In the last post I talked about how to expose or hide specific tables in ASP.NET Dynamic Data. What if you want to do this based on authorization rules, e.g. whether a user is authenticated or a member of a particular role? ASP.NET offers a powerful set of application services that include authentication and role-based authorization. It'd be a shame not to use them.
The first (and easiest) way to control access is declaratively in web.config. However, as Dynamic Data makes use of ASP.NET Routing, you can't simply create a local web.config file in the folder you want to secure; that won't work for requests that are routed via an IRouteHandler. Instead you can make use of the location element under <configuration> in web.config. This allows you to specify a path that the configuration settings apply to. For example, to prevent access to the List view on my Order_Details table I would use:

    <location path="Order_Details/List.aspx">
      <system.web>
        <authorization>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Alternatively, if you want additional flexibility, it's possible to hook into the routing mechanism itself. To do this I would create my own IRouteHandler and Route (both derived from their DynamicData equivalents) and add some authorization in there. Here's a simple example which ensures only authenticated users get access. This could easily be modified to check for roles and could be nicely hooked into a declarative mechanism to specify rules for particular tables.

    Imports Microsoft.VisualBasic
    Imports System
    Imports System.Web
    Imports System.Web.DynamicData

    ' Route handler that only hands out a page handler to authenticated users.
    Public Class CustomDynamicDataRouteHandler
        Inherits DynamicDataRouteHandler

        Public Overrides Function CreateHandler(ByVal route As System.Web.DynamicData.DynamicDataRoute, _
                                                ByVal table As System.Web.DynamicData.MetaTable, _
                                                ByVal action As String) _
                                                As System.Web.IHttpHandler
            If (HttpContext.Current.User.Identity.IsAuthenticated) Then
                Return MyBase.CreateHandler(route, table, action)
            Else
                ' Anonymous request: refuse to create the page handler.
                Throw New UnauthorizedAccessException()
            End If
        End Function
    End Class

    ' Route that plugs the custom handler into Dynamic Data routing.
    Public Class CustomDynamicDataRoute
        Inherits DynamicDataRoute

        Sub New(ByVal url As String)
            MyBase.New(url)
            Me.RouteHandler = New CustomDynamicDataRouteHandler()
        End Sub
    End Class

To make this work I simply add a CustomDynamicDataRoute in RegisterRoutes() rather than a DynamicDataRoute.
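The role-based variation mentioned above could look like the following. This is an added example, not code from the original post: the class name, the two rule dictionaries, and the table and role names are hypothetical, and it would be assigned to Me.RouteHandler in CustomDynamicDataRoute in place of CustomDynamicDataRouteHandler.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.DynamicData

' Added example: per-table, per-action role checks with default deny.
Public Class RoleCheckingRouteHandler
    Inherits DynamicDataRouteHandler

    ' Hypothetical rule tables: table name -> roles allowed to read / to modify.
    ' The table and role names are constructed sample values.
    Private Shared ReadOnly ReadRoles As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)
    Private Shared ReadOnly WriteRoles As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)

    Shared Sub New()
        ReadRoles.Add("Orders", New String() {"Sales", "Admin"})
        ReadRoles.Add("Order_Details", New String() {"Admin"})
        WriteRoles.Add("Orders", New String() {"Admin"})
    End Sub

    Public Overrides Function CreateHandler(ByVal route As DynamicDataRoute, _
                                            ByVal table As MetaTable, _
                                            ByVal action As String) As IHttpHandler
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Throw New UnauthorizedAccessException()
        End If

        ' Edit and Insert change data; every other action is treated as a read.
        Dim isWrite As Boolean = String.Equals(action, PageAction.Edit, StringComparison.OrdinalIgnoreCase) _
            OrElse String.Equals(action, PageAction.Insert, StringComparison.OrdinalIgnoreCase)
        Dim rules As Dictionary(Of String, String()) = If(isWrite, WriteRoles, ReadRoles)

        Dim allowed As String() = Nothing
        If rules.TryGetValue(table.Name, allowed) Then
            For Each role As String In allowed
                If user.IsInRole(role) Then
                    Return MyBase.CreateHandler(route, table, action)
                End If
            Next
        End If

        ' No rule for this table, or the user holds none of the listed roles: deny.
        Throw New UnauthorizedAccessException()
    End Function
End Class
```

A table with no entry is refused rather than allowed, so a newly added table stays closed until a rule is written for it. In the default page templates, Delete is a command on the List and Details pages rather than its own action, so this route-level check does not separate it from reads.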
I have to admit it took me ages to get the VB syntax right for the above. It also took me a while to figure out that TypeOf in VB is not the same thing as TypeOf in C#. Oh well....
Comments
Anonymous
August 06, 2008
PingBack from http://blog.a-foton.ru/2008/08/more-on-securing-entities-in-aspnet-dynamic-data/
Anonymous
August 06, 2008
I should mention (as I failed to do so in my last post) that some of the information (in particular