Role Based Authorization

This article shows how to do role based authorization in an ASP.NET Web Forms site with forms authentication: the role is stored in the authentication ticket, turned into a principal on every request, and enforced per folder by the authorization rules in web.config.

Suppose the web site has three folders, AdminUser, ClientUser and PartnerUser, each containing some aspx pages. A user in the Admin role should be able to open the pages in the AdminUser folder only. If the admin user tries to open a page in the ClientUser or PartnerUser folder, the site should automatically redirect him to the login page. Similarly, client and partner users can only open the pages in the folder they have rights to.

To set up role based security, use the following procedure. It assumes forms authentication is already enabled in the root web.config (<authentication mode="Forms"> with a loginUrl).

1. Authorization rules in web.config

Add one <location> element per protected folder. ASP.NET evaluates the rules top to bottom and the first rule that matches the user decides, so the <allow roles="..."/> rule must come before <deny users="*"/>; if the order is reversed, everybody is denied, including the intended role. Without the final deny the machine-level default <allow users="*"/> would let everyone in.

For Admin User

<!--Path: folder path -->
<location path="AdminUser">
  <system.web>
    <authorization>
      <!-- Only users in the Admin role can open the aspx pages in the AdminUser folder -->
      <allow roles="Admin"/>
      <!-- Everyone else, authenticated or not, is denied -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

For Client User

<!--Path: folder path -->
<location path="ClientUser">
  <system.web>
    <authorization>
      <!-- Only users in the Client role can open the aspx pages in the ClientUser folder -->
      <allow roles="Client"/>
      <!-- Everyone else, authenticated or not, is denied -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

For Partner User

<!--Path: folder path -->
<location path="PartnerUser">
  <system.web>
    <authorization>
      <!-- Only users in the Partner role can open the aspx pages in the PartnerUser folder -->
      <allow roles="Partner"/>
      <!-- Everyone else, authenticated or not, is denied -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>


2. In Global.asax, in the Application_AuthenticateRequest event, create the security principal that carries the user's role. This event runs after the FormsAuthenticationModule has decrypted and validated the ticket, so by then Context.User holds a FormsIdentity for an authenticated request. The role read from the ticket can be trusted because FormsAuthentication.Encrypt protects the whole ticket, UserData included, with the machineKey; the browser cannot change it.

        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            // Only act on requests that carry a valid forms authentication ticket
            FormsIdentity formsIdentity = Context.User.Identity as FormsIdentity;
            if (Request.IsAuthenticated && formsIdentity != null)
            {
                // Get the role from the ticket (written into UserData at login, step 3)
                string[] roles = new string[1];
                roles[0] = formsIdentity.Ticket.UserData;

                // Create a new GenericPrincipal with the role information
                System.Security.Principal.GenericPrincipal newPrincipal =
                    new System.Security.Principal.GenericPrincipal(formsIdentity, roles);

                // Add the principal to the security context, which replaces the current GenericPrincipal
                Context.User = newPrincipal;
            }
        }


3. If the user's login and password are correct, generate the FormsAuthenticationTicket, store the role in its UserData and save the encrypted ticket in the cookie. UserRole must be the role looked up in your own user store for that account, never a value taken from the request. Because the role is copied into the ticket, a change of role on the server only takes effect once the user logs in again.

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                               // Version
    UserID.ToString(),               // Username
    DateTime.Now,                    // Time issued
    DateTime.Now.AddMinutes(180),    // Expiration time
    true,                            // Persistent?
    UserRole);                       // User data string, in our case, to hold the role
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie authenticationCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
authenticationCookie.HttpOnly = true;                          // keep the ticket out of reach of script
authenticationCookie.Secure = FormsAuthentication.RequireSSL;  // send only over HTTPS when requireSSL is set
authenticationCookie.Expires = ticket.Expiration;              // a persistent ticket also needs a cookie expiry
Response.Cookies.Add(authenticationCookie);
 

Now, once the admin user has logged in, he cannot open the pages in the ClientUser or PartnerUser folder: if he changes the URL by hand, the UrlAuthorizationModule answers 401 and the forms authentication module turns that into a redirect to the login page.
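To see why the rule order in step 1 matters, the following is an added example (Python, not code from the article or from ASP.NET) that models the decision the UrlAuthorizationModule makes: it parses the article's three <location> blocks, builds a principal from the ticket's UserData the way step 2 does, and evaluates requests top to bottom, first matching rule wins. The user names, page names and the MISORDERED variant of the AdminUser block are constructed for the demonstration.

```python
"""Model of how ASP.NET's UrlAuthorizationModule evaluates the <location>
rules from the article.  Added example, not ASP.NET or article code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# The article's three <location> blocks, wrapped in a constructed root element.
CONFIG = """<configuration>
  <location path="AdminUser"><system.web><authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="ClientUser"><system.web><authorization>
    <allow roles="Client"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="PartnerUser"><system.web><authorization>
    <allow roles="Partner"/>
    <deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# Constructed misconfiguration: the AdminUser rules with deny placed first.
MISORDERED = CONFIG.replace(
    '<allow roles="Admin"/>\n    <deny users="*"/>',
    '<deny users="*"/>\n    <allow roles="Admin"/>')
assert MISORDERED != CONFIG


@dataclass(frozen=True)
class Principal:
    """What Context.User carries after step 2; name None means anonymous."""
    name: Optional[str]
    roles: frozenset = field(default_factory=frozenset)

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def principal_from_user_data(name: str, user_data: str) -> Principal:
    """Step 2 generalised: UserData may hold several comma-separated roles."""
    roles = frozenset(r.strip() for r in user_data.split(",") if r.strip())
    return Principal(name, roles)


def parse_rules(config_xml: str) -> dict:
    """Return {folder (lowercase): [(action, kind, value), ...]} in file order."""
    rules = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        entries = []
        for rule in loc.find("system.web").find("authorization"):
            if rule.tag not in ("allow", "deny"):
                continue
            for kind in ("users", "roles"):
                for value in (rule.get(kind) or "").split(","):
                    if value.strip():
                        entries.append((rule.tag, kind, value.strip()))
        rules[loc.get("path").strip("/").lower()] = entries
    return rules


def rule_matches(p: Principal, kind: str, value: str) -> bool:
    if kind == "users":
        if value == "*":                       # everyone, anonymous included
            return True
        if value == "?":                       # anonymous users only
            return not p.is_authenticated
        return p.is_authenticated and p.name.lower() == value.lower()
    return p.is_authenticated and value in p.roles   # roles="..."


def is_authorized(rules: dict, p: Principal, url: str) -> bool:
    """The first matching rule of the folder's <location> decides.  If no rule
    matches, the request is allowed: machine.config's default is
    <allow users="*"/>, which is why each folder ends with <deny users="*"/>."""
    folder = url.strip("/").split("/")[0].lower()
    for action, kind, value in rules.get(folder, []):
        if rule_matches(p, kind, value):
            return action == "allow"
    return True


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    admin = principal_from_user_data("alice", "Admin")
    for url in ("/AdminUser/Users.aspx", "/ClientUser/Orders.aspx", "/Default.aspx"):
        verdict = "allow" if is_authorized(rules, admin, url) else "deny (401, redirect to login)"
        print(url, "->", verdict)
    print("AdminUser block with deny first, admin ->",
          is_authorized(parse_rules(MISORDERED), admin, "/AdminUser/Users.aspx"))
```

A denied request in the real module ends as a 401, which the forms authentication module converts into the redirect to the login page described above; the model only returns the allow/deny decision. Note that an authenticated user whose ticket carried an empty UserData has no role and is denied everywhere, and that a page outside the three folders (Default.aspx in the demo) is allowed to everyone unless the root web.config adds its own rules.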