Security Layers for Asp.NET Control


Note: This page only applies to the Asp.NET control. In DotNetNuke the security is already enforced from Module Settings.


As you may have already noticed, managing Dynamic Rotator .NET through the Web Administration screen is a lot more powerful than using the Visual Studio Designer. But to use this feature you must first configure database access (see Installation Guide) and the security that restricts unauthorized users from accessing the configuration.

Dynamic Rotator .NET comes with two security layers that can be easily configured: Allow IP addresses and Allow Asp.NET Role.
But there's also a third layer that provides a mechanism for you to hook your own security provider by invoking the given type.


Important:
If multiple Security Layers are specified, then they all need to match before the user is granted administration access.


Allow IP Addresses


This security provider receives a semicolon (;) delimited list of IP addresses that represent the clients allowed to manage the rotator configuration. Note that the code also checks the HTTP_X_FORWARDED_FOR server variable; this usually fixes issues when the IP received by the server is that of a load balancer sitting between the server and the client.

To configure this provider, click on the Dynamic Rotator control in Visual Studio Designer and bring up its properties. Locate the Security: Allow IP Addresses property and start typing the entries as shown in the image below.



Alternatively, you can type in the attribute manually inside the Dynamic Rotator server tag in your code behind file:
SecurityAllowIps="191.154.162.12;192.168.0.1;127.0.0.1"


Allow Asp.NET role


If your website is using Asp.NET authentication, this security provider makes it very easy to integrate the rotator. Open Visual Studio Designer and open the properties for the Dynamic Rotator server control. Locate the Security: Allow Asp.NET Role field and enter the role name as shown in the image below.


Alternatively, you can type in the attribute manually inside the Dynamic Rotator server tag in your code behind file:
SecurityAllowAspRole="Administrators"


Custom Security Provider


If your site is using custom authentication (or even no authentication at all), you can fall back to implementing your own security provider and passing it to Dynamic Rotator.


To implement a custom provider:

  1. Create a new Class Library project in Visual Studio

  2. Locate avt.DynamicFlashRotator.Net.dll and add it as a reference

  3. Implement the IAuthenticationProxy interface, which lives in the avt.DynamicFlashRotator.Net.Services.Authentication namespace.
    There is only one method to implement; it receives the ID of the control as a parameter and returns true if the user has administration access and false otherwise.

  4. Make the Class Library project that you created visible to the website (if it's a Web Application project, add it as a reference; if it's a Website project, simply copy the new DLL to the website /bin folder).

  5. In Visual Studio Designer open the properties for the Dynamic Rotator server control, locate the Security: Invoke Custom Type field and provide your type in the standard format Fully.Qualified.Type, AssemblyName as shown in the image below



    Alternatively, you can type in the attribute manually inside the Dynamic Rotator server tag in your code behind file:
    SecurityAllowInvokeType="MyProject.SecurityProvider,MyProject"

Note that you probably don't have to create a new Class Library project; you can implement the interface in an existing project and reference the type from there.
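
The Allow IP Addresses section mentions HTTP_X_FORWARDED_FOR; that header arrives with the request, so it is only meaningful when your own load balancer sets it. The following is an added example (not code from Dynamic Rotator .NET) of allow-list logic that a custom provider could call from its single interface method, honouring the header only when the direct peer is a known proxy. The class name, method names and the trusted-proxy list are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example: hypothetical helper, not part of Dynamic Rotator .NET.
public static class AdminIpCheck
{
    // Parses a SecurityAllowIps-style list such as "192.168.0.1;127.0.0.1".
    static List<IPAddress> ParseList(string list)
    {
        var result = new List<IPAddress>();
        foreach (string part in (list ?? "").Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress ip;
            if (IPAddress.TryParse(part.Trim(), out ip)) result.Add(ip);
        }
        return result;
    }

    // remoteAddr is REMOTE_ADDR; forwardedFor is HTTP_X_FORWARDED_FOR (may be null).
    // trustedProxies is an assumed extra setting listing your own load balancers.
    public static bool IsAllowed(string remoteAddr, string forwardedFor,
                                 string allowedIps, string trustedProxies)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(remoteAddr, out peer)) return false;
        List<IPAddress> allowed = ParseList(allowedIps);
        List<IPAddress> proxies = ParseList(trustedProxies);

        // Direct connection: the header is client-supplied, so ignore it.
        if (!proxies.Contains(peer)) return allowed.Contains(peer);

        // Behind a trusted proxy: walk the chain right to left and take the
        // first hop that is not one of our proxies. Fail closed on bad input.
        string[] hops = (forwardedFor ?? "").Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(hops[i].Trim(), out hop)) return false;
            if (!proxies.Contains(hop)) return allowed.Contains(hop);
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample values: 10.0.0.5 stands in for a load balancer.
        Console.WriteLine(IsAllowed("10.0.0.5", "192.168.0.1", "192.168.0.1;127.0.0.1", "10.0.0.5"));
        Console.WriteLine(IsAllowed("203.0.113.9", "192.168.0.1", "192.168.0.1;127.0.0.1", "10.0.0.5"));
    }
}
```

In a web project, drop Main and pass Request.ServerVariables["REMOTE_ADDR"] and Request.ServerVariables["HTTP_X_FORWARDED_FOR"] as the first two arguments.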

