In this tutorial we will explore ASP.NET’s Website Administration Tool to create users, manage roles, and demonstrate how you can control which user accounts have access to certain web pages.

Creating the Default.aspx Page

For this tutorial we will need to create a simple home page that allows us to log in and contains a link to our secure admin page. At this point in the tutorial I have created a new ASP.NET Empty Web Site in Microsoft Visual Web Developer. To begin setting up our home page, add a new Web Form named Default.aspx to the project and open it in Design mode. Then:

  1. Drag and drop a HyperLink Control onto the Web Form.
    1.1.  Change the Text property of the HyperLink to ‘Admin Page’.
    1.2.  Change the NavigateUrl property of the HyperLink to ‘Secure/Admin.aspx’.
  2. Expand the Login tab in your toolbox.
  3. Drag and drop a Login Control under the Admin Page HyperLink.

Creating the Admin.aspx Page

Next, we are going to add in a simple page called Admin.aspx that we will secure and only let Administrators access. To do this:

  1. Click the ASP.NET Configuration icon in the Solution Explorer to open up the ASP.NET Website Administration Tool.
  2. In the ASP.NET Website Administration Tool click the Security tab.
  3. Under the Roles header click Enable roles.
  4. Under the Roles header click Create or Manage roles.
  5. Type ‘Administrator’ in the New role name TextBox and click Add Role.
  6. Type ‘User’ in the New role name TextBox and click Add Role.

Now we have added two different roles to distinguish between our ordinary users and administrators. Next we need to create accounts that utilize these roles.

Enabling and Creating Users

Next, we are going to create two users, Admin and User. To do this:

  1. In the ASP.NET Website Administration Tool click the Security tab.
  2. Under the Users header click Select authentication type.
  3. Select From the internet and click Done.
  4. Under the Users header click Create user.
  5. Create a new account called ‘Admin’ making sure that under Select roles for this user the Administrator role is checked.
  6. Create a new account called ‘User’ making sure that under Select roles for this user the User role is checked.

Managing Access Rules

Next, we are going to set permissions so that only users with an Administrator account can access pages in the Secure folder that we added earlier. To do this:

  1. In the ASP.NET Website Administration Tool click the Security tab.
  2. Under the Access Rules header click Manage access rules.
  3. Under the Manage Access Rules header select our Secure folder.
  4. Click Add new access rule.
  5. Make sure that Role is selected and that Administrator is selected in the DropDownList.
  6. Under Permission select Allow.
  7. Click OK.
  8. Click Add new access rule.
  9. Make sure that All users is selected.
  10. Under Permission select Deny.
  11. Click OK.

These two rules deny access to the Secure folder for everyone except members of the Administrator role. Our Admin.aspx page is in that folder, so only an Administrator account will be able to access it.
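
The two access rules are stored as an authorization section in a web.config file inside the Secure folder, and ASP.NET applies them top to bottom, with the first matching rule deciding. The following is an added example, not part of the original tutorial: a simplified Python model of that evaluation, using a constructed web.config and hypothetical helper names, that shows why the Allow rule has to come before the Deny rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Secure/web.config; only the rule order varies.
TEMPLATE = """<configuration>
  <system.web>
    <authorization>
      {first}
      {second}
    </authorization>
  </system.web>
</configuration>"""
ALLOW_ADMIN = '<allow roles="Administrator" />'
DENY_ALL = '<deny users="*" />'

# Order created by the steps above: Allow for the role, then Deny for all users.
SECURE_WEB_CONFIG = TEMPLATE.format(first=ALLOW_ADMIN, second=DENY_ALL)
# Same rules reversed: the deny-all rule now matches before the allow rule.
MISORDERED_WEB_CONFIG = TEMPLATE.format(first=DENY_ALL, second=ALLOW_ADMIN)


def _names(value):
    """Split a comma-separated users= or roles= attribute into names."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def rule_matches(rule, user, roles):
    """user is None for an anonymous request; roles holds the user's role names."""
    for pattern in _names(rule.get("users")):
        # "*" is every user, "?" is anonymous users only (exact-match names here).
        if pattern == "*" or (pattern == "?" and user is None) or pattern == user:
            return True
    return any(role in roles for role in _names(rule.get("roles")))


def is_allowed(config_xml, user=None, roles=()):
    """Walk the <authorization> rules top to bottom; the first match decides."""
    section = ET.fromstring(config_xml).find("system.web/authorization")
    for rule in (section if section is not None else []):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # simplification: with no matching rule the inherited default allows


if __name__ == "__main__":
    for name, cfg in (("as configured", SECURE_WEB_CONFIG), ("reversed", MISORDERED_WEB_CONFIG)):
        for user, roles in ((None, ()), ("User", {"User"}), ("Admin", {"Administrator"})):
            print(name, user or "anonymous", "allowed" if is_allowed(cfg, user, roles) else "denied")
```

With the rules reversed, the Admin account is denied as well, so when reviewing a folder's access rules check the order and not just which rules are present.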

Testing

Next, we want to test this out to make sure it is working. Go ahead and load up the Default.aspx page and:

  1. Click the Admin Page link. Notice that it tells us the page cannot be found. This is because we are not logged in, so we do not currently have access to it.
  2. Navigate back to the Default.aspx page.
  3. Log in using the User account we created.
  4. Click the Admin Page link. Notice it still cannot be found. Even though we are logged in to an account, we still are not an Administrator.
  5. Navigate back to the Default.aspx page.
  6. Log in using the Admin account we created.
  7. Click the Admin Page link. Notice you see the Welcome Admin message, meaning the page loaded successfully.

The Default.aspx source looks like this:

The Admin.aspx source looks like this:
