I am developing a small department-size application using Web Forms. The technology choice comes from the past, as the application is based on an old one already existing + Web Forms seem to be extremely fast and efficient for our case.

The default template in VS 2015 creates all the login pages, etc. I assign roles to users. The question is how to protect a specific folder or page so that it is available only to users with a specific role?

The only idea I have is:

' Send anonymous users and users outside MyRole to the login page
If Not Page.User.Identity.IsAuthenticated Or Not Page.User.IsInRole("MyRole") Then
  Response.Redirect("~/Account/Login?ReturnUrl=" & Server.UrlEncode(Request.Url.ToString()))
End If

This is not convenient with many pages in the application. I saw that MVC solves this with an attribute:

[Authorize( Roles = Constants.ADMIN )]

What is the best way to achieve this? Please advise.

1 Answer

You can restrict access to pages and folders in your Web.config, instead of writing If Then Else code on each page.

Examples...

Restricting access to a particular page to specific roles

  <location path="SecureFolder/SecurePage.aspx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; the first match wins -->
        <allow roles="Manager,Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

Restricting access to a particular folder to a specific role

  <location path="AdminFolder">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; the first match wins -->
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

You repeat the <location> element for all pages and folders in your application you need to secure.

More information on MSDN here: https://support.microsoft.com/en-us/kb/316871

Folder level Web.config example

An alternative to putting everything in the main Web.config of your web application is to create a Web.config file in each of the folders you need to secure. When doing this, you don't need anything else in the folder's Web.config file, and you don't need to include the <location> element.

e.g. instead of putting the AdminFolder config in your main Web.config file, you can create a new Web.config file inside the AdminFolder directory which only contains the following code.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
3 Comments

The article says it applies to ASP.NET 1.0 and 1.1. Is this still the proper way to do this with ASP.NET Identity 2.1.0? I mean, will this work with roles stored using Identity, or is this intended for some older technology like ASP.NET Membership?
@Megrez7 I have done it this way in ASP.NET Identity. It's a perfectly valid method still. Having said that, the method you use in your original question is also perfectly valid too - and is also a method I have used, where appropriate (i.e. for a small number of pages).
Restricting access to a particular folder to a specific role: when I set this in the web.config file, I am now not able to access the .aspx file directly or after authentication with the role provided; in both cases it's requesting login again.
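
ASP.NET evaluates the rules inside `<authorization>` in the order they are listed and stops at the first one that matches, so `<allow roles="..."/>` has to come before `<deny users="*"/>`. The following is an added example, not code from the question or the answer: a small Python audit that models that first-match behaviour on two constructed configs. The function names, the user `alice` and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the same two rules for AdminFolder, in both orders.
DENY_FIRST = """<configuration><location path="AdminFolder"><system.web>
<authorization><deny users="*"/><allow roles="Admin"/></authorization>
</system.web></location></configuration>"""
ALLOW_FIRST = """<configuration><location path="AdminFolder"><system.web>
<authorization><allow roles="Admin"/><deny users="*"/></authorization>
</system.web></location></configuration>"""

def rule_blocks(xml_text):
    """Return one ordered list of (action, users, roles) per <authorization>."""
    def names(rule, attr):
        return {v.strip().lower() for v in rule.get(attr, "").split(",") if v.strip()}
    return [[(r.tag, names(r, "users"), names(r, "roles"))
             for r in auth if r.tag in ("allow", "deny")]
            for auth in ET.fromstring(xml_text).iter("authorization")]

def is_allowed(rules, user, user_roles=()):
    """Simplified model of URL authorization: the first matching rule decides.
    user=None is an anonymous request; verbs are ignored and names are
    compared case-insensitively (assumptions of this example)."""
    held = {r.lower() for r in user_roles}
    for action, users, roles in rules:
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user.lower() in users)
                or roles & held):
            return action == "allow"
    return True  # no rule matched: the inherited default allows all users

def unreachable_rules(rules):
    """Rules listed after a users="*" rule can never be evaluated."""
    dead, catch_all_seen = [], False
    for action, users, roles in rules:
        if catch_all_seen:
            dead.append((action, sorted(users), sorted(roles)))
        catch_all_seen = catch_all_seen or "*" in users
    return dead

if __name__ == "__main__":
    for label, xml_text in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        rules = rule_blocks(xml_text)[0]
        print(label, "| Admin allowed:", is_allowed(rules, "alice", ["Admin"]),
              "| unreachable:", unreachable_rules(rules))
```

With the deny-first order even a member of Admin is refused and sent back to the login page, and the audit reports the `allow` rule as unreachable.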
