This is the last part of the ASP.NET tutorial series on role-based security and user authentication web development. In the third part, we finished creating the important ASP.NET login and user registration pages, and established a consistent and well-defined navigation menu. In this part, we'll create user access rules based on the types of users who will visit this website, and build these rules into the site.
Contributed by Codex-M, August 24, 2010
The website has three basic types of users. These are the website administrator or supervisor; registered workers for the company; and anonymous users (or normal website visitors). For each type, we will need to formulate different user access rules.
The completed website pages and directories have the following files/folders:
For our example, you need to formulate the following user access rules:
Rule #1. The administrator is allowed to view all of the files and folders in the website. This includes the power to read and edit the website's contents.
Rule #2. The registered workers are only allowed to read the Viewtasks.aspx content, which contains the list of tasks assigned to them from their supervisor. However, they are denied access to the administrator and other administrative folders (like App_Data).
Rule #3. Anonymous users are allowed to visit the home page (as are registered workers and administrators); however, anonymous users are denied access to viewing the registeredworkers and administrator directories.
Despite this limitation, anonymous users can view the following required ASP.NET web pages:
CreateNewUser.aspx, because they might be workers of the company that have not yet registered.
login.aspx, because they might be registered workers or administrators who have not yet logged in to the website.
ThankYou.aspx, which an anonymous user will see upon successful completion of the new worker registration process.
Implementing the User Access Rules in the Website Administration Tool
Now that you have successfully formulated the user access rules, let’s implement them using the Website Administration Tool. To do this, follow the procedures below:
Step 1: Launch the aspnetloginexercise website project in Visual Web Developer.
Step 2: Go to Website -> ASP.NET Configuration.
Step 3: Under “Welcome to the Web Site Administration tool,” click “Security.”
Step 4: Under “Access Rules,” click “Create Access Rules.”
Step 5: Okay, let’s implement Rule #1 first, as discussed above. Under “Add New Access Rule,” do steps 6 through 9 below, in order.
Step 6: Under “Select a directory for this rule,” click the “administrator” folder first.
Step 7: Under “Rule applies to:” select “Administrator.”
Step 8: Under “Permission,” select “Allow.”
Step 9: Click OK.
You have just created rule #1, affecting the “administrator” folder. Now, since the website administrator is allowed to access all folders, repeat Step 6 through Step 9 for the App_data and registeredworkers folders. (For example, click “App_Data,” then select “Administrator” under “Rule applies to:” and set the permission to “Allow”; finally, click OK.)
To make sure you have performed the above steps correctly, click “Manage Access Rules” under “Access rules.” Make sure that the administrator is “allowed” to access these three folders: “administrator,” “App_data” and “registeredworkers.” See the sample screen shot below:
Click each of the folders (administrator, App_data and registeredworkers) to make sure that the “Administrator” is configured to allow access to all of them.
Implementing User Access Rules for Registered Workers
In the previous section, you completed the user role configuration for administrators. Now, you need to configure the rules for registered workers as well. Let’s implement Rule #2 as stated previously.
However, bear in mind that there is only one user role currently available in the Website Administration tool, and that is the “Administrator” role. Before you can assign access rules, you need to create a new role for registered workers. Let’s name it “RegisteredUsers.” To do this, follow the steps below:
Step 1. Under the “Security” tab in the Website Administration tool, click “Create or Manage roles.”
Step 2. Under “New role name,” type RegisteredUsers.
Step 3. There are now two user roles defined by your website (Administrator and RegisteredUsers). See the screen shot below:
Step 4. Click “Back.”
Since the RegisteredUsers role has been created, let’s define an access rule for it using Rule #2. The following are the steps:
Step 1. Under “Access rules,” click “Create Access rules.”
Step 2. Since the registered workers are denied access for administrator and App_data, click “administrator” first under “Select a directory for this rule.”
Step 3. Under “Rule applies to:” select “RegisteredUsers.”
Step 4. Under “Permission,” select “Deny.”
Step 5. Click OK.
Repeat steps 2 through 5 by clicking “App_Data” under “Select a directory for this rule” instead of “administrator.”
Since registered workers are only allowed to access the “registeredworkers” directory, let’s configure this rule:
Step 1. Click “Create Access rules.”
Step 2. Click the “registeredworkers” directory.
Step 3. Under “Rule applies to:” select “RegisteredUsers.”
Step 4. Under “Permission,” select “Allow.”
Step 5. Click OK.
Access rules for anonymous users are covered under Rule #3. They are allowed to access publicly available ASP.NET web pages; however, they are restricted from visiting the administrator and registeredworkers directories. To implement this rule:
Step 1. Click “Create Access Rules.”
Step 2. Let’s start configuring the “administrator” directory first. Click it under “Select a directory for this rule.”
Step 3. Under “Rule applies to:” select “Anonymous users.”
Step 4. Under “Permission,” select “Deny.”
Step 5. Click OK.
Do the same for App_data and the registeredworkers folder, selecting “Deny” under “Permission.”
The user role configuration is now complete. You can confirm that you have correctly set the configuration by clicking “Manage Access Rules” and then looking at the screen shot below for the different access rules for every directory.
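Behind the tool, each access rule you created is written to a web.config file inside the directory it applies to. The fragments below are an added illustration, not files from the tutorial project, of what the administrator and registeredworkers folders contain after the steps above, plus the root settings (Forms authentication with login.aspx and an enabled role manager) that the earlier parts are assumed to have set up. Authorization rules are evaluated top to bottom and the first match wins; if no rule matches, ASP.NET falls back to an implicit allow-everyone rule, which is why the explicit deny for anonymous users matters.

```xml
<!-- administrator/web.config: Rule #1 (allow), Rule #2 (deny) and Rule #3 (deny) -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />      <!-- Rule #1: members of this role pass -->
      <deny roles="RegisteredUsers" />     <!-- Rule #2: registered workers are refused -->
      <deny users="?" />                   <!-- Rule #3: "?" stands for anonymous users -->
    </authorization>
  </system.web>
</configuration>

<!-- registeredworkers/web.config: Rule #1 (allow), Rule #2 (allow) and Rule #3 (deny) -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <allow roles="RegisteredUsers" />
      <!-- Without this line the implicit final <allow users="*" /> would let
           anonymous visitors read Viewtasks.aspx, because the two allow rules
           above match only members of those roles and nothing else. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Root web.config (assumed from parts 1 to 3): an unauthenticated request that is
     denied above is redirected to loginUrl, and roles must be enabled for the
     roles="..." attributes to be evaluated at all. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>
</configuration>
```

The App_Data deny rules created in the tool are harmless but redundant: ASP.NET refuses to serve files from App_Data over HTTP regardless of authorization rules, so the folder's real protection does not depend on them.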
Adding a Set of Workers under the RegisteredUsers Profile
So far, no workers have been added under the “RegisteredUsers” profile. Let’s add the first set of workers -- Peter, John and Mary -- with the “RegisteredUsers” profile. To do this, follow the steps below:
Step 1. Under “Roles” in the Security tab, click “Create or Manage roles.”
Step 2. In the role name “RegisteredUsers,” click “Manage.”
Step 3. Under “Search for Users,” type the worker name and check “User Is in Role.”
Do that for Peter, John and Mary.
Step 4. Finally, click “Security” in the navigation menu of the website administration tool.
Step 5. Under “Users,” click “Manage users.”
Step 6. You should see the list of users for the website, with their specific roles. Click on “Edit roles” and you will see the roles assigned to the users.
Test the Website in the Browser
Let’s put the role-based security and authentication to the test.
First, we'll visit the website as an anonymous user. Close the website administration tool by closing the browser. Go to Default.aspx in Visual Web Developer, then open it in the browser by going to File -> View in Browser.
Since you are not yet logged in, your user profile is “Anonymous.” Let’s check to see if Rule #3 holds true. Try clicking the "view tasks," "assign tasks" and "edit tasks" links in the website navigation menu.
You might notice that every time you click those links, the website asks you to log in. You are not authorized to view the content unless you are an authenticated user of the website.
Anonymous users are denied access to “View tasks,” which is located in “registeredworkers” directory, as well as “Assign tasks” and “Edit tasks” from the “administrator” directory.
Second, we'll test the “Administrator” role. So let's log in as an administrator. You might notice that once you are logged in, you can view all of the content found on the website; that includes the administrative and registered workers directory.
Finally, we'll try logging in as a “Registered Worker.” We'll use Peter's login details, which we created in the first part of this tutorial:
User Name: Peter
Password: zedRab2=ba@U
You will notice that Peter can only View tasks but cannot Assign or Edit tasks. This is because his user role is “RegisteredUsers,” which does not have access rights to administrative folders.
This is an example of ASP.NET role-based security.
Registering New Workers
Let’s register a new worker. Follow the steps below:
1. Click “Register New workers” in the website navigation menu.
2. Enter the following details:
User Name: Alexis
Password: hgh^7hjho9
E-mail: alexistheworker@gmail.com
Security question: What is your puppy name?
Security Answer: Shark
3. Click “Create User” and “Continue.”
4. You will then see a thank you note:
5. Let’s make Alexis's account active using the Website Administration tool.
6. Click “Security.”
7. Click “Manage users.”
You will notice that Alexis's account is still not checked under “Active.” To activate Alexis's account, we must check that box.
Under “Edit roles,” you can assign a role to Alexis. Since he is a worker, you need to check “RegisteredUsers.”
Now close the Website Administration tool and try logging in to the website using Alexis's active account. Alexis can now view the tasks (viewtasks.aspx) with access privileges as a registered worker.