AddThis Social Bookmark Button


Using the Security Controls in ASP.NET Whidbey
Pages: 1, 2, 3

Creating Roles

Besides restricting access to individual users, it is sometimes much easier to restrict access based on groups, or roles. You can create roles using the ASP.NET Configuration Tool. Click on Create Roles to create a new role (see Figure 18):

Figure 18. Creating a new role

Enter a name for this new role. In my case, I named it "administrator." Click on Done to complete the role's creation (see Figure 19).

Figure 19. Naming a new role

To add/remove users from a role, click on the Manage link (see Figure 20):

Figure 20. Managing a role

Check the user that is going to be part of this role (see Figure 21)

Figure 21. Assigning a user to a role

So now "lwm" is a member of the administrator role. If you add the following line to web.config, only users belonging to the administrator role can now access the page.

	 <allow roles="administrator" />
	 <deny users="*" />

To test this example, you need to go to main.aspx and log in with the account information. Then go to http://localhost:40967/Membership/Private/privatepage1.aspx. If your user ID is part of the administrator role, you can then view the page; otherwise, you will see an error page.

Retrieving Forgotten Passwords

Another security control that we have not discussed yet is the PasswordRecovery control (see Figure 22). This control allows users to retrieve their forgotten passwords via email. All you have to do to use this control is to set two properties and configure a SMTP server for sending emails to the user.

Figure 22. Using the PasswordRecovery control

To send out emails to users, you just need to set the From and Subject properties from the MailDefinition node in the Properties window (see Figure 23).

Figure 23. Configuring the PasswordRecovery control

Adding a User Via the Membership Class

The last topic I want to discuss in this article is the Membership class. The Membership class allows you to perform common tasks involved in user management, such as user addition, deletion, change of passwords, etc. To see how to use the Membership class, add a new web form and name it AddUser.aspx. Populate the new web form with the following controls, as shown in Figure 24:

Figure 24. Populating the web form

In the Click event of the Add User button, code the following:

using System.Web.Security;

void cmdAddUser_Click(object sender, System.EventArgs e)
  // can also use the CompareValidator control
  if (txtPassword1.Text==txtPassword2.Text) 

To test the application, go to http://localhost:28169/Membership/Private/AddUser.aspx and add a new user. You can verify that the new user has been added by viewing the AspNetDB file located in your application's Data folder. The user information is saved in the aspnet_Users and aspMembership tables.

Wei-Meng Lee (Microsoft MVP) is a technologist and founder of Developer Learning Solutions, a technology company specializing in hands-on training on the latest Microsoft technologies.

Return to