
In Part 1 of this series you learned how to create a Forms-based authentication scheme for a single type of user. In this part, you'll learn how to extend your scheme so that you can authenticate two different kinds of users by assigning them different roles.
Part 1: Forms Authentication for a single type of user
Part 2: Forms Authentication for multiple roles
Appendix A: Setup the Testing Server and Create the Database Connection
Up to now, your authentication scheme has allowed for just a single type of login: members. Logged in members are allowed to access restricted pages that reside in the "members" folder. Whenever you have members, however, you invariably need a super-user to manage all members' accounts. This is the manager account, and it's the only user with unrestricted access to the pages in the "manager" folder (typically, this folder contains pages that allow the manager to administer the members' accounts). The manager can access member-only pages, too, of course.
Forms authentication in ASP.NET supports multiple roles, but using them requires additional programming.
In the next section, you'll take a look at the changes needed in the web.config file.
The site manager needs exclusive access to pages in the manager folder and to pages in the members folder; likewise, logged in members must have access to pages in the members folder. Table 1 shows the modifications required for the web.config file to support this more complex authentication scheme.
Because you have two separate folders with restricted-access pages, you need two separate <location> tags to define the folders' paths.
Table 1. Modifications Required for web.config

Replace this code:

```xml
<!-- Require authorization for all -->
<!-- files in the "member" folder -->
<location path="members">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```

With this code:

```xml
<!-- Require authorization for all -->
<!-- files in the "manager" folder -->
<location path="manager">
  <system.web>
    <authorization>
      <allow roles="manager" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- Require authorization for -->
<!-- all files in the "member" -->
<!-- subdirectory. Note the -->
<!-- multiple values for the -->
<!-- <allow roles> tag. This -->
<!-- allows a person logged in -->
<!-- as a manager to see the -->
<!-- member pages too. -->
<location path="members">
  <system.web>
    <authorization>
      <allow roles="member, manager" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```
Look at the replacement code in Table 1. The path in the first <location> tag indicates that the authorization rules that follow apply only to pages within the manager directory. The <authorization> block allows any user in the manager role and denies all other users (the * in the code), including users who are authenticated but hold some role other than manager. ASP.NET evaluates these rules in order and applies the first one that matches, which is why the <allow> must come before the <deny users="*" />.
The second <location> path specifies the members directory. Its <authorization> block allows access by any user in the member or manager role and denies all other users (again the *).
The code that you replace (the first block in Table 1) covers the simpler case of a single type of login with no role assigned to it. The question mark in the <deny users> tag means that all unauthenticated users are denied access, while any authenticated user is allowed through.
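To see how these rules behave, here is an added example (not from the original article) that parses the replacement <location> blocks from Table 1 and evaluates them the way ASP.NET's URL authorization does: top to bottom, first matching <allow> or <deny> wins. The helper names and the sample users and roles are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the replacement <location> blocks from Table 1, wrapped
# in a root element so the fragment parses as one document.
WEB_CONFIG = """
<configuration>
  <location path="manager">
    <system.web><authorization>
      <allow roles="manager" />
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="members">
    <system.web><authorization>
      <allow roles="member, manager" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>
"""

def _split(attr):
    """Split a comma-separated users= or roles= attribute into clean values."""
    return [v.strip().lower() for v in (attr or "").split(",") if v.strip()]

def _rule_matches(rule, user, roles):
    """True if one <allow>/<deny> element applies to this user (None = anonymous)."""
    anonymous = user is None
    for u in _split(rule.get("users")):
        if u == "*" or (u == "?" and anonymous) or (not anonymous and u == user.lower()):
            return True
    if not anonymous and set(_split(rule.get("roles"))) & {r.lower() for r in roles}:
        return True
    return False

def load_rules(config_xml):
    """Map each <location path> to its ordered list of (verb, element) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        auth = next(loc.iter("authorization"), None)
        rules[loc.get("path")] = [(r.tag, r) for r in auth] if auth is not None else []
    return rules

def is_allowed(rules, path, user, roles=()):
    """Walk the rules top to bottom; the first match decides. No match falls
    through to the inherited <allow users="*" /> from the root configuration."""
    for verb, rule in rules.get(path, []):
        if _rule_matches(rule, user, roles):
            return verb == "allow"
    return True
```

Swapping the order of <allow> and <deny> in WEB_CONFIG makes every request to that folder fail, which is a quick way to confirm that rule order matters.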
Now let's look at how roles are assigned.
Keywords
Forms authentication, FormsAuthenticationTicket, ASP.NET, Dreamweaver, DataSet, SQL Server, C#, roles