7.8. Authorizing Classic ASP with ASP.NET
You have seen that forms authentication is already working with the classic ASP application, in part because there is a URL authorization rule that denies access to anonymous users. In effect, you already have the basics of authorization working. The sample application, though, can be modified a bit more to include more extensive authorization rules.
For example, let's say there is an administrative folder for the ASP application that should only grant access to users that are in the "Administrators" role. You can create a URL authorization rule that protects the ASP subdirectory.
<location path="ASPAdminPages">
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Now, whenever an attempt is made to access a classic ASP page in the ASPAdminPages subdirectory, ASP.NET's URL authorization will enforce this rule. Using the ASP.NET Configuration tool available from inside of Visual Studio, you can enable the Role Manager feature, create a new role called "Administrators" and add a user to the new role. The only change that occurs in configuration is the addition of the <roleManager /> element (by default Role Manager is not enabled, hence the need to turn it on):
<roleManager enabled="true" />
As with the Membership feature, the default Role Manager provider uses the LocalSqlServer connection string. Because this was changed earlier, Role Manager will automatically associate ...
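The order of the two rules in the ASPAdminPages block matters, because URL authorization walks the rules top-down and stops at the first one that matches the caller. The following is an added example, not code from the book or from ASP.NET: a simplified Python model of that evaluation. The caller names, the "Editors" role and the swapped rule order are constructed, and the model ignores verbs and rules inherited from parent configuration.

```python
import xml.etree.ElementTree as ET

# The <location> block from the text, with the rule list left as a slot.
TEMPLATE = """<configuration>
  <location path="ASPAdminPages">
    <system.web>
      <authorization>{rules}</authorization>
    </system.web>
  </location>
</configuration>"""
PAGE_RULES = '<allow roles="Administrators"/><deny users="*"/>'     # order used in the text
SWAPPED_RULES = '<deny users="*"/><allow roles="Administrators"/>'  # constructed mistake

def _names(rule, attr):
    return [n.strip() for n in rule.get(attr, "").split(",") if n.strip()]

def _matches(rule, user, roles):
    """True if an <allow>/<deny> element applies to this caller (user=None is anonymous)."""
    users = [u.lower() for u in _names(rule, "users")]
    if "*" in users:                        # "*" means every caller
        return True
    if user is None:                        # "?" means anonymous callers
        return "?" in users
    if user.lower() in users:
        return True
    # Exact-match stand-in for the role lookup Role Manager performs.
    return any(r in roles for r in _names(rule, "roles"))

def is_allowed(rules, path, user, roles=()):
    """Walk the rules for `path` top-down; the first matching rule decides."""
    root = ET.fromstring(TEMPLATE.format(rules=rules))
    for loc in root.iter("location"):
        if loc.get("path", "").lower() != path.lower():
            continue
        for auth in loc.iter("authorization"):
            for rule in auth:
                if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
                    return rule.tag == "allow"
    return True  # nothing matched: modelled as the inherited default, allow users="*"

if __name__ == "__main__":
    # Constructed callers: the names and the "Editors" role are made up.
    callers = [("alice", ["Administrators"]), ("bob", ["Editors"]), (None, [])]
    for label, rules in [("page order", PAGE_RULES), ("swapped", SWAPPED_RULES)]:
        for user, roles in callers:
            verdict = "allow" if is_allowed(rules, "ASPAdminPages", user, roles) else "deny"
            print(f"{label:10} user={user!s:6} roles={roles} -> {verdict}")
```

With the rules swapped, the deny rule matches every caller first, so even a member of the Administrators role is locked out of the folder.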