Wednesday, February 20, 2008

Tip: Securing ASP pages in menu.

I recently had to control access to a bunch of web pages on a new web site, based on a set of roles that I had defined using the ASP.NET 2.0 Web Administrator Tool. ASP.NET 2.0 provides the Authorization and SiteMap components, which I can use to assign roles to a particular web page. The following steps assign a role to a particular directory and web page.

1. Add a new Web.config file to the directory whose access you want to control. For example, I put a config file into the Admin folder.
2. Modify the Web.config file to include the following statements:


    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <!-- Rules are evaluated top-down: the Administrator role is allowed, everyone else is denied -->
          <allow roles="Administrator"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>




3. In the Web.siteMap file, add the following lines. Because "Administrator" is set as the role for that particular web page, the menu for an admin login will display the "Admin Page" but not the "Game Page".



    <?xml version="1.0" encoding="utf-8" ?>
    <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
      <siteMapNode url="default.aspx" title="Home" description="" roles="Administrator, Agent">
        <!-- Each child node names the role its menu entry is meant for -->
        <siteMapNode url="~/Admin/test1.aspx" title="Admin Page" description="" roles="Administrator"/>
        <siteMapNode url="~/Game/test2.aspx" title="Game Page" description="" roles="Agent"/>
      </siteMapNode>
    </siteMap>
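
The roles in Web.siteMap only affect the menu when the site-map provider has security trimming enabled, and trimming hides links without blocking the pages themselves. A root Web.config that covers both points, as an added example that is not from the original post; the provider name XmlSiteMapProvider, the roleManager line and the `<location>` rule for the Game folder are assumptions:

```xml
<?xml version="1.0"?>
<!-- Root Web.config (added example, not part of the original post) -->
<configuration>
  <system.web>
    <!-- Assumption: role management is switched on for the site -->
    <roleManager enabled="true"/>

    <!-- Without securityTrimmingEnabled="true" the roles attributes in
         Web.siteMap are ignored and every node is shown to every user -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.siteMap"
             securityTrimmingEnabled="true"/>
      </providers>
    </siteMap>
  </system.web>

  <!-- Same rule as the Admin folder's Web.config, applied to the Game
       folder. With trimming on, a node is shown when the user is in the
       node's roles attribute OR URL authorization lets the user reach the
       page, so roles="Agent" alone does not hide "Game Page" from an
       administrator: the folder itself must deny everyone but Agent.
       This rule is also what stops a user who types the URL directly. -->
  <location path="Game">
    <system.web>
      <authorization>
        <allow roles="Agent"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```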