check if user is in roles

            if (SiteMap.CurrentNode.Roles.Count == 0) {
                allow = true; // No Roles found, so we allow.

            } else {

                // Loop through each role and check to see if user is in it.

                foreach (string role in SiteMap.CurrentNode.Roles) {
                    if (Roles.IsUserInRole(role)) { allow = true; break; }
                }
            }

            // Do we deny?

            if (allow == false)
                Response.Redirect(FormsAuthentication.LoginUrl);
        }

        /// <summary>Disposes of the resources (other than memory)

        /// used by the module that implements

        /// <see cref="T:System.Web.IHttpModule" />.</summary>

        public void Dispose() { }
    }
}

Inside the Init function, we tie an event handler to the AuthenticateRequest event of the Context object. This allows our AuthenticateRequest to be called every time the Context.AuthenticateRequest event is raised.

The first block of code sets up all the objects we'll need, Application, Request, Response, in addition to creating an 'allow' boolean value to determine if they pass or fail the authentication in the Web.sitemap.

The following block will exit, or allow access (allowing access only means our custom HTTP module permits it, it still has to pass ASP.NET 2.0's security restrictions), under three conditions:

if we are at the Login page (we can't restrict the login page - how will they log in!?),
if the user is not logged in (if they're not logged in, we cannot get their roles; therefore, we let ASP.NET 2.0's built-in security handle this request),
there is no entry in the Web.sitemap for the current URL.

Next, we loop through each role in the current siteMapNode and check to see if the user exists in that role. If they are in the role, we set the 'allow' variable to true and break the loop.

Lastly, we test our 'allow' variable to see if we should let them pass through or force them to the login page.

Summary

We created an easy way (only approx. 55 lines of code) to extend ASP.NET 2.0's security, while still allowing ASP.NET 2.0 to control the security. When our HTTP Module cannot handle a request (e.g.: user not logged in, page not in Web.sitemap), we simply pass the request off to ASP.NET 2.0 and let it handle the security.

Resources

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Joel Thoms

Joel Thoms has been tinkering around with computers and programming ever since he got his first C= 64 at the age of 5. He has been programming professionally since 1996.

He mostly works with ASP.NET, C# and VB.NET, but is also fluent with ASP, VB6 and JavaScript. Has dabbled a little with C++, Perl, Cobol and a few other languages but doesn't have much use for them.

Joel is now the lead developer for Host Collective the company responsible for discountasp.net (one of the leaders in the asp.net hosting industry)

Occupation:	Web Developer
Location:	United States

Other popular Web Security articles:

Role-based Security with Forms Authentication
Provides insight and tips on using role-based (groups) Forms Authentication in ASP.NET, which has only partial support for roles.
Switching Between HTTP and HTTPS Automatically: Version 2
An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs
Cookieless ASP.NET forms authentication
They say it is not possible to use cookieless forms authentication in .NET. Well it is, and relatively easy to accomplish!
Single sign-on across multiple applications in ASP.NET
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way.
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
Discussing how to encode and tamper-proof text and cookies using the MachineKey, by using reflection.

Article Top

You must Sign In to use this message board.

Msgs 1 to 25 of 33 (Total in Forum: 33) (Refresh)

FirstPrevNext

Subject

Author

Date

Thank you

DuraiPrasanna

9:09 11 Jun '08

Thank you very much for sharing this article. It defenitely helps for people who don't want(or unable) to provide authorization for each & every files(in a folder) at web.config file. I was planning to look permission from DB for each page. But your Sitemap code changed my way.
Sign In·View Thread·PermaLink

source code download

kumarrajt

22:30 30 Sep '07

can i get source code download link to download the application Raj
Sign In·View Thread·PermaLink	1.60/5 (4 votes)

VB Conversion

timmyt851

14:11 11 May '07

For those of us who use Visual Basic, here is the translated code:

(web.config)
<httpModules>
      <add name="auth_pages" type="auth_pages" />
</httpModules>

(auth.vb)
Imports System.Web.Security

Public Class auth_pages
     Implements IHttpModule

     Public Sub Init(ByVal context As HttpApplication) Implements IHttpModule.Init
          AddHandler context.AuthenticateRequest, AddressOf AuthenticateRequest
     End Sub

     Public Sub AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
          Dim Application As HttpApplication = CType(sender, HttpApplication)
          Dim Request As HttpRequest = Application.Context.Request
          Dim Response As HttpResponse = Application.Context.Response
          Dim bAllow As Boolean = False
          If Request.Url.AbsolutePath.ToLower() = FormsAuthentication.LoginUrl.ToLower() Then Exit Sub
          If IsNothing(Application.Context.User) Then Response.Redirect(FormsAuthentication.LoginUrl)
          If IsNothing(SiteMap.CurrentNode) Then Exit Sub

