Setting up security for web application with ASP.Net Web Site Administration Tool
Using ASP.Net Web Site Administration Tool for Security Setup

Microsoft Visual Studio has a built-in ASP.Net Web Site Administration Tool that helps you set up and edit users, roles, and permissions for your web site or application with minimal code writing. Assuming that you already have a web site and now need to implement security for it, this article will show you how you can use the ASP.Net Web Site Administration Tool to do that.

We used this tool for our social media marketing product development, but for the purpose of this article, I created another test application called WebApplication1 that has all the default folders and files and just one extra folder called "Admin." See below.

The first step is to identify what database to use and which application services (membership, roles, etc.) to add to your application. By default, the Web Site Administration Tool configures and uses a local Microsoft SQL Server Standard Edition database in the App_Data folder for the web site. If, however, you do not have a database defined in the App_Data folder, one easy way to add it is discussed in this article: Adding Membership and Roles to your MVC or ASP.Net Web Site – Application Services, http://computerscribe.com/blogs/BlogPost?id=11

Note that if you use Visual Studio 2010 and .Net Framework 4.0, the membership configuration is automatically added to your web.config and you just need to modify the database connection string.

To fire up the Web Site Administration Tool, go to Visual Studio, select your project and click Project -> ASP.Net Configuration. The page that opens up looks like this:
Figure 1 – ASP.Net Web Site Administration Tool

The first step that I recommend is to test your database connection. Click on Provider Configuration and either select a single provider (first link) or different providers (second link). In my case, I need only one provider, so I click the first link. This takes me to a second page where I can click "Test" to validate my database connection. Once you have successfully established a database connection, you're ready for the security setup.

If you want to work with roles (recommended), you first need to enable roles and create new ones. The steps to create new roles are straightforward, so I will not discuss them here. For my test, I created two roles: Admin and User.

Once the roles are created, you are ready to create users. Note: to create users, you do not need to have roles. However, I find that setting up access rules is easier with roles than with individual users. Again, the steps for creating users are self-explanatory, so I just went ahead and created two users, Admin1 and User1, without showing how it's done.

The final step in the Security tab is to set up access rules. This is the place where you set permissions on the whole site or on individual folders for roles and users. For example, if I want to give everyone access to the Account folder, I select the folder and make sure "All users" and "Allow" are selected, as shown below.
Figure 2 – Setting up Access Rules for the Account folder

For the Admin folder, I want to give access only to the Admin role. To do this, I select the folder, choose the "Admin" role, select "Allow" and click "OK". See Figure 3 below. Note: every time you click "OK", you are taken back to the previous page, and to add another rule you have to click "Create access rules" again. I found this annoying and confusing at first, so I wanted to point it out.

Figure 3 – Allowing Access to the Admin folder for Admin Role

What I also need to do is deny access to everyone else, so I choose "All users" and "Deny" and click "OK".
Figure 4 – Denying Access to the Admin folder for all other users

Now we're ready for testing. Press F5 to start the debugger. You can log in as either the User or the Admin role and see that you have no problem accessing the Account folder. If, however, you log in as "User1" and try to go to the Admin folder (by typing http://localhost/WebApplication1/Admin in the address bar), you are kicked back to the login page because you do not have permission for this folder. If you now switch to "Admin1", you are not redirected to the login page and can access the folder. See Figure 5 below.

Figure 5 – Admin Role can access the Admin page in the Admin folder

Setting up access rules for individual pages in the application, or for controls (e.g. links, textboxes, dropdown lists, gridviews, etc.) on the pages, cannot be done via this tool and is beyond the scope of this article, so I'll leave it to you for your own exploration.
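Behind the scenes, the access rules from Figures 2 to 4 are written by the tool as `<authorization>` elements into a web.config file inside each folder. The following is an added example of what those generated files look like for this walkthrough (it is not copied from the original article or from Visual Studio output); the folder names and the Admin role match the text, and the login page path and the forms authentication element in the root web.config are assumptions.

```xml
<!-- WebApplication1/web.config (root): forms authentication is what makes an
     unauthorized request redirect to the login page, as described in the test run.
     The loginUrl value is an assumption for this example. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
  </system.web>
</configuration>

<!-- WebApplication1/Account/web.config: the rule from Figure 2.
     "All users" + "Allow" becomes users="*", so anonymous visitors can reach
     the login and registration pages. -->
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- WebApplication1/Admin/web.config: the rules from Figures 3 and 4.
     ASP.NET evaluates authorization rules top-down and stops at the first match,
     so the order matters: the Admin allow must come BEFORE the deny-all.
     If <deny users="*" /> were listed first, Admin1 would be locked out too.
     Create the "Allow Admin" rule first, as the article does, or use the
     Manage Access Rules page to move rules up and down. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

A quick check after editing: open the folder's web.config directly and confirm the rule order matches what the tool's Manage Access Rules page lists, since the page shows the rules in the same order ASP.NET applies them.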