
I am using FormsAuthentication and ASP.NET Memberships and Roles in my ASP.NET project. I have some aspx files which can be viewed / accessed by only authenticated users. I think I can do this using one of the following two ways.

  1. Configuring the web.config file. Allow users with roles 'admin' and 'members' to access those aspx files, and deny all other anonymous users.

  2. In the Page_Load events of those aspx files, just checking whether the current user is authenticated or not using HttpContext.Current.User.Identity.IsAuthenticated.

I am wondering whether these two approaches are equivalent or not for aspx files.

3 Answers


They are not equivalent. Method 1 gives access only to the "admin" and "members" roles. If you add another role, they won't have access. Method 2 lets any signed-in user access the data.

I think that the preferred way is to organize the aspx files in directories depending on what roles should access them. Then configure access on the directories in web.config.


2 Comments

For method 2, I can check whether the user has the role 'admin' or 'members' using HttpContext.Current.User.IsInRole. Now is it equivalent to Method 1?

Yes, checking HttpContext.Current.User.IsInRole would make those methods equivalent.

As others mention, this is not equivalent. However, even if you modify "2." to check roles, this is a worse approach, as you introduce custom code to handle something which can easily be handled in a standard way.

Consider also yet another approach, where you create a separate folder, put your restricted pages there and create an auxiliary web.config to contain:

...
<system.web>
   <authorization>
       <allow roles="admin,members" />
       <deny users="*" />
   </authorization>
</system.web>

This way you require authorization for all resources in the folder: pages, styles, images.
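As an added example (not from the question or any of the answers), here is the code-behind version of approach 2 with the IsInRole check the comments above describe, mirroring the <allow roles="admin,members" /> / <deny users="*" /> rule from this answer. The class name RestrictedPage is a placeholder; note that this guards only the .aspx request itself, whereas the web.config rule also covers the styles and images in the folder.

```csharp
// Added example, not from the question or the answers: a code-behind check that
// mirrors <allow roles="admin,members" /> <deny users="*" /> for one page.
// It only guards this .aspx request; static files in the folder stay unprotected.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class RestrictedPage : Page   // placeholder class name
{
    // Roles mirrored from the web.config rule in the answer.
    private static readonly string[] AllowedRoles = { "admin", "members" };

    // Pure decision logic, separated from the HTTP plumbing so it can be unit-tested.
    public static bool IsAllowed(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return false;                   // anonymous: matches <deny users="*" />
        foreach (var role in AllowedRoles)
            if (user.IsInRole(role))        // any listed role satisfies <allow roles=...>
                return true;
        return false;                       // signed in but wrong role: still denied
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        var user = HttpContext.Current.User;
        if (IsAllowed(user))
            return;                         // authorized: render the page normally

        if (!user.Identity.IsAuthenticated)
        {
            // Same outcome as UrlAuthorizationModule for anonymous users:
            // send them to the login page with a ReturnUrl.
            FormsAuthentication.RedirectToLoginPage();
        }
        else
        {
            // Authenticated but not in an allowed role: refuse instead of rendering.
            Response.StatusCode = 403;
        }
        // Do not render the protected content and stop the rest of the pipeline.
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
    }
}
```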


Hello, you must distinguish between authentication and authorization.

  1. "HttpContext.Current.User.Identity.IsAuthenticated" is authentication.

  2. "Allow users with roles 'admin' and 'members'" is authorization; after authentication we execute authorization.

You can read this article: http://www.duke.edu/~rob/kerberos/authvauth.html

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:

Who is the user?
Is the user really who he/she represents himself to be?

Authorization systems provide answers to the questions:

Is user X authorized to access resource R?
Is user X authorized to perform operation P?
Is user X authorized to perform operation P on resource R?
