 ASP Application Using NT Security


AskSQLTeam
Ask SQLTeam Question

0 Posts

Posted - 2002-03-26 : 09:10:51
Michael writes "I don't know if this is the best way or is possible. I have an ASP app running on a Windows 2000 server running IIS 5.0. What I need to use is Windows NT security. I don't know if I'm setting this up correctly.

1) Under the Operators tab in IIS I have added my Windows account.
2) Under inetpub/wwwroot/Goodwill. properties tab security I have also added my Windows account.

3) How do you get the Windows login to IIS to prompt the user to log in?

4) Is it possible to read into the ASP app the user permissions to justify what the user can do in the app, or do I need another SQL table with role access?"

robvolk
Most Valuable Yak

15732 Posts

Posted - 2002-03-26 : 09:40:28
quote:
3)How do you get the windows login to iis to prompt the user to login?
...
4) Is it possible to read in to asp app the user permissions to justify what the user can do in the app or do i need another sql table with role access."



For #3, make sure you set the web folder(s)/directories to disallow anonymous access, and to maintain Windows authentication. Whenever a user browses to the site, they will get the login screen.

For #4, if you set up the proper Windows groups, and/or Windows logins in SQL Server, you can add them to roles using sp_addrolemember, and use sp_helprolemember to get their permissions.

You can get the login in your ASP page using request.servervariables("AUTH_NAME") and pass it to your sp_helprolemember call.

Whenever I had to do stuff like this (separate functions for different users, based on role), I always had a separate web page for each role, and set each user to have a "default" web page. After they log in, ASP will redirect them to their default page. It's a lot easier than writing a lot of ASP code on one page, IMHO. You should also add some checking so that if they try to browse to a page they're not supposed to see, it stops or redirects them.

It might sound like a lot of work, but it's really not too bad. You can make it easier by checking permissions one time, at login, then setting a cookie with those permissions...each page can then check the cookie instead of hitting the database again.


joldham
Wiseass Yak Posting Master

300 Posts

Posted - 2002-03-27 : 08:28:39
In addition to disallowing Anonymous Access, I usually disallow Basic Authentication as well so that passwords are not seen in clear text. You can also do this for individual files, as well as folders/directories.

Also, as robvolk said, you can set a cookie after they have logged in to maintain state across the website. Another option is to set a Session Variable to allow access. Depending on how you set cookies up, you can visit a site, leave the site and come back to the site without having to log back in. It is a little easier with Session variables to require logins each time a user visits the site.

Jeremy
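
Added example (not code from any poster in this thread): a Classic ASP include that does the per-page role check discussed above. It reads the authenticated account from the IIS server variable AUTH_USER, looks up role membership once with sp_helprolemember, and caches it in a Session variable so the role list stays on the server rather than in a cookie the client can edit. Assumptions: the file name, `LoadRoles`, `RequireRole`, the Session keys and the connection-string placeholders are hypothetical, and each database user is named after its Windows login and is a direct role member (membership through Windows groups is not resolved).

```vbscript
<%
' authz.asp (hypothetical include file): server-side role check for each page.
' Assumptions: anonymous access is disabled on the folder, and the connection
' string below is a placeholder for your own server and database.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI"

' Return a "|role1|role2|" string of the database roles that list this login
' as a direct member (DbRole and MemberName columns of sp_helprolemember).
Function LoadRoles(login)
    Dim conn, rs, roles
    roles = "|"
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set rs = conn.Execute("EXEC sp_helprolemember")
    Do While Not rs.EOF
        If StrComp(rs("MemberName").Value, login, vbTextCompare) = 0 Then
            roles = roles & LCase(rs("DbRole").Value) & "|"
        End If
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    Set rs = Nothing
    Set conn = Nothing
    LoadRoles = roles
End Function

' Call at the top of every protected page, e.g. RequireRole "managers".
Sub RequireRole(roleName)
    Dim login
    login = Request.ServerVariables("AUTH_USER")
    If Len(login) = 0 Then
        ' Anonymous access is still enabled for this URL: refuse outright.
        Response.Status = "401 Unauthorized"
        Response.End
    End If
    ' Look roles up once per session, and again if the account changes.
    If Session("AuthUser") <> login Then
        Session("Roles") = LoadRoles(login)
        Session("AuthUser") = login
    End If
    If InStr(1, Session("Roles"), "|" & LCase(roleName) & "|", vbTextCompare) = 0 Then
        Response.Status = "403 Forbidden"
        Response.End
    End If
End Sub
%>
```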
