Create Custom RoleProvider for ASP.NET Role Permissions and Security
by David Hayden ( Microsoft MVP C# ), Filed: ASP.NET 2.0
Note: It is recommended that you read the following post, Create Custom Membership Provider for ASP.NET Website Security, before reading this tutorial for a complete understanding of the topic and scenario.
Most ASP.NET applications implement roles to deal with role permissions and security. Often the permissions a user has on the website are based on the roles that the user is assigned to. User roles might be anything from “Guest”, “User”, “Admin”, etc.
Just like with a Custom MembershipProvider in ASP.NET, one can create a Custom RoleProvider to be used by the web application. A Custom RoleProvider inherits from the abstract base class RoleProvider and has a number of optional methods and properties that can be overridden. However, as with a Custom MembershipProvider, implementing the details of a method or property is completely optional depending on the needs of the application. In this tutorial I am going to create a simple RoleProvider, called SimpleRoleProvider, that shows just how easy it is to get started with a custom RoleProvider.

In my case, I am only going to implement one method, GetRolesForUser, which is all I need to provide role based security in conjunction with the Custom MembershipProvider I built in the following tutorial:
Create Custom Membership Provider for ASP.NET Website Security
First things first, I need to enable the RoleManager in web.config and tell it that my SimpleRoleProvider class will now be the provider responsible for providing role information:
<roleManager
    enabled="true"
    defaultProvider="SimpleRoleProvider">
  <providers>
    <clear/>
    <add
        name="SimpleRoleProvider"
        type="Hayden.RoleProviders.SimpleRoleProvider, Hayden.RoleProviders"/>
  </providers>
</roleManager>
I next need to create the Custom RoleProvider, where I essentially just want to give myself, with the username “Dave”, administrator privileges on the website. Normally you would not hardcode the roles in code, but again, this is an example of how easy it is to get started with a Custom RoleProvider. Here is my SimpleRoleProvider with all other methods and properties not shown throwing a NotImplementedException:
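using System;
using System.Collections.Generic;
using System.Web.Security;

public class SimpleRoleProvider : RoleProvider
{
    // Only GetRolesForUser is shown; all other members throw NotImplementedException.
    public override string[] GetRolesForUser(string username)
    {
        // Every username receives the "Guest" role.
        List<string> roles = new List<string>();
        roles.Add("Guest");
        // Null-safe, case-sensitive comparison: only the exact username "Dave" gets "Admin".
        if (string.Equals(username, "Dave", StringComparison.Ordinal))
            roles.Add("Admin");
        return roles.ToArray();
    }
}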
Everyone is given a "Guest" Role, but only the username "Dave" has an additional role of "Admin".
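A compilable version of the provider above, as an added example rather than the author's own code: it spells out the abstract RoleProvider members the listing leaves out and answers IsUserInRole from the same data as GetRolesForUser. The role table is constructed sample data, and ExtraRoles, BuildRoles and the applicationName field are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

namespace Hayden.RoleProviders
{
    public class SimpleRoleProvider : RoleProvider
    {
        // Constructed sample data standing in for a real role store (assumption).
        // Ordinal comparer: "dave" and "Dave" are different users.
        private static readonly Dictionary<string, string[]> ExtraRoles = BuildRoles();
        private string applicationName = "/";
        private static Dictionary<string, string[]> BuildRoles()
        {
            Dictionary<string, string[]> map = new Dictionary<string, string[]>(StringComparer.Ordinal);
            map.Add("Dave", new string[] { "Admin" });
            return map;
        }

        public override string ApplicationName { get { return applicationName; } set { applicationName = value; } }

        public override string[] GetRolesForUser(string username)
        {
            List<string> roles = new List<string>();
            roles.Add("Guest");
            string[] extra;
            // Null or unknown usernames get "Guest" only (deny by default).
            if (username != null && ExtraRoles.TryGetValue(username, out extra))
                roles.AddRange(extra);
            return roles.ToArray();
        }

        // Answer role checks from the same source as GetRolesForUser so both paths agree.
        public override bool IsUserInRole(string username, string roleName)
        {
            return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
        }

        // Read-only provider: role management and query members are left unimplemented.
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
        public override void CreateRole(string roleName) { throw new NotImplementedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotImplementedException(); }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotImplementedException(); }
        public override string[] GetAllRoles() { throw new NotImplementedException(); }
        public override string[] GetUsersInRole(string roleName) { throw new NotImplementedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
        public override bool RoleExists(string roleName) { throw new NotImplementedException(); }
    }
}
```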
To test this out, let's add security on Page1.aspx that only allows users in the “Admin” Role to view / use the page:
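using System.Security.Permissions;

// Only principals in the "Admin" role may use this page; others get a SecurityException.
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public partial class Page1 : System.Web.UI.Page
{
    // ...
}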
When a user logs in and gets redirected to Page1.aspx, the GetRolesForUser Method in SimpleRoleProvider will be called to verify the user is assigned to the “Admin” Role. If so, the page works fine. If not, a SecurityException will be thrown, not allowing the page to be viewed. In the case shown above, the page will only be available to username “Dave”.
And that is the 5-minute review on how to get started with a Custom RoleProvider for your ASP.NET Websites. ASP.NET comes with a few built-in providers, like SqlRoleProvider, but it is just as easy to roll your own.