@Mavera:
Basicly, its the concept of having your own users table in your own database, where you can manage permissions and store login information (Properly hashed of course). In the case of a multi-level permission scheme, I usually use two or more tables, for example:
TblUsers:
-----------------------------------------------------------------
| UserID (PK) | UserName | HashedPassword | PermissionLevel (FK)|
|---------------------------------------------------------------|
| 1 | BobTables| adfafs2312 | 2 |
-----------------------------------------------------------------
TblPermissions
-------------------------------------
| PermissionID (PK) | Description |
--------------------------------------
| 1 | User |
| 2 | SuperUser |
| 3 | Admin |
--------------------------------------
You can add 3rd table that contains a One-To-Many relationship between TblPermissions that exposes the actual abilities the user may be allowed to do.
Querying a user would be as simple as:
SELECT TblUser.Username, TblPermissions.Description
FROM TblUsers, TblPermissions
WHERE TblUser.UserID = @UserID
AND TblUser.PermissionLevel = TblPermission.PermissionID;
Create a custom class to encapsulate that information, and store it in ASP.NET session when they are logged in.
Classic mode (the only mode in IIS6 and below) is a mode where IIS only works with ISAPI extensions and ISAPI filters directly. In fact, in this mode, ASP.NET is just an ISAPI extension (aspnet_isapi.dll) and an ISAPI filter (aspnet_filter.dll). IIS just treats ASP.NET as an external plugin implemented in ISAPI and works with it like a black box (and only when it's needs to give out the request to ASP.NET). In this mode, ASP.NET is not much different from PHP or other technologies for IIS.
Integrated mode, on the other hand, is a new mode in IIS7 where IIS pipeline is tightly integrated (i.e. is just the same) as ASP.NET request pipeline. ASP.NET can see every request it wants to and manipulate things along the way. ASP.NET is no longer treated as an external plugin. It's completely blended and integrated in IIS. In this mode, ASP.NET HttpModule
s basically have nearly as much power as an ISAPI filter would have had and ASP.NET HttpHandler
s can have nearly equivalent capability as an ISAPI extension could have. In this mode, ASP.NET is basically a part of IIS.
Best Answer
Try adding the following to your
<system.webServer> <modules>
block:The
RoleManager
bit is key, and it's not included in any of the online examples that I could find. Without that, the user's role membership isn't initialized for static content, so role-based authorization will always fail.(Disclaimer: I've pieced this together myself based on my limited understanding of IIS, but it seems to work.)
Edit (in response to your comment): Sorry, I don't know much about how RoleManager depends on other modules. You can view the default IIS configuration by looking at
c:\Windows\System32\inetsrv\config\applicationHost.config
(at least, that's the past on my Windows Vista machine) to see the order in which modules are loaded (note the use of managedHandler by default to restrict RoleManager to non-static content), and MSDN covers RoleManagerModule along with the rest of the modules in the System.Web.Security namespace, so you could probably find what you need there.