
ASP.NET Forms Security, Part 2

by Jesse Liberty

In my previous column, I showed how to add web form security to your ASP.NET 2.0 application, and how to add users. In this follow-up, I'll demonstrate how easy it is to create and manage roles.

Roles are essentially groups of users with specific permissions. For example, you might create roles such as Managers, Users, Administrators, Guests, and so forth. Users are assigned to one or more roles, and based on their membership in those roles, each user will have access to the appropriate parts of your application. Within any given page, the user may see different data or different controls based on the role to which the user belongs.

To illustrate this, we'll recreate the example program from the previous column, but build on it to add roles and role management.

Implementing Roles

This time, just to see another way to do things, create a new web project before you create the virtual directory. Name your new project "SecurityRoles."

Open IIS manager and create a virtual directory that points to the directory with the default.aspx file for your new application. Once the virtual directory is created, highlight it and click Properties. In the Properties window, click on the ASP.NET tab, and then click Edit Configuration. Click on the Authentication Tab, set the Authentication Mode to Forms, and click Role Management Enabled, as shown in Figure 1.

Figure 1.

If you return to the directory you created, you'll find that a web.config file has been created for you, with a configuration section in which the authentication mode is set to Forms.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authentication mode="Forms" />
        <roleManager enabled="true" />
    </system.web>
</configuration>

You can, of course, create and edit this file by hand, if you prefer.

Add the existing pages from the previous article. Begin by copying the .aspx and aspx.cs files from the earlier project into your new directory, using Windows Explorer. Once the files are physically copied, right-click on the new project in the Solution Explorer and choose Add Existing Item. Add the .aspx files as shown in Figure 2 (the .cs files will come along automatically).

Figure 2.


Once you've added these files to your new project, modify the default page by adding two hyperlinks, one with the text Add User and a second with the text ManageRoles. Set the first link to redirect the user to the AddUser page you imported. Be sure to set the ContinueDestinationPageUrl on the AddUser page to the default page, so that you return to the default page after adding each user.

Set the default page as the start page for the project. Run the application, and navigate to the AddUser page, where you will add a few test user accounts.

The ManageRoles link on the default page will navigate to a new page you'll create named ManageRoles.aspx. To create the ManageRoles page, start with the example provided in the MSDN documentation for the May Community Preview.*

Copy the provided sample code into your ManageRoles page. Now you'll make a few changes. Put the HTML in the ManageRoles.aspx file and the code (without the script tags) into ManageRoles.aspx.cs (just delete the script and end script tags).

Once the code is in place, go to the HTML in the .aspx page and find the column with the asp:Button whose ID is AddUsersButton. Replace that td element and its contents with the following HTML:

<td valign="top" visible="false">
        <asp:Button Text="Add User(s) to Role" id="btnAddUsersToRole"
        runat="server" OnClick="AddUsers_OnClick" />
        <asp:Button Text="Create new Role" id="btnCreateRole"
         runat="server" OnClick="CreateRole_OnClick" 
         Width="170px" Height="24px" />
        <asp:Panel ID="pnlCreateRole" Runat="server" Width="259px" 
          Height="79px" Visible="False" BackColor="#E0E0E0">
          <br />
          <asp:Label ID="Label2" Runat="server" 
           Text="New Role:" Width="72px" Height="19px"/>
          <asp:TextBox ID="txtNewRole" Runat="server"/> <br />
            <br />
          <asp:Button ID="btnAddRole" Runat="server" Text="Add"
           OnClick="btnAddRole_Click" Width="64px" Height="24px" /><br />
        </asp:Panel>
</td>

This replacement HTML creates a table within the cell, in which you have added the button that was in the sample (Add User(s) to Role) and a new button (Create new Role) as well as a panel. In the panel are a label (New Role), a text box, and a button (Add). That panel stays invisible until you click the Create New Role button. When the user enters a role name in the text box and clicks Add, the role will be added and the panel closed. You'll need an event handler for the Create New Role button:

void CreateRole_OnClick(object sender, EventArgs e)
{
  pnlCreateRole.Visible = true;
}

The heart of the work is done in the event handler for the Add button within the panel. Assuming the text box is not empty, you check to ensure that the role does not already exist, and then you create the new role with the static method CreateRole:

void btnAddRole_Click(object sender, EventArgs e)
{
  // make sure you have some text in the name of the role
  if (txtNewRole.Text.Length > 0)
  {
    string newRole = txtNewRole.Text;

    // if the role does not already exist, add it
    // rebind the RolesListBox to show the new role
    if (Roles.RoleExists(newRole) == false)
    {
      Roles.CreateRole(newRole);

You then get all the roles again and rebind the list box to show the new role.

      rolesArray = Roles.GetAllRoles();
      RolesListBox.DataSource = rolesArray;
      RolesListBox.DataBind();
    }
  }

Finally, you "close" the panel.

  pnlCreateRole.Visible = false;
}
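
The btnAddRole_Click handler above performs no authorization check of its own and passes the text box value straight to CreateRole. A hardened variant follows, added here as an example that is not the article's or MSDN's code; the `ManageRoles` class name, the pre-seeded `Administrators` role, and the role-name pattern are assumptions:

```csharp
using System;
using System.Configuration.Provider;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;

// Added example: txtNewRole, RolesListBox and pnlCreateRole are the page's controls.
public partial class ManageRoles : System.Web.UI.Page
{
    // Assumption: only members of a pre-seeded "Administrators" role may manage roles.
    private const string AdminRole = "Administrators";

    // Assumption: role names are 1-64 letters, digits, spaces, '_' or '-'.
    // This also rejects commas, which Roles.CreateRole does not accept.
    private static readonly Regex RoleNamePattern =
        new Regex(@"^[A-Za-z0-9 _\-]{1,64}$");

    protected void btnAddRole_Click(object sender, EventArgs e)
    {
        // Authorize on the server for every postback; an invisible panel or a
        // hidden hyperlink is presentation, not access control.
        if (!User.Identity.IsAuthenticated || !User.IsInRole(AdminRole))
        {
            throw new HttpException(403, "Role management requires an administrator.");
        }

        string newRole = txtNewRole.Text.Trim();
        if (RoleNamePattern.IsMatch(newRole) && !Roles.RoleExists(newRole))
        {
            try
            {
                Roles.CreateRole(newRole);
            }
            catch (ProviderException)
            {
                // Another request created the role between the check and the
                // call; the rebind below shows the current list either way.
            }
        }

        RolesListBox.DataSource = Roles.GetAllRoles();
        RolesListBox.DataBind();
        txtNewRole.Text = string.Empty;
        pnlCreateRole.Visible = false;
    }
}
```

The same check belongs in every handler on the page that changes role membership, AddUsers_OnClick included.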

When you open the form, the panel is invisible. Clicking on a role will display all of the users in that role, as shown in Figure 3.
