Walkthrough: Managing Web Site Users with Roles
Many ASP.NET applications involve membership — authenticating users so that they have access to restricted resources, such as members-only pages. If the application will support many users, or if the list of users is likely to change over time, consider establishing roles to manage user access. A role is the name of a group, such as managers, sales, or members. After establishing roles, you can assign individual users to a role. Then, you can grant permissions to a role, and every user in that role inherits the permissions you have assigned. Roles are therefore an efficient way to manage permissions for groups of users.
During this walkthrough, you will learn how to:
Establish roles for an application.
Assign users to roles.
Create rules (permissions) that selectively grant or deny access to pages for different roles.
Programmatically determine whether a user is in a particular role and which roles the current user is in.
Prerequisites
In order to complete this walkthrough, you will need:
Visual Studio.
The .NET Framework.
IIS installed locally on your computer.
SQL Server Express Edition installed locally on your computer.
A way to identify individual users.
Note
In working applications, you can identify users in various ways, including by their Windows user account. However, in this walkthrough, users will identify themselves by logging in to your site. Therefore, this walkthrough requires that you have a site configured to use ASP.NET membership. If you have a site already configured with membership, you can use that site as a starting point for this walkthrough.
Configuring a Web Site, Membership, and Roles
Before you work with ASP.NET roles, you must have a Web site available, and configure the site to enable membership and set up user roles. If you have completed the topic Walkthrough: Creating a Web Site with Membership and User Login, you can use the Web site that you configured in that walkthrough.
If you do not already have a Web site available, use the following procedure to create one. Otherwise, go to the next section "Creating Folders for Member-Only Pages."
To create a local IIS Web site
Open Visual Studio.
On the File menu, click New Web Site.
The New Web Site dialog box appears.
Under Visual Studio installed templates, select ASP.NET Web Site.
In the Location list box, select File System.
Click Browse, and then select a directory for your application, such as C:\RolesWebSite.
In the Languages box, click the programming language that you prefer to work in.
The programming language you choose will be the default for your Web site, but you can set the programming languages for each page individually.
Click OK in the New Web Site dialog box.
Visual Web Developer creates the Web site and a new page named Default.aspx.
Creating Folders for Member-Only Pages
In order to work with roles, you will need to create two folders, MemberPages and GuestPages, where you can keep pages that have restricted access.
Note
If you are re-using the Web site from the membership walkthrough, you probably already have this folder and can skip step 1 of the following procedure.
To create folders for restricted access
In Solution Explorer, right-click the root of your Web site, click New Folder, and then name the folder MemberPages.
This folder will contain a page that is accessible to only some of your users.
Right-click the root of your Web site, click New Folder, and then name the folder GuestPages.
This folder will contain a page accessible to any logged-in user (but not to anonymous users).
Configuring the Web Site for Membership and Roles
After creating the basic Web site, you can configure it to use membership and roles.
To configure the Web site for membership and roles
On the Web site menu, click ASP.NET Configuration.
Select the Security tab, click the link to Use the security Setup Wizard to configure security step by step, and then click Next.
Proceed to Step 2 of the wizard. The wizard displays a page where you can select the authentication method that your Web site will use.
Select the From the Internet option.
This option specifies that your application will use Forms authentication, where users will log into the application using a login page that you will create later in this walkthrough.
Click Next.
The wizard displays a message stating that user information will be stored using Advanced provider settings. Your application will use the default provider, which stores membership information in a SQL Server Express Edition database file in the App_Data folder of your Web site.
Click Next again.
In Step 4: Define Roles, select the Enable roles for this Web site check box, and then click Next.
When prompted, create two roles, members and guests, and then click Next.
In Step 5: Add New Users, create three users named member1, guest1, and memberGuest.
You can assign any strong passwords you like, but be sure to remember them. Passwords must be at least 7 characters long, and at least one of the characters must be non-alphanumeric. For the e-mail address, use your own. (You will not be sending e-mail messages in this walkthrough.)
Note
Do not close the Web Site Administration Tool yet.
The Web site that you are creating will allow users to gain access to different pages according to their roles. Therefore, you need to create some access rules that determine which roles have access to which folders.
To set up access rules for the site folders
In the security wizard of the Web Site Administration Tool, click Next.
Step 6: Add New Access Rules displays a page where you can create rules that determine which roles (or users) can gain access to the pages in your Web site.
Under Select a directory for this rule, expand the root node, and then click GuestPages.
Under Rule applies to, select Anonymous Users.
Under Permission, select Deny.
The rule you are creating denies access to anonymous users — that is, users who have not logged in.
Click Add This Rule.
The new rule is displayed in the grid at the bottom of the page. When users request a page from the GuestPages directory, the rules are checked in order, from top to bottom, to determine whether the user is allowed access to the page. If the user is not logged in, the pages in this folder will not be displayed.
Under Select a directory for this rule, click MemberPages.
Under Rule applies to, select Role, and then in the drop-down list, click members.
Under Permission, select Allow.
The rule you are creating grants access permissions for the MemberPages folder to anyone in the members role.
Click Add This Rule.
Under Select a directory for this rule, click MemberPages.
Under Rule applies to, select All Users.
Under Permission, select Deny.
Click Add This Rule.
The second rule for the MemberPages folder makes sure that no one except users in the members role can gain access to the folder. The rules are processed in order, from top to bottom, as you see them in the grid.
The first rule (Allow) grants access to users in the role named members. The second rule (Deny) denies access to all other users. You can create as many Allow or Deny rules as you need for your application. When users request a page from the MemberPages directory, the rules are applied in order, from top to bottom, to determine whether the user is allowed access to the page.
Click Finish to return to the Security tab.
Note
Do not close the Web Site Administration Tool yet.
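The access rules you added in the wizard are stored as authorization elements in web.config files, one in each protected folder, and the root web.config holds the Forms authentication and role manager settings. The following fragments are an added illustration of what those files contain, not copied from the wizard's output; the loginUrl value is an assumption that matches the Login.aspx page created later, and the rule order inside each authorization element is what makes the rules work: the first matching allow or deny wins, so placing deny users="*" above allow roles="members" would lock out members as well.

```xml
<!-- Root web.config (relevant fragments only; assumed values) -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated users are sent to Login.aspx -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Enables the role manager so roles="..." rules can be evaluated -->
    <roleManager enabled="true" />
  </system.web>
</configuration>

<!-- GuestPages/web.config: deny anonymous users ("?"), allow everyone else -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- MemberPages/web.config: rules are evaluated top to bottom, first match wins -->
<configuration>
  <system.web>
    <authorization>
      <!-- Members (including memberGuest) match here and are allowed in -->
      <allow roles="members" />
      <!-- Everyone else ("*" = all users, anonymous or not) is denied -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

If you later find a folder unexpectedly open or closed, reading its web.config in this order is the quickest way to check which rule is matching first.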
Assigning Users to Roles
You must perform one last configuration step: assigning the users you have created to roles.
To assign users to roles
On the Security tab of the Web Site Administration Tool, under Users, click Manage users.
In the row for guest1, click Edit Roles.
The Roles box is filled in with a list of available roles.
Select the guests check box to assign the user guest1 to the role guests.
In the row for member1, click Edit Roles and assign the user member1 to the role members.
Using the same technique, assign the user memberGuest to both the guests and members roles.
Close the Web Site Administration tool, and then do the following:
In Solution Explorer, click the refresh icon.
On the Web site menu, click ASP.NET Configuration to restart the Web Site Administration tool.
This ensures that the connection to the Membership database that was used by the Web Site Administration tool is closed.
Close the Web Site Administration tool again.
Adding Pages with Restricted Access
To test your membership and role settings, you need to create a way for users to log in so that you can identify them. You must also create some Web pages that will allow you to test the access rules you have created.
To create a default page for all users
Switch to Visual Studio.
Open or switch to the Default.aspx page, and then switch to Design view.
If you do not have a Default.aspx page, add one to the root of your Web site.
Note
Be sure to name the page Default.aspx; this name is used later in the walkthrough.
Add a heading with text, such as Welcome!
In the Toolbox, from the Login group, drag a LoginStatus control onto the page.
When clicked, the LoginStatus control takes users to the Login.aspx page if they have not already logged in.
From the Login group in the Toolbox, drag a LoginName control onto the page. Set the FormatString property to "Hello {0}."
The LoginName control will display the user's name if the user is logged in.
In the Toolbox, from the Standard group, drag a HyperLink control onto the page. In the Properties panel for the HyperLink control, set the Text property to Guests and Members and the href property to ~/GuestPages/Guests.aspx.
Note
You will create the Guests.aspx page later in this walkthrough.
In the Toolbox, from the Standard group, drag another HyperLink control onto the page. In the Properties panel for the HyperLink control, set the Text property to Members and the href property to ~/MemberPages/Members.aspx.
Note
You will create the Members.aspx page later in this walkthrough.
You now have a home page that is available to all users. From here, users can link to additional pages, some of which will be restricted. The next step is to create a simple login page.
To create a login page
In Solution Explorer, right-click the root folder of your Web site and select Add New Item. Add a Web Form named Login.aspx to your Web site.
In the Login.aspx page, switch to Design view.
In the Toolbox, from the Login group, drag a Login control onto the page.
In the Properties panel for the Login control, set the DestinationPageUrl property to ~/Default.aspx.
Finally, you need to create some pages that represent the restricted content of your site.
To create restricted pages
In Solution Explorer, right-click the GuestPages folder, click Add New Item, and add a Web Form named Guests.aspx in this folder.
Switch to Design view and add a heading to the Guests.aspx page, such as Welcome to the Guests page!
In the Toolbox, from the Standard group, drag a HyperLink control onto the page. In the Properties panel for the HyperLink control, set the Text property to Home and the href property to ~/Default.aspx.
In Solution Explorer, right-click the MemberPages folder, select Add New Item, and add a Web Form named Members.aspx.
Switch to Design view and add a heading to the Members.aspx page, such as Welcome to the Members page!
In the Toolbox, from the Standard group, drag a HyperLink control onto the page.
In the Properties panel for the HyperLink control, set the Text property to Home and the href property to ~/Default.aspx.
You do not have to add any code to the pages to restrict access to them. They are restricted because they reside in folders that are protected with access rules.
Testing Roles
Your site is now ready for testing.
To test roles
Switch to the Default.aspx page, and then press CTRL+F5 to run it.
Click Guests and Members.
You are redirected to the Login.aspx page because you are attempting to access a page that does not allow anonymous users.
Log in as guest1, who is in the role of guests.
After you log in successfully, you are redirected to the Guests.aspx page.
Click Home to return to the Default.aspx page.
The Default.aspx page displays the text Hello, guest1 where you put the LoginName control. In addition, the LoginStatus control has changed text from Login to Logout, because you are now logged in as guest1.
Click Guests and Members.
This time, you go straight to the Guests.aspx page because you are already logged in as a user in the role of guests.
Click Home to return to the Default.aspx page.
Click Members.
You are redirected to the Login.aspx page because guest1 does not have permissions for the Members.aspx page.
Log in either as member1 or as memberGuest.
You are redirected to the Members.aspx page because you are now logged in as a user in the role of members.
Click Home to return to the Default.aspx page.
The page now reflects your new login name.
Next Steps
This walkthrough illustrates the basic functionality of ASP.NET role management. You might want to experiment with additional features of role management. For example, you might want to:
Work with Windows roles instead of custom roles that you create in the membership system.
Work programmatically with roles. For details, see Managing Authorization Using Roles.
Alternatively, you can create a custom provider that allows you to use an existing or custom data store for membership and role information. For more information, see Implementing a Role Provider.
Apply access rules to links that are displayed in the navigational structure of your Web site. For more information, see Walkthrough: Filtering Site-Map Nodes Based on Security Roles.
See Also
Tasks
Walkthrough: Creating a Web Site with Membership and User Login
Walkthrough: Filtering Site-Map Nodes Based on Security Roles