Tuesday, July 3

Setting up Windows Authentication for Intranet Websites

Recently I was put on a project that needed to use the built-in Windows security for user authentication. The idea was to allow access only to users who are members of certain Windows groups. Once a user was authenticated, I needed to perform custom actions based on the group the user belongs to.

The configuration started with the Web.config. I added the authentication and authorization sections, specifying the authentication type and the groups authorized to access the site.

The "allow" rule admits members of the three groups; the "deny users" rule that follows it denies everyone else, both anonymous users and authenticated users who are in none of the listed groups (a rule with users="?" would deny only anonymous users). URL authorization evaluates the rules in order and the first match wins, so the allow must come before the deny, otherwise the groups are locked out as well. Windows mode only tells ASP.NET to trust the identity that IIS established, so Integrated Windows Authentication must be enabled (and anonymous access disabled) for the site in IIS.

With the "impersonate" setting we tell ASP.NET to run each request under the permissions and privileges of the authenticated user instead of the worker process (application pool) identity. Note that the impersonated token normally cannot be forwarded to a second server, for example a remote SQL Server, without Kerberos delegation.

    <!-- Web.config, system.web section -->
    <authentication mode="Windows" />
    <authorization>
        <!-- first matching rule wins: allow the three groups, then deny everyone else -->
        <allow roles="MSDomain\Buyers,MSDomain\Clerks,MSDomain\Receivers" />
        <deny users="*" />
    </authorization>
    <identity impersonate="true" />
In order to find out whether a user belongs to a particular group, and to get the list of groups a user belongs to, we need to add a "roleManager" configuration section and set its default provider to "AspNetWindowsTokenRoleProvider" (the name under which the WindowsTokenRoleProvider is registered in machine.config). Until this is done, any code that checks whether the user is part of a group or list of groups will not work.

The Role Manager helps us manage groups (roles) and perform group-based authorization in the application. We need it to identify the groups the authenticated user belongs to and act accordingly.
The MSDN article about role management says:
"The main benefits of using role manager are that it allows you to look up users' roles without writing and maintaining code. Additionally, the 
role providers offer a consistent way for you to check the role membership of your users, regardless of the underlying data store. Therefore, 
if your role store were to change tomorrow, you would only need to change the configuration settings to make your code work."

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

The role providers that ship with ASP.NET are as follows:
1. SqlRoleProvider
 - role information kept in SQL Server
2. WindowsTokenRoleProvider
 - read-only provider that retrieves role information for a 
   Windows user account based on the account's Windows security 
   group membership
3. AuthorizationStoreRoleProvider
 - used if your application uses Authorization Manager (AzMan)
In my case, all I needed was to redirect the user to the corresponding portion of the site depending on their role, so a read-only role provider was sufficient.
The MSDN article says: "The Windows security system acts as role store for this provider, so no additional configuration is required to set up the role store."
 
Once the user is authenticated, we check whether the user is part of a particular group and, if so, perform the custom action.
Below is the code required to check whether a user is part of an intranet (Windows domain) group.

    // WindowsGroupSettings.SettingFor.Buyers holds the group name, e.g. "MSDomain\Buyers".
    // With the role manager enabled, IsInRole is resolved through the
    // AspNetWindowsTokenRoleProvider, which checks the group SIDs in the user's logon token.
    if (User.IsInRole(WindowsGroupSettings.SettingFor.Buyers))
    {
        // LoadPricesForBuyer is the view event the MVP presenter subscribes to.
        if (this.LoadPricesForBuyer != null)
        {
            _buyerName = User.Identity.Name;
            LoadPricesForBuyer(this, EventArgs.Empty);
        }
    }

To get the list of groups a user is part of, use the following code. Note that the AspNetWindowsTokenRoleProvider is read-only and can only enumerate the groups of the current request's user: passing any other user name to GetRolesForUser throws a ProviderException.

    if (!IsPostBack)
    {
        // Only the current user's name is valid here with the Windows token provider;
        // Roles.GetRolesForUser() without arguments is equivalent.
        gvRoles.DataSource = Roles.GetRolesForUser(User.Identity.Name);
        gvRoles.DataBind();
    }
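As an added example (not the original post's code), the two snippets above can be combined into a small helper that picks a landing page from the user's group memberships in priority order, returns null for authenticated users who are in none of the allowed groups, and wraps GetRolesForUser so the provider's current-user-only restriction does not surface as an unhandled exception. The RoleRouting class, the group names and the page paths are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Security.Principal;
using System.Web.Security;

// Added example: routes an authenticated Windows user by group membership.
// Group names and page paths are assumptions, not the original project's values.
public static class RoleRouting
{
    // Priority order matters: a user in both Buyers and Clerks lands on the Buyers page.
    private static readonly KeyValuePair<string, string>[] GroupToPage =
    {
        new KeyValuePair<string, string>(@"MSDomain\Buyers",    "~/Buyers/Default.aspx"),
        new KeyValuePair<string, string>(@"MSDomain\Clerks",    "~/Clerks/Default.aspx"),
        new KeyValuePair<string, string>(@"MSDomain\Receivers", "~/Receivers/Default.aspx"),
    };

    // Returns the first matching landing page, or null when the user is
    // unauthenticated or a member of none of the allowed groups. Callers
    // should treat null as "deny", never as "send to a default area".
    public static string LandingPageFor(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return null;

        foreach (KeyValuePair<string, string> entry in GroupToPage)
        {
            if (user.IsInRole(entry.Key))
                return entry.Value;
        }
        return null;
    }

    // AspNetWindowsTokenRoleProvider only knows the caller's own logon token:
    // Roles.GetRolesForUser(name) throws ProviderException for any other name.
    // Return an empty list instead of letting the exception reach the page.
    public static string[] SafeRolesFor(string userName)
    {
        try
        {
            return Roles.GetRolesForUser(userName);
        }
        catch (ProviderException)
        {
            return new string[0];
        }
    }
}

// Landing page (assumed name) that applies the routing on first load.
public partial class Landing : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        string target = RoleRouting.LandingPageFor(User);
        if (target == null)
        {
            // URL authorization (deny users="*") should already have rejected this
            // caller; reaching here means the config and the code disagree, so fail closed.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Keeping the group-to-page table in one place means the Web.config allow list and the code's routing list can be compared in a review; a group that is allowed in the config but missing from the table ends up with a 403 rather than silently landing somewhere unintended.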
 
Notice that I have used the WebNavigator and MVP pattern in this project. :)
I am having a torrid time fighting the fonts/HTML in posts that contain code copied using CopySourceAsHtml,
especially code containing tags.
