R – How to best handle role based permissions using Forms Authentication on the ASP.NET web application

asp.net · forms-authentication

I'm using the ASP.NET Login Controls and Forms Authentication for membership/credentials for an ASP.NET web application.

I've got two roles:

  • Users
  • Administrators

I want pages to be viewable by four different groups:

  • Everyone (Default, Help)
  • Anonymous (CreateUser, Login, PasswordRecovery)
  • Users (ChangePassword, DataEntry)
  • Administrators (Report)

Expanding on the example in the ASP.NET HOW DO I Video Series: Membership and Roles, I've put those page files into such folders:

[Screenshot: Visual Studio Solution Explorer]

And I used the ASP.NET Web Site Administration Tool to set up access rules for each folder.

It works but seems kludgy to me and it creates issues when Login.aspx is not at the root and with the ReturnUrl parameter of Login.aspx.

Is there a better way to do this? Is there perhaps a simple way I can set permissions at the page level rather than at the folder level?

Best Answer

A couple of solutions off the top of my head.

  1. You could set up restrictions for each page in your web.config file. This would allow you to have whatever folder hierarchy you wish to use. However, it will require that you keep the web.config file up to date whenever you add additional pages. The nice part of having the folder structure determine accessibility is that you don't have to think about it when you add in new pages.
  2. Have your pages inherit from custom classes (i.e. EveryonePage, UserPage, AdminPage, etc.) and put a role check in the Page_Load routine.
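One way to implement the second suggestion, as an added example that is not code from the answer or from the asker's project: a base class per group that checks roles in OnInit (before Page_Load and control loading), using the page groups from the question. Note the caveat: web.config `<location>` rules from suggestion 1 are enforced by ASP.NET for every request to the listed paths, whereas this check only guards pages that actually inherit from these classes.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Base page that enforces a role requirement before any page logic runs.
// Derived pages declare the roles that may view them; an empty array means "everyone".
// OnInit is used instead of Page_Load so the check runs before controls load.
public abstract class RoleRestrictedPage : Page
{
    protected abstract string[] AllowedRoles { get; }
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (AllowedRoles.Length == 0)
            return;                                // open to everyone
        if (!Request.IsAuthenticated)
        {
            // Not signed in: go to the login page named in web.config, with
            // ReturnUrl set so the user comes back here afterwards.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        foreach (string role in AllowedRoles)
            if (User.IsInRole(role))
                return;                            // authorised

        // Signed in but in no permitted role: refuse rather than redirect to
        // login, which would loop for a valid user who simply lacks the role.
        Response.StatusCode = 403;
        Response.End();
    }
}

// Everyone: Default.aspx, Help.aspx
public abstract class EveryonePage : RoleRestrictedPage
{
    protected override string[] AllowedRoles { get { return new string[0]; } }
}

// Users: ChangePassword.aspx, DataEntry.aspx (add "Administrators" if admins need these too)
public abstract class UserPage : RoleRestrictedPage
{
    protected override string[] AllowedRoles { get { return new string[] { "Users" }; } }
}

// Administrators: Report.aspx
public abstract class AdminPage : RoleRestrictedPage
{
    protected override string[] AllowedRoles { get { return new string[] { "Administrators" }; } }
}
```

Each page then derives from its group instead of `System.Web.UI.Page`, e.g. `public partial class Report : AdminPage`, and the folder layout can be whatever you like.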