ASP.Net page security

  1. #1
    Join Date
    Dec 1969

    ASP.Net page security

    I need some tips on the best way to secure individual .NET pages against a SQL table. Each page has the JavaScript menu to access other .NET pages. However, while the pages are in the same directory, not every user should be able to access each page. Any help would be appreciated. Thank You.

  2. #2
    Join Date
    Dec 1969

    RE: ASP.Net page security

    If you have the users in a database it would probably be easy to assign roles to the users and just use the built-in page security that is built into ASP.NET (via FormsAuthentication and the use of roles). But of course this would require that you put all the pages for a given role in its own folder and set the privileges in the web.config.

    Example: after you perform your authentication, ASP.NET can then check the authorization settings you have specified in your web.config...

        <location path="adminPages/managers">
          <system.web>
            <authorization>
              <allow roles="managers" />
              <!-- rules are evaluated top-down, first match wins; "?" would only block anonymous users -->
              <deny users="*" />
            </authorization>
          </system.web>
        </location>

        <location path="adminPages/salesmen">
          <system.web>
            <authorization>
              <allow roles="salesmen" />
              <deny users="*" />
            </authorization>
          </system.web>
        </location>

    The two locations added in the web.config above will allow you to put pages in their respective folders, and then only surfers that get authenticated and are in the proper role can access the pages. ASP.NET will handle it for you and notify the user if they don't have permission to view that page. But this only works for the pages you put in the folders that you have set authorization on... in the example above that would be the managers and the salesmen... and of course these roles have to be in your SQL database and then injected into the context of the current user so the system can check them, otherwise no one will be able to see the protected pages, not even the managers and salesmen. Hope this makes sense. MSDN has some pretty good articles on this, and a Google search always returns pretty good links on this type of thing.
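    The step the reply leaves out, loading the roles from SQL and attaching them to the current user so the web.config rules can match, could look like the Global.asax code below. It is an added example, not code from either poster; the "AppDb" connection string, the UserRoles(UserName, RoleName) table and the IssueTicket helper are assumed names.

```csharp
// Added example, not from the thread. Assumed names: the "AppDb" connection
// string and a UserRoles(UserName, RoleName) table are hypothetical.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
public class Global : HttpApplication
{
    // Call from the login page after the password has been verified:
    // looks up the roles once and stores them in the encrypted ticket.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", userName); // parameterized, no string concatenation
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles.ToArray()),
            FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep the ticket away from page script
        cookie.Secure = FormsAuthentication.RequireSSL; // follows the <forms requireSSL> setting
        response.Cookies.Add(cookie);
    }

    // Runs on every request, before URL authorization evaluates web.config.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }  // tampered or undecryptable cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

    Because the roles travel inside the ticket, a role removed in the database stays effective until that ticket expires, so keep the ticket lifetime short or re-query the table in Application_AuthenticateRequest when revocation must be immediate.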
