2
votes

I have some .aspx pages in my asp.net web application which only admin can only see and some .aspx pages which all users can see. How can i restrict normal users accessing the pages intended for admin ?

More over I'm not implementing the authorization from the asp.net what i mean to say is i'm implementing the authentication by myself using sessions and flag variables. How can i restrict content to users dependent on the privileges in this scenario ?

4

4 Answers

8
votes

Put these pages in a directory of their own and use a web.config in this directory to restrict access to them.

<configuration>
   <system.web>
      <authorization>
         <allow roles="Admins"/>
         <deny users="*"/>
      </authorization>
   </system.web>
</configuration>

Do not reinvent the wheel!

2
votes

I would probably create a custom function, of course public method, which contains all the logic based on the roles [as you have mentioned that you don't want to go with membership feature of asp.net] to allow deny the user to access pages. This method will check the user eligibility for the page, for better logic you can keep the key for all pages in web.Config.

You can create the key in

   <appsetting>


 <add key="Page1" value="ViewOrders.aspx"/>
<add key="Page2" value="DeleteOrders.aspx"/>

Now, you can create a for/foreach loop in the method to iterate key value for the page name. I said this because it will be easier for you to add pages later and assign them roles accordingly.

Edit

Perhaps, you would like to see this http://mywsat.codeplex.com/

1
votes

If you are using your own, you may want to create a custom role provider, and have it return roles for the user from session, that may be able then to bridge both gaps...

HTH.

0
votes

Know this is a bit old but just in case someone else is using Membership. Use this in your web.config:

<configuration>
  <!-- Only administrators may access AdminTools.aspx -->
  <location path="AdminTools.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

reference: Build Your Own ASP.NET 2.0 Web Site Using C# VB, Second Edition Christian Daire, Zak Ruvalcaba