IT Community - Software Programming, Web Development and Technical Support

How to Implement Role Based Security in ASP.NET

#1
03-29-2008, 12:23 AM
S.Vinothkumar
How to Implement Role Based Security in ASP.NET

Implementing Role Based Security in ASP.NET

Here is a thread on how to implement Role Based Security in ASP.NET.
__________________
S.VinothkumaR
Behind me is infinite power,
Before me is Endless Possibility,
Around me is Boundless Opportunity,
Why should I fear!

#2
03-29-2008, 12:26 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

ASP.NET allows three main ways to authenticate the user of the application. They are Windows Authentication, Forms Based Authentication and Passport Authentication. Out of these three, Windows and Forms authentication are most commonly used for intranet and internet applications respectively. Authentication involves validating that the user is who he claims to be. In many applications this is just not enough. You also need to grant access rights to the user based on his category. This process is referred to as authorization. The category I just mentioned is nothing but the role of the user. In this article we will see how to use Windows as well as Custom roles to authorize users of your application.

#3
03-31-2008, 03:03 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Identities

Identities are nothing but the users of your application and allow you to obtain information about that user. The classes (GenericIdentity and WindowsIdentity) and interfaces (IIdentity) required for working with Identities reside in the System.Security.Principal Namespace.

#4
03-31-2008, 03:03 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Roles

A role is nothing but a set of access rights that is assigned to the user. One user may have one or more roles. You must be familiar with Windows roles such as Administrator and Guest.

#5
03-31-2008, 03:05 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Principals

A Principal is a combination of the identity and role(s) of the user. The classes and interfaces related to Principals (GenericPrincipal, WindowsPrincipal and IPrincipal) can be found in the System.Security.Principal namespace.

#6
03-31-2008, 09:34 PM
amansundar
Re: How to Implement Role Based Security in ASP.NET

When to authorize a user?

Note that you should authorize a user only after authenticating. The Request.IsAuthenticated property tells you whether the user is authenticated or not. You should check this in the Application_AuthenticateRequest event handler in Global.asax. This event is fired for each request at the time of authenticating the user. If the user is already authenticated by Windows or Forms authentication, then you follow the above steps.
__________________
cheers
Aman

#7
03-31-2008, 09:34 PM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Authentication in ASP.NET
ASP.NET provides three ways to authenticate your users.

They are:

- Windows
- Forms
- Passport

Out of these three the first two are commonly used in ASP.NET applications.

Last edited by S.Vinothkumar: 03-31-2008 at 09:40 PM.

#8
03-31-2008, 09:42 PM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Role based security and Windows Authentication

When you use Windows authentication to authenticate a user, you also have roles for that user based on its Windows group. For example, a user User1 might belong to group Administrators and the same role can be used in ASP.NET applications. To check whether a user belongs to a particular role, you need to write something like this:
Code:
// Verbatim string (@) so the backslash is not read as an escape sequence
if (User.IsInRole(@"BUILTIN\Administrators"))
{
   //display all options
}
else
{
   //display limited options
}
Here, the IsInRole() method is used to check whether a given user has a given role. Note how we used BUILTIN for local users. If you are authenticating domain users you may write something like MYDOMAIN\Administrators. Also, note that here we didn't create any identity or principal object ourselves. Windows and ASP.NET automatically did that for us.

#9
03-31-2008, 09:44 PM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Role based security and Forms authentication

If you are authenticating users via Forms authentication then you need to take care of some extra steps. These steps are:

- Create a user identity
- Create an array of roles
- Create a principal based on user identity and list of roles
- Attach the principal to the current authenticated user

#10
03-31-2008, 09:47 PM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Create a user identity

User identity is represented by a class that implements the IIdentity interface. .NET comes with a class GenericIdentity that is a simple implementation of the IIdentity interface. Here, we will create a user identity using the GenericIdentity class.

Code:
// GenericIdentity is constructed from a name, so pass the name of the forms-authenticated identity
GenericIdentity gi = new GenericIdentity(User.Identity.Name);
Here, we used the same identity object as created by forms authentication (User.Identity) but you can use your own identity instead.

#11
04-02-2008, 03:37 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Hi,
Create an array of roles

Next, we need to create a string array containing the roles to which the user belongs.

string[] roles={"clerk","manager"};

#12
04-02-2008, 03:43 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Create a principal based on user identity and list of roles

We will now create a principal based on the identity and role information that we have. .NET provides a class called GenericPrincipal that represents a simple implementation of IPrincipal.

Code:
GenericPrincipal gp=new GenericPrincipal(gi,roles);

#13
04-02-2008, 03:52 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Attach the principal to the current authenticated user

Finally, we need to attach the principal we just created to the ASP.NET application. The way you do this is as follows:

Code:
Context.User = gp;
Here, Context.User represents the current principal of the application. You are replacing it with your own principal (gp). Note that the code for all the above steps will typically go in the Application_AuthenticateRequest event handler inside Global.asax.

#14
04-02-2008, 03:53 AM
S.Vinothkumar
Re: How to Implement Role Based Security in ASP.NET

Authorizing the user

Once you have done this, authorizing a user is the same as in Windows authentication.

Code:
if (User.IsInRole("manager"))
{
   //display all options
}
else
{
   //display limited options
}
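
The four Forms authentication steps from posts #9 to #13, together with the "authorize only after authenticating" check from post #6, combined in one Global.asax handler. This is an added example, not code from the thread. It assumes (the thread does not say where roles come from) that the login page stored a comma-separated role list in the ticket's UserData; `ParseRoles` is a hypothetical helper.

```csharp
// Global.asax.cs (added example, not code from the thread)
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Fires on every request, after FormsAuthenticationModule has
    // decrypted and validated the authentication cookie.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Authorize only after authentication: anonymous requests get no roles.
        if (!Request.IsAuthenticated)
            return;

        // Only rebuild the principal for Forms-authenticated users.
        FormsIdentity formsIdentity = Context.User.Identity as FormsIdentity;
        if (formsIdentity == null)
            return;

        // Assumption: the login page wrote "clerk,manager"-style role names
        // into the ticket's UserData. The ticket is encrypted and MAC-protected
        // by default, so the browser cannot edit it; roles must never come
        // from a separate cookie, query string or form field.
        string[] roles = ParseRoles(formsIdentity.Ticket.UserData);

        // Steps 1-3: identity, role array, principal. Step 4: attach it.
        GenericIdentity gi = new GenericIdentity(
            formsIdentity.Name, formsIdentity.AuthenticationType);
        Context.User = new GenericPrincipal(gi, roles);
    }

    // Hypothetical helper: splits the role list, dropping blanks so a
    // malformed value yields fewer roles, never an unexpected one.
    internal static string[] ParseRoles(string userData)
    {
        List<string> roles = new List<string>();
        foreach (string part in (userData ?? "").Split(','))
        {
            string role = part.Trim();
            if (role.Length > 0)
                roles.Add(role);
        }
        return roles.ToArray();
    }
}
```

Roles carried in the ticket stay in effect until the ticket expires, so a revoked role is honoured until then; a short ticket timeout or a per-request lookup against the server-side role store narrows that window.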
All times are GMT -7.


Copyright ©2004 - 2007, DiscussWeb. All Rights Reserved.
