I’m using Forms Authentication and I want to restrict certain pages to certain roles. Right now everyone has access to the entire application once logged in.
But I’d like to restrict certain pages to certain roles. For example, the “view logs” page.
I’m thinking that my web.config file should look like this:
<location path="logs/view/">
  <system.web>
    <authorization>
      <allow roles="super, admin"/>
      <!-- Without an explicit deny, the root <allow users="*"/> rule still lets every
           authenticated user in; rules are evaluated top-down, first match wins. -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
But my issue is that, the way the underlying application is built, when a user logs in successfully via an API call I am returned a “User” object and that user’s role is part of that object (User.Role == “admin”). I don’t really have a reference database table that tells the app what role a user has.
How can I associate the
<allow roles="super, admin"/>
bit in my web.config to the role property of the User object?
You can wire up to the AuthenticateRequest event of the HttpApplication instance in your global.asax. In that context, you need to configure the IPrincipal implementation to have the desired settings. The easiest way to do this will be by instantiating a RolePrincipal and setting the User property of the HttpContext.

Update: I just looked up some sample implementations that I’ve posted on previous answers. There is one that is based on ASP.NET MVC and another based on Web Forms.
The Web Forms implementation wires up in the Global.asax: IsAuthenticated is false! weird behaviour + review question
The MVC implementation uses an action filter: Very simple single user login in ASP.NET MVC2?
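The following is an added example and is not code from the question or the answer above. It shows one concrete way to do what the answer describes for Web Forms: carry the role returned by the login API in the Forms Authentication ticket's UserData, and rebuild the principal in Application_AuthenticateRequest so that <allow roles="super, admin"/> in web.config sees it. It uses GenericPrincipal rather than the RolePrincipal the answer mentions, because RolePrincipal.IsInRole consults the configured RoleProvider and the asker has no role store behind one. The names LoginHelper and IssueAuthCookie are assumptions, and the role string is assumed to come from the asker's User.Role property.

```csharp
// Global.asax.cs (added example; LoginHelper and IssueAuthCookie are assumed names)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request after FormsAuthenticationModule has read the cookie and
    // before UrlAuthorizationModule evaluates <authorization> rules (AuthorizeRequest).
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;                                   // anonymous request; nothing to do

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also validates the ticket's MAC (machineKey), so a client that
            // edits the cookie to change its role gets a null/throwing result, not "admin".
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return;                                   // tampered or foreign cookie
        }
        if (ticket == null || ticket.Expired)
            return;

        // UserData holds the role(s) written at login, e.g. "admin" or "super,admin".
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        var identity = new FormsIdentity(ticket);
        Context.User = new GenericPrincipal(identity, roles);
        // From here on, User.IsInRole("admin") and the web.config <allow roles=.../>
        // rule both work without any role table or RoleProvider.
    }
}

// Login side (assumed helper): called after the API call returns the User object.
// Issuing the ticket by hand instead of FormsAuthentication.SetAuthCookie is what
// lets the role ride along in UserData.
public static class LoginHelper
{
    public static void IssueAuthCookie(HttpResponse response, string username, string role)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: username,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),
            isPersistent: false,
            userData: role,                           // e.g. apiUser.Role == "admin"
            cookiePath: FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL,  // follow requireSSL in web.config
            Path = ticket.CookiePath
        };
        response.Cookies.Add(cookie);
    }
}
```

Two caveats worth keeping in mind with this approach. The role is fixed at login time: if the API later demotes a user, the change only takes effect when the ticket expires or the user logs in again, so keep the expiration short or re-check the role against the API on sensitive pages. And the whole scheme rests on the ticket's integrity, so in a web farm every node must share the same machineKey, otherwise tickets issued by one node are rejected by the others.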