Authorize Users

ASP.NET gives you a convenient means to authorize and deny access to resources in your ASP.NET application. You set up authorization in the <authorization> section of the web.config file. You can use the <deny/> tag to deny specific users access and use the <allow/> tag to authorize specific users. Note the use of ?, which is used to represent anonymous identities, and the use of *, which represents all entities. You can use commas to delimit users when you wish to specify multiple users in a single tag. You can also specify users in specific domains if you are using IIS's Integrated Windows Authentication by prefixing the domain name (for example, Domain\UserName).

If you want to be less granular with authorization, you can allow or deny Windows 2000 domain groups. This is done with the roles attribute of the allow element. You can also control the actions that a user is allowed to perform, using the verbs attribute on the allow element. The verbs that you can control are GET, HEAD, and POST. If you do not want a specific user to post data to the Web server but only request Web pages for viewing, you can specify the following:

<allow verbs="GET" users="*" />

<deny verbs="POST" users="Linda" />

AUTHORIZE USERS

- Open the web.config template file from the Code Templates directory.

<authorization> tags; set users attribute to Danny.

- Add an <allow/> tag and set the users attribute to Tommy, Deanna, Bobby.

- Copy the files UserAuthorizationDefault.aspx and UserAuthorizationLogin.aspx from the CD-ROM to the Web site and request UserAuthorizationDefault.aspx from the Web server.

- Type an unauthorized user's name and goals for the password.

- Click the Submit button.

SECURITY AND ASP.NET

With Forms-based authentication, you can log users out by removing their authentication cookie.

TYPE THIS:

<%@ Import Namespace="System.Web.Security" %>
<HTML>
<HEAD>
<SCRIPT LANGUAGE="C#" RUNAT="Server">
// Show the name of the authenticated user.
void Page_Load(object Source, EventArgs e) {
    labelUserName.Text = User.Identity.Name;
}

// Remove the forms authentication cookie, then return to the login page.
void Button_OnClick(Object sender, EventArgs E) {
    FormsAuthentication.SignOut();
    Response.Redirect("UserAuthorizationLogin.aspx");
}
</SCRIPT>
</HEAD>
<BODY>
<FONT FACE="Verdana">
<H3>Welcome to www.mylifetimegoals.com <ASP:LABEL ID="labelUserName" RUNAT="Server"/>!</H3>
<FORM RUNAT="Server">
<ASP:BUTTON ID="buttonSignout" TEXT="Signout" onClick="Button_OnClick" RUNAT="Server"/>
</FORM>
</FONT>
</BODY>
</HTML>

RESULT:

After logging in, you can click the Signout button to remove your authentication cookie and be redirected to the login page.

- You are redirected back to the login page because the user is denied access.

- Enter an authorized name and goals for the password.

- Click the Submit button.

- Access is given to view the default page.
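
Added example, not from the original page: a small Python model of how an <authorization> section is evaluated, applied to the rules from the steps above. It assumes the Danny rule is a <deny/>, that rules are checked top to bottom with the first match deciding, and that a parent configuration ends in <allow users="*"/>; the name Alice and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two rules from the steps, taken alone
# (assumes the Danny rule is a <deny/>).
STEPS_RULES = """<authorization>
  <deny users="Danny" />
  <allow users="Tommy, Deanna, Bobby" />
</authorization>"""

# Same rules closed with a catch-all deny, so the allow list is exhaustive.
CLOSED_RULES = """<authorization>
  <deny users="Danny" />
  <allow users="Tommy, Deanna, Bobby" />
  <deny users="*" />
</authorization>"""


def parse_rules(xml_text):
    """Return [(action, [user, ...])] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag not in ("allow", "deny"):
            raise ValueError("unexpected element: " + el.tag)
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        rules.append((el.tag, users))
    return rules


def is_allowed(rules, user, inherited_allow_all=True):
    """Evaluate top to bottom; the first rule naming the user decides.

    user=None models an anonymous request, which "?" and "*" both match.
    inherited_allow_all models a parent configuration ending in
    <allow users="*"/> (an assumption of this sketch).
    """
    for action, users in rules:
        for name in users:
            if name == "*" or (name == "?" and user is None) or name == user:
                return action == "allow"
    return inherited_allow_all


def audit(xml_text, candidates):
    """Map each candidate identity to the decision the rules produce."""
    rules = parse_rules(xml_text)
    return {c: is_allowed(rules, c) for c in candidates}


if __name__ == "__main__":
    who = ["Danny", "Tommy", "Alice", None]  # Alice and None are not listed
    print("steps :", audit(STEPS_RULES, who))
    print("closed:", audit(CLOSED_RULES, who))
```

With only the two rules from the steps, Alice and the anonymous request match nothing and fall through to the inherited allow; ending the section with <deny users="*"/> makes the allow list exhaustive.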
