Results 1 to 5 of 5

Threaded View

  1. #1

    Thread Starter
    ASP.NET Moderator gep13's Avatar
    Join Date
    Nov 2004
    The Granite City

    Restrict Access to your website using ASP.Net Membership Provider

    NOTE: The attached sample application was written in Visual Studio 2008 Team System Edition
    NOTE: Due to the size of the database that was created, I have scripted the database as an SQL File, which you should be able to restore from.

    When you use the built in ASP.Net Providers (i.e. Membership, Roles and Profile) you have the ability to make use of the built in controls within the Framework, such as Login, LoginView, CreateUserWizards etc.

    If you use the Menu control, in conjunction with the Roles allocated to a user, then you can limit access to particular areas of your site.

    For instance, within the web.config file, you could put the following entries within the configuration node:

      <location path="Entry">
            <allow roles="Operator,StoreKeeper"/>
            <deny users="*"/>
      <location path="Update">
            <allow roles="Operator"/>
            <deny users="*"/>
      <location path="View">
            <allow roles="Operator,Manager,StoreKeeper"/>
            <deny users="*"/>
    The above means that access to a folder named Entry in the root of the website is restricted to all users apart from members of the Operator and StoreKeeper role.

    Access to a folder called Update in the root of the website is restricted to all users apart from members of the Operator Role.

    Access to a folder called View in the root of the website is restricted to all users apart from members of the Operator, Manager and StoreKeeper role.

    In addition to the above, it is also possible to restrict access to a particular page of the website, not just pages within a directory. This can be achieved as follows:

      <location path="AddEditPost.aspx">
                <allow roles="Administrators,Editors,Moderators,Posters" /> 
                <deny users="*"/>
    Here, access to the AddEditPost.aspx page is restricted to everyone except from members of the Administrators, Editors, Moderators and Posters role.

    It is possible to place individual web.config files into each of the above folders and restrict the access in each of these configuration files, or, you can place all your location nodes in the main web.config file of your application (this is the approach that I have taken in the attached sample.

    In order to complete this technique, entries need to be made in the web.sitemap as follows:

    <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
      <siteMapNode url="Default.aspx" title="Home">
        <siteMapNode title="Entry" url="Entry/Entry.aspx" description="Entry">
          <siteMapNode url="Entry/EntryMaterialMaster.aspx" title="Material Master" description="Material Master" />
          <siteMapNode url="Entry/EntryVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
          <siteMapNode url="Entry/EntryLocationMaster.aspx" title="Location Master" description="Location Master" />
          <siteMapNode url="Entry/EntryStoreMaster.aspx" title="Store Master" description="Store Master" />
          <siteMapNode url="Entry/EntryRackMaster.aspx" title="Rack Master" description="Rack Master" />
          <siteMapNode url="Entry/EntryTransactions.aspx" title="Transactions" description="Transactions" />
        <siteMapNode title="Update" url="Update/Update.aspx" description="Update">
          <siteMapNode url="Update/UpdateMaterialMaster.aspx" title="Material Master" description="Material Master" />
          <siteMapNode url="Update/UpdateVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
          <siteMapNode url="Update/UpdatePriceMaster.aspx" title="Price Master" description="Price Master" />
          <siteMapNode url="Update/UpdateLocationMaster.aspx" title="Location Master" description="Location Master" />
          <siteMapNode url="Update/UpdateStoreMaster.aspx" title="Store Master" description="Store Master" />
          <siteMapNode url="Update/UpdateRackMaster.aspx" title="Rack Master" description="Rack Master" />
          <siteMapNode url="Update/UpdateTransactions.aspx" title="Transactions" description="Transactions" />
        <siteMapNode title="View" url="View/View.aspx" description="View">
          <siteMapNode url="View/ViewMaterialMaster.aspx" title="Material Master" description="Material Master" />
          <siteMapNode url="View/ViewVendorMaster.aspx" title="Vendor Master" description="Vendor Master" />
          <siteMapNode url="View/ViewPriceMaster.aspx" title="Price Master" description="Price Master" />
          <siteMapNode url="View/ViewLocationMaster.aspx" title="Location Master" description="Location Master" />
          <siteMapNode url="View/ViewStoreMaster.aspx" title="Store Master" description="Store Master" />
          <siteMapNode url="View/ViewRackMaster.aspx" title="Rack Master" description="Rack Master" />
          <siteMapNode url="View/ViewReports.aspx" title="Reports" description="Reports" />
    With this in place, any menu on your website, which uses the web.sitemap as it's datasource will dynamically change which nodes are visible based on the roles of the currently logged in user.

    Attached to this thread is a complete (basic) sample which shows this in operation. You should be able to log into the website using the following credentials:

    UserName Password
    manage manage1#
    operate operate1#
    store store1#

    The "manage" user is a member of the Manager Role, the "operate" user a member of the Operator Role, and the "store" user a member of the StoreKeeper Role.

    Things to watch out for in the sample application is the configuration element in the web.config for the XmlSiteMapProvider, namely:

        <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
            <add name="XmlSiteMapProvider" description="SiteMap provider which reads in .sitemap XML files." type="System.Web.XmlSiteMapProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" siteMapFile="web.sitemap" securityTrimmingEnabled="true"/>
    Here I have enabled the securityTrimmingEnabled property. Basically what this does it tells the siteMapProvider to not show any nodes that the currently logged in user does not have access to. If this property were left as false, then the user would be able to see all nodes, it is just that when they clicked on them they would be redirected to the login page. To me, this isn't very intuitive. If the user doesn't have access to a page, then they shouldn't see a link to it.

    Let me know if you have any question about the above.

    Attached Files Attached Files

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts


Click Here to Expand Forum to Full Width

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.