How to: Authorize Web Pages
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
Authorization determines whether an identity should be granted access to a specific resource. Using ASP.NET URL authorization, you can explicitly allow or deny access to a particular directory by user name or role. This means that you can use the ASP.NET authorization module when you need to check if your application’s URL authorization requirements are satisfied by either a user name or a role.
The Composite Web Application Block includes components that you can use to implement rule-based authorization for URLs and site map nodes. With rule-based authorization, you create custom rules and associate those rules with URLs and site map nodes. When a user attempts to access a resource, the rules are evaluated for that user and the user is either allowed or denied access to the resource.
By default, the Web Client Software Factory uses the Enterprise Library Security Application Block to perform the authorization check for a rule. For more information about the Security Application Block, see Security Application Block in the Microsoft patterns & practices Developer Center on MSDN.
This topic describes how to secure Web pages by using rule-based authorization.
This topic assumes that you have an existing Web client solution with ASP.NET authentication enabled.
For information about how to create a Web client solution, see How to: Create a Web Client Solution.
For more information about ASP.NET authentication, see Authentication in ASP.NET: .NET Security Guidance.
When you use the default authorization service provided by the Web Client Software Factory (which uses the Security Application Block to perform authorization checks for rules), you must define the authorization rules for your application in your application configuration file. Typically, the rules include the roles or users that are associated with the rules.
You can manually define rules by editing the Web.config file or using the Enterprise Library Configuration Editor. The Configuration Editor is used to create and modify configuration files. It has the same functionality as the stand-alone Enterprise Library Configuration Console, but it uses the Visual Studio Properties window to display application block properties and uses the errors list to display configuration errors.
The following procedure describes how to define rules using the Enterprise Library Configuration Editor.
|Note: To use the Enterprise Library Configuration Editor, you must have Enterprise Library 5.0 installed. For more information about Enterprise Library 5.0, including download information, see http://msdn.microsoft.com/entlib/.|
To define an authorization rule for a Web page using the Enterprise Library Configuration Editor
- In Solution Explorer, right-click the Web.config file in the root of your Web site, and then click Edit Enterprise Library Configuration to open the Enterprise Library Configuration Editor.
- Expand the Security Application Block node. The RuleProvider subnode represents the Authorization Rule Provider included in the Security Application Block. This provider uses rules that you define in the application configuration file. An authorization rule specifies the circumstances under which a user is authorized to perform a particular task.
- Right-click the RuleProvider node, point to New, and then click Add Authorization Rule to define a new rule.
- (Optional) Change the name of the rule. Figure 1 illustrates the Enterprise Library Configuration Editor with a rule named AllowViewAccount.
- Click on the ellipsis next to Rule to enter a rule expression in the Properties window for the rule. The following are examples of rule expressions:
- R:[Allowed Role] (where [Allowed Role] is a valid role for users). This rule will be satisfied if the current logged in user is a member of the given role.
- NOT I:?. This rule will be satisfied if the user is logged in.
Note: Note: For more information about defining rules, see “Entering Configuration Information” in Enterprise Library Help.
- Save the file.
The following procedure describes how to manually define an authorization rule by editing the Web.config file of your application.
To manually define an authorization rule for a Web page
- Open the Web.config file in the root of your Web site.
- Locate the securityConfiguration section. The Create Web Client Solution recipe defines this section when you run it.
<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance=""> <authorizationProviders> <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=5.0.414.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" name="RuleProvider"> <rules> <!-- Add your own rules here: e.g.: <add expression="R:Administrator" name="AllowViewAccountsSummary"/> --> </rules> </add> </authorizationProviders> </securityConfiguration>
- Add rule expressions within the rules node. For more information about how to define rules, see Enterprise Library Help.
The following procedure describes how to associate a Web page with an authorization rule.
To associate a Web page with an authorization rule
- Open the Web.config file located in the folder where the Web page is located, and then add a rule XML element within the compositeWeb/authorization element. Define the following attributes for a rule XML element:
- Url. This is the URL that the rule is associated to.
- Rule. This is the name of the rule associated to the URL.
The following XML illustrates a rule that restricts access to the ViewAccount.aspx Web page to users for which the evaluation of the AllowViewAccount rule returns true.
You can use authorization rules to control whether a site map node can be viewed by the current user. For information about how to do this, see How to: Add Module Pages to the Site Map.