Role Based Forms Authentication in ASP.Net
Being a member of a site alone does not entitle the user to access all the resources of a website. Different types of users are allowed to access different contents based on their roles. This kind of access control is easy to implement if the authentication used is Windows and every user of the site has a Windows login. But this is not the case in all scenarios: you may be required to provide role based access even for users without a Windows login. This is possible with role based forms authentication, which can be done easily. The steps for achieving role based forms authentication are given below.
For role based forms authentication you need to create a database for the users which will store the users' passwords and their roles in the website. For example, you might create a table named members with the userid, password, and roles as the fields in that table. While creating the roles you have to decide which types of roles your website requires and create them accordingly. Once you have created the table in the database, the steps involved in achieving role based forms authentication are:
1. Create the login page.
2. Add an Application_AuthenticateRequest event handler in the Global.asax file to get the stored role value and generate a new principal.
The above steps complete the role based authentication in ASP.Net. You should organize your website content in folders based on user roles, which makes it easy to grant permissions for users to access those contents. A web.config file must be present in the root of the web application's directory for role based forms authentication to function properly. It is possible to override the authorization in the web.config files in the sub-directories.
A sample web.config file for the root directory of the web application would look something like the one given below:
This web.config file can be split: you can remove a <location> block from the root file and instead place a separate web.config file in that sub-directory. In that case it is enough for the sub-directory's web.config file to contain only the <configuration>, <system.web>, <authorization>, <allow>, and <deny> elements.
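The login page and the Global.asax handler from the steps above, as an added example that is not the article's own code: the user's roles are written into the forms authentication ticket at login and read back into a GenericPrincipal on every request, so the <allow roles="..."/> rules in web.config can match them. ValidateUser, the control names, and the comma-separated role format are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string roles;  // e.g. "Admin,Editor", as stored in the members table
        // ValidateUser is an assumed helper that checks user id and password
        // against the members table (compare a salted hash, not the raw password).
        if (!ValidateUser(txtUserId.Text, txtPassword.Text, out roles))
        {
            lblMessage.Text = "Invalid user id or password.";
            return;
        }
        // Roles travel in UserData. The ticket is encrypted and MAC-protected with the
        // machineKey, so a client cannot grant itself roles by editing the cookie.
        var ticket = new FormsAuthenticationTicket(
            1, txtUserId.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, roles, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserId.Text, false));
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already validated the cookie and attached a
        // FormsIdentity; anonymous requests are left untouched.
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string userData = identity.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        // Swap in a principal carrying the roles so User.IsInRole() and the
        // <allow roles="..."/> rules in web.config can evaluate them.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

A role change in the members table only takes effect once the user's ticket is reissued, so keep the ticket lifetime short or re-read roles from the database here instead of from UserData if revocation must be immediate.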