Limiting user access in ASP.NET

Protecting privileged directories in ASP.NET requires strong authorization methods. Expert Dan Cornell breaks down the best techniques for access control in .NET 2.0 applications.

In ASP.NET how can I limit access to certain directories to only users who have logged in with different roles? For example, how can I limit access to Admin/, Customer/ and Client/ directories to users who have logged in with those roles?

ASP.NET provides robust URL-based authorization capabilities allowing you to control access to directories by users,...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

roles and even by HTTP verbs (GET, POST, and so on).

First, you need to set up your application to use either Forms or Windows authentication and configure the system to have three different roles: Admin, Customer and Client. In Windows authentication these will map to user groups and in Forms authentication those groups must be set up manually. See "Forms Authentication differences in ASP.NET 2.0" for more information on the disparities in Forms authentication between ASP.NET 1.1 and ASP.NET 2.0.

Once you have your Web application set up to authenticate users, you need to tell ASP.NET to require specific authorization in order to access resources. Web.config files supply configuration information for the directory in which they are located and all resources below them. By setting up a proper <authorization> tag in the web.config file you can control what users are allowed access to the directories.

ASP.NET security resources:

How to create a secure login page using ASP.NET

Discover the power of .NET's code access security

Authentication & authorization: Secure ID and user privileges

Forms Authentication -- Professional ASP.NET 2.0 Security, Membership and Role Management

To allow access only to users with the Admin role for the Admin/ directory, the <authorization> tag should be set up as follows:

This will allow users with a role of Admin to access files in the Admin/ directory and will disallow all others.

Here is a great MSDN reference article with more specifics and syntax information for URL authentication.

This was last published in September 2006

Dig Deeper on Building security into the SDLC (Software development life cycle)

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

Related Resources

Dig Deeper on Building security into the SDLC (Software development life cycle)

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.