Roles Roles Roles Roles Class
Manages user membership in roles for authorization checking in an ASP.NET application. This class cannot be inherited.
public ref class Roles abstract sealed
public static class Roles
type Roles = class
Public Class Roles
The following example shows the Web.config file for an application configured to use both ASP.NET membership and ASP.NET roles and to use the SqlRoleProvider to store membership and role information in a SQL Server database. Users are authenticated with forms authentication and only users in the Administrators role are allowed access to the application.
<configuration> <connectionStrings> <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" /> </connectionStrings> <system.web> <authentication mode="Forms" > <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" /> </authentication> <authorization> <deny users="?" /> <allow roles="Administrators" /> <deny users="*" /> </authorization> <membership defaultProvider="AspNetSqlProvider" userIsOnlineTimeWindow="15"> </membership> <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="true" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <clear /> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlServices" applicationName="SampleApplication" /> </providers> </roleManager> </system.web> </configuration>
The following code example programmatically checks whether the logged-on user is in the Administrators role before allowing the user to view other users' roles.
ASP.NET role management enables you to manage authorization for your application based on groups of users, referred to as roles. By assigning users to roles, you can control access to different parts or features of your Web application based on role instead of, or in addition to, specifying authorization based on user name. For example, an employee application might have roles such as Managers, Employees, Directors, and so on, where different privileges are specified for each role.
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
To enable role management for your ASP.NET application, use the roleManager element of the
system.web section in the Web.config file for your application, as shown in the following example.
<configuration> <connectionStrings> <add name="SqlServices" connectionString="Data Source=localhost;Initial Catalog=aspnetdb;Integrated Security=SSPI;" /> </connectionStrings> <system.web> <authentication mode="Forms" > <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" /> </authentication> <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" > <providers> <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="SqlServices" applicationName="SampleApplication" /> </providers> </roleManager> </system.web> </configuration>
You can specify authorization rules in the configuration file for your Web application or programmatically in your code. For example, the following section from a Web.config file requires users to log on (by denying anonymous users), and then allows only users in the Administrators role to have access.
<authorization> <deny users="?" /> <allow roles="Administrators" /> <deny users="*" /> </authorization>
If you use the
authorization section in your application's Web.config file to specify authorization based on roles, users of your application must supply an authenticated user identity. You can authenticate users by using either Windows or Forms authentication. Anonymous users cannot be assigned to a role. Roles can be used independently of, or in conjunction with, the ASP.NET Membership classes.
To verify role membership programmatically, you can use the Roles class or the Page.User property with the IsUserInRole method, or you can use the Page.User property with the IPrincipal.IsInRole method. For sample code that programmatically checks role membership, see the Example section in this topic.
The Roles class also enables you to create and delete roles and to add users to or remove users from roles.
If you have configured your application to use the WindowsTokenRoleProvider class, you cannot modify roles or role membership. The WindowsTokenRoleProvider class verifies membership in Windows security groups only. In this case, you must use Windows user account management rather than ASP.NET roles to create and delete groups and manage group membership.
You can store role information in several data sources.
You can use the WindowsTokenRoleProvider class to retrieve role information based on membership in Windows groups.
You can store role information in a SQL Server database by using the SqlRoleProvider class.
If you have existing role information, or want to store role information in and retrieve role information from a data source other than Windows, an Authorization Store, or SQL Server, you can implement a custom role provider by creating a class that inherits the RoleProvider abstract class. For more information, see Implementing a Role Provider.
If a user's browser accepts cookies, you can store role information for that user in a cookie on the user's computer. On each page request, ASP.NET reads the role information for that user from the cookie. This can improve application performance by reducing the amount of communication required with the data source to retrieve role information. If the role information for a user is too long to store in a cookie, ASP.NET stores just the most recently used role information in the cookie and then looks up additional role information in the data source as required. If the user's browser does not support cookies or cookies are disabled, role information is not cached in a cookie.
You can improve the reliability of the role names cached in a cookie by specifying a CookieProtectionValue property when you configure ASP.NET roles. The default CookieProtectionValue is
All, which encrypts role names in the cookie and validates that the cookie contents have not been altered.
|ApplicationName ApplicationName ApplicationName ApplicationName||
Gets or sets the name of the application to store and retrieve role information for.
|CacheRolesInCookie CacheRolesInCookie CacheRolesInCookie CacheRolesInCookie||
Gets a value indicating whether the current user's roles are cached in a cookie.
|CookieName CookieName CookieName CookieName||
Gets the name of the cookie where role names are cached.
|CookiePath CookiePath CookiePath CookiePath||
Gets the path for the cached role names cookie.
|CookieProtectionValue CookieProtectionValue CookieProtectionValue CookieProtectionValue||
Gets a value that indicates how role names cached in a cookie are protected.
|CookieRequireSSL CookieRequireSSL CookieRequireSSL CookieRequireSSL||
Gets a value indicating whether the role names cookie requires SSL in order to be returned to the server.
|CookieSlidingExpiration CookieSlidingExpiration CookieSlidingExpiration CookieSlidingExpiration||
Indicates whether the role names cookie expiration date and time will be reset periodically.
|CookieTimeout CookieTimeout CookieTimeout CookieTimeout||
Gets the number of minutes before the roles cookie expires.
|CreatePersistentCookie CreatePersistentCookie CreatePersistentCookie CreatePersistentCookie||
Gets a value indicating whether the role-names cookie is session-based or persistent.
|Domain Domain Domain Domain||
Gets the value of the domain of the role-names cookie.
|Enabled Enabled Enabled Enabled||
Gets or sets a value indicating whether role management is enabled for the current Web application.
|MaxCachedResults MaxCachedResults MaxCachedResults MaxCachedResults||
Gets the maximum number of role names to be cached for a user.
|Provider Provider Provider Provider||
Gets the default role provider for the application.
|Providers Providers Providers Providers||
Gets a collection of the role providers for the ASP.NET application.