Using Role-Based Security With Forms Authentication in ASP.NET

Download Source Code - Role-Based Security

ASP.NET Login Page

This ASP.NET C# web solution uses the Forms-based authentication scheme to require users to login before access is allowed to any of the secure pages on the website. In addition, role-based security is used to authorize access to individual pages within the application. Normally, you would dynamically filter the links/pages displayed within the website navigation based on whether the user has permissions (or not) to view those pages. However, for this demonstration, I have chosen to display an “Unauthorized Access” message instead.

In this ASP.NET C# application, two pages in the project require the user to enter their credentials before they are allowed to access the content. These pages are called “Secure Page” and “Admin Page”. I have associated two different roles with the web application: “user” and “admin”. Any logged-in user, whether in the “admin” role or the “user” role, can access the “Secure Page”. However, the “Admin Page” can only be accessed by users in the “admin” role. If a user in the “user” role attempts to access the “Admin Page”, the solution blocks access and displays their current role along with the message “Unauthorized Access”.

You would normally store credentials in a database. However, for this example, I have hard-coded the following user credentials into the Login.aspx.cs code-behind file:

USERNAME | PASSWORD   | ROLE
“John”   | “password” | “admin”
“Mary”   | “password” | “user”
“Paul”   | “password” | “user”
“Kim”    | “password” | “admin”

Most of the magic happens in the Web.config files. This solution has a total of three Web.config files: one at the root level and one in each of the Secure and Admin page folders. Using just a little markup in the configuration files, specific web pages or entire directories can be locked down so that they are only accessible to specific users based on their roles. Page-level functionality can also be turned on or off for the logged-in user using programmatic logic.

The key is the “authentication” and “authorization” elements in the Web.config files. The mode="Forms" attribute on the authentication element indicates that Forms-based authentication is used. The other important piece is the “loginUrl” attribute, which names the login page to which the browser is redirected whenever authentication is needed. This information is defined in the Web.config file at the root level of the application.

Next is the authorization component, which is defined in the Web.config files of the Admin and Secure page folders. The authorization section in the configuration file for the “Secure Page” contains the rule deny users="?". The “?” wildcard stands for anonymous (unauthenticated) users, so this rule denies anyone who has not logged in; you must log in to reach this page. The Web.config file for the “Admin Page” contains two rules: allow roles="admin" followed by deny users="*". The “*” wildcard stands for all users, so together these rules allow users in the “admin” role to access the page and deny everyone else.
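The allow roles="admin" rule can only match if the authenticated request actually carries roles; the article does not show how the sample attaches them. The following is an added example (not the downloadable source) of one way to do it with classic ASP.NET Forms authentication: the login handler places the role in the FormsAuthenticationTicket’s UserData, and Global.asax turns it into a GenericPrincipal before the authorization rules are evaluated. The credential dictionary is constructed from the table above, and the control names (txtUsername, txtPassword, lblMessage, btnLogin) are assumptions.

```csharp
// Login.aspx.cs (added example, not the article's code). Credentials are hard-coded
// as in the article's table; a real application stores salted hashes in a database.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    private static readonly Dictionary<string, (string Password, string Role)> Users =
        new Dictionary<string, (string Password, string Role)>(StringComparer.OrdinalIgnoreCase)
        {
            { "John", ("password", "admin") }, { "Mary", ("password", "user") },
            { "Paul", ("password", "user") },  { "Kim",  ("password", "admin") },
        };

    protected void btnLogin_Click(object sender, EventArgs e)   // control names are assumed
    {
        string user = txtUsername.Text;
        if (!Users.TryGetValue(user, out var entry) || entry.Password != txtPassword.Text)
        {
            lblMessage.Text = "Invalid credentials.";
            return;
        }
        // The role rides in UserData. FormsAuthentication.Encrypt signs and encrypts the
        // ticket with the machineKey, so the browser cannot rewrite "user" to "admin".
        var ticket = new FormsAuthenticationTicket(1, user, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, entry.Role, FormsAuthentication.FormsCookiePath);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false), false);
    }
}

// Global.asax.cs: AuthenticateRequest runs before UrlAuthorizationModule applies the
// <allow>/<deny> rules, so the roles set here are what <allow roles="admin"/> tests.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already validated the cookie; anonymous requests
        // (the ones <deny users="?"/> blocks) have no FormsIdentity and are left untouched.
        var identity = Context.User?.Identity as FormsIdentity;
        if (identity == null) return;
        string[] roles = identity.Ticket.UserData.Split(',');   // "admin" or "user"
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the rules in an authorization section are evaluated top to bottom and the first match wins, the Admin folder's allow roles="admin" must appear before deny users="*", exactly as the article lists them.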

In conclusion, Forms authentication and authorization are the two basic components of role-based security in ASP.NET web applications. The provided ASP.NET C# solution has lots of potential and will give you a head start on your next project. So download it using the link below, then modify it to fit your needs. Use the credentials listed above to get a feel for how the application behaves when logged in as a regular “user” versus an “admin” user.

Download Source Code - Role-Based Security