Is Permission Manager any use if you use Forms Authentication?

Discussion in 'ASP.NET 2.0' started by Holf, Sep 24, 2007.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Hi,

    I am coming to the conclusion that Permission Manager is effectively useless for anyone using Forms Authentication. Here's why...


    My site currently uses forms authentication. There are certain areas of the site which can only be accessed by users who have logged on. The content of those pages depends on the user logged on. I am doing all this using the standard ASP.net 2.0 membership providers and it all works very nicely.


    However... I also have a number of tasks which I am kicking off using the 'Scheduled Tasks' function that DiscountASP provides for this purpose. The pages which trigger these tasks are in a folder called 'ScheduledTasks'.

    I don't want my users to access these tasks, so I use Permission Manager to deny access to anonymous users on the folder 'ScheduledTasks'. Access is also granted to a new user account specifically set up for accessing this folder. This user account is called 'scheduler'.

    When setting up my Scheduled Task, I simply enter the user credentials for 'scheduler', so Scheduled Task can access the folder successfully.

    All this is done using NTFS folder permissions and is a separate authentication mechanism from 'forms authentication' mentioned above in the first paragraph.


    However... there is a problem.

    Although an anonymous browser user cannot access the 'ScheduledTasks' folder (if they try they are challenged for a user id and password), they can access files within 'ScheduledTasks'.
    So, they are challenged when they try to go to:
    www.mysite.com/ScheduledTasks/
    But they can sail straight through and access:
    www.mysite.com/ScheduledTasks/housekeeping.aspx
    with no problems.


    I raised a support ticket about this and was told the following:

    By default, ASP.NET does not inherit NTFS permissions and you will need to modify your web.config file a bit. For instructions and information on how to force ASP.NET to use NTFS permissions, please take a moment to read the following DiscountASP.NET Knowledge Base article: http://kb.discountasp.net/article.aspx?id=10178
    I looked at the article and it tells me I have to set my site authentication to 'Windows' rather than 'Forms' before Permissions Manager will work properly.


    So... it seems I have two choices:

    1. I use forms authentication, allowing me to use the ASP.net 2.0 Membership provider such that users can signup, create an account, access their pages etc.
    But with forms authentication, I cannot use Permission Manager to restrict access to a Tasks folder.

    2. I use windows authentication. Now Permission Manager works properly and I can set up Scheduled Tasks to work properly and make sure general users can't access these files.
    But I cannot now use the ASP.net 2.0 Membership provider to allow users to create their own accounts etc.


    Is there a way of getting both sets of functionality? If not, it effectively makes Permissions Manager useless for anyone using Forms Authentication (which I think most people will be).

    Any thoughts much appreciated.
     
  2. Bruce

    Bruce DiscountASP.NET Staff

    Unfortunately, this is how ASP.NET works.

    To work around the issue, put your scheduledTask page into its own web application and change the web.config to use Windows Authentication.

    Hope this helps.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  3. Hi Bruce,

    Yes, I was thinking about that as a solution, and it seems like a good idea anyway because it helps separate Admin functionality out completely.

    Can you tell me:

    Should I put my two applications in separate folders, or can I run one WebApp hierarchically nested inside another WebApp? If the latter, does the 'Parent App' simply ignore everything that happens in the 'Child App' directory?

    Actually, if I remember correctly you cannot disable the root application, so my Admin App would have to be nested inside this. So do the two Apps just ignore each other completely?

    Thanks very much for your help with this.
     
  4. My admin pages (including the 'startTasks' pages) use a lot of the classes and dlls that my main application uses. I've just realised that to create a separate application it looks as though I will have to replicate these classes and dlls into respective 'App_Code' and 'bin' folders in my Admin application. This creates extra maintenance.

    I take it there is no way to allow my sub-Application to access the App_Code and bin folders of the root application?

    Thanks...
     
  5. Bruce

    Bruce DiscountASP.NET Staff

    This is hard to say, it depends on what setting you have on your root web.config. Note that the settings in the web.config will inherit to the subapplication. You can still manually override each item though.

    I would just put it elsewhere completely to avoid confusion.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
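
A sketch of the web.config for the separate scheduled-tasks application suggested in the replies above, including the override of inherited root settings mentioned in the last reply. This is an added example, not configuration from DiscountASP.NET or the knowledge base article; the account name `SERVER\scheduler` is a placeholder for however the 'scheduler' user is named on the host, and it assumes the folder is marked as its own application with anonymous access already denied.

```xml
<?xml version="1.0"?>
<!-- web.config at the root of the separate scheduled-tasks application.
     Assumptions: the folder is configured as its own application, and
     anonymous access to it is already denied at the file-system level
     (as Permission Manager was used to do in the first post). -->
<configuration>
  <system.web>
    <!-- <authentication> can only be set at application level, which is
         why the pages need their own application. This overrides the
         Forms setting inherited from the root web.config.
         With Windows authentication, ASP.NET's FileAuthorizationModule
         checks the NTFS ACL of each requested .aspx file against the
         authenticated caller, so the folder permissions apply to pages
         such as housekeeping.aspx and not only to the directory URL. -->
    <authentication mode="Windows" />

    <!-- URL authorization as a second layer. Rules are evaluated from
         the top and the first match wins.
         SERVER\scheduler is a placeholder account name. -->
    <authorization>
      <deny users="?" />
      <allow users="SERVER\scheduler" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With this in place, a request for a page in the application without credentials should receive a 401 challenge instead of the page content, which is the check to run before pointing the scheduled task at it.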
     