Licence CPOL
First Posted 16 Dec 2011

Authorization in ASP.NET

By | 16 Dec 2011 | Article

Introduction

In this article, I will explain authorization in ASP.NET, the uses of authorization, and how to set authorization rules in web.config to allow or deny resources for a particular user or role.

Description

Today, I am writing this post to explain the authorization concept in ASP.NET. In one of the interviews, the interviewer asked questions such as what authorization in ASP.NET is and how we can use it to allow or deny resources to a particular user or role.

What is Authorization in ASP.NET?

Authorization is the process of allowing or denying access to particular resources for a user or role in ASP.NET.

We will work through this topic with examples. First, create a new website to try them in.

Once the website is created, open the web.config file. In the configuration section, under the system.web section, you will see only the authentication mode; there is no authorization section yet. It looks like this:

<configuration>
  <system.web>
    <!--
      The <authentication> section enables configuration
      of the security authentication mode used by
      ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows" />
  </system.web>
</configuration>

Here we need to change the authentication mode to “Forms” to implement the authorization concept in the web.config file. After changing the authentication mode, we need to add an authorization section inside system.web to implement our custom requirements, such as allowing or denying resources to a particular user or role.

We will start with a rule that denies anonymous users access to the website, i.e., only people who log in to our website are able to access the application.

<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
    <authorization>
      <deny users="?"/> <!-- will deny anonymous users -->
    </authorization>
  </system.web>
</configuration>

(Note: This setup is used when user accounts are created by an administrator to give access to the application.)

In some situations, the requirement is to allow all users to access one particular page and restrict the other pages to logged-in/authenticated users.

Example: I have a website. I want to allow all users to access only the Registration page, so they can register, and allow only logged-in/authenticated users to access the remaining pages of the website.

In this situation, we need to write the configuration like this:

<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <deny users="?"/> <!-- This will restrict anonymous user access -->
    </authorization>
  </system.web>
  <location path="Registration.aspx"> <!-- Path of your Registration.aspx page -->
    <system.web>
      <authorization>
        <allow users="*"/>
        <!-- This will allow everyone to access Registration.aspx -->
      </authorization>
    </system.web>
  </location>
</configuration>

Here, the location path should be the path of your page. My page is in the root folder of the application, which is why I have given the direct path. If your page is in another folder, the location path should be changed to something like this: ~/UserDetails/Registration.aspx.

So far, we have seen how to allow authenticated users to access a web page. Now we will discuss how to allow only a particular user to access the website and deny all other users.

In this situation, we need to write the configuration in the web.config file like this:

<configuration>
  <system.web>
    <authorization>
      <allow users="RahulMittal"/> <!-- It will allow only RahulMittal -->
      <deny users="*"/> <!-- Deny others -->
    </authorization>
  </system.web>
</configuration>

The above code allows only the user “RahulMittal” and denies all other users access to the application. To give permission to more users, just add usernames separated by commas, like “RahulMittal,Abhishek,Azad,etc.”

Now, if we want to allow only one user to access a particular page and deny all other users access to that page, write the code like this:

<configuration>
  <location path="Registration.aspx"> <!-- Path of your Registration.aspx page -->
    <system.web>
      <authorization>
        <allow users="RahulMittal"/>
        <deny users="*"/> <!-- deny all other users -->
      </authorization>
    </system.web>
  </location>
</configuration>

Up to now, we have learnt how to allow or deny resources to users. Now we will see how to allow users in a particular role.

Suppose we have different roles such as Admin, Customer, Technician, etc. If we want to allow only the Admin role to access the application and deny permission to all the other roles, then we need to write the code in web.config like this:

<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin"/> <!-- Allows users in Admin role -->
      <deny users="*"/> <!-- Deny everyone else -->
    </authorization>
  </system.web>
</configuration>

Next, we look at how to allow users in a particular role to access folders.

Example: I have two folders, one is the Administrator folder and the other is the Customer folder. I want to give permissions so that Admin role users are able to access both folders and Customer role users are able to access only the Customer folder. For that, we need to set the rules like this in the web.config file:

<configuration>
  <location path="AdminFolder">
    <system.web>
      <authorization>
        <allow roles="Admin"/> <!-- Allows Admin role users -->
        <deny users="*"/> <!-- Deny everyone except Admin role users -->
      </authorization>
    </system.web>
  </location>
  <location path="CustomerFolder">
    <system.web>
      <authorization>
        <allow roles="Admin, Customers"/> <!-- Allow users in Admin and Customers roles -->
        <deny users="*"/> <!-- Deny rest of all -->
      </authorization>
    </system.web>
  </location>
</configuration>

In this way, we can allow or deny resources to a particular user or role by using authorization in web.config.

Note: Remember that the allow statement must always come before the deny statement. ASP.NET evaluates the rules from top to bottom and applies the first one that matches, so if the deny statement is placed first, the allow statement after it will not take effect.
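
The ordering rule in the note above, as an added example (not code from the article or from ASP.NET): a simplified Python model of first-match rule evaluation, run over the article's AdminFolder rules in both orders, plus a check for rules that can never fire. The user name alice, the case-insensitive name comparison and the fall-through to a default allow are assumptions of this model.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the article's AdminFolder rules in the correct order,
# and the same rules with <deny> first (the mistake the note warns about).
CORRECT = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
MISORDERED = '<authorization><deny users="*"/><allow roles="Admin"/></authorization>'

def _names(value):
    """Split a comma-separated users/roles attribute into lower-cased names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def parse_rules(xml_text):
    """Return the <allow>/<deny> rules as (action, users, roles), in file order."""
    return [(el.tag, _names(el.get("users")), _names(el.get("roles")))
            for el in ET.fromstring(xml_text) if el.tag in ("allow", "deny")]

def matches(rule, user, roles):
    """user is None for an anonymous request; roles is the caller's role set."""
    _, users, rule_roles = rule
    if "*" in users:                      # "*" matches everyone
        return True
    if "?" in users and user is None:     # "?" matches anonymous requests only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(rule_roles & {r.lower() for r in roles})

def is_allowed(rules, user, roles=()):
    """The first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if matches(rule, user, roles):
            return rule[0] == "allow"
    # Assumption of this model: nothing matched, so the request falls through
    # to a machine-level <allow users="*"/> default.
    return True

def unreachable(rules):
    """Indexes of rules placed after a users="*" rule, which can never fire."""
    for i, (_, users, _) in enumerate(rules):
        if "*" in users:
            return list(range(i + 1, len(rules)))
    return []

if __name__ == "__main__":
    for label, cfg in (("correct", CORRECT), ("misordered", MISORDERED)):
        rules = parse_rules(cfg)
        print(label, "| Admin user allowed:", is_allowed(rules, "alice", {"Admin"}),
              "| dead rule indexes:", unreachable(rules))
```

Running `unreachable` over each authorization section of a real web.config is a quick way to catch an allow rule that was added below a catch-all deny.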

History

  • 16th December, 2011: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Rahul Mittal (Napster)

Software Developer
Tech Mahindra
India

Last Updated 16 Dec 2011
Article Copyright 2011 by Rahul Mittal (Napster)