Phillip Perkins was recently asked to create a solution for providing folder access and security on a Web site. Find out how he completed his assignment using code that worked for Windows 2000 Server with Internet Information Services (IIS) 5.0.

I was recently asked to create a solution for providing folder access and security on a Web site. The idea was that a user could log in to the Web site and then be automatically directed to a default folder in which files were listed on another page as links. When the user clicks on the file name, the file would be delivered to the user. (This is akin to the process where a user's credential information directs them to a particular directory in FTP. The difference is this is a Web interface to a familiar process.) I'll walk you through my steps for creating this solution. (The code in this article was successfully tested and run on Windows 2000 Server with Internet Information Services (IIS) 5.0.)

Laying the groundwork
The Web site was located on a Windows 2000 machine. Since IIS and Windows security are tightly integrated in this environment, I decided to take advantage of this authentication mechanism. When the user logs in to the originating page, the LOGON_USER environment variable is used to get detailed information about the user. Since Windows takes care of authenticating and authorising the user, the only thing to worry about is where to grab the file information for the currently logged in user.

Since there is no database interaction with the solution, my process uses XML files that provide the ability to persist user information. The XML data will be persisted in application variables; any changes to the application XML data will be persisted in the XML files. The only thing that is persisted is identifiable information about the currently logged in user. This is the SessionID of the current user session.

In order to provide flexibility with the security on folders, I wanted to allow users access as individual users or users of a group. This requires that folders provide access to users and groups, and this information must be stored in an XML file. So there should be three XML files: one for users, one for groups, and one for folders.

The user's XML file contains user information. For instance, each logged in user has a username. When the user visits the Web site, a session is created that is identified by a session identifier. Since there is only one user per session, the user node that identifies the user contains a sessionId attribute to hold the current session identifier. The sessionId attribute will be used to locate the user's ID for access information. You'll also need the default folder for the user. Listing A contains an example of the user's XML file.

Listing A
<?xml version='1.0'?>


The group's XML file contains information about groups and the users of each group. Each group node contains a group of users identified by their ID number. Listing B contains an example of the group's XML file.

Listing B
<?xml version='1.0'?>
<groups>
    <group id="1" username="administrators">
        <users>
            <user id="1"/>
        </users>
    </group>
</groups>

The folder's XML file contains all the necessary information for granting access to individual users. Each folder node contains a list of users who have permission to view the contents of the folder. The folder node also specifies a friendly name for the folder (to protect the true identity of the folder) and an absolute path to the physical folder location on the server. Listing C contains the example for the folder's XML file.

Listing C
<?xml version='1.0'?>
<folders>
    <folder friendlyName="My Folder" absolutePath="C:\test_user">
        <users>
            <user type="user" id="1"/>
            <user type="group" id="1"/>
        </users>
    </folder>
</folders>

When the user logs in to the Web site, he is "directed" to his default folder. This folder will display all the available files and folders within that folder that are accessible.
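The access decision described above can be modelled as follows. This is an added example in Python, not the article's ASP code: it resolves direct and group grants from the Listing B and C formats and goes one step further by confining a requested file name to the granted folder. Group 2, the "Reports" folder and the function names are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Listing B plus a constructed second group (id 2) for illustration.
GROUPS = ET.fromstring(r"""<groups>
  <group id="1" username="administrators"><users><user id="1"/></users></group>
  <group id="2" username="reports"><users><user id="2"/></users></group>
</groups>""")

# Listing C plus a constructed second folder granted only to group 2.
FOLDERS = ET.fromstring(r"""<folders>
  <folder friendlyName="My Folder" absolutePath="C:\test_user">
    <users><user type="user" id="1"/><user type="group" id="1"/></users>
  </folder>
  <folder friendlyName="Reports" absolutePath="C:\reports">
    <users><user type="group" id="2"/></users>
  </folder>
</folders>""")

def groups_of(user_id, groups_root):
    """IDs of every group whose <users> list contains this user ID."""
    return {g.get("id") for g in groups_root.iter("group")
            if any(u.get("id") == user_id for u in g.iter("user"))}

def allowed_folders(user_id, groups_root, folders_root):
    """Map friendlyName -> absolutePath for folders granted directly or via a group."""
    principals = {("user", user_id)}
    principals |= {("group", g) for g in groups_of(user_id, groups_root)}
    return {f.get("friendlyName"): f.get("absolutePath")
            for f in folders_root.iter("folder")
            if any((u.get("type"), u.get("id")) in principals
                   for u in f.iter("user"))}

def resolve_file(user_id, friendly_name, file_name, groups_root, folders_root):
    """Return the physical path to serve, or None (deny by default)."""
    base = allowed_folders(user_id, groups_root, folders_root).get(friendly_name)
    if base is None:
        return None  # unknown folder or no grant for this user
    # Normalise with Windows path rules, then require the result to stay
    # strictly below the granted folder (case-insensitive comparison).
    full = ntpath.normpath(ntpath.join(base, file_name))
    prefix = ntpath.normcase(ntpath.normpath(base)) + "\\"
    return full if ntpath.normcase(full).startswith(prefix) else None
```

Only the friendly name and a file name ever come from the client; the absolute path is looked up server-side after the grant check.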

Putting all of the pieces together
First, the user must log in to the system. A generic login page will provide the means for prompting the user for their credentials. Since I don't want to mess with Windows NT authentication, I'm going to request that the user supplies their credentials through basic authentication. You can do this by setting the Response status to "401 Unauthorized" and adding the header "WWW-Authenticate: Basic". When the browser receives this status, it should automatically provide a login window for the user to enter his username and password. When the user enters and submits this information, IIS will automatically authenticate the user based on the supplied credentials.
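The login decision described above, as an added Python model rather than the article's ASP code. It reads the IIS server variables `HTTPS`, `SERVER_NAME`, `URL` and `LOGON_USER`; the realm value, the HTTPS-first redirect and the function names are assumptions of this example. `decode_basic` shows why the redirect matters: the Authorization header carries the password in reversible base64.

```python
import base64

def login_response(server_vars, realm="Files"):
    """Return (status, headers) for the login page from IIS-style server variables."""
    if server_vars.get("HTTPS", "off").lower() != "on":
        # Basic credentials are only base64-encoded, so never prompt over plain HTTP.
        target = "https://" + server_vars["SERVER_NAME"] + server_vars.get("URL", "/")
        return "302 Found", {"Location": target}
    if not server_vars.get("LOGON_USER"):
        # Anonymous request: ask the browser to show its login window.
        return "401 Unauthorized", {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    return "200 OK", {}

def account_name(logon_user):
    # LOGON_USER may arrive as DOMAIN\user; keep only the account part,
    # lower-cased, for the lookup in the users XML file.
    return logon_user.rsplit("\\", 1)[-1].lower()

def decode_basic(authorization):
    """Decode an 'Authorization: Basic ...' value into (user, password), or None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None
```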

Comments

1

vinoth kumar - 26/12/06

I want the coding in C# for the folder security.


2

ssaravanankumar_BE - 23/07/07

I want basic ideas about the software field. Now I am working in an ASP-related field. Tell me some ideas about ASP learning.


7

gowsar - 09/07/08

How to provide security in ASP?


8

gowsar - 09/07/08

I want the coding in C# for the database security.