          If SiteMap.CurrentNode.Roles.Count = 0 Then
               bAllow = True     'No Roles found, so we allow.
          Else
               'Loop through each role and check to see if user is in it.
               For Each role As String In SiteMap.CurrentNode.Roles
                    If Roles.IsUserInRole(role) Then bAllow = True
               Next
          End If

          If bAllow = False Then
               Response.Redirect(FormsAuthentication.LoginUrl)
          End If
     End Sub

     Public Sub Dispose() Implements IHttpModule.Dispose
     End Sub

End Class

I would like to see Security Trimming added so the sitemap works as if you had set the permissions in the web.config! Thanks,

TIM

2.00/5 (1 vote)

Getting naught but syntax and ms JScript errors [modified]

mrpimp

4:51 21 Feb '07

Hi,
I've been looking and pondering your solution for some time and it seems that it would solves an issue we're having with a Web portal project we have here.

So I've created a small   web project so as to test your HttpSecurityModule solution..

I'm using the standard XML sitemap provider, AspNetSqlMembershipProvider and AspNetSqlRoleProvider.
I've created a few nearly empty pages that worked fine before I added the SecurityModule. (I just retried it after removing the <httpModules> in the Web.config and it still worked fine.)

But each time I try to build it, it just loops through an infinte number of runtime and ms Jscript runtime errors(Object expected) without getting anywhere.

I include my web.sitemap, where I guess could be the error, though I can't find anything.
<code><?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode url="frmLogin.aspx" title="Accueil" description="Test de sitemap" roles="" >
      <siteMapNode url="frmPageGen1.aspx" title="Page générale1"   description="p1" roles="" />
      <siteMapNode url="frmPageGen2.aspx" title="Page générale2"   description="p2" roles="" />
      <siteMapNode url="" description="Pour FolderUsers" title="Usagers" roles="FolderUser"   >
         <siteMapNode url="Folders.aspx" title="Dossiers test" description="p.Dossier" roles="FolderUser" />
      </siteMapNode>
      <siteMapNode url="" title="Admins" roles="Admin" >
         <siteMapNode url="frmAdmin1.aspx" title="Page d'administration"   description="test de roles" roles="Admin" />
         <siteMapNode url="frmAdmin2.aspx" title="Admin Section" roles="Admin" />
      </siteMapNode>
</siteMapNode>
</siteMap>
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode url="frmLogin.aspx" title="Accueil" description="Test de sitemap" roles="" >
      <siteMapNode url="frmPageGen1.aspx" title="Page générale1"   description="p1" roles="" />
      <siteMapNode url="frmPageGen2.aspx" title="Page générale2"   description="p2" roles="" />
      <siteMapNode url="" description="Pour FolderUsers" title="Usagers" roles="FolderUser"   >
         <siteMapNode url="Folders.aspx" title="Dossiers test" description="p.Dossier" roles="FolderUser" />
      </siteMapNode>
      <siteMapNode url="" title="Admins" roles="Admin" >
         <siteMapNode url="frmAdmin1.aspx" title="Page d'administration"   description="test de roles" roles="Admin" />
         <siteMapNode url="frmAdmin2.aspx" title="Admin Section" roles="Admin" />
      </siteMapNode>
</siteMapNode>
</siteMap>

Any help would be appreciated.

Regards,
Pascal Marier-Dionne
Québec, Canada

-- modified at 10:20 Wednesday 21st February, 2007
Tracing through the SecurityHttpModule class, I see that it goes a first time through the verifications and bail out when the Request.Url.AbsolutePath is equal to my "LoginUrl" Web.config setting, and then goes through the AuthenticateRequest again, (but with WebResource.axd as the Request.Url.AbsolutePath) to then crashes repeatedly on the Response.Redirect(FormsAuthentication.LoginUrl).

Re: Getting naught but syntax and ms JScript errors

mrpimp

6:39 21 Feb '07

Well, we succeeded. But we had to add a validation to see whether the Request.Url.AbsolutePath contained "WebResource.axd"... Anyone knows why that is? I hate having to do that... Pascal Marier-Dionne Québec, Canada
Sign In·View Thread·PermaLink

What is the use?

juleshop

4:20 24 Mar '06

I thought I like your solutions, but the XmlSiteMap provider works in conjunction with the <authorize>-tags in the webconfig.

This is my situation. I only want to secure the "SecurePage.aspx" in my ASP.NET application.

Sitemap states this, note that the SecurePage needs a user with Right1

<siteMapNode url="~/Default.aspx" title="Home" roles="" description="">
    ...  
    <siteMapNode url="~/SecurePage.aspx" title="Secure" roles="Right1" description="" />
  </siteMapNode>
</siteMap>

The web.config states this:

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>
...

