I have an asp.net (C#) set up to authenticate with LDAP. Everything works fine, I can log in with any users in our directory. The thing is, I need to restrict certain pages to people in specific groups. I'm using the login view + the account folder approach.
My website design is simple, it has three pages, one is viewable for everyone (outside of the account folder), the two others require authentication. I want one group to have access to both web pages, and a second group to have access to only ONE of the pages.
I've tried:
    string group = "group";
    if (!User.IsInRole(group))
    {
        Response.Redirect("login.aspx");
    }
But no matter what my user isn't in that group. I have an LDAP browser on and I know for SURE I'm in the group. The LDAP browser shows "memberOf" and "CN=group".
Is there something I'm doing wrong?
Have you tried adding the domain name?
You could also implement this using the App.Config: http://bytes.com/topic/asp-net/answers/300187-web-config-authorization-help
Edit:
Here is a better link for role-based security in ASP.NET using the App.Config.
When you create your FormsAuthenticationTicket for the user, the UserData is what specifies the "Role(s)" for that user.
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx
Just for example:
    // Version 1 ticket; the last argument (UserData) carries the role name(s)
    // that will later be read back when the principal for the request is built.
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
        username, DateTime.Now, DateTime.Now.AddMinutes(30),
        isPersist, "group");

    //I'll add more example code for the sake of completing the example
    string encryptTick = FormsAuthentication.Encrypt(authTicket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
        encryptTick);
    if (isPersist)
        cookie.Expires = authTicket.Expiration;
    Response.Cookies.Add(cookie);
This should allow your code above to work.
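As an added example (not code from the question or from either answer), the following C# ties the two pieces together: it reads the user's direct group memberships from the LDAP memberOf attribute with System.DirectoryServices, stores the group CNs in the ticket's UserData, and rebuilds the request principal from the ticket so that User.IsInRole("group") returns true. The LDAP path "LDAP://DC=example,DC=com", the '|' separator and the class name GroupAuth are assumptions; the user name is assumed to have been validated against the directory already.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;      // DirectorySearcher / SearchResult (System.DirectoryServices.dll)
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example, not from the original question or answers.
// Assumptions: ldapPath is a placeholder for your directory, the user name has
// already been checked against LDAP, and roles live in UserData separated by '|'.
public static class GroupAuth
{
    const char RoleSeparator = '|';

    // Return the CN of every group the user is a direct member of (memberOf).
    // Nested memberships are not listed by memberOf, so they are not returned.
    public static string[] GetGroupNames(string ldapPath, string samAccountName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the value so a crafted user name cannot change the filter.
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdapValue(samAccountName) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null || !result.Properties.Contains("memberOf"))
                return new string[0];

            var names = new List<string>();
            foreach (object dn in result.Properties["memberOf"])
            {
                string cn = LeadingCn(dn.ToString());   // "CN=group,OU=...,DC=..." -> "group"
                if (cn != null) names.Add(cn);
            }
            return names.ToArray();
        }
    }

    // RFC 4515 escaping for a value embedded in an LDAP search filter.
    static string EscapeLdapValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Value of the leading "CN=" RDN, honouring backslash-escaped commas; null if absent.
    static string LeadingCn(string dn)
    {
        if (!dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase)) return null;
        var sb = new StringBuilder();
        for (int i = 3; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length) { sb.Append(dn[++i]); continue; }
            if (dn[i] == ',') break;
            sb.Append(dn[i]);
        }
        return sb.ToString();
    }

    // Issue the forms ticket after a successful directory check, roles in UserData.
    public static void IssueTicket(HttpResponse response, string username, string[] roles, bool isPersist)
    {
        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(30),
                                                  isPersist, string.Join(RoleSeparator.ToString(), roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket out of reach of page script
            Secure = FormsAuthentication.RequireSSL
        };
        if (isPersist) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_AuthenticateRequest. Rebuilds the principal
    // from the ticket so User.IsInRole("group") and <allow roles="group"/> both work.
    public static void AttachPrincipal(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; }         // malformed cookie: request stays anonymous
        catch (CryptographicException) { return; }    // tampered cookie: request stays anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { RoleSeparator }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

// Global.asax.cs hook:
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     GroupAuth.AttachPrincipal(HttpContext.Current);
// }
```

Once AttachPrincipal runs for every request, the page-level IsInRole check from the question works, and so does declarative authorization in web.config: a location element for the page that only one group may see can carry allow roles="group" followed by deny users="*", with the second page allowing both groups. Because memberOf only lists direct memberships, a user who belongs to "group" through a nested group will not get the role unless you expand nested groups separately.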
If you are using Integrated Authentication against your domain, and you've set impersonation to true, you can lock down areas of your application by removing ASPNET (and any other global groups) from having permissions to the directory, and adding in the designated AD groups you want to have access.
I would definitely document this, as I inherited a system that used this method and it tripped me up for a few hours figuring out where the Access Control was enforced.