Monday, 25 July 2011

Using Role Based Permissions with ASP.NET 4.0


In this tutorial we will explore ASP.NET's Website Administration Tool to create users, manage roles, and demonstrate how you can control which user accounts have access to certain web pages.

Creating the Default.aspx Page
For this tutorial we will need to create a simple home page that allows us to login and contains a link to our secure admin page. At this point in the tutorial I have created a new ASP.NET Empty Web Site in Microsoft Visual Web Developer. To begin setting up our home page, add a new Web Form to the project named Default.aspx and open it up to Design mode. Then:
  1. Drag and drop a HyperLink Control onto the Web Form.
  2. Change the Text property of the HyperLink to 'Admin Page'.
  3. Change the NavigateUrl property of the HyperLink to 'Secure/Admin.aspx'.
  4. Expand the Login tab in your toolbox.
  5. Drag and drop a Login Control under the Admin Page HyperLink.


Creating the Admin.aspx Page
Next, we are going to add in a simple page called Admin.aspx that we will secure and only let Administrators access. To do this:
  1. Add a New Folder to the project called 'Secure'.
  2. Add a Web Form to the Secure Folder called 'Admin.aspx'.
  3. Add the following text to the Admin.aspx page: 'Welcome Admin!'.

Enabling and Creating Roles
Next, we are going to enable roles and add in two different roles, one for administrators and another for ordinary users. To do this:
  1. Click the ASP.NET Configuration icon in the Solution Explorer to open up the ASP.NET Website Administration Tool.
  2. In the ASP.NET Website Administration Tool click the Security tab.
  3. Under the Roles header click Enable roles.
  4. Under the Roles header click Create or Manage roles.
  5. Type 'Administrator' in the New role name TextBox and click Add Role.
  6. Type 'User' in the New role name TextBox and click Add Role.
Now we have added two different roles to distinguish between our ordinary users and administrators. Next we need to create accounts that utilize these roles.


Enabling and Creating Users
Next, we are going to create two users, Admin and User. To do this:
  1. In the ASP.NET Website Administration Tool click the Security tab.
  2. Under the Users header click Select authentication type.
  3. Select From the internet and click Done.
  4. Under the Users header click Create user.
  5. Create a new account called 'Admin', making sure that under Select roles for this user the Administrator role is checked.
  6. Create a new account called 'User', making sure that under Select roles for this user the User role is checked.

Managing Access Rules
Next, we are going to set permissions so that only users with an Administrator account can access pages in the Secure folder that we added earlier. To do this:
  1. In the ASP.NET Website Administration Tool click the Security tab.
  2. Under the Access Rules header click Manage access rules.
  3. Under the Manage Access Rules header select our Secure folder.
  4. Click Add new access rule.
  5. Make sure that Role is selected and that Administrator is selected in the DropDownList.
  6. Under Permission select Allow.
  7. Click OK.
  8. Click Add new access rule.
  9. Make sure that All users is selected.
  10. Under Permission select Deny.
  11. Click OK.
  12. Close the ASP.NET Website Administration Tool.
Together these two rules deny every user except Administrators access to the Secure folder. Since our Admin.aspx page lives in that folder, only an Administrator account will be able to reach it.
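Behind the scenes, the Website Administration Tool persists these choices as web.config entries. The two fragments below are an added example of what those entries look like; they are not copied from the original post. Choosing From the internet switches the root web.config to forms authentication and Enable roles turns on the role manager, while the two access rules land in a web.config inside the Secure folder. The loginUrl attribute is an optional addition that the tool does not write itself.

```xml
<!-- Root web.config (added example of what the tool produces, plus an
     optional loginUrl that the tool does not write) -->
<configuration>
  <system.web>
    <!-- "From the internet" switches the site to forms authentication. -->
    <authentication mode="Forms">
      <!-- Optional, not added by the tool: without it, denied requests are
           redirected to ~/Login.aspx, which this project does not have, so
           the browser reports that the page cannot be found. Pointing it at
           Default.aspx sends the visitor to the page with the Login control. -->
      <forms loginUrl="~/Default.aspx" />
    </authentication>
    <!-- "Enable roles" turns on the role manager; with the default SQL
         providers, users and roles are stored in App_Data\ASPNETDB.mdf. -->
    <roleManager enabled="true" />
  </system.web>
</configuration>

<!-- Secure/web.config (added example): the two access rules. Rules are
     evaluated top to bottom and the first match wins, so the allow rule
     must come before the deny rule; reversed, users="*" would match
     everyone, Administrators included, and lock the folder for all. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the rule sits in the folder's own web.config, it protects every ASP.NET resource under Secure, not just Admin.aspx, and it is enforced on the server regardless of whether the Admin Page link is shown. Under IIS in classic mode, only files handled by ASP.NET are covered by these rules; static files placed in the folder need IIS integrated mode (or IIS-level authorization) to be protected the same way.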


Testing
Next, we want to test this out to make sure it is working. Go ahead and load up the Default.aspx page and:
  1. Click the Admin Page link. Notice that it tells us the page cannot be found: we are not logged in, so we do not have access to it.
  2. Navigate back to the Default.aspx page.
  3. Log in using the User account we created.
  4. Click the Admin Page link. Notice that it still cannot be found; even though we are logged in, the account is not an Administrator.
  5. Navigate back to the Default.aspx page.
  6. Log in using the Admin account we created.
  7. Click the Admin Page link. Notice that you now see the Welcome Admin message, meaning the page loaded successfully.
The Default.aspx source looks like this:
<body>
    <form id="form1" runat="server">
    <div>
    
        <asp:HyperLink ID="HyperLink1" runat="server" NavigateUrl="Secure/Admin.aspx">Admin Page</asp:HyperLink>
        <br />
        <asp:Login ID="Login1" runat="server">
        </asp:Login>
    
    </div>
    </form>
</body>

The Admin.aspx source looks like this:
<body>
    <form id="form1" runat="server">
    <div>
    
        Welcome Admin!</div>
    </form>
</body>
