Manages user membership in roles for authorization checking in an ASP.NET application. This class cannot be inherited.
Assembly: System.Web (in System.Web.dll)
Thetype exposes the following members.
|ApplicationName||Gets or sets the name of the application to store and retrieve role information for.|
|CacheRolesInCookie||Gets a value indicating whether the current user's roles are cached in a cookie.|
|CookieName||Gets the name of the cookie where role names are cached.|
|CookiePath||Gets the path for the cached role names cookie.|
|CookieProtectionValue||Gets a value that indicates how role names cached in a cookie are protected.|
|CookieRequireSSL||Gets a value indicating whether the role names cookie requires SSL in order to be returned to the server.|
|CookieSlidingExpiration||Indicates whether the role names cookie expiration date and time will be reset periodically.|
|CookieTimeout||Gets the number of minutes before the roles cookie expires.|
|CreatePersistentCookie||Gets a value indicating whether the role-names cookie is session-based or persistent.|
|Domain||Gets the value of the domain of the role-names cookie.|
|Enabled||Gets or sets a value indicating whether role management is enabled for the current Web application.|
|MaxCachedResults||Gets the maximum number of role names to be cached for a user.|
|Provider||Gets the default role provider for the application.|
|Providers||Gets a collection of the role providers for the ASP.NET application.|
|AddUsersToRole||Adds the specified users to the specified role.|
|AddUsersToRoles||Adds the specified users to the specified roles.|
|AddUserToRole||Adds the specified user to the specified role.|
|AddUserToRoles||Adds the specified user to the specified roles.|
|CreateRole||Adds a new role to the data source.|
|DeleteCookie||Deletes the cookie where role names are cached.|
|DeleteRole(String)||Removes a role from the data source.|
|DeleteRole(String, Boolean)||Removes a role from the data source.|
|FindUsersInRole||Gets a list of users in a specified role where the user name contains the specified user name to match.|
|GetAllRoles||Gets a list of all the roles for the application.|
|GetRolesForUser()||Gets a list of the roles that the currently logged-on user is in.|
|GetRolesForUser(String)||Gets a list of the roles that a user is in.|
|GetUsersInRole||Gets a list of users in the specified role.|
|IsUserInRole(String)||Gets a value indicating whether the currently logged-on user is in the specified role.|
|IsUserInRole(String, String)||Gets a value indicating whether the specified user is in the specified role.|
|RemoveUserFromRole||Removes the specified user from the specified role.|
|RemoveUserFromRoles||Removes the specified user from the specified roles.|
|RemoveUsersFromRole||Removes the specified users from the specified role.|
|RemoveUsersFromRoles||Removes the specified user names from the specified roles.|
|RoleExists||Gets a value indicating whether the specified role name already exists in the role data source.|
ASP.NET role management enables you to manage authorization for your application based on groups of users, referred to as roles. By assigning users to roles, you can control access to different parts or features of your Web application based on role instead of, or in addition to, specifying authorization based on user name. For example, an employee application might have roles such as Managers, Employees, Directors, and so on, where different privileges are specified for each role.
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
To enable role management for your ASP.NET application, use the roleManager element of the system.web section in the Web.config file for your application, as shown in the following example.
<configuration> <connectionStrings> <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" /> </connectionStrings> <system.web> <authentication mode="Forms" > <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" /> </authentication> <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlServices" applicationName="SampleApplication" /> </providers> </roleManager> </system.web> </configuration>
You can specify authorization rules in the configuration file for your Web application or programmatically in your code. For example, the following authorization section from a Web.config file requires users to log on (by denying anonymous users), and then allows only users in the Administrators role to have access.
<authorization> <deny users="?" /> <allow roles="Administrators" /> <deny users="*" /> </authorization>
If you use the authorization section in your application's Web.config file to specify authorization based on roles, users of your application must supply an authenticated user identity. You can authenticate users by using either Windows or Forms authentication. Anonymous users cannot be assigned to a role. Roles can be used independently of, or in conjunction with, the ASP.NET Membership classes.
To verify role membership programmatically, you can use the class or the Page.User property with the IsUserInRole method, or you can use the Page.User property with the IPrincipal.IsInRole method. For sample code that programmatically checks role membership, see the Example section in this topic.
The class also enables you to create and delete roles and to add users to or remove users from roles.
If you have configured your application to use the WindowsTokenRoleProvider class, you cannot modify roles or role membership. The WindowsTokenRoleProvider class verifies membership in Windows security groups only. In this case, you must use Windows user account management rather than ASP.NET roles to create and delete groups and manage group membership.
You can store role information in several data sources.
You can use the WindowsTokenRoleProvider class to retrieve role information based on membership in Windows groups.
You can store role information in a SQL Server database by using the SqlRoleProvider class.
If you have existing role information, or want to store role information in and retrieve role information from a data source other than Windows, an Authorization Store, or SQL Server, you can implement a custom role provider by creating a class that inherits the RoleProvider abstract class. For more information, see Implementing a Role Provider.
If a user's browser accepts cookies, you can store role information for that user in a cookie on the user's computer. On each page request, ASP.NET reads the role information for that user from the cookie. This can improve application performance by reducing the amount of communication required with the data source to retrieve role information. If the role information for a user is too long to store in a cookie, ASP.NET stores just the most recently used role information in the cookie and then looks up additional role information in the data source as required. If the user's browser does not support cookies or cookies are disabled, role information is not cached in a cookie.
You can improve the reliability of the role names cached in a cookie by specifying a CookieProtectionValue property when you configure ASP.NET roles. The default CookieProtectionValue is All, which encrypts role names in the cookie and validates that the cookie contents have not been altered.
The following example shows the Web.config file for an application configured to use both ASP.NET membership and ASP.NET roles and to use the SqlRoleProvider to store membership and role information in a SQL Server database. Users are authenticated with forms authentication and only users in the Administrators role are allowed access to the application.
<configuration> <connectionStrings> <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" /> </connectionStrings> <system.web> <authentication mode="Forms" > <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" /> </authentication> <authorization> <deny users="?" /> <allow roles="Administrators" /> <deny users="*" /> </authorization> <membership defaultProvider="AspNetSqlProvider" userIsOnlineTimeWindow="15"> </membership> <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="true" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <clear /> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlServices" applicationName="SampleApplication" /> </providers> </roleManager> </system.web> </configuration>
The following code example programmatically checks whether the logged-on user is in the Administrators role before allowing the user to view other users' roles.