asp.Net C# site.Master - Exclude Default.aspx page?

Question

Say there are 2 types of users: regular user (folks not specified in the project) and Admin (defined in security role). I have a c# web app project that follows a site.Master for layout and for security roles (Admin only access).

However, I would like to make the Default.aspx page open to both Admin AND regular users. At the moment, if you are a regular user and attempt to access Default.aspx, you will be rerouted to the "AccessDenied.aspx" page, which is how it should be if they were given a link to any of the other pages.

1. Is there a way to suppress that functionality within the same site.Master page for just Default.aspx? I would like to stick with 1 master page, and still want to reference the original "site.Master" so that I don't have to duplicate the layout, etc.

2. If there is, is it also possible to have regular users see only the Default.aspx page with a "Home" link on the menu (while the Admin would see Home, Admin, etc. other tabs for dropdown)?

In the code behind I handle the reroute to the Access Denied page by checking the security role of the user accessing the page. Is there a way to say "If user is on Default.aspx page, ignore this reroute" ?

Answer 1

I think mixing security with MasterPage is not a great idea - .NET has great security framework, so why not leverage that ? Assuming following schema:

• signed-in users can see Default.aspx
• admins can see anything under /Admin folder
• signed-in users can't see /Admin folder
• anonymous users can't see anything but

Web.config:

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Default.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" cookieless="UseCookies" />
  </authentication>
  <anonymousIdentification enabled="true"/>
  <roleManager enabled="true" defaultProvider="MyRoleProvider">
    <providers>
      <add name="MyRoleProvider" type="MyNamespace.MyRoleProvider, WebApplication1"/>
    </providers>
  </roleManager>
  <membership defaultProvider="MyMembershipProvider">
    <providers>
      <add name="MyMembershipProvider" type="MyNamespace.MyMembershipProvider, WebApplication1"/>
    </providers>
  </membership>
</system.web>

MyMembershipProvider & MyRoleProvider class:

namespace MyNamespace {
  public class MyMembershipProvider : System.Web.Security.MembershipProvider {
    // override at least ApplicationName, CreateUser and ValidateUser 
    // you can throw NotImplementedException for rest
  }
  public class MyRoleProvider : System.Web.Security.RoleProvider {
    // override at least GetAllRoles(), GetRolesForUser() and RoleExists
    // you can throw NotImplementedException for rest
  }
}

Login.aspx :

// after validation that username&password is correct call
FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chxRememberMe.Checked);

Congratulations - now you have hooked up to standard .NET web security provider model. Now you can enjoy it like:

<asp:LoginView ID="MasterLoginView" runat="server">
  <AnonymousTemplate>
    Welcome: Guest
  </AnonymousTemplate>
  <LoggedInTemplate>
    Welcome:
   <asp:LoginName ID="MasterLoginName" runat="server" />
  </LoggedInTemplate>
</asp:LoginView>

or

<asp:LoginView ID="MasterLoginView" runat="server">
  <RoleGroups>
    <asp:RoleGroup Roles="Admin">
      <ContentTemplate>
        Welcome mighty admin
      </ContentTemplate>
    </asp:RoleGroup>
  </RoleGroups>
</asp:LoginView>

Also if you're using Sitemap provider for the site links, when you enable security trimming .NET will use this provider to calculate which links can be displayed to users, etc.