Aspdotnet-Suresh


What is authorization in ASP.NET | Authorization rules in web.config to allow or deny resources to a particular user or role in ASP.NET

Dec 4, 2013
Introduction:

In this article I will explain what authorization is in ASP.NET, what it is used for, and how to set authorization rules in web.config to allow or deny resources to a particular user or role.


Description:

Today I am writing this post to explain the authorization concept in ASP.NET. In one interview, the interviewer asked what authorization is in ASP.NET and how the authorization concept can be used to allow or deny resources to a particular user or role.

What is authorization in ASP.NET?

Authorization is the process of allowing or denying particular resources to a user or role in ASP.NET. It decides what an already identified user may access, whereas authentication establishes who the user is.

We will discuss this topic with examples: first create a new website, then check everything with examples.

Once the website is created, open the web.config file. In the configuration section, under system.web, you will see only the authentication mode; no authorization section exists yet. It looks like this:

<configuration>
<system.web>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Windows" />
</system.web>
</configuration>
Here we need to change the authentication mode to "Forms" to implement the authorization concept in web.config. After changing the authentication mode, we add an authorization section under system.web to implement our custom requirements, such as allowing or denying resources to a particular user or role.
Now we will start with denying anonymous users access to the website, i.e. only users who have logged in to our website are able to access the application.

<configuration>
<system.web>
<authentication mode="Forms">
</authentication>
<authorization>
<deny users="?"/><!--will deny anonymous users-->
</authorization>
</system.web>
</configuration>
(Note: This setup is used whenever user accounts are created by an administrator to access the application, since with every page denied to anonymous users nobody can register on their own.)

In some situations we get a requirement to allow all users to access one particular page and restrict access to the other pages to logged-in / authenticated users only.

Example: I have a website and I want to allow all users to access only the Registration page, so that they can register on the website, and allow only logged-in / authenticated users to access the remaining pages.

In this situation we need to write the configuration like this:

<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>  <!--This will restrict anonymous user access-->
</authorization>
</system.web>
<location path="Registration.aspx"> <!-- Path of your Registration.aspx page -->
<system.web>
<authorization>
<allow users="*"/> <!-- This will allow everyone to access Registration.aspx -->
</authorization>
</system.web>
</location>
</configuration>
Here the location path should be the path of your page. My page exists in the root folder of the application, which is why I gave the direct path; if your page exists in another folder, the location path must be changed accordingly, like this: ~/UserDetails/Registration.aspx.

So far we have seen how to allow authenticated users to access a web page. Now we will discuss how to allow only a particular user to access the website and deny all other users.

In this situation we need to write the following in web.config:

<configuration>
<system.web>
<authorization>
<allow users="SureshDasari"/>  <!-- It will allow only SureshDasari -->
<deny users="*"/>  <!--Deny others -->
</authorization>
</system.web>
</configuration>
If we observe the above code, it allows only the user "SureshDasari" and denies all other users access to the application. If we want to give permission to more users, just add the usernames separated by commas, like "SureshDasari,Mahesh,Madhav".

Now, if we want to allow only one user to access a particular page and deny all other users access to that page, write the configuration like this:

<configuration>
<location path="Registration.aspx"> <!-- Path of your Registration.aspx page -->
<system.web>
<authorization>
<allow users="SureshDasari"/>
<deny users="*"/> <!-- Deny all other users -->
</authorization>
</system.web>
</location>
</configuration>
Up to now we have learned how to allow or deny resources to users; now we will see how to allow users in a particular role.

Now suppose we have different roles like Admin, Customer and Technician. If we want to allow only the Admin role to access the application and deny permission to all other roles, we write the following in web.config:

<system.web>
<authorization>
<allow roles="Admin"/> <!--Allows users in Admin role-->
<deny users="*"/> <!--Deny everyone else-->
</authorization>
</system.web>
Now we have another requirement: how to allow users in a particular role to access folders.

Example: I have two folders, an Administrator folder and a Customer folder. I want to give permissions such that Admin role users can access both folders and Customer role users can access only the Customer folder. For that we set the conditions like this in web.config:

<configuration>
<location path="AdminFolder">
<system.web>
<authorization>
<allow roles="Admin"/> <!-- Allows Admin role users -->
<deny users="*"/> <!-- Deny everyone else -->
</authorization>
</system.web>
</location>
<location path="CustomerFolder">
<system.web>
<authorization>
<allow roles="Admin, Customers"/> <!--Allow users in Admin and Customers roles-->
<deny users="*"/> <!--Deny rest of all-->
</authorization>
</system.web>
</location>
</configuration>
In this way we can allow or deny resources to a particular user or role using authorization in web.config.

Note: One thing to remember is that the allow statement must always come before the deny statement. The rules are evaluated in order and the first matching rule wins, so if we place the deny statement first and then the allow statement, the allow statement never takes effect.
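To make the first-match-wins evaluation concrete, here is an added Python model of the rule semantics described above; it is not code from the article or from ASP.NET. It parses a constructed web.config built from the same elements, and assumes the documented UrlAuthorizationModule order: rules of the most specific location first, then the root authorization rules, then the machine-level default allow-all. The last location deliberately puts deny before allow to show why the note above matters.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.config (illustrative, not the article's files): root rules plus
# <location> overrides in the style of the article's folder example.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="Registration.aspx"><system.web><authorization>
    <allow users="*"/></authorization></system.web></location>
  <location path="AdminFolder"><system.web><authorization>
    <allow roles="Admin"/><deny users="*"/></authorization></system.web></location>
  <location path="AdminFolder/Reports"><system.web><authorization>
    <deny users="*"/><allow roles="Admin"/></authorization></system.web></location>
</configuration>"""

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    users: set    # lower-cased names plus the wildcards "*" (anyone) and "?" (anonymous)
    roles: set    # lower-cased role names

def _split(attr):
    return {v.strip().lower() for v in attr.split(",") if v.strip()}

def load(config_xml):
    """Map each location path ('' = application root) to its ordered rule list."""
    root = ET.fromstring(config_xml)
    rules = {}
    scopes = [("", root)] + [(loc.get("path"), loc) for loc in root.findall("location")]
    for scope, node in scopes:
        az = node.find("system.web/authorization")
        rules[scope.strip("/").lower()] = [
            Rule(e.tag, _split(e.get("users", "")), _split(e.get("roles", "")))
            for e in (az if az is not None else []) if e.tag in ("allow", "deny")]
    return rules

def is_allowed(rules, path, user=None, roles=()):
    """First matching rule wins: most specific <location> first, then the root
    <authorization>, then the machine-level default <allow users="*"/>."""
    path, user = path.strip("/").lower(), (user or "").lower()
    roles = {r.lower() for r in roles}
    scopes = sorted((s for s in rules if s and (path == s or path.startswith(s + "/"))),
                    key=len, reverse=True) + [""]
    for r in [r for s in scopes for r in rules[s]] + [Rule("allow", {"*"}, set())]:
        if ("*" in r.users or ("?" in r.users and not user)
                or (user and user in r.users) or roles & r.roles):
            return r.action == "allow"

RULES = load(WEB_CONFIG)
```

Calling is_allowed(RULES, "AdminFolder/Reports/Sales.aspx", "SureshDasari", ["Admin"]) returns False even for an Admin, because the misordered deny rule matches before the allow rule is reached.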


26 comments :

Anonymous said...

Nice article on Authorization


Thanks Suresh!!!

bhawna said...

If any error occurs I want to display a static page. How to do it in ASP.NET?

Anonymous said...

Good article sir.

Anonymous said...

Good article brother, keep on going. Congrats for your award.

Priyanka said...

Hi Suresh, your articles are very good. I appreciate your work. Please post an article on state management in ASP.NET, explaining different terms such as cookie, session, hidden fields, view state, query string etc.

shekar said...

Hi Suresh,

I have one doubt: where do I have to assign these users to roles like Admin, Customer and Technician, how does the web.config file identify these users, and how can I use them in code?

Suresh Dasari said...

@Shekar,
if you want to create roles and assign roles to users, all this I explained clearly in Membership; check this post: http://www.aspdotnet-suresh.com/search/label/Membership

Anonymous said...

Excellent post.

Unknown said...

Thanks!
Thanks for your article.
It's very useful for me to develop my knowledge.
(NANDRI SURESH)

Anonymous said...

Hi Suresh, I have a doubt here.
In the line: , is SureshDasari an AD object, or can it be any username which we create in the DB? Please let me know.

Unknown said...

It's a very good article, very understandable. Now tell me, when a user is denied a page, is a custom error displayed?

Anonymous said...

Nice article Suresh. It solved 80% of my task. Now I want to ask: I have two login pages, Login.aspx and AdminLogin.aspx, and I want to redirect denied users to the AdminLogin.aspx page instead of Login.aspx. Can you help me out?

Unknown said...

Please post a simple approval application in ASP.NET without workflow.

Unknown said...

Thanks for your update. It's very useful.

Anonymous said...

Hi suresh,

This is a really nice post to understand the authorization concept clearly.

Thank you.

Unknown said...

Error 17 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. C:\inetpub\wwwroot\SumitProject\AdminModule\Web.config 6



When I am using web.config authorization in ASP.NET it gives me the above error.

Unknown said...

This comment has been removed by the author.

Unknown said...

Hi Suresh, your articles are very nice. I have a doubt: how to validate allow user and deny user in server-side code (Login.aspx.cs - C#)? How to check whether the logged-in user is an allowed or denied user?

Here is the code added in web.config:

Mohammad Nawaz said...

Nice one Suresh, keep on going.

Unknown said...

Nice tutorial Suresh.
It helped me a lot.
Please keep it up.

Unknown said...

Extremely helpful. Thanks buddy.

Anonymous said...

Thank you very much for sharing this. Please share articles on MVC also.

Anonymous said...

Excellent article sir, keep writing :-)

Anonymous said...

Very nice article Suresh. Thank you so much. It helped me a lot to learn ASP.NET.

Avinash Shrivastava said...

Thanks sir, it is very helpful for us.

dheeraj said...

Hi sir, I have two folders: 1. admin and 2. user folder. Inside admin I add a config file and write the tag


while
it validates all types of users.


© 2015 Aspdotnet-Suresh.com. All Rights Reserved.
The content is copyrighted to Suresh Dasari and may not be reproduced on other websites without permission from the owner.