question

rlawrimore avatar image
0 Votes"
rlawrimore asked cooldadtx commented

C# Asp.net Azure Authorization Certain Pages

I am working on a simple website that will use Azure for authentication and authorization. I have 5 actual aspx pages. I need to have certain pages restricted so that based on who is logged into the site with there credentials they do or don't have access. I would like to use app roles from Azure to control this but need some help. I am not sure what to do to get this going and can only find examples of asp. core.

i have already created my roles on the app in Azure.
Admin
Non-Admin

Any help would be appreciated.

dotnet-csharpdotnet-aspnet-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

cooldadtx avatar image
0 Votes"
cooldadtx answered cooldadtx commented

You didn't specify what version of ASP.NET you are using. For ASP.NET MVC (not Core) it is documented here. In general you will globally configure authentication. For controllers (or actions) that require different rules you'll use the Authorize attribute on the controller/action to specify the role(s) you need for that specific action/controller. If anyone needs access then you'll use AllowAnonymous instead. If your site mostly is for unauthenticated users then you would simply apply the Authorize attribute to the controllers/actions that need it. In general it is recommended that you isolate your controllers such those needing security are separate from those that don't.

For ASP.NET Core it is a similar process but APIs and MVC controllers are combined into one. Here's the article on implementing role-based in ASP.NET Core.

If you are using WebForms then the process is different. Security is configured in the web.config using the location elements.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I am just using WebForms for my site. I can to basic authentication to the site and that works. I'm just not sure how to secure individual pages.

Thanks

0 Votes 0 ·

For Webforms you configure the site for the common auth. For sections of the site that need more secure access (such as an admin section) you should move the pages into a separate folder (e.g. Admin) and then add a location) attribute to the webconfig and set the security to restrict it to the role(s) you want. Basically it follows the same syntax as the root config's security but the location element limits it to only pages that match the folder.

For example the following (I believe) limits accessing pages under the Admin section to only administrators.

<location path="Admin">
   <system.web>
       <authorization>
            <allow roles="Admin" />
       </authorization>
   </system.web>
</location>


This assumes your role provider is properly configured. Refer to the docs for how authorization element works.

0 Votes 0 ·