Walkthrough: Managing Web Site Users with Roles
A typical requirement for Web sites is to allow only some users (authenticated users) to see certain pages. In ASP.NET, you can use roles to manage user access to Web pages. Roles enable you to apply the same access rules to a group of users, such as managers, administrators, members, and so on. To use roles, you create new roles, assign individual users to one or more roles, and then grant access permissions to the role. Every user in that role is granted the permissions that are defined for that role. For example, you can create an administrator role, add users to the role, and set up access rules that allow only users in the role to see the administrator’s page. Users who are authenticated but are not assigned to the administrator role will not be able to access the pages that you configure only for administrators.
Tasks illustrated in this walkthrough include the following:
Creating an ASP.NET Web site project.
Creating folders and pages that have restricted access.
Configuring the Web site with membership and roles.
Adding users to the Web site.
Assigning users to roles.
Changing access rules.
Prerequisites
In order to complete this walkthrough, you will need:
Visual Studio or Visual Web Developer Express.
SQL Server Express installed locally on your computer.
Creating an ASP.NET Web Site Project
You will start by creating an ASP.NET Web site project. By default, when you create a new Web Site project in Visual Studio, the project includes many of the elements that are required in order to create a site that supports membership (authentication). In this walkthrough, you will use the built-in membership features and then extend those features by adding roles.
Note
This walkthrough uses a Web site project. You could use a Web application project instead. For information about the difference between these Web project types, see Web Application Projects versus Web Site Projects in Visual Studio.
To create a new ASP.NET Web site
Start Visual Studio or Visual Web Developer.
In the File menu, click New Web Site. (If you do not see this option, click New, and then click Web Site.)
The New Web Site dialog box is displayed.
Under Installed Templates, click Visual Basic or Visual C# and then select ASP.NET Web Site.
In the Web Location box, select File System and enter the name of the folder where you want to keep the pages of the Web site. For example, enter the folder name C:\Websites\RolesWebsite and then click OK.
Visual Studio creates the folder and opens the Default.aspx page in Source view. Notice that the root Web site contains several files and folders, including the Account folder, a Web.config file, an About.aspx page, a Default.aspx page, and a Site.master page. These pages and folders are already configured to use ASP.NET membership.
Press CTRL+F5 to run the page.
The home page is displayed in the browser. Notice the menu items (Home and About), and notice the Log In link. Later in the walkthrough, you will add additional menu items and web pages to the Website.
Close the browser.
Creating Folders and Pages
In order to work with roles, you will create two folders where you can keep pages that have restricted access. One folder will contain pages that every authenticated user can access (but that are not available to anonymous users). The other folder will contain pages that can be accessed by users who are both authenticated (logged in) and who are assigned to the administrator role. Anonymous users and users who are logged in but are not in the administrator role will not be able to access the second page. Later in the walkthrough, you will apply access rules to these folders to restrict which users can access which folder.
To create folders for restricted access
In Solution Explorer, right-click the root of your Web site, click New Folder, and then name the folder AdminPages.
This folder will contain a page that is accessible to only users who are assigned to the Admin role. You will create roles later in the walkthrough.
Right-click the root of your Web site, click New Folder, and then name the folder MembersPages.
This folder will contain a page that is accessible to all users who are logged in.
To add pages to the folders
In Solution Explorer, right-click the AdminPages folder and select Add New Item.
Select a Web Form, and in the Name box, enter Admin.aspx. Select the Select master page box, and then click Add.
In the Select a Master Page dialog box, under Contents of folder, select Site.master, and then click OK.
Switch to Design view and add text such as Welcome to the administrators page. The exact text is not important. You can add any text that lets you identify the page.
In the Formatting toolbar, use the Block Format drop-down list to format the text as Heading 1.
Save and close the Admin.aspx page.
Right-click the MembersPages folder and select Add New Item.
Add a second Web Form page, name it Members.aspx, and select Site.master as its master page.
Switch to Design view, add text such as Welcome to the Members page, and style it as a heading.
Save and close the Members.aspx page.
Open the Default.aspx page and switch to Design view.
Add text such as Welcome to my home page.
Save and close the Default.aspx page.
Open the Site.master page.
Switch to Design view and change the heading of the Site.master to a heading such as My Roles Web site.
Linking to the Restricted Pages
Next, you will add menu items (tabs) on the master page that link to the administrators page and the members page that you just added. This will let you test access to those pages later in the walkthrough.
To link to the restricted pages
On the Site.master page, right-click the Menu control that contains the Home and About menu items, and then click Show Smart Tag.
The Menu Tasks dialog box is displayed.
Under Menu Tasks, click Edit Menu Items….
The Menu Item Editor is displayed.
Under Items, click the Add a root item icon (the first icon from the left) in the toolbar.
A new item is created in the menu tree.
Select New Item.
In the Properties window of the Menu Item Editor, set the text property to Members.
In the properties window, click NavigateUrl and then click the ellipsis (...) button.
The Select URL dialog box is displayed.
Under Project folders, click MembersPages.
Under Contents of folder, select Members.aspx and then click OK.
Use the same technique to add another menu item. This time, set the text property to Administrators and the NavigateUrl property to ~/AdminPages/Admin.aspx.
Click OK to close the dialog box.
The following illustration shows the Add a root item icon in the Menu Item Editor.
Configuring the Web Site for Membership and Roles
The next step is to configure ASP.NET membership and roles. You can use the Web Site Administration Tool, which provides a wizard-like interface for making configuration settings. When you complete the configuration, a SQL Server database named Aspnetdb.mdf is created in the App_Data folder of the project. The database contains membership information for this Web site.
To configure the Web site for membership and roles
On the Website menu, click ASP.NET Configuration.
The Web Site Administration Tool is displayed in a browser window.
Select the Security tab, click the Use the security Setup Wizard to configure security step by step link, and then click Next.
Select the From the Internet option.
This option specifies that your application will use ASP.NET forms authentication, where users will log in to the Web site by using a login page that is part of your site. (The login page was added to the site automatically when you created the Web site earlier in the walkthrough.)
Click Next.
The wizard displays a message stating that user information will be stored using Advanced provider settings. Your application will use the default provider, which stores membership information in a SQL Server Express database file in the App_Data folder of your Web site.
Click Next.
Under Define Roles, select the Enable roles for this Web site check box, and then click Next.
Under Create New Role, in the New Role Name box enter Admin, and then click Add Role.
In the New Role Name box, enter Member and then click Add Role.
The roles you just created appear under Existing Roles.
The following illustration shows the Create New Role page.
Later in the walkthrough, you will create users and assign them to the roles you just created.
Note
Leave the Web Site Administration Tool open.
Adding Users
You can now add users and assign them to roles. In this walkthrough, you will create two users and assign one to the Admin role and the other to the Member role.
To add users
In the Web Site Administration Tool, click Next. The Create User page is displayed.
Enter information that defines a user of your Web site. Use the following values as guidelines. (You can use any values that you want, but be sure to note your entries. You will use these entries later in the walkthrough.)
User Name admin1 (without spaces), or a sample name.
Password A password. A strong password is required (one that can include uppercase and lowercase letters, punctuation, non-alphanumeric characters and that is at least eight characters long).
E-mail Your personal e-mail address. This is useful if you later must search for a user in the Web Site Administration Tool.
Select Active User.
Click Create User and then click Continue.
Enter information that defines another user named member1 and then click Create User.
Click Finish to return to the home page of the Web Site Administration Tool.
Setting up Access Rules for the Site Folders
The Web site you are creating will allow users to access to pages according to their roles. Therefore, you need to create access rules for the folders that contain the pages you want to protect and set which roles can access which folders.
To set up access rules for the site folders
In the Web Site Administration Tool, click the Security tab.
In the Access Rules box, click Create access rules.
The Add New Access Rule page is displayed, where you can create rules that determine which roles can gain access to the pages in your Web site.
Under Select a directory for this rule, expand the root node.
Select the MembersPages folder.
Under Rule applies to, select Anonymous Users.
Under Permission, select Deny. This rule denies anonymous users access to the MembersPages folder. By default, ASP.NET allows all users to access all folders, so you must set a rule to exclude anonymous users.
Click Add This Rule. Notice that the new rule is displayed in the grid at the bottom of the page.
The following illustration shows the Add New Access Rule dialog box.
Under Select a directory for this rule, click the AdminPages folder.
Under Rule applies to, select Role, and then in the drop-down list, select Admin.
Under Permission, select Allow.
The rule you are creating grants access permissions for the AdminPages folder to anyone in the Admin role.
Click Add This Rule.
Under Select a directory for this rule, click AdminPages again.
Under Rule applies to, select All Users.
Under Permission, select Deny.
Click Add This Rule.
This rule for the AdminPages folder makes sure that all users except users in the Admin role cannot gain access to the AdminPages folder. All the rules are displayed in the grid at the bottom of the page. When users request a page in a folder, the rules for the folder are checked in order, from top to bottom. The rule at the top overrides the rule below it, and so on. By default, rules apply to the folder and to any subfolders (unless you create different rules for the subfolders).
Click Finish to return to the Security tab.
The number of users and roles you have created is displayed under the Security tab (2 users and 2 roles).
Note
Leave the Web Site Administration Tool open.
Assigning Roles to Users
After you create access rules for folders, define roles, and create users, you can assign users to roles. You can assign a user to one or more roles. You will assign member1, the user you created earlier, to the Member role and the admin1 user to both the Admin and Member roles.
To assign roles
In the Security tab, under Users, click Manage users.
All the users you have created are displayed. If your Web site has many users, you can search for a user by user name or e-mail address under Search for Users in the Web Site Administration Tool.
In the admin1 row, click Edit roles.
Under Roles, select Admin and Member. This assigns both Admin and Member roles to the admin1 user. This user can access pages in both MembersPages and the AdminPages folders.
In the member1 row, click Edit roles and select Member. This rule allows users in this role to access the MembersPages folder but not the AdminPages folder.
The following illustration shows the Edit users page.
Click Back to return to the Security tab.
Close the Web Site Administration Tool.
Testing the Web Site
To test the site, you can log in by using the credentials of the users you created (member1 and admin1) and then try to access pages in the restricted folders. You can also register a new user and then test which pages the new user can access.
To test the Web site
In Solution Explorer, right-click the Default.aspx page and click Set as Start Page. This ensures that the Default.aspx is always displayed when you run the Web site in Visual Studio.
Press CTRL+F5.
Click the Members menu item (tab).
The login page (Login.aspx) is displayed, because access to the members page and the administrators page is denied for anonymous users.
Log in as member1.
Notice that the Log In link has changed to Log Out.
Click the Members menu item.
The Members.aspx page is displayed because the user name that you are logged in as has been authorized to access the page.
Click the Administrators menu item.
The Login.aspx page is displayed again, because access to the administrator’s page is denied for users who are not in the Admin role. The current user (member1) is in the Member role but not the Admin role.
Click the Log Out link to log out as the member1 user.
Click the Administrators menu item.
Log in as the admin1 user.
This time, the administrator’s page is displayed because the user name that you are logged in as has been authorized to access the page.
Click Members.
The members page is displayed because the user name that you are logged in as (admin1) has been authorized to access both the administrators pages and members pages. The user admin1 is assigned both the Admin and Member roles.
Log out and then click Log In.
On the login page, click Register, create a new user named guest1, and then click Create User.
Click Administrators. The Login.aspx page is displayed, because guest1 is not assigned to the Admin role.
Click Members. The members page is displayed. This new user has not been assigned to a role, but the members page is displayed because all authenticated users are allowed to access the MembersPages folder.
To make sure that only users who are in the Member role can access this folder, you must add a new rule to deny all users except users in the Member role. You will perform this task in the next section.
Close the browser.
Modifying Access Rules
In this section of the walkthrough, you will modify the roles and access rules that you created earlier to change who is authorized to see the members page and the administrators page.
In the first part, you will change rules to allow only users in the Member role (not just any authenticated user) to access the pages in MembersPages folder.
To modify access rules
In the Website menu, click ASP.NET Configuration.
Click the Security tab.
Under Access Rules, click Manage access rules.
Click the Add new access rule link.
Under Select a directory for this rule, select the MembersPages folder.
Under Rule applies to, select All users.
Under Permission, select Deny and then click OK.
This rule ensures that everyone is denied access to the MembersPages folder.
Click the Add new access rule link.
Select the MembersPages folder again.
Under Rule applies to, select Role and select Member from the drop-down list.
Under Permission, select Allow, click OK, and then click Done.
The rule you just created allows only users who are in the Member role to access the MembersPages folder. However, the member1 user is still denied access to the MembersPages folder although member1 is assigned to the Member role. This is because the rule that allows access to the Member role is lower in the list than the rule that denies all users access. To make sure that the member1 user can access the folder, you must move the rule that allows users who are assigned to the Member role above the one that denies access to all users.
Return to the Security tab and click Manage access rules.
If the MembersPages folder is not selected, select it.
Under Users and Roles, click Member and click Move Up to move Member to the top of the list.
Click Done to return to the Security tab.
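The ordering rule described above (and in the earlier AdminPages steps) is easy to get wrong, so here is a small added example, not part of the original walkthrough, that models how ASP.NET URL authorization evaluates the allow/deny rules the Web Site Administration Tool writes to Web.config. The Web.config text inside the block is constructed to mirror this walkthrough's folders and roles; the first rule that matches the requesting user decides the outcome.

```python
# Added example, not part of the original walkthrough: a small model of how
# ASP.NET URL authorization evaluates the <allow>/<deny> rules that the Web
# Site Administration Tool writes to Web.config. Rules are checked top to
# bottom and the first rule that matches the user decides the outcome.
import xml.etree.ElementTree as ET

# Constructed Web.config fragment mirroring the walkthrough: AdminPages as set
# up originally, MembersPages with "allow Member" moved ABOVE "deny all users".
WEB_CONFIG = """<configuration>
  <location path="AdminPages">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="MembersPages">
    <system.web>
      <authorization>
        <allow roles="Member" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def load_rules(config_xml):
    """Return {folder: [(verb, users, roles), ...]} in document order."""
    def names(attr):
        return [n.strip() for n in attr.split(",") if n.strip()]
    rules = {}
    for loc in ET.fromstring(config_xml).findall("location"):
        auth = next(loc.iter("authorization"))
        rules[loc.get("path")] = [
            (el.tag, names(el.get("users", "")), names(el.get("roles", "")))
            for el in auth]
    return rules

def rule_matches(users, roles, username, user_roles):
    """'*' is everyone, '?' is anonymous (username None), else name or role."""
    anonymous = username is None
    if "*" in users or ("?" in users and anonymous):
        return True
    if not anonymous and username in users:
        return True
    return bool(set(roles) & set(user_roles))

def is_allowed(rules, folder, username, user_roles=()):
    """First matching rule wins; with no matching rule ASP.NET allows access."""
    for verb, users, roles in rules.get(folder, []):
        if rule_matches(users, roles, username, user_roles):
            return verb == "allow"
    return True

def reorder(rules, folder, new_order):
    """Reorder one folder's rules by index, like the tool's Move Up/Move Down."""
    return {**rules, folder: [rules[folder][i] for i in new_order]}
```

Swapping the two MembersPages rules with reorder(rules, "MembersPages", [1, 0]) reproduces the misordered state from the previous step, in which member1 is denied even though the Member allow rule exists.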
Managing Roles
The Web Site Administration Tool lets you modify roles and reassign users to roles. You can perform the following tasks in the tool:
Add or remove users from an existing role.
Assign users to a new role.
Add new roles.
Disable roles.
Delete roles.
In this walkthrough, you will perform the following tasks:
Remove the admin1 user from the Admin role.
Assign member1 user to the Admin role.
To remove a user from an existing role
In the Web Site Administration Tool, click the Security tab, and then under Roles, click Create or Manage roles.
Under Role Name, select the Admin role and click Manage.
All the members in the Admin role are displayed.
Under User Is In Role for the admin1 user, clear the check box to remove the admin1 user from the role.
Click Back.
To assign a user to a new role
Click Back to return to the Security tab.
Under Users, click Manage users.
Under User name, in the member1 user row, click Edit User.
The edit role page is displayed.
Under Roles, select the Admin and Member roles and click Save. The member1 user is now in the Admin role and is allowed to access the AdminPages folder.
Click OK and then close the Web Site Administration Tool window.
Testing the Modified Web Site
You can now test the modified Web site.
To test the modified Web site
Press CTRL+F5 to run the Web site.
If you are logged in from a previous test, log out.
Log in as admin1 and then click the Administrators menu item.
The Login.aspx page is displayed because access to the administrators page is now denied for the admin1 user. The admin1 user has been removed from the Admin role.
Log out and then log in as member1.
Click the Administrators menu item. The administrator’s page is displayed because member1 is assigned to the Admin role.
Next Steps
This walkthrough has illustrated the basic functionality of ASP.NET role management. You might want to experiment with additional features of role management such as:
Work with Windows roles instead of custom roles that you create in the membership system.
Work programmatically with roles. For details, see Managing Authorization Using Roles.
Apply access rules to links that are displayed in the navigational structure of your Web site. For more information, see Walkthrough: Filtering Site-Map Nodes Based on Security Roles.
Create a custom provider that allows you to use an existing or custom data store for membership and role information. For more information, see Implementing a Role Provider.
See Also
Tasks
Walkthrough: Creating a Web Site with Membership and User Login
Walkthrough: Filtering Site-Map Nodes Based on Security Roles