User Authorization

Asp.Net Authorization - Authorizing Users and Roles

In our previous topic, we talked about adding users to roles. 

By authorizing users and roles in the system, we can determine who can and cannot access which parts of the site.

For example, let's say we have a folder named admin. We can say that only users in the admin role can access the pages in this folder, other roles and users cannot access these pages.

The easiest way to block or allow users for a page or folder on the site is to do so in the web.config file.

As you know, there is a web.config configuration file in the root folder of asp.net websites. This file is an xml file containing the general settings of our site.

Now, to the folder named management in our site and the pages/files in this folder;

• Users in the role of admin and editor can access
• standard roles cannot access
• never logged in users can't access

Let's set it up. For this, it will be sufficient to add the following codes into the configuration node in our web.config file.

Do not delete any other code inside the Configuration node. To avoid confusion, you can paste the location node just before the configuration close.

If you are going to authorize more than one folder, you can duplicate the above location node for all of them.

Instead of the web.config file in the main folder, you can add a web.config file to the folders to be authorized and paste the location node above into these files. Thus, our main configuration file is not unnecessarily long.

For example, if you want to add a configuration file in the administration folder and paste the above codes into that file, you will need to make a very minor change:

The change is only in the path parameter. Since the web.config file is already in the administration folder, we deleted the folder name here.

EXERCISES