I am using ASP.NET VB Web forms application.
I have created the user login credentials in my on premises SQL Server database.
I'd like to prevent users from navigating directly to a page without having the proper role/location. Is this possible?
Something like a page load event, I am guessing, but where do I store the user's authenticated credentials from one page to the next?
The main page - perhaps one with a menu bar, etc.? You tend to allow/let everyone into that page.
Then you create a role called, say, SalesGroup. And if you want ONLY those users within SalesGroup to use a specific page?
Then you create (add) a new Folder (e.g., Sales).
Now you can create/add as many ASP.NET pages to that Sales folder. But you ALSO have to add a web.config file to that folder.
Now users, regardless of whether they've logged in, can't use or see those pages unless they are a member of the given role (in our example, SalesGroup).
So I would suggest the main landing page be accessible by anyone. Or make the first/loading page a login screen (since everyone has to be able to use such pages).
To secure a group of pages, as noted, we assume that those pages are placed in a folder (that would be a sub folder).
Then you create a web.config file in that same folder, and you would have this:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="SalesGroup" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

When a user tries to load any page in that folder, if they are NOT logged in, then they will be automatically redirected to the login page. Once they log in from there, they will jump to the web page they originally tried to access.
For example, I have some pages that I ONLY require that users be logged on, but I can test/check for roles in code. This gives finer ability to control and use Roles.
In the Page_Load event, you often see code like this:

    If Roles.IsUserInRole("Staff") Then
        ' this is for staff members - jump to staff page
        Response.Redirect("~/Staff/StaffInfo.aspx")
    End If

You can redirect, show/hide, display things, etc. based on the roles a user might have.
As noted, though, even without any code you can still rest assured that any secured pages as per above can't be used unless the user is logged in, and they have the role(s) that you set in the web.config file.
So, the base pages (say in the root of the site) will not be secured in most cases.
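
One way to carry the user's roles from page to page when the accounts and roles live in your own SQL Server tables, as an added example that is not part of the original answer. It assumes Forms authentication is enabled in the root web.config and no role provider is configured; AuthTicketHelper, SignIn and the "|" separator are hypothetical names and choices.

```vb
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example. Call SignIn from the login page only AFTER the password
' has been verified against your own user table, then redirect with
' FormsAuthentication.GetRedirectUrl(userName, False).
Public Module AuthTicketHelper
    ' roles: role names loaded from your own tables (assumed), e.g. {"SalesGroup"}.
    ' Role names must not contain the "|" separator.
    Public Sub SignIn(userName As String, roles As String(), response As HttpResponse)
        Dim ticket As New FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            False, String.Join("|", roles), FormsAuthentication.FormsCookiePath)

        ' Encrypt() encrypts and signs the ticket under the default
        ' protection setting, so the browser cannot read or alter the roles.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        response.Cookies.Add(cookie)
    End Sub
End Module

' Global.asax.vb: runs on every request, after the Forms authentication
' module has validated the cookie and set an identity without roles.
Public Class Global_asax
    Inherits HttpApplication

    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        Dim current As IPrincipal = HttpContext.Current.User
        If current Is Nothing OrElse Not current.Identity.IsAuthenticated Then Return

        Dim id As FormsIdentity = TryCast(current.Identity, FormsIdentity)
        If id Is Nothing Then Return

        ' Rebuild the principal with the roles stored in the ticket.
        Dim roles As String() = id.Ticket.UserData.Split(
            New Char() {"|"c}, StringSplitOptions.RemoveEmptyEntries)
        HttpContext.Current.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

With the principal rebuilt this way, the `<allow roles="SalesGroup" />` rule in the folder's web.config and a `User.IsInRole("Staff")` check in Page_Load both read the roles from the ticket. A role change in the database takes effect at the user's next login.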