Iron Speed Designer Help
 

Example: Overriding Security at the Page Level

July 23, 2009
Iron Speed Designer V6.2 and later

In some cases it is useful to provide custom or alternative security on a page-by-page basis.  You can do this by passing information to the page via a .NET session variable, by handling events raised by the security layer, or by calling methods defined in the SecurityControls class.  Before each page is displayed, retrieve the session variable or call one of the aforementioned methods and perform the necessary checks to determine whether the user has permission to view the page.

One approach is to perform such validation by overriding the Authorize method.  You do not need to do this page by page, however: you can override the Authorize method once in the BaseApplicationPage class, the class from which all page classes in your application are derived.  The example below takes a simpler route and performs its check in the Load event of BaseApplicationPage, driven by a session variable that is set when the user signs in.

In the example below, a signed-in user whose DeptID is 1 is prevented from accessing EditOrders.aspx and AddOrders.aspx.

Step 1:  Enable application security using the Application Security Wizard in Iron Speed Designer.

Step 2:  Create an application using the Orders table in the Northwind database.  Set the start page to ShowOrdersTable.aspx.  Set the access permissions for ShowOrdersTable.aspx to “Grant access only to signed in users”.

Step 3:  Add the following code to the SignIn_Control class in SignIn_Control.ascx.cs, located in:

Security\SignIn.aspx.cs (.vb)

C#:

// Constructor name must match the enclosing class (SignIn_Control in this example).
public SignIn_Control()
{
     // Run our handler once the security layer reports a successful login.
     this.LoginSucceeded += new LoginSucceededHandler(SignIn_Control_LoginSucceeded);
}

 

private void SignIn_Control_LoginSucceeded(object sender, System.EventArgs e)
{
     // ID of the user who just signed in, as reported by the security layer.
     string myId = this.SystemUtils.GetUserID();

     // Look up the employee row for that user.  Single quotes in the ID are doubled so
     // the value cannot terminate the quoted literal in the WHERE clause.
     string whereStr = "EmployeeID='" + myId.Replace("'", "''") + "'";
     EmployeesRecord myrec = EmployeesTable.GetRecord(whereStr);

     if (myrec != null)
     {
          // Remember the department for the rest of the session; BaseApplicationPage reads it.
          System.Web.HttpContext.Current.Session["mySessionVar"] = myrec.DeptID;
     }
}

Visual Basic .NET:

Private Sub Page_LoginSucceeded(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.LoginSucceeded
     ' ID of the user who just signed in, as reported by the security layer.
     Dim myId As String = Me.SystemUtils.GetUserID

     ' Look up the employee row for that user.  Single quotes in the ID are doubled so
     ' the value cannot terminate the quoted literal in the WHERE clause.
     Dim whereStr As String = "EmployeeID='" & myId.Replace("'", "''") & "'"
     Dim myrec As EmployeesRecord = EmployeesTable.GetRecord(whereStr)

     If (Not myrec Is Nothing) Then
          ' Remember the department for the rest of the session; BaseApplicationPage reads it.
          System.Web.HttpContext.Current.Session("mySessionVar") = myrec.DeptID
     End If
End Sub

Note:  DeptID is an integer (int) column added to the Employees table of the Northwind database for this example; it is not part of the standard Northwind schema.  You can use any other field instead, but the cast applied when the value is read back in BaseApplicationPage must then match that field's type.

Step 4:  Add the following code to the BaseApplicationPage class in BaseApplicationPage.cs, located in:

<Application Folder>\App_Code\Shared\BaseApplicationPage.cs

C#:

public BaseApplicationPage()
{
     // Generated by Iron Speed Designer; leave this line in place.
     base.Load += new System.EventHandler(this.Page_Load);

     // Added: run the department check on every page derived from this class.
     this.Load += new System.EventHandler(BaseApplicationPage_Load);
}

private void BaseApplicationPage_Load(object sender, System.EventArgs e)
{
     // Same key that the sign-in handler writes.  If no value is present (for example the user
     // was signed in without passing through SignIn.aspx), this check is skipped entirely.
     if (System.Web.HttpContext.Current.Session["mySessionVar"] != null)
     {
          int myDeptID = (int)System.Web.HttpContext.Current.Session["mySessionVar"];

          if (myDeptID == 1)
          {
               // Identify the page by its compiled type name.  These names depend on how
               // ASP.NET compiles the application; check them in your own project.
               if (this.Page.GetType().Name == "orders_editorderspage_aspx" ||
                   this.Page.GetType().Name == "orders_addorderspage_aspx")
               {
                    // Send the user back to the start page.  Response.Redirect ends the
                    // response, so the rest of the page lifecycle does not run.
                    this.Page.Response.Redirect("../Orders/ShowOrdersTable.aspx");
               }
          }
     }
}

Visual Basic .NET:

Private Sub myPage_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
     ' Same key that the sign-in handler writes.  If no value is present (for example the user
     ' was signed in without passing through SignIn.aspx), this check is skipped entirely.
     If (Not System.Web.HttpContext.Current.Session("mySessionVar") Is Nothing) Then
          Dim myDeptID As Integer = CType(System.Web.HttpContext.Current.Session("mySessionVar"), Integer)

          If (myDeptID = 1) Then
               ' Identify the page by its compiled type name.  These names depend on how
               ' ASP.NET compiles the application; check them in your own project.
               If (Me.Page.GetType.Name = "orders_editorderspage_aspx" OrElse _
                   Me.Page.GetType.Name = "orders_addorderspage_aspx") Then
                    ' Send the user back to the start page.  Response.Redirect ends the
                    ' response, so the rest of the page lifecycle does not run.
                    Me.Page.Response.Redirect("../Orders/ShowOrdersTable.aspx")
               End If
          End If
     End If
End Sub

Instead of handling LoginSucceeded you may also handle LogEvent, which is fired on every login, including an automatic login such as Windows security, which effectively never goes to the Sign In page.  This matters for the example above: the DeptID check depends on the session variable having been set, and a user who is authenticated without passing through the Sign In page arrives with no session value, so the check in BaseApplicationPage_Load is skipped and the restricted page is shown.  Handling LogEvent is also useful if you do not want to use the Sign In page at all.

See Customizing Application Security for details regarding LogEvent.
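The following C# listing is an added example; it is not Iron Speed Designer's generated code and does not appear in the original page.  It factors the department check from Steps 3 and 4 into a class that compiles and runs on its own (for example with csc), and it differs from the listing above in three ways that matter in practice: it identifies the page by Request.AppRelativeCurrentExecutionFilePath rather than by the compiled type name, which varies with the ASP.NET compilation model; it denies a restricted page when the session value is absent instead of silently allowing it; and it doubles single quotes in the EmployeeID WHERE clause.  The class name DeptPageAuthorization, the policy table, the session key and the sample cases are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example, not Iron Speed's own code.  Models the department check as plain static
// methods so it can be exercised outside ASP.NET.  Policy and session key are assumptions
// chosen to mirror the walkthrough (DeptID 1 may not open the Orders add/edit pages).
public static class DeptPageAuthorization
{
    // Must match the key written by the LoginSucceeded handler (assumed name).
    public const string SessionKey = "mySessionVar";

    // Restricted pages keyed by the department that may NOT open them.  Paths are
    // application-relative, the form Request.AppRelativeCurrentExecutionFilePath returns.
    private static readonly Dictionary<int, HashSet<string>> DeniedByDept =
        new Dictionary<int, HashSet<string>>
        {
            { 1, new HashSet<string>(StringComparer.OrdinalIgnoreCase)
                 { "~/Orders/EditOrders.aspx", "~/Orders/AddOrders.aspx" } }
        };

    // Strip the query string and surrounding whitespace so "~/Orders/EditOrders.aspx?OrderID=5"
    // compares equal to the policy entry.  The set comparison itself is case-insensitive.
    public static string NormalizePath(string appRelativePath)
    {
        if (string.IsNullOrEmpty(appRelativePath)) return string.Empty;
        int q = appRelativePath.IndexOf('?');
        if (q >= 0) appRelativePath = appRelativePath.Substring(0, q);
        return appRelativePath.Trim();
    }

    // True if at least one department is barred from this page, i.e. the page is protected.
    public static bool IsRestrictedPage(string appRelativePath)
    {
        string path = NormalizePath(appRelativePath);
        foreach (HashSet<string> pages in DeniedByDept.Values)
            if (pages.Contains(path)) return true;
        return false;
    }

    // Decide whether the current request may continue.  sessionDeptValue is whatever
    // Session[SessionKey] holds: a boxed int after a normal sign-in, or null otherwise.
    public static bool IsAllowed(object sessionDeptValue, string appRelativePath)
    {
        string path = NormalizePath(appRelativePath);
        if (!IsRestrictedPage(path))
            return true;                 // unrestricted page: nothing to check
        if (!(sessionDeptValue is int))
            return false;                // fail closed: unknown department on a protected page
        int deptId = (int)sessionDeptValue;
        HashSet<string> denied;
        return !(DeniedByDept.TryGetValue(deptId, out denied) && denied.Contains(path));
    }

    // WHERE clause for EmployeesTable.GetRecord.  Doubling single quotes keeps an id such as
    // O'Brien inside the quoted literal.  Prefer a parameterised filter API where one exists.
    public static string EmployeeWhereClause(string userId)
    {
        if (userId == null) throw new ArgumentNullException("userId");
        return "EmployeeID='" + userId.Replace("'", "''") + "'";
    }
}

// Assumed hook-up inside BaseApplicationPage_Load (a comment here because it needs ASP.NET):
//   object dept = Session[DeptPageAuthorization.SessionKey];
//   if (!DeptPageAuthorization.IsAllowed(dept, Request.AppRelativeCurrentExecutionFilePath))
//       Response.Redirect("~/Orders/ShowOrdersTable.aspx");

public static class Demo
{
    public static void Main()
    {
        // Constructed cases: { session value, requested page, expected decision }
        object[][] cases =
        {
            new object[] { 1,    "~/Orders/EditOrders.aspx?OrderID=5", false }, // DeptID 1 barred
            new object[] { 1,    "~/Orders/ShowOrdersTable.aspx",      true  }, // unrestricted page
            new object[] { 2,    "~/Orders/AddOrders.aspx",            true  }, // other department
            new object[] { null, "~/orders/editorders.aspx",           false }, // no session value: deny
            new object[] { null, "~/Orders/ShowOrdersTable.aspx",      true  }  // start page stays reachable
        };
        foreach (object[] c in cases)
        {
            bool got = DeptPageAuthorization.IsAllowed(c[0], (string)c[1]);
            Console.WriteLine("{0,-5} {1,-40} allowed={2} {3}",
                c[0] ?? "null", c[1], got, got == (bool)c[2] ? "OK" : "MISMATCH");
        }
        Console.WriteLine(DeptPageAuthorization.EmployeeWhereClause("O'Brien"));
    }
}
```

Because the decision lives in a static method that takes the session value and the page path as plain arguments, it can be unit-tested without a web server; the two-line hook-up in BaseApplicationPage_Load, shown as a comment, is the only part that depends on ASP.NET.  Note that the fail-closed rule applies only to pages that appear in the policy table, so the sign-in page and the start page remain reachable before any session value exists.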