UnauthorizedWebPart Class

Note: This class is new in the .NET Framework version 2.0.

Used to create a placeholder object whenever the WebPartManager control's IsAuthorized method returns false for a WebPart control. This class cannot be inherited.

Namespace: System.Web.UI.WebControls.WebParts
Assembly: System.Web (in system.web.dll)

public sealed class UnauthorizedWebPart : ProxyWebPart
public final class UnauthorizedWebPart extends ProxyWebPart
public final class UnauthorizedWebPart extends ProxyWebPart

The Web Parts control set provides an authorization mechanism for determining whether individual WebPart controls can be added to a page. Developers can optionally assign an arbitrary string to the AuthorizationFilter property on a WebPart control. When the WebPartManager control is adding controls to a page, it checks this filter value against criteria set by the developer, by using the IsAuthorized method, and returns false if a control is not authorized.


This mechanism also works with server controls and user controls that are placed in WebPartZoneBase zones, because these controls are wrapped with a GenericWebPart object at run time, and this object inherits the AuthorizationFilter property.

When a WebPart control is not authorized, the WebPartManager control inserts an UnauthorizedWebPart control into the control tree of the page in place of the unauthorized control. An UnauthorizedWebPart control in the control tree reserves the position of the unauthorized control in the page, and prevents any personalization data that a user might have previously applied to the WebPart control from being lost.

The UnauthorizedWebPart control is never displayed on a page in which it is inserted, nor does it appear in the source code for the rendered page. Developers can verify its presence in the page control tree by checking the WebParts property of the WebPartManager control.

The following code example demonstrates the use of the UnauthorizedWebPart control.

The first part of the code example is a custom WebPartManager control that overrides the IsAuthorized(WebPart) method to create custom authorization criteria. Any WebPart control that has its AuthorizationFilter property set to a specific value, or any control that has no value assigned to the property, will be authorized, and controls not meeting these criteria will not be authorized.

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

namespace Samples.AspNet.CS.Controls
  public class MyManagerAuthorize : WebPartManager
    public override bool IsAuthorized(Type type, string path, string authorizationFilter, bool isShared)
      if (!String.IsNullOrEmpty(authorizationFilter))
        if (authorizationFilter == "admin")
          return true;
          return false;
        return true;


The second part of the code example is the Web page that hosts the custom WebPartManager control. There are three static server controls declared within the <asp:webpartzone> element. Although these controls are not actually WebPart controls, they will be wrapped with a GenericWebPart object at run time, so you can treat them as WebPart controls and thus assign values to their AuthorizationFilter properties. Notice that the BulletedList control has its filter set to the value that should enable it to be authorized, according to the criteria in the custom WebPartManager control. The Label control has a filter value that should cause it not to be authorized. The Calendar control does not assign a value to the property, so by default it should be authorized.

<%@ Page Language="C#" %>
<%@ Register TagPrefix="aspSample"
    Namespace="Samples.AspNet.CS.Controls" %>

<script runat="server">
  protected void Page_Load(object sender, EventArgs e)
    foreach (WebPart part in mgr1.WebParts)
      if (mgr1.IsAuthorized(part))
        part.ExportMode = WebPartExportMode.All;

  protected void Button1_Click(object sender, EventArgs e)
    Label2.Text = String.Empty;
    foreach (WebPart part in mgr1.WebParts)
      Label2.Text += part.ID + "<br />";

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
    <form id="form1" runat="server">
      <aspSample:MyManagerAuthorize ID="mgr1" runat="server" />
      <asp:WebPartZone ID="WebPartZone1" runat="server">
            Title="Favorite Links"
            <asp:ListItem Value="http://msdn.microsoft.com">
            <asp:ListItem Value="http://www.asp.net">
            <asp:ListItem Value="http://www.msn.com">
          <asp:Label ID="Label1" runat="server" 
            Text="Hello World"
            AuthorizationFilter="user" />
          <asp:Calendar ID="Calendar1" runat="server"></asp:Calendar>
      <hr />
      <asp:Button ID="Button1" runat="server" 
        Text="List WebPart Controls" OnClick="Button1_Click" />
      <br />
      <asp:Label ID="Label2" runat="server" 
        Text="" />

The third part of the code example is a setting you must add in the Web.config file to enable exporting Web Parts description files. Ensure that you have a Web.config file in the same directory as the Web page for this code example. Within the <system.web> section, make sure there is a <webParts> element with an enableExport attribute set to true, as in the following markup.

<webParts enableExport="true">



Load the page in a browser, and notice that the BulletedList and Calendar controls are rendered as expected, but the Label control is not rendered because it was not authorized. Clicking the List WebPart Controls button causes the WebPartManager control to list the IDs of all controls in its WebParts collection. Note that the ID for the Label control is listed, proving that an UnauthorizedWebPart control was added to the page control tree to hold its place, even though the label is not rendered in the page.

  • AspNetHostingPermission  for operating in a hosted environment. Demand value: LinkDemand; Permission value: Minimal.
  • AspNetHostingPermission  for operating in a hosted environment. Demand value: InheritanceDemand; Permission value: Minimal.


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 98, Windows 2000 SP4, Windows Millennium Edition, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

.NET Framework

Supported in: 2.0

Community Additions