Please refer to this post.

I have been able to configure my web.config file so that when an unauthenticated user requests a page, he is redirected to the Login.aspx page.

I have been able to do that by configuring web.config file and the following few lines of code:

// Code-behind of Login.aspx
using System;
using System.Web.Security;
using Ice_Web_Portal.BO;

protected void btnLogin_Click(object sender, EventArgs e)
{
    // Trim once, so the same value is validated, written into the ticket and looked up.
    string username = this.usernameTextBox.Text.Trim();
    string password = this.passwordTextBox.Text.Trim();

    // The membership provider configured in web.config checks the credentials.
    bool success = Membership.ValidateUser(username, password);

    if (success)
    {
        // Issue the forms-authentication ticket as a persistent cookie.
        FormsAuthentication.SetAuthCookie(username, true);

        Ice_Web_Portal.BO.User user = Ice_Web_Portal.BO.User.GetUserByUserName(username);

        Ice_Web_Portal.BO.UserTypeEnum loginUserType = user.UserTypeEnum;

        // Choose the landing page from the application's own user type.
        if (loginUserType == UserTypeEnum.Student)
        {
            Response.Redirect("~/Student/StudentControlPanel.aspx?username=" + username);
        }
        else if (loginUserType == UserTypeEnum.Teacher)
        {
            Response.Redirect("~/Teacher/TeacherControlPanel.aspx?username=" + username);
        }
        else if (loginUserType == UserTypeEnum.Webmaster)
        {
            Response.Redirect(@"~/Webmaster/WebmasterControlPanel.aspx");
        }
        else
        {
            labLoginMessage.Text = "Sorry! Type of user couldn't be determined!";
        }
    }
    else
    {
        labLoginMessage.Text = Ice_Web_Portal.BO.User.LoginMessage;
    }
}

But the problem I am having with this is that, once a user is authenticated, he can access all pages in the entire web application.

But I need to restrict their area of page access according to their roles. I.e. when a user with a different role requests a page, he should be automatically redirected to the Login.aspx page.

There may be a technique in which I can check for specific user roles in the Page_Load event and then redirect the user to the Login.aspx page if he is not in that role. But I don't want to do it that way. I want that to happen automatically. I need to use only the Role Provider framework and the web.config file (as was the case with membership, i.e. I don't need to check membership in the Page_Load event; the web.config file automatically blocks access).

Can anyone tell me how can I incorporate Role feature in this so that specific users are confined within their specific Role-area?

What is the Code for generating the Authorization Ticket?
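
Added example (not the asker's code): the same login handler written against the Roles API, so the login page and the web.config `<allow roles>` rules agree on one set of role names. It assumes the role provider is enabled in web.config, that each user carries exactly one of the roles "Student", "Teacher" or "Webmaster" (assumed names), and that the controls `usernameTextBox`, `passwordTextBox` and `labLoginMessage` exist as in the original page. The redirect carries no `?username=` parameter: the control-panel pages read `User.Identity.Name` from the ticket, which the framework validated, instead of trusting a query string anyone can edit.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    // Role name -> landing page inside the area that web.config restricts to that role.
    // Order gives precedence if a user ever holds more than one role.
    private static readonly KeyValuePair<string, string>[] Landing =
    {
        new KeyValuePair<string, string>("Webmaster", "~/Webmaster/WebmasterControlPanel.aspx"),
        new KeyValuePair<string, string>("Teacher",   "~/Teacher/TeacherControlPanel.aspx"),
        new KeyValuePair<string, string>("Student",   "~/Student/StudentControlPanel.aspx"),
    };

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string username = usernameTextBox.Text.Trim();
        string password = passwordTextBox.Text;

        if (!Membership.ValidateUser(username, password))
        {
            // One message for "unknown user" and "wrong password": do not reveal which.
            labLoginMessage.Text = "Invalid user name or password.";
            return;
        }

        // Forms-authentication ticket; non-persistent, so it ends with the browser session.
        FormsAuthentication.SetAuthCookie(username, false);

        // Ask the same role provider that UrlAuthorizationModule consults on every request.
        string[] roles = Roles.GetRolesForUser(username);
        string target = null;
        foreach (KeyValuePair<string, string> entry in Landing)
        {
            // Role names are compared case-insensitively, as the authorization rules do.
            if (Array.Exists(roles, r => string.Equals(r, entry.Key, StringComparison.OrdinalIgnoreCase)))
            {
                target = entry.Value;
                break;
            }
        }

        if (target == null)
        {
            // Authenticated but in no known role: take back the ticket just issued.
            FormsAuthentication.SignOut();
            labLoginMessage.Text = "Sorry! Type of user couldn't be determined!";
            return;
        }

        // No username in the URL; the target page uses User.Identity.Name.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Even if a user bookmarks or edits the redirect target, the `<location>` rules in web.config still decide what the request may reach; the redirect only picks the first page the user sees.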

A: 

If you have a set of restricted files in a folder you can restrict the Roles to that folder in the web.config:

eg:

<location path="TeacherAdmin" allowOverride="false">
  <system.web>
    <authorization>
      <allow roles="Teacher"/>
      <deny users="*,?"/>
    </authorization>
  </system.web>
</location>

Note: The path attribute can also point to a specific aspx page

Mark Redman
What is the Code for generating the Authorization Ticket?
JMSA
+3  A: 

add sections to web.config

<location path="page-only-allowed-to-be-accessed-by-admin.aspx">
  <system.web>
    <authorization>
      <allow roles="admin"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>

You may find this article interesting - the web.config demystified

EDIT:

The code for generating the Authorization ticket is in your code.

FormsAuthentication.SetAuthCookie(username, true);

which is implemented like so (using Red Gate's Reflector)

// System.Web.Security.FormsAuthentication, as decompiled. The two-argument
// overload called above forwards here with the configured cookie path.
public static void SetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath)
{
    Initialize();
    HttpContext current = HttpContext.Current;
    // Refuses to issue the ticket over plain HTTP when <forms requireSSL="true">.
    if (!current.Request.IsSecureConnection && RequireSSL)
    {
        throw new HttpException(SR.GetString("Connection_not_secure_creating_secure_cookie"));
    }
    // Cookieless mode carries the encrypted ticket in the URL instead of a cookie.
    bool flag = CookielessHelperClass.UseCookieless(current, false, CookieMode);
    // GetAuthCookie builds the FormsAuthenticationTicket and encrypts/signs it.
    HttpCookie cookie = GetAuthCookie(userName, createPersistentCookie, flag ? "/" : strCookiePath, !flag);
    if (!flag)
    {
        HttpContext.Current.Response.Cookies.Add(cookie);
        current.CookielessHelper.SetCookieValue('F', null);
    }
    else
    {
        current.CookielessHelper.SetCookieValue('F', cookie.Value);
    }
}

The RoleProvider will get the roles for a given user, so when the web.config is inspected for allowed or denied roles/users for a given section of your application, the RoleProvider will get the roles for the user and then check against the allowed/denied roles and authorize if appropriate.

Russ Cam
What is the Code for generating the Authorization Ticket?
JMSA
A custom RoleProvider is really straightforward to implement. Just inherit from RoleProvider and override those methods that you want - probably GetAllRoles(), GetRolesForUser(userName), GetUsersInRole(roleName), IsUserInRole(userName, roleName). Then use this RoleProvider in your application. See David Hayden's post - http://davidhayden.com/blog/dave/archive/2007/10/17/CreateCustomRoleProviderASPNETRolePermissionsSecurity.aspx
Russ Cam
That being said, you might want to use the RoleProvider to manage your roles (although in my experience, existing systems usually have a process for managing roles and users, so you just need your custom MembershipProvider and RoleProvider classes to hook into that).
Russ Cam
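
Added example (not from the answer or the asker's project): a read-only RoleProvider that derives one role from the asker's `Ice_Web_Portal.BO.User.UserTypeEnum`, so the existing user type drives the web.config rules without a separate role table. The class name, the web.config registration in the trailing comment, and the behaviour of `GetUserByUserName` for an unknown name (assumed to return null) are assumptions. Only `GetRolesForUser` is consulted by `RolePrincipal` when `<allow roles>` / `<deny roles>` are evaluated; the editing methods throw because roles here are a function of the user type.

```csharp
using System;
using System.Collections.Specialized;
using System.Web.Security;
using Ice_Web_Portal.BO;

public class UserTypeRoleProvider : RoleProvider
{
    // Role names must match the <allow roles="..."> entries in web.config.
    private static readonly string[] AllRoles = { "Student", "Teacher", "Webmaster" };

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (string.IsNullOrEmpty(name)) name = "UserTypeRoleProvider";
        base.Initialize(name, config);
    }

    // Called by RolePrincipal on the first role check of a request (or read from the
    // role cookie if cacheRolesInCookie="true"). Unknown or undetermined users get no
    // role at all, so every <deny users="*"> rule applies to them.
    public override string[] GetRolesForUser(string username)
    {
        Ice_Web_Portal.BO.User user = Ice_Web_Portal.BO.User.GetUserByUserName(username);
        if (user == null) return new string[0];               // assumed: null for unknown name
        switch (user.UserTypeEnum)
        {
            case UserTypeEnum.Student:   return new[] { "Student" };
            case UserTypeEnum.Teacher:   return new[] { "Teacher" };
            case UserTypeEnum.Webmaster: return new[] { "Webmaster" };
            default:                     return new string[0];
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.Exists(GetRolesForUser(username),
            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    public override string[] GetAllRoles() { return (string[])AllRoles.Clone(); }

    public override bool RoleExists(string roleName)
    {
        return Array.Exists(AllRoles,
            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    // Membership is derived from the user type, so it cannot be edited through the provider.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}

/* web.config registration inside <system.web> (assumed names):
<roleManager enabled="true" defaultProvider="UserTypeRoleProvider">
  <providers>
    <clear/>
    <add name="UserTypeRoleProvider" type="UserTypeRoleProvider"/>
  </providers>
</roleManager>
*/
```

With `cacheRolesInCookie` left at its default (false) the provider is asked once per request, so a changed user type takes effect on the next request; if you turn the role cookie on, a demoted user keeps the old role until that cookie expires.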
+1  A: 

Use the Role Provider.

Once you have setup the role provider, and assigned roles to your users, you can use the <authorization> section of Web.config to restrict access to your various resources based on role membership.

I suggest you use the SqlRoleProvider if you have an SQL Server available. It is very flexible in that it can assign roles to user names without the users having to be registered first - specifically, you don't need to also use the SqlMembershipProvider (or in fact any membership provider). I.e. if you add the role "Student" to the user name "John", the SqlRoleProvider will simply associate that role with that user name, and everything just works.

Good luck!

Tor Haugen
What is the Code for generating the Authorization Ticket?
JMSA
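
Added example (not part of any answer): once the `<location>` rules are in web.config, this self-check confirms they confine each role to its own area and keep anonymous visitors out of all of them, using `UrlAuthorizationModule.CheckUrlAccessForPrincipal`, the same evaluation the module performs per request. The three area paths and role names are assumed to match the asker's layout; the principals are synthetic, so this tests the rules, not the role provider. Remember that `<authorization>` rules are evaluated top down and the first match wins: an `<allow roles="Teacher"/>` placed after `<deny users="*"/>` never fires, and this check reports exactly that kind of mistake.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Security;

public static class AuthorizationSelfCheck
{
    // Assumed: each folder is restricted to the role of the same name in web.config.
    private static readonly string[] Areas =
    {
        "~/Student/StudentControlPanel.aspx",
        "~/Teacher/TeacherControlPanel.aspx",
        "~/Webmaster/WebmasterControlPanel.aspx",
    };

    private static readonly string[] RoleNames = { "Student", "Teacher", "Webmaster" };

    // Returns the list of rule violations; an empty list means the rules are as intended.
    // Needs an HttpContext, so call it from a page reachable only by Webmaster or from an
    // integration test hosted in the application.
    public static List<string> FindViolations()
    {
        var violations = new List<string>();

        // Empty identity name => IsAuthenticated == false, i.e. the "?" in <deny users="*,?">.
        var anonymous = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        foreach (string path in Areas)
        {
            if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, anonymous, "GET"))
                violations.Add("anonymous can reach " + path);
        }

        foreach (string role in RoleNames)
        {
            // Authenticated principal holding exactly one role.
            var user = new GenericPrincipal(new GenericIdentity("probe-" + role), new[] { role });
            foreach (string path in Areas)
            {
                bool expected = path.StartsWith("~/" + role + "/", StringComparison.OrdinalIgnoreCase);
                bool actual = UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, "GET");
                if (actual != expected)
                    violations.Add(role + (actual ? " can reach " : " cannot reach ") + path);
            }
        }
        return violations;
    }
}
```

Run it again after every web.config change to the `<location>` blocks; a rule that silently allows `*` before the role-specific `<allow>` shows up as "Student can reach ~/Teacher/...".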