A simple work around of Forms Authentication based on user's role

Aug 25, 2010

CPOL

This tip uses roles, rather than each individual user's access rights, to limit which users can reach particular folders.

Introduction

I have searched Google and could not find a better solution for authenticating users easily and quickly. Here is the solution I have put together so far; please comment on it and help me improve it.

Background

ASP.NET provides two authentication methods, Forms and Windows. People normally use Forms, because it provides more flexibility, whereas Windows authentication requires the PC to have an account for every user. With Forms authentication a web site can use a database or another method to authenticate users.

How it works

Download the source code, create an IIS virtual directory, and run it. That's all. It provides a default page, a login page, a logout page, and an Admin folder whose access is restricted through the web.config file. The important parts of this web.config file are:

1. A location entry for the "Admin" folder that allows only users in the "Administrators" role to access it; everyone else is denied.
2. The authentication mode set to "Forms".

The web.config snippet looks like this:
<location path="Admin">
    <system.web>
        <authorization>
            <allow roles="Administrators"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
<authentication mode="Forms"/>
Create a site map, from which the site's navigation will be built. The Web.sitemap file may look like this:
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="~" title="Home" description="">
        <siteMapNode url="default.aspx" title="Home" description="" roles="*"/>
        <siteMapNode url="login.aspx" title="Login" description="" roles="*"/>
        <siteMapNode url="Admin/" title="Administration" description="" roles="*">
            <siteMapNode url="Admin/default.aspx" title="Administration" description="" roles="Administrators"/>
        </siteMapNode>
        <siteMapNode url="logout.aspx" title="Logout" description="" roles="*"/>
    </siteMapNode>
</siteMap>
Your login.aspx may look like the following:
protected void btnLogin_Click(object sender, EventArgs e)
{
    FormsAuthenticationUtil.RedirectFromLoginPage("Lewis", "Administrators", true);
}
FormsAuthenticationUtil is a third-party DLL which I have found passes the user's roles to the application quite reliably. "Lewis" is the name of the user who has just been authenticated and "Administrators" is that user's role; this role must match the roles and folder settings in our web.config. In your Global.asax you should see the following:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // Only a forms ticket carries our role list in its UserData field
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;

                // Get the stored user-data, in this case, our roles
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');

                // Replace the principal so that <allow roles="..."/> in web.config sees these roles
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}

Remember to add the following line at the top of your Global.asax file:

<%@ Import Namespace="System.Security.Principal" %>
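As an added example that is not the article's code or the FormsAuthenticationUtil library, the hypothetical RoleTicket class below does with the standard FormsAuthenticationTicket API what the RedirectFromLoginPage call in login.aspx does (the roles go into the ticket's UserData) and reads them back the way the Application_AuthenticateRequest handler above does, with the empty-UserData case handled.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Added example (hypothetical RoleTicket class), not the article's FormsAuthenticationUtil.
public static class RoleTicket
{
    // Issue the forms ticket. Call this only after the submitted credentials have been
    // validated: whatever roles are written here are what the Admin folder will trust.
    public static void SignIn(HttpResponse response, string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                             // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),   // expiry; keep it short for non-persistent logins
            persistent,
            string.Join(",", roles),       // roles travel in UserData, as Global.asax expects
            FormsAuthentication.FormsCookiePath);
        // Encrypt() also signs the ticket with the <machineKey>, so the client cannot edit the roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,   // set requireSSL="true" in <forms> on HTTPS sites
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Turn the UserData field back into roles. Blank entries are dropped, so an empty
    // UserData yields no roles rather than the single empty-string role that Split gives.
    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return new string[0];
        return userData.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
    }

    // Same job as the article's Application_AuthenticateRequest body.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null) return;
        FormsIdentity id = context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;
        context.User = new GenericPrincipal(id, ParseRoles(id.Ticket.UserData));
    }
}
```

Note that the roles attribute in Web.sitemap only trims the menu; the check that actually protects the Admin folder is the <authorization> element in web.config, which is what the principal built here is evaluated against.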
Please rate or comment :)