
A simple work around of Forms Authentication based on user's role

25 Aug 2010, CPOL, 1 min read
This tip uses roles, instead of each individual user's access rights, to limit users' access to folders.
Introduction

I searched Google but could not find a simpler, quicker way to authenticate users. Here is the solution I have so far; please comment on it and help me improve it.

Background

ASP.NET provides two authentication methods, Forms and Windows. People normally use Forms because it is more flexible, whereas Windows authentication requires an account on the machine for every user. With Forms authentication a web site can authenticate users against a database or any other store.

How it works

Download the source code, create an IIS virtual directory for it, and run it. That's all. It provides a default page, a login page, a logout page, and an Admin folder whose access is restricted through the web.config file.

In this web.config file the important parts are:

1. A location entry for the "Admin" folder that allows only users in the "Administrators" role to access it (everyone else is denied).
2. The authentication mode set to "Forms".

The web.config snippet looks like this:

XML
<location path="Admin">
    <system.web>
        <authorization>
            <allow roles="Administrators"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
<authentication mode="Forms"/>


Create a site map, which will be used to build your web site's navigation. The web.sitemap file may look like this:

XML
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="~" title="Home" description="">
        <siteMapNode url="default.aspx" title="Home" description="" roles="*"/>
        <siteMapNode url="login.aspx" title="Login" description="" roles="*"/>
        <siteMapNode url="Admin/" title="Administration" description="" roles="*">
            <siteMapNode url="Admin/default.aspx" title="Administration" description="" roles="Administrators"/>
        </siteMapNode>
        <siteMapNode url="logout.aspx" title="Logout" description="" roles="*"/>
    </siteMapNode>
</siteMap>


Your login.aspx may look like the following:
C#
protected void btnLogin_Click(object sender, EventArgs e)
{
    // "Lewis" stands for the user name you have just validated against your user
    // store, and "Administrators" for that user's role. The role name must match
    // the <allow roles="..."/> entry in web.config.
    FormsAuthenticationUtil.RedirectFromLoginPage("Lewis", "Administrators", true);
}


FormsAuthenticationUtil is a third-party DLL which, in my experience, passes the user's roles to the application quite reliably. "Lewis" is the authenticated user and "Administrators" is that user's role; the role name must match the roles and folder settings in our web.config.
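The tip relies on the third-party helper to put the role into the ticket. As an added example that is not part of the original tip, the same thing can be done with the framework's own FormsAuthenticationTicket, which keeps the UserData format (comma-separated roles) that the Global.asax handler expects. ValidateCredentials and LookupRoles are assumed helpers over your own user store, and txtUser, txtPassword and lblError are assumed page controls.

```csharp
using System;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // ValidateCredentials and LookupRoles are assumed helpers over your own
        // user store (not part of the tip). No ticket until the password checks out.
        string userName = txtUser.Text.Trim();
        if (!ValidateCredentials(userName, txtPassword.Text))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }
        IssueRoleTicket(Response, userName, LookupRoles(userName), false);
        // Do NOT call FormsAuthentication.RedirectFromLoginPage here: it writes its
        // own cookie with empty UserData and would overwrite the role ticket.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }

    // Builds the forms ticket with the roles in UserData as "role1,role2", which is
    // exactly the string Application_AuthenticateRequest in Global.asax splits on.
    public static void IssueRoleTicket(HttpResponse response, string userName,
                                       string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            userName,                            // becomes User.Identity.Name
            DateTime.Now,
            DateTime.Now.AddMinutes(30),         // short lifetime
            persistent,
            string.Join(",", roles),             // e.g. "Administrators"
            FormsAuthentication.FormsCookiePath);
        // Encrypt() encrypts and MACs the ticket with the <machineKey>, so the client
        // cannot edit the role list. HttpOnly keeps the cookie away from script and
        // Secure (when requireSSL is set) keeps it off plain HTTP.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration; // else a session cookie
        response.Cookies.Add(cookie);
    }
}
```

Because the role list is only as trustworthy as the machineKey that signs the ticket, make sure every server in a web farm shares the same key.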

In your Global.asax you should have the following handler:
C#
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Runs on every request. The forms ticket itself only carries a name; the
    // roles stored in its UserData are restored here so that <allow roles="..."/>
    // in web.config and User.IsInRole() can see them.
    if (HttpContext.Current.User != null &&
        HttpContext.Current.User.Identity.IsAuthenticated &&
        HttpContext.Current.User.Identity is FormsIdentity)
    {
        FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
        FormsAuthenticationTicket ticket = id.Ticket;

        // Get the stored user-data, in this case, our comma-separated roles.
        // RemoveEmptyEntries avoids an empty-string "role" when UserData is empty.
        string userData = ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' },
                                        StringSplitOptions.RemoveEmptyEntries);
        HttpContext.Current.User = new GenericPrincipal(id, roles);
    }
}


Remember to add the following line at the top of your Global.asax file (GenericPrincipal lives in that namespace):
XML
<%@ Import Namespace="System.Security.Principal" %>


Please rate or comment on it :)

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)