I have an ASP.NET 4.0 web application that uses Windows Authentication against AD and a SQL Server for Role management.
Basically, I want all users who have an AD account to be able to access the application, but I want to further secure the app using roles in SQL Server. I do not want users to have to enter in their passwords for authentication.
Is it viable for me to check authentication in the Global Application_Start method, or should I be executing this code elsewhere?
Application_Start is only fired once when the Application itself is initialized. HttpContext.Current.User will contain details of the user making the HTTP request that caused IIS to initialize the application.
Instead use Application_BeginRequest, which is raised for every incoming request; however, ideally you should check authorization (not authentication) when the web-application intends to perform an action, not preemptively on every request.
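
An added example (not code from the question or the answer above) of checking authorization at the point of action rather than in Application_Start: a handler that lists a role's members only when the current request's user holds an administrative role. It assumes Windows authentication with roleManager enabled against a SQL Server role provider; Authz, RoleMembersHandler and the RoleAdmin role are hypothetical names.

```csharp
// Assumes web.config: <authentication mode="Windows" /> and
// <roleManager enabled="true"> backed by a SQL Server role provider, so
// IsInRole() and Roles.* consult the SQL role store for the AD user name.
// Authz, RoleMembersHandler and the "RoleAdmin" role are hypothetical names.
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class Authz
{
    // Throws 401/403 unless the user of the *current request* holds the role.
    public static void Demand(IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new HttpException(401, "Windows authentication required.");

        if (!user.IsInRole(role))
        {
            // Log the denial so repeated attempts show up in review.
            Trace.TraceWarning("Authorization denied: user={0} role={1}",
                               user.Identity.Name, role);
            throw new HttpException(403, "Missing role: " + role);
        }
    }
}

public class RoleMembersHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Authorization is checked here, where the action is performed,
        // against context.User for this request (not in Application_Start).
        Authz.Demand(context.User, "RoleAdmin");

        string role = context.Request.QueryString["role"];
        // Roles.RoleExists rejects empty names and names containing commas
        // with an exception, so filter those out before calling it.
        if (string.IsNullOrWhiteSpace(role) || role.Contains(",") || !Roles.RoleExists(role))
            throw new HttpException(404, "Unknown role.");

        context.Response.ContentType = "text/plain";
        foreach (string member in Roles.GetUsersInRole(role))
            context.Response.Write(member + "\n");
    }
}
```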