

5.3. Restrict Unauthorized Access to Pages


Note: The Login controls are useful only if you restrict access to the pages in your site. Learn how to restrict user access to your ASP.NET application.

So far, you have seen how to add a new login page to your web site and how you can add users to your application. In order to ensure that users provide a valid login credential before they are allowed access to a specific part of your site, you need to configure ASP.NET to require that all users be authenticated before they are given access.

5.3.1. How do I do that?

In the earlier lab (Section 5.1), you saw how to use the Login control to get a user's credentials. In this lab, you will learn how to restrict access to certain pages based on the user's credentials. You will create a new folder in the existing project and then restrict access to this folder by modifying Web.config. When a page in the restricted folder is requested, the login page will automatically be loaded to authenticate the user.

  1. Using the project created in the previous lab (C:\ASPNET20\chap-5-SecurityControls), add a new folder named Members (right-click the project name in Solution Explorer and then select Add Folder → Regular Folder).

  2. Add a Web.config file to this folder (right-click the project name in Solution Explorer and then select Add New Item...; select Web Configuration File) and insert the following lines:

    <!-- Remove this line
       <authentication mode="Windows" />
    -->
    <authorization>
       <deny users="?" />
    </authorization>

  3. The <deny> element specifies which users to deny access to the current folder (Members, in this case). You can also use the <allow> element to specifically state which users have access to the current folder. In the users attribute, the question mark (?) stands for anonymous (nonauthenticated) users, while an asterisk (*) stands for all users; here, <deny users="?" /> denies access to anonymous users.

  4. Your Solution Explorer should now resemble the one shown in Figure 5-17.

    Figure 5-17. The Solution Explorer


  5. Select MemberDefault.aspx in Solution Explorer and press F5. You will be redirected to the Login.aspx page, as this page is accessible only to an authenticated user. Log in with the user account created in the last lab. If the authentication is successful, the MemberDefault.aspx page will be loaded.

5.3.2. What about...

...using a single Web.config file to specify the access permission of the entire web application?

Besides adding a separate Web.config file to each folder in your web application to specify the access permission for each folder, you can also use the <location> element in the Web.config file in the root folder. The following entry in the Web.config file in the root of the web application is equivalent to Step 3:

   ...
   </system.web>
   <location path="Members">
      <system.web>
         <authorization>
            <deny users="?" />
         </authorization>
      </system.web>
   </location>
</configuration>

Using this method eliminates the need to have multiple Web.config files in your project. You can use multiple <location> elements to specify the permission for each folder.
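
As an added example (not from the book and not ASP.NET's own code), the Python sketch below models how the <allow> and <deny> rules inside <location> elements decide access, so a root Web.config can be checked before it is deployed. It assumes rules are applied in order with the first match winning and that a request no rule matches falls through to the inherited default of allowing all users; it reads only the users attribute, and the Admin folder and the users alice and bob are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed root Web.config. "Admin" and "alice" are hypothetical names.
SAMPLE_CONFIG = """<configuration>
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="alice" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def rules_for(config_xml, folder):
    """Return [(action, [users])] in document order for one <location> path."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        if loc.get("path", "").lower() == folder.lower():
            return [(rule.tag, [u.strip() for u in rule.get("users", "").split(",")])
                    for authz in loc.iter("authorization")
                    for rule in authz if rule.tag in ("allow", "deny")]
    return []


def is_allowed(config_xml, folder, user=None):
    """Simplified model of rule evaluation; user=None is an anonymous request."""
    for action, users in rules_for(config_xml, folder):
        # "*" matches everyone, "?" only anonymous, otherwise a listed name.
        if "*" in users or (user is None and "?" in users) or user in users:
            return action == "allow"  # first matching rule decides
    return True  # nothing matched: the inherited default allows all users


if __name__ == "__main__":
    for folder, user in [("Members", None), ("Members", "bob"),
                         ("Admin", "alice"), ("Admin", "bob")]:
        print(folder, user or "(anonymous)", is_allowed(SAMPLE_CONFIG, folder, user))
```

Because the first matching rule decides, placing <deny users="*" /> above <allow users="alice" /> in the Admin entry would lock alice out as well.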

5.3.3. Where can I learn more?

Check out the MSDN Help topic on the <location> element to learn more about the use of this element in Web.config files.



ASP. NET 2.0(c) A Developer's Notebook 2005