Reputation: 979
I inherited an ASP.NET C# application that is not totally working. I have been told to use Form Authentication to prevent unauthorized users from accessing certain subdirectories.
I am having a problem understanding Forms Authentication. This is a public internet site and all users will have access to the main part of the site. However there is a subdirectory that is restricted to certain users. I know that a user is valid because they will enter a user name and password and I will look them up in a database. I have added these lines to the web.config file of the subdirectory.
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <!-- Rules are evaluated top to bottom and the first match wins:
         allow the two roles first, then deny everyone else. -->
    <authorization>
      <allow roles="Administrators, Examiners"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The question is: how do I set in my code that the user belongs to a certain role?
Here is the pseudo code.
If user name and password match then
Set this users role to Examiners.
I don’t know the code I need to set the user to a role.
Upvotes: 1
Views: 10894
Reputation: 908
Go through the link given below:
http://www.asp.net/web-forms/tutorials/security
Upvotes: 0
Reputation: 4784
Take a look at your membership database.
To make a start, here you go with the login method:
using System.Web.Security;

protected void LoginButton_Click(object sender, EventArgs e)
{
    // Validate the user against the Membership framework user store
    if (Membership.ValidateUser(UserName.Text, Password.Text))
    {
        // Log the user into the site: issues the forms cookie and redirects
        // to the ReturnUrl (or the default URL), ending this response
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
        return;
    }
    // If we reach here, the user's credentials were invalid
    InvalidCredentialsMessage.Visible = true;
}
You can check the user credentials within the Authenticate event of the Login control:
protected void myLogin_Authenticate(object sender, AuthenticateEventArgs e)
{
    // Get the email address entered in the Login control's template
    TextBox EmailTextBox = myLogin.FindControl("Email") as TextBox;
    string email = EmailTextBox == null ? string.Empty : EmailTextBox.Text.Trim();
    // Verify that the username/password pair is valid
    if (Membership.ValidateUser(myLogin.UserName, myLogin.Password))
    {
        // Username/password are valid, check email
        MembershipUser usrInfo = Membership.GetUser(myLogin.UserName);
        if (usrInfo != null && string.Compare(usrInfo.Email, email, true) == 0)
        {
            // Email matches, the credentials are valid
            e.Authenticated = true;
        }
        else
        {
            // Email address is invalid...
            e.Authenticated = false;
        }
    }
    else
    {
        // Username/password are not valid...
        e.Authenticated = false;
    }
}
For redirection depending on a specific role use this code:
protected void Login1_LoggedIn(object sender, EventArgs e)
{
    // LoggedIn fires after the forms cookie has been issued; Roles.IsUserInRole
    // asks the configured role provider. The redirect is only a convenience:
    // access to each folder is still enforced by its web.config <authorization>.
    if (Roles.IsUserInRole(Login1.UserName, "Admin"))
    {
        Response.Redirect("~/Admin/Default.aspx");
    }
    else if (Roles.IsUserInRole(Login1.UserName, "Examiner"))
    {
        Response.Redirect("~/Examiner/Default.aspx");
    }
    else
    {
        Response.Redirect("~/Login.aspx");
    }
}
Upvotes: 1
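The answer above leans on the Membership and Roles APIs. If the credentials and roles already live in the application's own table, as the question describes, the roles still have to end up on the request's principal, because `<allow roles="..."/>` is evaluated by UrlAuthorizationModule calling `User.IsInRole`. The example below is added here and is not code from the question or the answer: it stores the roles in the forms ticket's UserData when the user logs in, and rebuilds the principal from that ticket on every request. `UserStore.Validate`, the control names `UserName`, `Password`, `RememberMe` and `InvalidCredentialsMessage`, and the 30-minute lifetime are assumptions; the root web.config is assumed to contain `<authentication mode="Forms">` with a `<forms loginUrl="..."/>` element. The role names written to UserData must match the ones in the subdirectory's `<allow roles=.../>` exactly.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical credential check against the site's own user table.
// Returns the user's role names on success, or null when the user name or
// password does not match. The real query must be parameterised and compare
// the password against a salted hash, never against stored plain text.
public static class UserStore
{
    public static string[] Validate(string userName, string password)
    {
        // ... database lookup goes here ...
        return null;
    }
}

public partial class Login : System.Web.UI.Page
{
    // UserName, Password, RememberMe and InvalidCredentialsMessage are the
    // login page's controls (assumed names).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string[] roles = UserStore.Validate(UserName.Text, Password.Text);
        if (roles == null)
        {
            InvalidCredentialsMessage.Visible = true;
            return;
        }

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            UserName.Text,                       // authenticated user name
            now,                                 // issued
            now.AddMinutes(30),                  // expires (assumed lifetime)
            RememberMe.Checked,                  // persistent cookie?
            string.Join(",", roles),             // UserData, e.g. "Examiners"
            FormsAuthentication.FormsCookiePath);

        // Encrypt() both encrypts and MACs the ticket with the machineKey, so
        // a user cannot edit the cookie to grant themselves "Administrators".
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        Response.Cookies.Add(cookie);

        // Send the user back to the page that bounced them to the login form.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
    }
}

// Global.asax.cs: runs for every request, after FormsAuthenticationModule has
// validated the cookie and set a plain FormsIdentity. Replace that principal
// with one that knows the roles, so User.IsInRole("Examiners") and the
// <allow roles="..."/> rule in the subdirectory's web.config both work.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // tampered, stale-key or foreign cookie: stay anonymous
        }
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { ',' },
                                               StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Because the roles are frozen into the ticket at login, revoking a role takes effect only when the ticket expires or the user logs in again; keep the ticket lifetime short, or look the roles up per request instead, if that delay matters.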
Reputation: 6985
You will need to implement a membership and role provider that works with your database. The membership provider will authenticate the user and track which user is logged in. The role provider will determine what permissions the user has.
It sounds like you are approaching the problem from the wrong direction as far as the .NET membership and role providers go. Instead of you authenticating your users and then telling Microsoft's membership and role library who is logged in and what permissions they have, the .NET framework will authenticate your users by using a membership provider, and the framework will also tell your application what permissions a user has by using the role provider. You will essentially build plugins for the membership and role providers.
See here for more information on implementing a membership provider, and here for similar information on implementing a role provider.
Upvotes: 0
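The role-provider half of what this answer describes looks like the class below. It is an added example, not code from the answer or from Microsoft's tutorials, and it assumes a hypothetical schema of two tables, `Roles(RoleName)` and `UserRoles(UserName, RoleName)`, plus a connection string named `SiteDb`. Once it is registered under `<roleManager>` in the root web.config (shown in the comment at the top of the class), RoleManagerModule wraps every authenticated user in a RolePrincipal that calls this provider, so `Roles.IsUserInRole(...)`, `User.IsInRole(...)` and the `<allow roles="Administrators, Examiners"/>` rule in the subdirectory all consult the application's own tables. The `type` attribute is written for a class in App_Code; a compiled class needs the full `Namespace.Type, Assembly` form.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Web.Security;

// Read-only RoleProvider over the application's own tables (assumed schema:
// Roles(RoleName), UserRoles(UserName, RoleName)). Registration in the root
// web.config is what makes the framework call this class:
//
//   <connectionStrings>
//     <add name="SiteDb" connectionString="..." />
//   </connectionStrings>
//   <system.web>
//     <roleManager enabled="true" defaultProvider="DbRoleProvider">
//       <providers>
//         <clear />
//         <add name="DbRoleProvider" type="DbRoleProvider"
//              connectionStringName="SiteDb" />
//       </providers>
//     </roleManager>
//   </system.web>
public class DbRoleProvider : RoleProvider
{
    private string connectionString;

    public override string ApplicationName { get; set; }

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        base.Initialize(string.IsNullOrEmpty(name) ? "DbRoleProvider" : name, config);

        // connectionStringName on the <add> element refers to <connectionStrings>.
        ConnectionStringSettings cs =
            ConfigurationManager.ConnectionStrings[config["connectionStringName"]];
        if (cs == null)
            throw new ProviderException("connectionStringName is missing or unknown");
        connectionString = cs.ConnectionString;
    }

    // Runs a parameterised query and returns the first column of every row.
    // Parameters, never string concatenation: role and user names come from
    // the request and must not be able to alter the SQL.
    private string[] Column(string sql, params SqlParameter[] parameters)
    {
        var values = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) values.Add(reader.GetString(0));
            }
        }
        return values.ToArray();
    }

    // Called by RolePrincipal (once per request, then cached in the principal).
    public override string[] GetRolesForUser(string username)
    {
        return Column("SELECT RoleName FROM UserRoles WHERE UserName = @u",
                      new SqlParameter("@u", username));
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return Column("SELECT RoleName FROM UserRoles WHERE UserName = @u AND RoleName = @r",
                      new SqlParameter("@u", username),
                      new SqlParameter("@r", roleName)).Length > 0;
    }

    public override bool RoleExists(string roleName)
    {
        return Column("SELECT RoleName FROM Roles WHERE RoleName = @r",
                      new SqlParameter("@r", roleName)).Length > 0;
    }

    public override string[] GetAllRoles()
    {
        return Column("SELECT RoleName FROM Roles");
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return Column("SELECT UserName FROM UserRoles WHERE RoleName = @r",
                      new SqlParameter("@r", roleName));
    }

    // By provider convention usernameToMatch is a SQL LIKE pattern.
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        return Column("SELECT UserName FROM UserRoles WHERE RoleName = @r AND UserName LIKE @m",
                      new SqlParameter("@r", roleName),
                      new SqlParameter("@m", usernameToMatch));
    }

    // Role membership is administered directly in the database rather than
    // through the provider API, so the write operations are refused.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    { throw new NotSupportedException(); }
    public override void CreateRole(string roleName)
    { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)
    { throw new NotSupportedException(); }
}
```

With this in place the question's original pseudo code reduces to a row in UserRoles: inserting ("alice", "Examiners") is what "sets this user's role to Examiners", and the framework does the rest on the next request.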
Reputation: 10929
Everything you need to know about forms authentication is covered in this asp.net security tutorial series. It is very basic and step by step, so I hope you will not have any problem following it.
Upvotes: 0