ASP.NET - Role Based Authorization. - Asked By Ajay Paritala on 11-Nov-11 03:04 PM

Hi,

I've used the Membership concept for registration. Now I have to do role-based authorization.
We have Admin, User, Employee; I need to do this. I have no clue how to perform it. I searched on Google and found some articles, but they are not clear.
Can someone tell me step by step?

Any help highly appreciated.

Thanks.
Kirtan Patel replied to Ajay Paritala on 11-Nov-11 03:39 PM
You can apply role-based authorization by combining two techniques:
 
Using the Web.Config file
----------------------
To apply role-based security to several pages that you want to be accessible only by allowed roles, put them into separate folders and create a web.config file in each folder.
Configure web.config like this to apply roles to the pages inside the folder:
 
<configuration>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only.
It is located in the same folder as this configuration file. -->
    <location path="default1.aspx">
      <system.web>
          <authorization>
              <allow users ="*" />
          </authorization>
      </system.web>
    </location>
<!-- This section gives the unauthenticated user access to all of the files that
are stored in the Subdir1 folder.  -->
    <location path="subdir1">
      <system.web>
          <authorization>
              <allow users ="*" />
          </authorization>
      </system.web>
    </location>
</configuration>
 
Using code to check the user's roles at runtime
----------------------------------------------
 
if (User.IsInRole("Admin"))
{
   /* Do Some Action only */
}
 
 
Riley K replied to Ajay Paritala on 11-Nov-11 08:42 PM


A typical use for roles is to establish rules that allow or deny access to pages or folders. You can set up such access rules in the <authorization> section of the Web.config file (http://msdn.microsoft.com/en-us/library/8d82143t.aspx).


<configuration>
  <location path="MemberPages">
  <system.web>
    <authorization>
    <allow roles="members" />
    <deny users="*" />
    </authorization>
  </system.web>
  </location>
  <!-- other configuration settings here -->
</configuration>


Now you can code like this:

if (User.IsInRole("members"))
{
   buttonMembersArea.Visible = true;
}


Refer to this link:

http://msdn.microsoft.com/en-us/library/5k850zwb.aspx

Regards

Suchit shah replied to Ajay Paritala on 12-Nov-11 01:16 AM

To make the role-based authentication work for Forms Authentication, make sure you have a Web.config file in your Web Application root. For the authentication setup, this particular Web.config file must be in your Web Application's document root. You can override the <authorization/> in Web.config files for sub-directories.

To begin, make sure your Web.config file has at least the following:


<configuration>
    <system.web>
      <authentication    mode="Forms">
        <forms name="MYWEBAPP.ASPXAUTH"
          loginUrl="login.aspx"
          protection="All"
          path="/"/>
      </authentication>
      <authorization>
       <allow roles="Administrator"/>
        <deny users="*"/>
      </authorization>
    </system.web>
</configuration>

The FormsAuthentication name (MYWEBAPP.ASPXAUTH) above is arbitrary, although the name there and the name in the HttpCookie we created to hold the hashed FormsAuthenticationTicket must match, for even though we are overriding the ticket creation, ASP.NET still handles the authorization automatically from the Web.config file.

To control authorization (access by a particular user or group), we can either 1) add some more elements to the Web.config file from above, or 2) create a separate Web.config file in the directory to be secured. While I prefer the second, I will show the first method:

<configuration>
    <system.web>
      <authentication mode="Forms">
        <forms name="MYWEBAPP.ASPXAUTH"
          loginUrl="login.aspx"
          protection="All"
          path="/"/>
      </authentication>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
    <location path="administrators">
      <system.web>
        <authorization>
          <!-- Order and case are important below -->
          <allow roles="Administrator"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>
    <location path="users">
      <system.web>
        <authorization>
          <!-- Order and case are important below -->
          <allow roles="User"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>
</configuration>

Sometimes it's better to show / hide content based on roles when you don't want to duplicate a bunch of pages for various roles (user groups). Examples would be a portal site, where free and membership-based accounts exist and membership-based accounts can access premium content. Another example would be a news page that displays an "Add" button for adding news links if the current user is in the "Administrator" role. This section describes how to write code for such scenarios.

The IPrincipal interface, which the GenericPrincipal class we used above implements, has a method called IsInRole(), which takes a string designating the role to check for. So, if we only want to display content if the currently logged-on user is in the "Administrator" role, our page would look something like this:

<html>
<head>
  <title>Welcome</title>
  <script runat="server">
  protected void Page_Load(Object sender, EventArgs e)
  {
   if (User.IsInRole("Administrator"))
    AdminLink.Visible = true;
  }
  </script>
</head>
<body>
  <h2>Welcome</h2>
  <p>Welcome, anonymous user, to our web site.</p>
  <asp:HyperLink id="AdminLink" runat="server"
   Text="Administrators, click here." NavigateUrl="administrators/"/>
</body>
</html>

For more step-by-step info with examples, refer to:
http://www.codeproject.com/KB/web-security/rolesbasedauthentication.aspx
http://www.4guysfromrolla.com/articles/082703-1.aspx
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx

Jitendra Faye replied to Ajay Paritala on 12-Nov-11 08:01 AM

For that, implement role-based security in your site.

To accomplish this, start by adding a Web.config file to the Roles folder.

http://i1.asp.net/asp.net/images/security/11/images/aspnet_tutorial11_RoleAuth_cs_figure03.png

 

Next, add the following configuration markup to Web.config:


<?xml version="1.0"?>
<configuration>
    <system.web>
     <authorization>
      <allow roles="Administrators" />
      <deny users="*"/>
     </authorization>
    </system.web>
    <!-- Allow all users to visit RoleBasedAuthorization.aspx -->
    <location path="RoleBasedAuthorization.aspx">
     <system.web>
      <authorization>
       <allow users="*" />
      </authorization>
     </system.web>
    </location>
 </configuration>

Follow this link for the complete article:
http://www.asp.net/security/tutorials/role-based-authorization-cs
Hope this will help you. 

dipa ahuja replied to Ajay Paritala on 12-Nov-11 09:01 AM
You can manage the admin part and the users part using role management.
 
Add this line in web.config:
 
<roleManager enabled="true"/>
 
You can hide menus or pages using the role of the logged-in user:
     
// hyperlink to the admin page admin.aspx; hide it if a user with another role is logged in
 
if (User.IsInRole("admin"))
{
   Hyperlink1.Visible = true;
   ad.Visible = true;
}
else
{
   Hyperlink1.Visible = false;
   ad.Visible = false;
}
 
And if a user tries to open the web page by typing its URL manually, you can use the location tag in the web.config file for that:
 
<location path="admin/Adminmenu.aspx">
   <system.web>
   <authorization>
   <deny users="?" roles="user"/>
   <allow users="*" roles="admin"/>
   </authorization>
   </system.web>
 </location>
 
Now if a local user tries to access the admin page, he will be redirected to the login page to log in with an admin username and password.
 
hope this will help you!
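As an added example (not code from any reply in this thread), here is a small Python simulation of how ASP.NET URL authorization evaluates the <allow>/<deny> rules posted above: rules are read top to bottom and the first match decides. It is fed the rule sets from Suchit shah's and dipa ahuja's replies and shows why the "order is important" comment holds, and that `<allow users="*" roles="admin"/>` also admits any authenticated user who is not in the "user" role (for example the Employee role from the question). User names (alice, bob, carol, dave) are constructed; name matching is exact here, a simplification of this example.

```python
import xml.etree.ElementTree as ET

ANON, ALL = "?", "*"          # ASP.NET wildcards: anonymous users / all users

def parse_rules(authorization_xml):
    """Turn an <authorization> fragment into an ordered list of (verb, users, roles)."""
    def split(attr):
        return [x.strip() for x in attr.split(",") if x.strip()]
    rules = []
    for el in ET.fromstring(authorization_xml):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, split(el.get("users", "")), split(el.get("roles", ""))))
    return rules

def rule_matches(rule, user, roles):
    """user is None for an anonymous request; matching is exact (simplification)."""
    _verb, users, rule_roles = rule
    for u in users:
        if u == ALL or (u == ANON and user is None) or u == user:
            return True
    return any(r in roles for r in rule_roles)

def is_allowed(rules, user, roles=()):
    """First matching rule decides; with no match the inherited default (allow all) applies."""
    for rule in rules:
        if rule_matches(rule, user, roles):
            return rule[0] == "allow"
    return True

# Rule sets copied from the web.config fragments in the thread
ADMIN_FOLDER = parse_rules("""<authorization>
  <allow roles="Administrator"/>
  <deny users="*"/>
</authorization>""")
ADMIN_FOLDER_WRONG_ORDER = parse_rules("""<authorization>
  <deny users="*"/>
  <allow roles="Administrator"/>
</authorization>""")
ADMIN_MENU = parse_rules("""<authorization>
  <deny users="?" roles="user"/>
  <allow users="*" roles="admin"/>
</authorization>""")

if __name__ == "__main__":
    print(is_allowed(ADMIN_FOLDER, "alice", ["Administrator"]))              # True
    print(is_allowed(ADMIN_FOLDER_WRONG_ORDER, "alice", ["Administrator"]))  # False: deny-all matched first
    print(is_allowed(ADMIN_MENU, "dave", ["Employee"]))                      # True: allow users="*" admits any other role
```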
 
Devil Scorpio replied to Ajay Paritala on 13-Nov-11 06:41 AM
Hi,

You can have role-based authorization by using the following query.

The rolesForUser stored procedure is fairly straightforward - it simply takes in a single parameter (the username to search on) and then returns the list of roles the user belongs to.

CREATE PROCEDURE rolesForUser 
(
   @Username   varchar(50)
)
AS

SELECT G.Name
FROM Roles R
   INNER JOIN Groups G ON
      R.GroupID = G.GroupID
   INNER JOIN Users U ON
      R.UserID = U.UserID AND U.Username = @Username