8.2. Managing User Roles

In addition to authenticating individual users and storing Profile data for them, you usually need to know which roles each user is authorized for in the application. To simplify checking application rights, ASP.NET provides the Membership and Roles features. Roles let you define groups for a Web application that map to business roles, much as you would define groups in the operating system itself.

8.2.1. Configuring Role Management

Like the other application services, Role Management must be enabled. Instead of querying the back-end role store on every request, the role information can be cached in a browser cookie. The roleManager element of web.config lets you specify whether roles are cached in the cookie and how long the cookie lives. You can also configure the service to encrypt the cookie, sign it with a keyed hash so that tampering is detected, or do both:

<roleManager enabled="true"
             cacheRolesInCookie="true"
             cookieSlidingExpiration="true"
             cookieProtection="All" />

The cookieProtection attribute of the roleManager element accepts All, Encryption, None, and Validation; All (encrypt and validate) is the default and the setting I recommend. Avoid None: it exposes every role you have defined to anyone who can read the cookie, and it lets a malicious user submit requests carrying synthetic role values, because nothing checks that the server issued the cookie. Encryption alone hides the role names but does not by itself detect modification, and Validation alone detects modification but leaves the role names readable. If the site runs over HTTPS, also set cookieRequireSSL="true" so the cached roles are never sent on a clear-text connection.

You can create roles in code (the Roles class in System.Web.Security) or through the .NET Roles feature of the IIS 7 Administration tool. Figure 8-7 shows the addition of a new Sellers role to the Sample application.

Figure 8-7. Adding a new Sellers role to the Sample application

A role by itself is not very useful; it is a user's membership in a role that provides utility. Figure 8-8 shows a new user being created with the Administration tool. In addition to the username, password, and email address, the form collects a password recovery question and answer.

Figure 8-8. Creating a new user with the Administration tool

You could write code in every page to check the user's membership in a role, but ASP.NET simplifies this by letting you restrict access to a directory to specific roles. In this web.config snippet, the management subdirectory of the application is configured to allow access to Managers and Administrators and to deny everyone else. Rules are evaluated in the order written and the first rule that matches the request decides, so the allow must come before the deny.

<configuration>
  <location path="management">
    <system.web>
      <authorization>
        <!-- first match wins: members of either role are allowed... -->
        <allow roles="Managers,Administrators" />
        <!-- ...and every other user, authenticated or not, is denied -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
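Because the first matching rule decides, getting the order wrong silently changes the policy. The following added JavaScript model of ASP.NET's allow/deny evaluation is illustration code, not the UrlAuthorizationModule itself; the rule objects, the sample users and the isAuthorized function name are assumptions. It evaluates the two rules from the snippet, then shows that swapping their order locks out the Managers as well, and that deny users="?" blocks only anonymous callers.

```javascript
// Added model of <authorization> rule evaluation (not ASP.NET's code).
// Documented behaviour reproduced here: rules are tested in document order
// and the first one that matches the request decides; "*" means every user,
// "?" means anonymous users; a rule with a verbs list applies only to those
// HTTP verbs. Rules from the nearest web.config come first, and the root
// configuration ends the list with <allow users="*"/>.
const ROOT_DEFAULT = { action: "allow", users: ["*"] };

// A rule is { action: "allow"|"deny", users?: [...], roles?: [...], verbs?: [...] }.
// A user is { name, isAuthenticated, roles: [...] } (constructed shape).
function ruleMatches(rule, user, verb) {
  if (rule.verbs && !rule.verbs.some(v => v.toUpperCase() === verb.toUpperCase())) {
    return false;
  }
  const users = rule.users || [];
  const roles = rule.roles || [];
  if (users.includes("*")) return true;
  if (users.includes("?") && !user.isAuthenticated) return true;
  if (user.isAuthenticated) {
    if (users.some(u => u.toLowerCase() === user.name.toLowerCase())) return true;
    // Role names are compared case-insensitively, as IsInRole does for RolePrincipal.
    if (roles.some(r => user.roles.some(ur => ur.toLowerCase() === r.toLowerCase()))) return true;
  }
  return false;
}

// Returns true when the request is allowed. `rules` is the effective,
// already-merged list for the requested location.
function isAuthorized(rules, user, verb = "GET") {
  for (const rule of rules.concat([ROOT_DEFAULT])) {
    if (ruleMatches(rule, user, verb)) {
      return rule.action === "allow";
    }
  }
  return true; // not reached: ROOT_DEFAULT matches every user
}

// The <location path="management"> rules from the text, in the order written.
const MANAGEMENT_RULES = [
  { action: "allow", roles: ["Managers", "Administrators"] },
  { action: "deny", users: ["*"] },
];

// The same two rules with the order swapped: deny * now matches first,
// so nobody, Managers included, gets in.
const MISORDERED_RULES = [
  { action: "deny", users: ["*"] },
  { action: "allow", roles: ["Managers", "Administrators"] },
];

// A common alternative: block only anonymous users, let every authenticated user in.
const AUTHENTICATED_ONLY = [{ action: "deny", users: ["?"] }];

// Constructed sample principals.
const manager = { name: "alice", isAuthenticated: true, roles: ["Managers"] };
const seller = { name: "bob", isAuthenticated: true, roles: ["Sellers"] };
const anonymous = { name: "", isAuthenticated: false, roles: [] };
```

Note that these rules are applied by the ASP.NET pipeline: in IIS 6 or IIS 7 classic mode only requests mapped to ASP.NET (.aspx, .asmx and so on) are checked, so static files in the management folder would bypass them; IIS 7 integrated mode applies the rules to every request for the path.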

8.2.2. Client-side Role Checks

ASP.NET AJAX allows you to check role information from JavaScript. Like the other application services, the role service must be enabled for remote access in the system.web.extensions section of web.config. The snippet below sets requireSSL="false" on the authentication service so that it works on a development site without a certificate; in production set it to true so that credentials are only accepted over HTTPS:

<system.web.extensions>
  <scripting>
    <webServices>
      <authenticationService enabled="true" requireSSL="false"/>
      <profileService enabled="true" />
      <roleService enabled="true"/>
    </webServices>
  </scripting>
</system.web.extensions>

The role service relies on the authentication service: roles can only be retrieved for an authenticated user. Call Sys.Services.RoleService.load() to fetch the roles from the server, then use isUserInRole() to check for a specific role or get_roles() to read the complete set as an array of role names (which an alert displays comma-delimited). get_roles() returns only what the most recent load() retrieved, so read the roles from the load completion callback rather than directly in pageLoad:

function pageLoad() {
    // Roles are not available until load() has completed; get_roles()
    // returns the array cached by the most recent load.
    Sys.Services.RoleService.load(function () {
        var roleList = Sys.Services.RoleService.get_roles();
        alert(roleList.join(", "));
    });
}

In Listing 8-12 (UsingRoles.aspx), you can see the familiar pattern of calling an ASP.NET application service from an event handler in the page script and supplying completion and failure callbacks. Because the check runs in the browser, it can only decide what the page shows; the server still has to enforce authorization, for example with the <authorization> rules shown earlier.

Example 8-12. UsingRoles.aspx
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Using Roles</title>
</head>
<body>
    <form id="form1" runat="server">
    <asp:ScriptManager runat="server" ID="scriptManager">
        <!-- LoadRoles="false" (the default): the roles are fetched by the
             explicit RoleService.load() call below, not embedded at render time -->
        <RoleService LoadRoles="false" />
    </asp:ScriptManager>
    <div>
    </div>
    </form>

<script type="text/javascript">
// pageLoad is called by the ASP.NET AJAX runtime once Sys.Application
// has finished initializing the page.
function pageLoad() {
    Sys.Services.RoleService.load(loadCompletedCallback, failedCallback,
        null);
}

// result is the array of role names the server returned for the current user.
function loadCompletedCallback(result, context, methodName) {
    if (Sys.Services.RoleService.isUserInRole("Managers")) {
        // A script-side check only shapes the UI; the server must still
        // authorize whatever the Managers view requests.
        alert("Managers view enabled");
    }
}

// error is a Sys.Net.WebServiceError describing the failed call.
function failedCallback(error, context, methodName) {
    var message = error.get_exceptionType() + "\r\n" +
        error.get_message() + "\r\n" +
        error.get_stackTrace();
    alert(message);
}
</script>
</body>
</html>

Roles and Membership are key features for scoping the information presented to the user. Using them, you can tailor the experience to each user's rights within the application. With ASP.NET AJAX you can check membership dynamically from the browser, which reduces page refreshes and server-side rendering. Keep in mind, though, that a script-side check is a usability feature only: anything that must actually be protected has to be authorized on the server, through the authorization rules described above or explicit role checks in server code.
