I just wrote the article How to combine Java and ASP .Net to use both. That article was for beginners, so I wanted to write something for intermediate ASP users. In this article, I am going to talk about controlling access in ASP.
Control access to resources in ASP .Net
Sometimes access to a web site has to be limited, for reasons such as these: the coder wants certain resources to be available only to subscribed users, or users must meet specific requirements. Even when access is limited, some pages should always remain visible to guests so that the site can present its purpose and contents. Managing exactly which site resources each user may access is called authorization. Authorization can only be built on top of user authentication, so to explain how authorization is built we assume that a complete authentication system is already in place.
Defining Authorization
Authorization can be defined in several ways, depending on the point of view. It can be done statically in the web configuration file or dynamically in the code-behind. Authorization can be based on users, on user roles, or on both. User roles can be stored and managed by the built-in providers or by any custom-built role provider.
Authorization basically consists of rules. Each rule describes whom it applies to and which resource it covers. Here are some examples coded in the web configuration file. With Forms authentication, users that do not match the specified rules are redirected to the login page.
<authorization>
  <deny users="?" />
</authorization>
This means that unauthenticated users are denied.
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
This means unauthenticated users are denied and all other users are allowed.
<authorization>
  <deny users="?" />
  <deny users="john" />
  <deny users="nelly" />
  <allow users="*" />
</authorization>
This denies unauthenticated users along with the specified users. The named users can also be put in a single rule as a comma-separated list.
Instead of defining rules for the whole site, rules can be applied only to particular pages or to a directory of resources.
Directory authorization is done by placing another web configuration file in the directory and/or in every subdirectory. Note that if a user is denied or allowed access to resources in the top directory, this can be changed in a subdirectory. A single page can be targeted with a location element:
<location path="SomePage.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Role authorization
Sometimes site administration is quite a difficult task because of the large number of users and the tasks they perform on the site. For example, a site can have the following groups of users: administrators, project managers, ordinary users and guests. Programming authorization rules for each individual is difficult. This is where the role management introduced in ASP.NET 2.0 comes in; it is closely tied to Membership (not discussed in this article). From here on we assume that a custom or built-in membership authentication is applied to the site. With Windows authentication, roles are automatically available. To use role services with the built-in SQL role provider, enable role services through the security wizard in VS 2005 and select the SQL provider for the role management store; a database called ASPNETDB.mdb will be created automatically.
After roles are enabled and authentication is in place, there are a couple of ways to define role authorization.
<authorization>
  <deny users="?" />
  <allow roles="Manager, Supervisor" />
  <deny users="*" />
</authorization>
Deny all unauthenticated users, allow only Managers and Supervisors, deny any other users.
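An added example, not part of the original article: a simplified C# model of the first-match evaluation ASP.NET applies to the rules above, showing why rule order matters and why a subdirectory's rules take precedence over its parent's. The Rule and UrlAuthModel types and the users ann and bob are constructed for illustration; this models the behaviour and is not the framework's own code.

```csharp
using System;
using System.Linq;

// Simplified model of ASP.NET URL authorization: rules are checked top to
// bottom, and the first rule that matches the request decides the outcome.
class Rule
{
    public bool Allow;
    public string[] Users = new string[0], Roles = new string[0];

    // user == null models an unauthenticated request.
    public bool Matches(string user, string[] userRoles)
    {
        foreach (string u in Users)
        {
            if (u == "*") return true;                  // everyone
            if (u == "?" && user == null) return true;  // unauthenticated only
            if (string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return Roles.Any(r => userRoles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

static class UrlAuthModel
{
    static Rule Deny(string users) { return new Rule { Users = users.Split(',') }; }
    static Rule AllowUsers(string users) { return new Rule { Allow = true, Users = users.Split(',') }; }
    static Rule AllowRoles(string roles) { return new Rule { Allow = true, Roles = roles.Split(',') }; }

    // The root configuration's default <allow users="*" /> is always the last rule.
    public static bool IsAllowed(Rule[] rules, string user, params string[] roles) =>
        rules.Concat(new[] { AllowUsers("*") }).First(r => r.Matches(user, roles)).Allow;

    static void Main()
    {
        // Role rules from the article: deny ?, allow Manager/Supervisor, deny *.
        Rule[] roleRules = { Deny("?"), AllowRoles("Manager,Supervisor"), Deny("*") };
        Console.WriteLine("anonymous: " + IsAllowed(roleRules, null));
        Console.WriteLine("ann (Manager): " + IsAllowed(roleRules, "ann", "Manager"));
        Console.WriteLine("bob (no role): " + IsAllowed(roleRules, "bob"));
        // Wrong order: allow * matches first, so deny ? is never reached.
        Rule[] misordered = { AllowUsers("*"), Deny("?") };
        Console.WriteLine("anonymous, misordered: " + IsAllowed(misordered, null));
        // A subdirectory's rules are evaluated before its parent's.
        Rule[] parent = { Deny("?"), Deny("john,nelly"), AllowUsers("*") };
        Rule[] child = { AllowUsers("john") };
        Console.WriteLine("john, parent only: " + IsAllowed(parent, "john"));
        Console.WriteLine("john, subdirectory: " + IsAllowed(child.Concat(parent).ToArray(), "john"));
    }
}
```

When reviewing a real web.config, read each authorization block in this order and confirm that every deny rule sits above any broader allow rule that would otherwise match first.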
To check users in the code-behind, use something like:
if (User.IsInRole("Administrators"))
{
    // allow something
}
else
{
    // Don't allow. Instead, redirect to the restriction page.
    Response.Redirect("Restricted.aspx");
}
