ASP.NET 2.0: Best Way To Set Up Access Based On Roles

va

Using the Web Site Administration Tool Security Tab, I wanted to:

1) Deny access to certain web pages based on a user's logged in Role

PROBLEM: But the Web Site Administration Tool Security Tab forces me to
deny access only by directory, not by actual web page files. Should I just
segregate the web page files into different directories?

2) Have SiteNavigation and SiteMapData properly correspond and only show
allowable pages on the site based on role

PROBLEM: No idea how to do this?


Thanks
 
MikeS

1. Set up your location tags in web.config (or using the UI) to protect
the pages themselves.

<location path="mypage.aspx">
  <system.web><authorization>
    <allow roles="Admin" />
    <deny users="*" />
  </authorization></system.web>
</location>

2. Set the securityTrimmingEnabled="true" attribute on your sitemap
provider to exclude nodes that a role can't use.

You can also add a roles attribute to your site map nodes but that just
excludes them and does not protect them like 1 above, as far as I know.

3. Profit
 
va

Mike,

Thank you so much. I got caught up in the new stuff and forgot the old
approaches!
 
Yendi

Hi Mike,

Is there a way to declare the URL the user is redirected to when
he's not authorized to view a certain page? Right now, I'm doing it
exactly as you said, and it's redirecting to login.aspx... but I want
it to go to... let's say... noAccess.aspx. Can I do that?

Thanks.
 
Dominick Baier [DevelopMentor]

Hi,

No - you will always redirect to the login page.

You can, however, detect on the login page if the user is already logged in
- if he is - then the redirect is most likely a no-access problem - if he is
not authenticated - then it seems to be a logon...
 
MikeS

Dominick has a good suggestion, and there are others.

http://weblogs.asp.net/pwilson/archive/2004/05/11/129844.aspx

Me, I just wouldn't show them a link they can't visit and if they visit
it, it is OK to boot them.

Otherwise, if you want to show the link as a tease for premium content,
maybe disable the link or change its navurl based on whether the user
has rights to the content, perhaps with a custom sitemap provider or
web control.
 
MikeS

Short of all that, it looks like you can set your sitemap up to show
different links to different user types.

<siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" url="noaccess.aspx?wanted=premium" />
  <siteMapNode title="Premium" url="premium.aspx" />
</siteMapNode>

You have to have location tags in web.config restricting premium.aspx
to the "premium" role and restricting noaccess.aspx to the "regular"
role as well as securityTrimmingEnabled set on the provider. This makes
for double sitemap entries for each premium offering (but I could not
get a custom provider and/or SiteMapResolve to do this for me). Note
that noaccess.aspx can be used repeatedly in the map if the querystring
is changed to make the url unique; besides, you can use that to figure
out why they got bounced. Also note that the user can only be in one
role or the other.
 
MikeS

Moreover...

If you want to do without the location tags in web.config you could set
up the sitemap using the roles I described like so.

<siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" roles="premium">
    <siteMapNode title="Blog" url="blog.aspx" />
    <siteMapNode title="Email" url="email.aspx" />
  </siteMapNode>
  <siteMapNode title="Premium" roles="regular">
    <siteMapNode title="Blog" url="noaccess.aspx?what=blog" />
    <siteMapNode title="Email" url="noaccess.aspx?what=email" />
  </siteMapNode>
</siteMapNode>
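
An added example, not posted by anyone in this thread: a Python check that lists pages sitting at or below a sitemap node with a roles attribute but lacking a page- or directory-level location rule with a deny entry in web.config, which is the gap raised earlier in the thread where a roles attribute hides a node without protecting the page. The sample sitemap and web.config are constructed from the snippets above, and all function names are hypothetical. It assumes a single web.config and looks only at path-scoped location rules, not at nested web.config files or a site-wide authorization section.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the snippets in this thread.
SITEMAP = """<siteMap>
<siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" roles="premium">
    <siteMapNode title="Blog" url="blog.aspx" />
    <siteMapNode title="Email" url="email.aspx" />
  </siteMapNode>
  <siteMapNode title="Premium" roles="regular">
    <siteMapNode title="Blog" url="noaccess.aspx?what=blog" />
    <siteMapNode title="Email" url="noaccess.aspx?what=email" />
  </siteMapNode>
</siteMapNode></siteMap>"""
WEB_CONFIG = """<configuration><location path="blog.aspx">
  <system.web><authorization>
    <allow roles="premium" /><deny users="*" />
  </authorization></system.web>
</location></configuration>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def protected_paths(web_config_xml):
    """Paths of <location> elements that contain at least one deny rule."""
    root = ET.fromstring(web_config_xml)
    return {loc.get("path").lower() for loc in root.iter()
            if local(loc) == "location" and loc.get("path")
            and any(local(e) == "deny" for e in loc.iter())}

def role_gated_urls(sitemap_xml):
    """(page, roles) for each url at or below a node carrying roles=."""
    found = set()
    def walk(node, inherited):
        roles = node.get("roles") or inherited
        url = node.get("url")
        if url and roles:  # query string and leading ~/ are not part of the page
            found.add((urlsplit(url).path.lstrip("~/").lower(), roles))
        for child in node:
            walk(child, roles)
    walk(ET.fromstring(sitemap_xml), None)
    return found

def unprotected(sitemap_xml, web_config_xml):
    """Role-gated pages with no page- or directory-level <location> deny."""
    guarded = protected_paths(web_config_xml)
    return sorted((p, r) for p, r in role_gated_urls(sitemap_xml)
                  if not any(p == g or p.startswith(g + "/") for g in guarded))

for page, roles in unprotected(SITEMAP, WEB_CONFIG):
    print(f"{page}: sitemap roles={roles!r}, no <location> deny rule")
```
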
 
