8.3. Restricting Access to Application Pages by Role
Problem
You want to assign or make use of predefined roles for the users of your application, and you want to control access to pages as a function of these roles.
Solution
The solution involves the following steps:
1. Implement the solution described in Recipe 8.2, adding to web.config the required roles for each of the pages.
2. In the code-behind class for the ASP.NET login page, add the user's role information to the authentication cookie when the user logs in.
3. Add code to the Application_AuthenticateRequest method in the global.asax code-behind to recover the user role information and build a user principal object.
4. Set the user principal object to the Context.User property to provide ASP.NET the data it needs to perform page-by-page authentication.
The code we've written to illustrate this solution appears in Example 8-6 through Example 8-10. The <authentication> and <authorization> elements of web.config are shown in Example 8-6. The login page code-behind where the authentication cookie is created is shown in Example 8-7 (VB) and Example 8-8 (C#). (See Recipe 8.1 for the .aspx file for a typical login page.) The Application_AuthenticateRequest method in the code-behind for global.asax is shown in Example 8-9 (VB) and Example 8-10 (C#).
Discussion
The approach we favor for this recipe builds on Recipe 8.2 but quickly takes a tack of its own based on the addition and use of user roles. The <authentication> and <authorization> elements ...