<location path="SecurePage.aspx">
   <system.web>
      <authorization>
         <allow roles="Right1" />
         <deny users="*" />
      </authorization>
   </system.web>
</location>

So now, when I log in with a user that has the role: "Right1" I can access the SecurePage and I can see it in my SiteMap menu. When I change "Right1" to, let's say "Right2" which the user doesn't have both in the web.config and the sitemap I can't access or see this page. However!!!, if I delete the web.config <location>-entry I can see the SecurePage entry in the Sitemap Menu, but I can't access the page (so, for that the HttpModule is working. But of course I must also be hidden in the menu....

Aanyone any thought on this; "...but the XmlSiteMap provider works in conjunction with the <authorize>-tags in the webconfig..."? So when I manage my righs via the web.config, there are automatically used by the sitemap.

Jules

-- modified at 9:54 Friday 24th March, 2006

Re: What is the use?

Joel Thoms

12:55 22 May '06

I did not touch on the topic of hiding elements when displaying the sitemap, I kept this article based on security for simplicity.

You've definately provided an alternate method, though (for my project) I felt it provided too much redundant data. I needed to be able to restrict many different pages all (possibly) with different permissions.

Adding a new <location /> node into the web.config for each page on the site is too cumbersome and redundant, since this data is already in the web.sitemap.

The solution you provided is probably the better solution for sites that are securing a 'secured' directory or just a few pages. But my project required a more flexible solution, and I don't like redundancey.

Joel Thoms
http://joel.net

Re: What is the use?

dbaier

23:15 23 May '06

it is not cumbersome and redundant. You are introducing a redundancy.

The tag is the authoritative authorizataion information - not the sitemap!!!

The only thing you have to enable is security trimming for the site map provider and only links will be shown the user is authorized for. no need for the role attribute. The only reason you would add a role attribute to a site map file is if you wanna override the decision based on the authorization settings.

What you are doing is actually quite dangerous.

dominick baier, DevelopMentor
http://www.leastprivilege.com

Re: What is the use? [modified]

Joel Thoms

13:46 24 May '06

For our site that has 50-100 pages, adding a new entry for each page into the web.config was not an option.

The redundancy comes in when you have to enter every page on the site into both the web.sitemap AND the web.config. For us it was easier to maintain this information in one location (web.sitemap).

The first option we considered was storing security information in some sort of datastore (database, datafile, etc.). The more simple solution was to put use the 'roles' attribute in the web.sitemap.

The control has been tested (and in use) on our web application without any security issues or problems.

Joel Thoms
http://joel.net

-- modified at 23:44 Wednesday 24th May, 2006

Use the Web.config to accomplish this

tketter

9:29 8 Mar '06

To redirect unauthorized users, you can specify a location section in your web.config that will enforce the built-in roles.

<location path="MyAppFolder/Secure">
     <system.web>
          <authorization>
               <deny users="?" roles="UNAUTHORIZED"/>
               <allow roles="AUTHORIZED"/>
                 </authorization>
     </system.web>
</location>

-- modified at 14:31 Wednesday 8th March, 2006

3.00/5 (2 votes)

Re: Use the Web.config to accomplish this

HurricaneGordon

21:55 3 Apr '06

and now your logic about your site and who can see links to a page and who can actually access that page are in 2 different locations, obviously a VERY bad thing, in addition to the difference between adding 1 attribute in the sitemap file, or adding 8 lines of xml in the web.config. As far as I can see this solution is vastly superior to the built-in logic.
Sign In·View Thread·PermaLink

Re: Use the Web.config to accomplish this [modified]

Joel Thoms

12:40 22 May '06

For my project I was unable to use the web.config because each page can have different permissions and adding a new <location /> node into the web.config to control the permissions seemed redundant. Joel Thoms http://joel.net -- modified at 17:40 Monday 22nd May, 2006
Sign In·View Thread·PermaLink

No new functionality

Francisco Jose Peredo Noguez

13:07 7 Dec '05

The security funciontality included in ASP.NET 2.0 does everything this code does... I see no advantage in using this code...
Sign In·View Thread·PermaLink

Re: No new functionality

Joel Thoms

12:42 22 May '06

The security functionality in the asp.net web admin will allow you to secure directories and it does so by adding a web.config into each directory. This code allows you to manage your permissions on a file level (instead of just directory level) and manage them in one place web.sitemap instead of a web.config in each directory. Joel Thoms http://joel.net
Sign In·View Thread·PermaLink

Re: No new functionality

[echo]

5:34 2 Dec '06

You don't need a web.config in every directory: //Henke
Sign In·View Thread·PermaLink

When SecurityTrimmingEnabled is true, SiteMap.CurrentNode returns null for nodes if user is not authorized

Diego Vega

11:01 17 Aug '05

The CurrentNode method of the default SiteMapProvider calls on internal method ReturnNodeIfAccessible() in order to filter nodes based on roles and the
SecurityTrimmingEnabled property.

