In a business or product-related website, it's obvious that we have different types of users, such as admin, superadmin and normal user. When we develop web applications we create a hell of a lot of pages, and at some point we realise that an efficient methodology is needed so that nobody sees pages their role doesn't permit.

Without getting into any fancy techniques, and without resorting to forms authentication or any kind of binary mapping of pages using SQL, we can implement this using a straightforward, simple .NET technique.

1) Just know about HttpModule

2) Know about enumerators

3) Have your role IDs/constants ready for checking

That's it. Create as many string enumerators as you have roles. In each role's enumerator, enter the names of all the pages for that role, exactly as the pages were created.

Write an HttpModule class file in which you check each role and then check the file name/page the user requested (i.e., by using the System.IO.Path.GetFileName(Request.Url.AbsolutePath) method). Write a switch case for each role, and within it a nested switch case for the allowed pages. Case statements can be grouped together for one single action, and in the else case you can redirect to a custom-developed unauthorised notification page.

String comparison against an enumerator is not as straightforward as integer comparison. You must type cast the page-name string value being checked to the enumerator you are checking against.
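
A sketch of the module described above, added here as an example and not code from the original post. The role values, the page names in each enumerator, the Session["RoleId"] key and the Unauthorised.aspx page are all assumptions; the per-role switch calls a helper that does the string-to-enumerator conversion in place of a nested switch over pages.

```csharp
using System;
using System.IO;
using System.Web;
// Hypothetical roles and page lists; member names are page file names without ".aspx".
public enum Role { NormalUser = 1, Admin = 2 }
public enum PublicPages { Login, Unauthorised }
public enum NormalUserPages { Default, Profile }
public enum AdminPages { Default, Profile, ManageUsers, AuditLog }

public class RolePageModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAcquireRequestState += CheckAccess; // Session is not available earlier
    }

    private static void CheckAccess(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // FilePath excludes any trailing path info, so "/Page.aspx/x" is still checked.
        string path = ctx.Request.FilePath;
        if (!path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)) return;
        string page = Path.GetFileNameWithoutExtension(path);
        if (IsListed<PublicPages>(page)) return; // also prevents a redirect loop

        // "RoleId" is an assumed session key holding the role constant as an int.
        object roleId = ctx.Session == null ? null : ctx.Session["RoleId"];
        bool allowed = false; // deny by default: no session, no role, unknown role
        if (roleId is int)
        {
            switch ((Role)(int)roleId)
            {
                case Role.NormalUser: allowed = IsListed<NormalUserPages>(page); break;
                case Role.Admin: allowed = IsListed<AdminPages>(page); break;
            }
        }
        if (!allowed) ctx.Response.Redirect("~/Unauthorised.aspx", true);
    }

    private static bool IsListed<TEnum>(string page) where TEnum : struct
    {
        TEnum parsed;
        // TryParse also accepts numbers ("1") and comma lists, so require a round trip.
        return Enum.TryParse(page, true, out parsed)
            && parsed.ToString().Equals(page, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

The module only runs once it is registered in web.config (system.webServer/modules, or system.web/httpModules in classic mode). Because the check uses the file name alone, pages with the same name in different folders share one entry, so keep page names unique across the site.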
