restrict access to webpage based on roles

  • Question

  • User-1585918428 posted
    Hi, I use my own MS Access database to store visitors' usernames, passwords, roles, etc. Then in my login page, I use "FormsAuthentication.RedirectFromLoginPage(txt_usernameText.Trim, False)" to log in and direct users to a dedicated webpage of my site. In my web.config, I use <allow users="abcd"> to restrict users' access to certain webpages in my site. Apparently the number of users has increased, so I want to group them in terms of roles, and use "FormsAuthentication.RedirectFromLoginPage(txt_usernameText.Trim, False)" + <allow roles="visitor1"> to restrict their access to certain webpages in my site. So my question is: how do I use "FormsAuthentication.RedirectFromLoginPage(txt_usernameText.Trim, False)" for "roles" in terms of "username"? Thanks in advance.
    Thursday, October 10, 2019 9:08 AM

All replies

  • User61956409 posted

    Hi garfchong,

    To implement role-based authorization with Forms authentication, you can refer to this article.

    https://www.codeproject.com/Articles/2905/Role-based-Security-with-Forms-Authentication

    In web.config, grant access to users based on role with authorization rules:

    <location path="AdminPages">
      <system.web>
        <authorization>
          <allow roles="admin" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
    
    <location path="UserPages">
      <system.web>
        <authorization>
          <allow roles="user" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

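    In Global.asax:

    // Requires: using System.Security.Principal; using System.Web.Security;
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    FormsIdentity id =
                        (FormsIdentity)HttpContext.Current.User.Identity;
    
                    // The ticket was already decrypted and validated by Forms authentication.
                    FormsAuthenticationTicket ticket = id.Ticket;
    
                    // UserData holds the comma-separated role list written at login.
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');

                    // Replace the principal so <allow roles="..."> rules see these roles.
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }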

    With Regards,

    Fei Han

    Friday, October 11, 2019 3:24 AM
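
The Global.asax handler above reads roles from `ticket.UserData`, but `RedirectFromLoginPage` issues a ticket with empty user data, so the login page has to build the ticket itself. The following is an added example, not code from the thread, assuming .NET 4.0 or later; `RoleTicket.SignIn` is a hypothetical helper name, and `roles` is whatever your database lookup returns for the user after the password check succeeds.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper, not from the thread). Call it from the
// login page in place of FormsAuthentication.RedirectFromLoginPage, once the
// credentials have been verified against the user store.
public static class RoleTicket
{
    public static void SignIn(HttpContext context, string userName, string[] roles)
    {
        // Global.asax splits UserData on ',', so a role name containing a
        // comma would be read back as two roles. Reject it here.
        if (roles.Any(r => string.IsNullOrWhiteSpace(r) || r.Contains(",")))
            throw new ArgumentException("Role names must be non-empty and comma-free.", "roles");

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,
            now,                                  // issue time
            now.Add(FormsAuthentication.Timeout), // expiry from <forms timeout="...">
            false,                                // session cookie, not persistent
            string.Join(",", roles),              // read back as ticket.UserData
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket according to the <forms protection>
        // setting (encryption and validation by default), so the client
        // cannot edit the role list without invalidating the ticket.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        context.Response.Cookies.Add(cookie);

        // Same destination RedirectFromLoginPage would use (ReturnUrl or the default page).
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }
}
```

Roles stored in the ticket stay in effect until the ticket expires, so a role change in the database is only picked up at the user's next login.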
  • User-1780421697 posted

    When the user logs in to your application, you can check the role in the Master page startup and restrict the user's access to the page. Another option is state management, such as Session, a cookie, or some other state management type that stores the user's role information, so you can check the state at any time.

    Usually, use a base class for this operation, with a constructor that takes an HttpContext parameter, which can get the user information and redirect the user or show/hide information based on the user's role.

    Tuesday, November 12, 2019 10:27 AM