
ASP.NET Forms Security, Part 2


Figure 3.

Clicking on Create New Role makes the panel visible, as shown in Figure 4.


Figure 4.

Testing Roles

To test the use of roles, you'll make some changes to the default page. Click on the LoginView, open the Common Tasks window, and click on Edit RoleGroups (see Figure 5).


Figure 5.

Add a few (but not all) of the roles you created earlier (see Figure 6).


Figure 6.

Switch to HTML and see the effect; a new section has been added within the LoginView control.

<asp:LoginView ID="LoginView1" Runat="server">
  <RoleGroups>
    <asp:RoleGroup Roles="User"></asp:RoleGroup>
    <asp:RoleGroup Roles="Manager"></asp:RoleGroup>
    <asp:RoleGroup Roles="Guest"></asp:RoleGroup>
  </RoleGroups>
  <LoggedInTemplate>
    Welcome
    <asp:LoginName ID="LoginName1" Runat="server" />. 
      Thank you for logging in.
  </LoggedInTemplate>
  <AnonymousTemplate>
    You have not yet logged in. Please click Login to do so now.
  </AnonymousTemplate>
</asp:LoginView>

Add more lines for the other groups you've created, and then within the RoleGroup elements, feel free to add ContentTemplate elements, as shown below.

<asp:LoginView ID="LoginView1" Runat="server">
    <RoleGroups>
        <asp:RoleGroup Roles="User">
            <ContentTemplate>
                Welcome  
                <asp:LoginName ID="LoginName2" Runat="server" />
                 You are logged in as a user.
            </ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Administrator">
            <ContentTemplate>
                <h3>Administrative tools here</h3>
            </ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Manager">
            <ContentTemplate>
                Manager tools go here
            </ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Guest">
            <ContentTemplate>
                Welcome guest
            </ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
    <LoggedInTemplate>
        Welcome
        <asp:LoginName ID="LoginName1" Runat="server" />. Thank you for logging in.
    </LoggedInTemplate>
    <AnonymousTemplate>
        You have not yet logged in. Please click Login to do so now.
    </AnonymousTemplate>
</asp:LoginView>

If you examine this closely, you'll see that within each RoleGroup you've placed a ContentTemplate that describes what content should be displayed when members of that role group log in. If you create a new user and do not assign that user to a role group, that user will see the content in the LoggedInTemplate.

For security purposes, you can of course restrict pages to people in a particular role. You can test whether the logged-in user is in a particular role using the User.IsInRole method:

bool isManager = User.IsInRole("Manager");

and take action accordingly. You can also restrict access to pages based on roles by adding an authorization section to a web.config file. A web.config placed in a subdirectory controls access to all files in that subdirectory and all of its subdirectories, and you can use the location element to control access to specific files.
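As an added example (not code from the article), here is what "take action accordingly" looks like when the check is enforced on the server in a page's code-behind rather than only in a LoginView. It assumes the Forms authentication and RoleManager configuration built earlier in the column and a Manager role; the page name ManagerTools.aspx and the Panel named ManagerPanel are hypothetical and not from the article.

```csharp
// Code-behind for a hypothetical ManagerTools.aspx page (added example,
// not from the article). Assumes Forms authentication and the RoleManager
// are enabled in web.config and that a "Manager" role exists.
// ManagerPanel is an <asp:Panel ID="ManagerPanel" Visible="false" ... />
// declared in the page markup.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class ManagerTools : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // A RoleGroup in a LoginView only decides what markup is rendered; it does
        // nothing to stop someone from requesting this page directly. Check the
        // role on the server on every request, including postbacks.
        if (!User.Identity.IsAuthenticated)
        {
            // Anonymous: send to the login page named in web.config's <forms> element.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        if (!User.IsInRole("Manager"))
        {
            // Authenticated but not a Manager: answer 403 instead of redirecting to
            // the login page, which would just bounce a valid, non-manager user.
            // Response.End() stops processing, so nothing below is rendered.
            Response.StatusCode = 403;
            Response.End();
        }

        // Only authenticated Managers get here.
        ManagerPanel.Visible = true;
    }
}
```

The same check could be done declaratively with the authorization section described next; doing it in code is useful when the decision depends on more than the role (for example, on the record being edited), and a 403 is the right answer for a user who is logged in but simply not entitled.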

The web.config file might look something like this:

<authorization>
  <deny users='?' />
  <allow roles='Manager' />
  <deny users='*' />
</authorization>

ASP.NET evaluates these rules from top to bottom, and the first rule that matches the current user decides the outcome. The first line (deny users='?') prohibits access to anyone who is not logged in. The second line (allow roles='Manager') allows access to anyone in the Manager role, and the final line (deny users='*') denies everyone else; members of the Manager role never reach it, because the allow rule above it has already matched them.
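To make the evaluation order concrete, here is a small C# console model of first-match-wins rule evaluation, added here as an example and not taken from the article or from ASP.NET itself. The Rule, RequestUser and Authorization types are this example's own; it handles a single user or role name per rule (ASP.NET also accepts comma-separated lists), and the sample users alice and bob are constructed for the demonstration.

```csharp
// Added example (not from the article): a model of how ASP.NET walks the
// <authorization> rules above. Rules are checked top to bottom; the first
// rule that matches the current user decides. If nothing matches, the
// request is allowed, because the machine-level configuration ASP.NET
// inherits ends with <allow users="*" />.
using System;
using System.Collections.Generic;

enum Verb { Allow, Deny }

class Rule
{
    public Verb Verb;
    public string Users;  // "?" = anonymous, "*" = everyone, or one user name; null if unused
    public string Roles;  // one role name; null if unused
}

class RequestUser
{
    public string Name;   // null when anonymous
    public HashSet<string> Roles = new HashSet<string>();
    public bool IsAuthenticated { get { return Name != null; } }
}

static class Authorization
{
    static bool Matches(Rule rule, RequestUser user)
    {
        if (rule.Users == "*") return true;
        if (rule.Users == "?") return !user.IsAuthenticated;
        if (rule.Users != null) return user.IsAuthenticated && rule.Users == user.Name;
        if (rule.Roles != null) return user.IsAuthenticated && user.Roles.Contains(rule.Roles);
        return false;
    }

    // First matching rule wins; no match means allow (inherited default).
    public static bool IsAllowed(IList<Rule> rules, RequestUser user)
    {
        foreach (var rule in rules)
            if (Matches(rule, user))
                return rule.Verb == Verb.Allow;
        return true;
    }

    static void Main()
    {
        // The article's rule set, in the article's order.
        var correct = new List<Rule> {
            new Rule { Verb = Verb.Deny,  Users = "?" },
            new Rule { Verb = Verb.Allow, Roles = "Manager" },
            new Rule { Verb = Verb.Deny,  Users = "*" },
        };
        // The same rules with the catch-all deny moved above the allow: the "*"
        // rule now matches everyone first, so Managers are locked out as well.
        var misordered = new List<Rule> { correct[0], correct[2], correct[1] };

        // Constructed sample users.
        var anonymous = new RequestUser();
        var manager = new RequestUser { Name = "alice", Roles = { "Manager" } };
        var plainUser = new RequestUser { Name = "bob", Roles = { "User" } };

        foreach (var who in new[] { anonymous, manager, plainUser })
        {
            Console.WriteLine("{0,-9} correct order: {1,-5} misordered: {2}",
                who.Name ?? "anonymous",
                IsAllowed(correct, who),
                IsAllowed(misordered, who));
        }
    }
}
```

Running it shows alice admitted only under the article's ordering, and anonymous and bob refused under both. The practical check when editing an authorization section is therefore to read it from the top and ask, for each kind of caller, which rule matches first; a deny users='*' that ends up above an allow rule silently shuts out the people the allow was written for.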

[*] If the link does not work for you, please try copying the address into your MSDN Library, or just look up the AddUsersToRole method of the Roles class. If all else fails, you can download the complete (and fully modified) source code for this column from my web site. Click on Books and then on Articles and Publications.

Jesse Liberty is a senior program manager for Microsoft Silverlight where he is responsible for the creation of tutorials, videos and other content to facilitate the learning and use of Silverlight. Jesse is well known in the industry in part because of his many bestselling books, including O'Reilly Media's Programming .NET 3.5, Programming C# 3.0, Learning ASP.NET with AJAX and the soon to be published Programming Silverlight.
