WebPartManager.IsAuthorized Method (Type, String, String, Boolean)


The .NET API Reference documentation has a new home. Visit the .NET API Browser on docs.microsoft.com to see the new experience.

Carries out the final steps in determining whether a control is authorized to be added to a page.

Namespace:   System.Web.UI.WebControls.WebParts
Assembly:  System.Web (in System.Web.dll)

public virtual bool IsAuthorized(
	Type type,
	string path,
	string authorizationFilter,
	bool isShared


Type: System.Type

The Type of the control being checked for authorization.

Type: System.String

The relative application path to the source file for the control being authorized, if the control is a user control.

Type: System.String

An arbitrary string value assigned to the AuthorizationFilter property of a WebPart control, used to authorize whether a control can be added to a page.

Type: System.Boolean

Indicates whether the control being checked for authorization is a shared control, meaning that it is visible to many or all users of the application, and its IsShared property value is set to true.

Return Value

Type: System.Boolean

A Boolean value that indicates whether a control is authorized to be added to a page.

Exception Condition

type is null.


type is a user control, and path is either null or an empty string ("").

- or -

type is not a user control, and path has a value assigned to it.

The IsAuthorized(Type, String, String, Boolean) overload method carries out the final steps in determining whether a control is authorized to be added to a page. The method ensures that type is a valid type, and that path has a value only if the control being checked is a user control. Then it calls the critical OnAuthorizeWebPart method, which raises the AuthorizeWebPart event.

Notes to Inheritors:

This method can be overridden by inheriting from the WebPartManager class, if you want to provide additional handling when checking authorization. You might want to override the method to check for certain values in the authorizationFilter parameter, and based on the value, return a Boolean value that determines whether the control will be added to a page.

For page developers who also want to check for authorization filters and provide custom handling, there is an option for doing this inline in an .aspx page, or in a code-behind file, without having to inherit from any classes. You can declare an alternate event handler in the page for the OnAuthorizeWebPart method of the WebPartManager control. For more details and an example, see the OnAuthorizeWebPart method.

The following code example demonstrates how to override the IsAuthorized method to determine whether a control is authorized to be added to a page.

The first step is to create a filter that can potentially exclude a control. The following Web page contains three ASP.NET server controls in an <asp:webpartzone> element. Notice that the first and second controls have their AuthorizationFilter properties set to different values, and the third does not assign the property. This authorization value can be checked at run time, and the control can be added to the page if the filter matches criteria set by the developer.

<%@ Page Language="C#" %>
<%@ Register Namespace="Samples.AspNet.CS.Controls" 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<script runat="server">

  protected void Page_Load(object sender, EventArgs e)
    foreach (WebPart part in mgr1.WebParts)
      if (mgr1.IsAuthorized(part))
        part.ExportMode = WebPartExportMode.All;


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
    <form id="form1" runat="server">
      <aspSample:MyManagerAuthorize ID="mgr1" runat="server"  />
      <asp:WebPartZone ID="WebPartZone1" runat="server">
            Title="Favorite Links"
            <asp:ListItem Value="http://msdn.microsoft.com">
            <asp:ListItem Value="http://www.asp.net">
            <asp:ListItem Value="http://www.msn.com">
          <asp:Label ID="Label1" runat="server" 
            Text="Hello World"
            AuthorizationFilter="user" />
          <asp:Calendar ID="Calendar1" runat="server"></asp:Calendar>
      <hr />
      <asp:Literal ID="Literal1" runat="server"></asp:Literal>

The second step is to override the IsAuthorized(Type, String, String, Boolean) method, and create custom handling for authorization filters. Note that the code first checks whether the property has a value, so that any control that does not assign the AuthorizationFilter property will be added automatically. If a control has a filter, the code returns true only if the filter value is equal to admin. This demonstrates a simple mechanism you can use for displaying certain controls to certain users, depending on their role. While a full example using roles is beyond the scope of this topic, you could use the same logic as the overridden method in this code example, except that you could check whether the current user is in a role that matches the authorization filter value, and then add the control only for that user. This would enable you to create pages where some users would see all the controls, and other users would see only selected controls. This is how the logic that checks the filter might look if you used roles:

[Visual Basic]

If Roles.IsUserInRole(Page.User.Identity.Name, authorizationFilter) Then
  return True
  return False
End If


if(Roles.IsUserInRole(Page.User.Identity.Name, authorizationFilter))
    return true;
    return false;

For the code example to run, you must compile this source code. You can compile it explicitly and put the resulting assembly in your Web site's Bin folder or the global assembly cache. Alternatively, you can put the source code in your site's App_Code folder, where it will be dynamically compiled at run time. This code example uses the dynamic compile method. For a walkthrough that demonstrates how to compile, see Walkthrough: Developing and Using a Custom Web Server Control.

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

namespace Samples.AspNet.CS.Controls
  public class MyManagerAuthorize : WebPartManager
    public override bool IsAuthorized(Type type, string path, string authorizationFilter, bool isShared)
      if (!String.IsNullOrEmpty(authorizationFilter))
        if (authorizationFilter == "admin")
          return true;
          return false;
        return true;


After you load the page in a browser, note that the first control is displayed, because it matches the criteria in the overridden method. The second control is not added to the page, because its filter value is excluded. The third control is added, because it does not have its AuthorizationFilter property set. If you change the property value on the second control to match that of the first control, and then run the page again, the second control is added as well.

.NET Framework
Available since 2.0
Return to top