Article ID: 306238 - Last Review: October 29, 2007 - Revision: 3.11

How To Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET

View products that this article applies to.
This article was previously published under Q306238

On This Page

Expand all | Collapse all

SUMMARY

This article describes how to implement role-based security in an ASP.NET application that implements forms-based authentication using Visual Basic .NET.

Back to the top

Requirements

This article assumes that you have already implemented forms-based authentication on an ASP.NET application. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
308157  (http://support.microsoft.com/kb/308157/EN-US/ ) How To Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
Back to the top

Assign the Roles to the Authenticating User

Because forms users usually are not Microsoft Windows users, they do not have any roles associated with them by default. Thus, you must attach the roles of the authenticating user to that user's identity so that you can implement the role-based security inside your code.

Use the sample code in this section to implement role-based security in your application. This sample code assigns pre-specified roles to the authenticating user. Depending how you store your user data, you can implement your own method to retrieve the roles for that authenticated user and attach those roles to the authenticating user's identity, which is illustrated in the sample code to follow.

Copy the following code in your Global.asax file in your existing application to assign the roles to the authenticating user in the Application_AuthenticateRequest event handler: 
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
if (not(HttpContext.Current.User is Nothing)) then
    if HttpContext.Current.User.Identity.AuthenticationType = "Forms" then
        Dim id as System.Web.Security.FormsIdentity
        id = HttpContext.Current.User.Identity

        Dim MyRoles(2) As String
        MyRoles(0) = "Manager"
        MyRoles(1) = "Admin"
        HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id,MyRoles) 
    End if
End if
End sub
Back to the top

Check the User Roles and Implement the Program Logic in Your ASPX Pages

The following steps demonstrate how to implement and control the program logic based on the roles to which the authenticating user belongs.
  1. Create a new .aspx page named Sample.aspx, and paste the following code:
    <%@ Page Language="VB" %>
<%@ Import Namespace="System.Web" %>

  <script runat=server>
    Sub Page_Load(Src As Object, E As EventArgs)
	if User.IsInRole("Admin") then
		Response.Write ("You are an Administrator")
	Else
		Response.Write ("You do not have any role assigned")
	End if
    End Sub

  </script>
  2. Save Sample.aspx in your existing application. Browse to the page to test it.
Back to the top

REFERENCES

For an overview on ASP.NET security, see the following article in the Microsoft Knowledge Base:
306590  (http://support.microsoft.com/kb/306590/EN-US/ ) INFO: ASP.NET Security Overview
For more information about role-based security, refer to the following .NET Framework Software Development Kit (SDK) documentation:
Role-Based Security
http://msdn.microsoft.com/en-us/library/52kd59t0(vs.71).aspx (http://msdn.microsoft.com/en-us/library/52kd59t0(vs.71).aspx)
The documentation and source code at the following MSDN Web site also contains information about role-based security:
IBuySpy Developer Solutions
http://msdn.microsoft.com/en-us/library/ms978480.aspx (http://msdn.microsoft.com/en-us/library/ms978480.aspx)
For more general information about ASP.NET, refer to the following MSDN newsgroup:
microsoft.public.dotnet.framework.aspnet (http://msdn.microsoft.com/newsgroups/default.aspx)
For more information, refer to the following books:
Reilly, Douglas J. Designing Microsoft ASP.NET Applications (http://www.microsoft.com/mspress/books/toc/5136.aspx) . Microsoft Press, 2001.

Esposito, Dino. Building Web Solutions with ASP.NET and ADO.NET (http://www.microsoft.com/MSPress/books/5727.aspx) . Microsoft Press, 2001.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
  • Microsoft Visual Basic .NET 2003 Standard Edition
  • Microsoft Visual Basic .NET 2002 Standard Edition
Back to the top
Keywords: 
kbproductlink kbhowtomaster kbsecurity KB306238
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations