Limiting user access in ASP.NET
Protecting privileged directories in ASP.NET requires strong authorization methods. Expert Dan Cornell breaks down the best techniques for access control in .NET 2.0 applications.
ASP.NET provides robust URL-based authorization capabilities allowing you to control access to directories by users, roles and even by HTTP verbs (GET, POST, and so on).
First, you need to set up your application to use either Forms or Windows authentication and configure the system to have three different roles: Admin, Customer and Client. In Windows authentication these will map to user groups and in Forms authentication those groups must be set up manually. See "Forms Authentication differences in ASP.NET 2.0" for more information on the disparities in Forms authentication between ASP.NET 1.1 and ASP.NET 2.0.
Once you have your Web application set up to authenticate users, you need to tell ASP.NET to require specific authorization in order to access resources. Web.config files supply configuration information for the directory in which they are located and all resources below them. By setting up a proper <authorization> tag in the web.config file you can control what users are allowed access to the directories.
To allow access only to users with the Admin role for the Admin/ directory, the <authorization> tag should be set up as follows:
<authorization>
    <allow roles="Admin" />
    <deny users="*" />
</authorization>
This will allow users with a role of Admin to access files in the Admin/ directory and will disallow all others. Authorization rules are evaluated top to bottom and the first matching rule wins, so the <allow> for the Admin role must come before the catch-all <deny>. Note that the wildcard "*" (everyone) and "?" (anonymous users) belong on the users attribute; the roles attribute only accepts a comma-separated list of role names.
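The following root web.config is an added example, not from the original article, that applies the same technique to all three roles named above. It assumes Forms authentication with a role provider already configured, directories named Admin/, Customer/ and Client/, and a login page at ~/Login.aspx. It uses <location> elements in the root web.config, which is equivalent to placing a separate web.config in each directory, and it also shows the HTTP-verb restriction the article mentions.

```xml
<?xml version="1.0"?>
<!-- Added example configuration (not the article's own). Assumes the roles
     Admin, Customer and Client exist in the configured role provider and that
     Login.aspx exists at the application root. -->
<configuration>
  <system.web>
    <!-- Authenticate users with Forms authentication; unauthenticated
         requests to protected resources are redirected to loginUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>

    <!-- Enable the role provider so the roles attribute can be evaluated. -->
    <roleManager enabled="true" />

    <!-- Site-wide default: deny anonymous users ("?") everywhere.
         Authenticated users fall through to the implicit allow-all. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Admin/ : only members of the Admin role. The first matching rule wins,
       so the <allow> must precede the catch-all <deny users="*" />. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Customer/ : Customers have full access; Admins may only read (GET),
       so they cannot submit forms (POST) on behalf of a customer. -->
  <location path="Customer">
    <system.web>
      <authorization>
        <allow roles="Customer" />
        <allow roles="Admin" verbs="GET" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Client/ : only members of the Client role. -->
  <location path="Client">
    <system.web>
      <authorization>
        <allow roles="Client" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When checking a configuration like this, read each directory's rules in order and stop at the first rule that matches the requesting user's identity, roles and HTTP verb; a directory whose rule list lacks a final `<deny users="*" />` silently falls back to the parent directory's rules and then to the framework's implicit allow-all.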
Here is a great MSDN reference article with more specifics and syntax information for URL authorization.