web analytics

Understanding ASP.NET authorization


codeling 1595 - 6639
@2017-03-22 14:10:06

Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET, there are two ways to authorize access to a given resource:

  • File authorization - File authorization is performed by the FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file. ACL permissions are verified for the user's Windows identity (if Windows authentication is enabled) or for the Windows identity of the ASP.NET process.
  • URL authorization - URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.
@2017-03-22 14:21:02

Using URL Authorization

With URL authorization, you explicitly allow or deny access to a particular directory by user name or role. To do so, you create an authorization section in the configuration file for that directory. To enable URL authorization, you specify a list of users or roles in the allow or deny elements of the authorization section of a configuration file. The permissions established for a directory also apply to its subdirectories, unless configuration files in a subdirectory override them.

The following shows the syntax for the authorization section:

  <[allow|deny] users roles verbs />

The allow or deny element is required. You must specify either the users or the roles attribute. Both can be included, but both are not required. The verbs attribute is optional.

The allow and deny elements grant and revoke access, respectively. Each element supports the attributes shown in the following table:





Identifies the targeted identities (user accounts) for this element.

Anonymous users are identified using a question mark (?). You can specify all authenticated users using an asterisk (*).


Identifies a role (a RolePrincipal object) for the current request that is allowed or denied access to the resource.


Defines the HTTP verbs to which the action applies, such as GET, HEAD, and POST. The default is "*", which specifies all verbs.

The following example grants access to the Kim identity and members of the Admins role, and denies access to the John identity (unless the John identity is included in the Admins role) and to all anonymous users:

  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="?"/>

The following authorization section shows how to allow access to the John identity and deny access to all other users:

  <allow users="John"/>
  <deny users="*"/>

You can specify multiple entities for both the users and roles attributes by using a comma-separated list, as shown in the following example:

<allow users="John, Kim, contoso\Jane"/>

Note that if you specify a domain account name, the name must include both the domain and user name (contoso\Jane).

The following example allows all users to perform an HTTP GET for a resource, but allows only the Kim identity to perform a POST operation:

  <allow verbs="GET" users="*"/>
  <allow verbs="POST" users="Kim"/>
  <deny verbs="POST" users="*"/> 

Rules are applied as follows:

  • Rules contained in application-level configuration files take precedence over inherited rules. The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list.

  • Given a set of merged rules for an application, ASP.NET starts at the head of the list and checks rules until the first match is found. The default configuration for ASP.NET contains an <allow users="*"> element, which authorizes all users. (By default, this rule is applied last.) If no other authorization rules match, the request is allowed. If a match is found and the match is a deny element, the request is returned with the 401 HTTP status code. If an allow element matches, the module allows the request to be processed further.

In a configuration file, you can also create a location element to specify a particular file or directory to which settings in that the location element should apply.

@2017-03-22 14:42:33

Role management lets you treat groups of users as a unit by assigning users to roles such as manager, sales, member, and so on. After you have established roles, you can create access rules in your application. For example, your site might include a set of pages that you want to display only to members. Similarly, you might want to show or hide a part of a page based on whether the current user is a manager. By using roles, you can establish these types of rules independent from individual application users. For example, you do not have to grant individual members of your site access to member-only pages. Instead, you can grant access to the role of member and then just add and remove users from that role as people sign up or let their memberships lapse.

The primary purpose of establishing roles is to give you an easy way to manage access rules for groups of users. You create users and then assign the users to roles (in Windows, to groups). A typical use is to then create a set of pages that you want to restrict to certain users. Often you isolate these restricted pages in a folder by themselves. Then you can establish rules that grant and deny access to restricted folders. For example, you can configure the site so that members or managers have access to the pages in the restricted folder and all other users are denied access. If an unauthorized user tries to view a restricted page, the user either sees an error or is redirected to a page that you specify.

To work with roles, you must be able to identify users in your application so that you can determine whether the user is in a specific role. You can configure your application to establish user identity in two ways: Windows authentication and forms authentication. If your application runs in a local area network (that is, in a domain-based intranet application), you can identify users by using their Windows domain account name. In that case, a user's roles are the Windows groups that the user belongs to.

In Internet applications or other scenarios where it is impractical to use Windows accounts, you can use forms authentication to establish user identity. For this task, you typically create a page where users can enter a user name and password and then you validate the user's credentials. The ASP.NET Login controls can perform much of this work for you, or you can create a login page and use the FormsAuthentication class to establish a user identity.

If you use Login controls or forms authentication to establish user identity, you can also use role management together with membership. In this scenario, you use membership to define users and passwords. You can then use role management to define roles and assign members to those roles. However, role management does not depend on membership. As long as you have a way in your application to set user identity, you can use role management for authorization.

@2017-03-23 09:59:19

ASP.NET Role Management

In ASP.NET, role authorization has been simplified. You no longer need to retrieve role information when the user is authenticated or add role details to the authentication cookie. The .NET Framework includes a role management API that enables you to create and delete roles, and add users to and remove users from roles. The role management API stores its data in an underlying data store that it accesses through an appropriate role provider for that data store. The following role providers are included with the .NET Framework and can be used with forms authentication:

  • SQL Server. This is the default provider and it stores role information in a SQL Server database.
  • Authorization Manager (AzMan). This provider uses an AzMan policy store in an XML file, in Active Directory, or in Active Directory Application Mode (ADAM) as its role store. It is typically used in an intranet or extranet scenario where Windows authentication and Active Directory are used for authentication.

Role management is not limited to restricting rights to pages or folders. Role management provides an API that you can use to determine programmatically whether a user is in a role. This enables you to write code to take advantage of roles and perform any application tasks based not only on who the user is but also on what roles the user is in.

If you establish user identity in your application, you can use the role-management API methods for creating roles, adding users to roles, and obtaining information about which users are in which roles. These methods enable you to create your own interface for managing roles.

If your application uses Windows authentication, the role management API offers fewer facilities for role management. For example, you cannot use role management to create new roles. Instead, you use Windows user and group management to create user accounts and groups and assign users to groups. Role management can then read Windows user and group information so that you can use the information for authentication.

If you are using the ASP.NET roles service, you can check whether a user belongs to a particular role or to retrieve all the roles for a user. However, you cannot manage roles through the roles service API.

To work with role management, you first enable it and optionally configure access rules that can take advantage of roles. You can then use role management functions at run time to work with the roles.

To use ASP.NET role management, you enable it in an application's Web.config file by using a setting such as the following:

    cacheRolesInCookie="true" >

A typical use for roles is to establish rules that allow or deny access to pages or folders. You can set up such access rules in the authorization section of the Web.config file. The following example shows how to allow users in the role of members to view pages in the folder named MemberPages and denies access to anyone else:

  <location path="MemberPages">
        <allow roles="members" />
        <deny users="*" />
  <!-- other configuration settings here -->

You must also create roles such as manager or member and then assign user IDs to the roles. If your application uses Windows authentication, you use the Windows Computer Management tool to create users and groups.

If you are using forms authentication, you can set up users and roles with the ASP.NET Web Site Administration Tool. If you prefer, you can perform this task programmatically by calling various role-manager methods. The following example shows how to create the role members:


The following example shows how to add the user JoeWorden individually to the role manager, and how you can add the users JillShrader and ShaiBassli to the role members at one time:

Roles.AddUserToRole("JoeWorden", "manager");
string[] userGroup = new string[2];
userGroup[0] = "JillShrader";
userGroup[1] = "ShaiBassli";
Roles.AddUsersToRole(userGroup, "members");



You must Sign In to comment on this topic.

© 2024 Digcode.com