Role based authorization using LoginView control

This article disusses LoginView control, which is part of System.Web.UI.WebControls namespce , can be found with in Visual studio under ASP.NET Login tab.

LoginView control allows to display different content based on user's authentication status and role. This control contains three templates which can be used based on application requirement as outlined below.

AnonymousTemplate:- Specifies the template to display to users who are not logged into the web site. In other words unauthenticated users. Authenticated users or logged in Users will never see this template.

LoggedInTemplate:- Displays the template for authenticated users or loggedIn users.

RoleGroups:- Specifies the template to display to logged in users who are members of roles with defined role-group templates as shown below. Here content templates are bind to particular roles or role.

   1: <asp:LoginView ID="MasterLoginView" runat="server">

   2:                 <AnonymousTemplate>

   3:                     Welcome: Guest

   4:                 </AnonymousTemplate>

   5:                 <LoggedInTemplate>

   6:                     Welcome:

   7:                     <asp:LoginName ID="MasterLoginName" runat="server" />

   8:                 </LoggedInTemplate>

   9:             </asp:LoginView>

AnnonymousTemplate

In the  above LoginView control content with in AnonymousTemplate is shown to unauthenticated users with a message Welcome:Guest as specified with in template. The above snippet usually used on Master pages in combination of Login.aspx

LoggedInTemplate

Contents or controls with in LoggedIn Template are shown to all users who are logged into website. In other words ‘to all authenticated users’.

In the above example LoginName control is used, so the message Welcome :<LoginName> is shown to logged users.

RoleGroups

   1: <asp:LoginView ID="lvUserRecord" runat="server">

   2:             <RoleGroups>

   3:                 <asp:RoleGroup Roles="Admin">

   4:                     <ContentTemplate>

   5:                         <asp:Button ID="btnEditUser" runat="server" Text="Edit" OnClick="btnEditUser_Click" />

   6:                         <asp:Button ID="btnUpdate" runat="server" Text="Update" OnClick="btnUpdate_Click"

   7:                             OnClientClick="return confirm('Are you sure you want to update this record?');" />

   8:                         <asp:Button ID="btnCancel" runat="server" Text="Cancel" OnClick="btnCancel_Click" />

   9:                     </ContentTemplate>

  10:                 </asp:RoleGroup>

  11:             </RoleGroups>

  12:         </asp:LoginView>

  13:         <asp:Button ID="btnPrint" runat="server" Text="Print" OnClick="btnPrint_Click" />

  14:         <asp:Button ID="btnDownLoad" runat="server" Text="DownLoad" OnClick="btnDownLoad_Click" />

Example:- It is required to display a button or set of buttons to authorized users only.

Solution:- Can be called as control based authorization, where authorized users with a role can view the button controls that are specified with in RoleGroup contentTemplate.

How it works?
When the above LoginView is used on a page, button controls (Edit, Update and Cancel) are shown to only users who are with in Admin role. When the other users get to the page these button controls are hidden consequently the functionality is limited/authorized to users in Admin role only.

LoginView control provides granular level of authorization with minimum effort from developer. It is quite feasible to implement content and control level authorization in web application.

Resources

• http://quickstart.developerfusion.co.uk/QuickStart/aspnet/doc/ctrlref/login/loginview.aspx
• http://www.codedigest.com/Articles/ASPNET/78_LoginView_Controls_with_Roles_in_ASPNet_20.aspx
• http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.loginview.aspx