So, I think the clause "if (SiteMap.CurrentNode == null) return;" is not safe. You are leaving it in hands of the default ASP.NET security, when "null" is telling you that the access should be denied.

I think it would be better to do it like this:

if (SiteMap.CurrentNode == null) {
if (SiteMap.Provider.SecurityTrimmingEnabled) {
Response.Redirect(FormsAuthentication.LoginUrl);
}
else {
return;
}
}

Or even better, refactor your code to set the allow flag on all conditions and only check in the end if you have to call Response.Redirect.

Re: When SecurityTrimmingEnabled is true, SiteMap.CurrentNode returns null for nodes if user is not authorized (correction)

Diego Vega

11:55 17 Aug '05

If you do as I said, you will loose access to every other thing in the server, including pictures, scripts, etc.

Actually, I had to do several other modifications for this solution to work for me:

1. If you redirect to login on (Application.Context.User == null), even downloading external resources like images for the login page will fail. The default behavior of ASP.NET security will take care of this for you, so no need to fiddle with it.
2. I changed the call to CurrentNode to SiteMap.Provider.FindSiteMapNode(), since this will not filter nodes on SecurityTrimmingEnabled.
3. I changed the foreach (string role in SiteMap.CurrentNode.Roles) alltogether for a call to SiteMap.Provider.IsAccessibleToUser(). This has advantages besides avoiding code duplication. For instance, IsAccessibleToUser() works well with "*" roles.

Tomorrow I will try some other ideas.

1.00/5 (1 vote)

Re: When SecurityTrimmingEnabled is true, SiteMap.CurrentNode returns null for nodes if user is not authorized

Joel Thoms

12:59 22 May '06

This can be a good way to extend the security for your project. The project I was working on required only the pages listed in the web.sitemap (with roles) to be secured. All other pages were passed through for asp.net to handle the security. Joel Thoms http://joel.net
Sign In·View Thread·PermaLink

Re: When SecurityTrimmingEnabled is true, SiteMap.CurrentNode returns null for nodes if user is not authorized

Diego Vega

18:45 24 May '06

Well, yes, in the end I think it all depends on your requirements. For instance, I ended up subclassing System.Web.UI.Page for this security feature and for many other uses. I think this approach has some advantages. Thanks for bringing my attention on the issues.
Sign In·View Thread·PermaLink

Re: When SecurityTrimmingEnabled is true, SiteMap.CurrentNode returns null for nodes if user is not authorized

Joel Thoms

15:23 25 May '06

This solution isn't the "perfect" solution for every application. For most people it is best to have a "secured" directory and let the web.config manage it.

For out web application, this was our best solution. This is not the first time I've had to implement complex security, so I thought I would share this for others that might need to.

If nothing else, this code can be a good learning tool.

Joel Thoms
http://joel.net

Inbuilt security sufficient enough to me

neil.young

12:04 5 Aug '05

<snip>
Unfortunately, only the ASP.NET 2.0 site navigation controls use Web.sitemap roles attribute to determine whether or not they should display the link (assuming, I rolled my own and don't use the built-in controls - I'll test later).

If you go directly to the URL of a file in the Web.sitemap that has roles, it will not be restricted by those roles (though, it'd be nice if it did).
</snip>

Not true. Having the <siteMap> section defined as already stated together with additional web.config (which do only have one entry, e.g.)

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <system.web>
            <authorization>
                  <allow roles="admin" />
                  <deny users="*" />
            </authorization>
      </system.web>
</configuration>

in the target directory does effectively protect those directory from unauthorized access.

repost: Now proper formatted

dominick.baier

3:02 19 May '05

What you are basically rebuilding is the built-in behaviour of securityTrimmingEnabled in conjunction with <authorization><allow>/<deny>

you have to redefine the sitemap provider in web.config

<siteMap enabled="true">
<providers>
   <clear/>
   <add name="AspNetXmlSiteMapProvider"
      type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
   siteMapFile="web.sitemap"
   securityTrimmingEnabled="true"
/>
</providers>
</siteMap>

after that the sitemap will only show links to pages the user is authorized for

<location path="admin.aspx">
<system.web>
   <authorization>
...

the roles attribute in web.sitemap is only for links that should be shown regardless if the user is authorized.

dominick
http://www.leastprivilege.com