Usage of Roles API to Perform Authorization in .NET
Authentication and Authorization are two major dimensions of security. Authentication establishes whether the person logging in is a valid user. Authorization determines which modules and actions are accessible to a particular user. Authorization has the following classifications:
User Based Authorization determines if a module is accessible to a particular user.
Role Based Authorization determines if a module is accessible to a particular role.
This article will focus on Role Based Authorization and how it can be achieved using the Roles API.
What is a Role?
Users can be grouped together into a common category called a Role. A few examples of roles are administrators, supervisors and managers. Administrators will have different authorization permissions from supervisors, but all administrators will have the same permissions.
In this case, instead of configuring the same permission set for every administrator user, you can group such users into a role called administrator and assign permissions to the role instead of to individual users. As you add users to or remove users from this role, the permission set mapped to each user changes accordingly.
How to Enable Role Based Authorization in Your .NET Application?
If you want to use Role Based Authorization in your application, make the following entry in the web.config file:
The above example contains only the enabled property of roleManager. In addition, roleManager includes many other properties, which are listed below:
ApplicationName: Name of the application which maintains the role information.
CacheRolesInCookie: If this property is set to true, the user's roles are cached in a cookie and read from that cookie on every page request.
CookieName: Name of the cookie in which the roles of the user are cached.
CookiePath: Path for which the above mentioned cookie is issued.
CookieProtectionValue: Indicates how the role cookie is protected (validated, encrypted, both or neither).
CookieRequireSSL: When set to true, the role cookie is only transmitted over an SSL channel.
CookieSlidingExpiration: Determines whether the expiration date and time of the cookie are reset on each request.
CookieTimeout: Specifies the time limit after which the cookie expires.
CreatePersistentCookie: Determines whether the cookie is persistent or session-based.
Domain: Indicates the domain associated with the cookie.
Enabled: Enables role based authorization for your application when this property is set to true.
MaxCachedResults: Indicates how many role names can be cached in the cookie for a user.
Provider: The default role provider associated with the application.
Providers: The collection of all role providers configured for your application.
Here is an example which uses most of the properties of the roleManager tag in the web.config file:
Role manager is now enabled in your application. Assume that you have created a role called Supervisor. How do you grant the Supervisor role permission to access files in a particular folder? You can do it by using <allow roles="(comma-separated role names)"> inside your web.config file. Here's an example:
As per this example, only users in the supervisor role and the user named John can access files from this location.
How to Manage Roles in Your Code?
You have to create roles, assign users to roles and manage all role based activities. How do you do that? You can perform role management in your code using the methods of the System.Web.Security.Roles class, which represents the Roles API. The methods provided by this class are given below:
CreateRole: To create a new role.
AddUserToRole: To associate a single user with a single role.
AddUsersToRole: To add multiple users to a specified role.
AddUsersToRoles: To add multiple users to multiple roles.
AddUserToRoles: To add a single user to multiple roles.
DeleteCookie: To delete the cookie in which the role names are cached.
DeleteRole: To remove an existing role.
FindUsersInRole: To search for the users in a role by user name.
GetAllRoles: To list all roles defined for your application.
GetRolesForUser: To list all the roles associated with a particular user.
GetUsersInRole: To list the users associated with a role.
IsUserInRole: To determine if the user belongs to the specified role.
RemoveUserFromRole: To remove a user from a particular role.
RemoveUserFromRoles: To remove a user from the multiple roles specified.
RemoveUsersFromRole: To remove multiple users from a particular role.
RemoveUsersFromRoles: To remove multiple users from the multiple roles specified.
RoleExists: To check if the role already exists.
Here's an example covering a few of these methods:
using System.Web.Security;

public void manageRoles()
{
    // Create the role only if it does not exist yet; CreateRole throws
    // if the role is already present.
    if (!Roles.RoleExists("SupervisorRole"))
    {
        Roles.CreateRole("SupervisorRole");
    }

    // Single user -> single role, single user -> multiple roles,
    // multiple users -> single role, multiple users -> multiple roles.
    Roles.AddUserToRole("TestUser1", "SupervisorRole");
    Roles.AddUserToRoles("TestUser2", new string[] { "SupervisorRole", "ManagerRole" });
    Roles.AddUsersToRole(new string[] { "TestUser3", "TestUser4" }, "ManagerRole");
    Roles.AddUsersToRoles(new string[] { "TestUser4", "TestUser5" },
                          new string[] { "Role1", "Role2" });

    // The matching removal methods; user and role names must match exactly,
    // so stray whitespace in a name would cause the lookup to fail.
    Roles.RemoveUserFromRole("TestUser1", "SupervisorRole");
    Roles.RemoveUserFromRoles("TestUser2", new string[] { "SupervisorRole", "ManagerRole" });
    Roles.RemoveUsersFromRole(new string[] { "TestUser3", "TestUser4" }, "ManagerRole");
    Roles.RemoveUsersFromRoles(new string[] { "TestUser4", "TestUser5" },
                               new string[] { "Role1", "Role2" });

    // The single-argument overload checks the currently authenticated user
    // of the request; use IsUserInRole(userName, roleName) for another user.
    if (Roles.IsUserInRole("SupervisorRole"))
    {
        /* do corresponding code */
    }
}