Introduction
In this article we will learn what authorization is and how it is used in ASP.NET, and how to set up authorization in web.config to allow and deny particular users.
What is Authorization
Authorization is the process of allowing or denying a particular user access to a resource. In ASP.NET terms, authorization answers a simple question: does the user have access to a particular resource on the IIS website? A resource can be an ASP.NET web page, media files (MP4, GIF, JPEG etc.), compressed files (ZIP, RAR) etc.
When the user starts accessing resources such as pages, videos etc., he is checked for the necessary access to those resources. The process of identifying the rights for resources is termed 'Authorization'.
Implement Authorization In Asp.Net
When you work on an ASP.NET web application, you work with the web.config file. In normal use, web.config mainly holds the global connection string declaration for database connectivity.
In the web.config file, under the configuration section, you will find the system.web section. It contains an authentication mode, but no authorization section.
<configuration>
<system.web>
<authentication mode="None" />
</system.web>
</configuration>
Add an authorization section under system.web and put a deny rule in it. The rule below denies anonymous users.
<configuration>
<system.web>
<authentication mode="Forms">
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Often, though, we need to restrict a particular user from accessing a few pages or resources, or allow access only to users who have a login in the application.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/> <!-- Restrict access for anonymous users -->
</authorization>
</system.web>
<location path="RegForm.aspx"> <!-- RegForm.aspx page path (replace it with your own page name) -->
<system.web>
<authorization>
<allow users="*"/> <!-- The * symbol allows everyone to access the RegForm.aspx page -->
</authorization>
</system.web>
</location>
</configuration>
Here the location path is the name of the .aspx page. Change it according to your requirements and make sure the path is correct.
The code above shows how to give everyone access to a particular page. Next, you will see how to give access to a particular user.
<configuration>
<system.web>
<authorization>
<allow users="GurujiPoint"/> <!-- Allow only GurujiPoint -->
<deny users="*"/> <!--Deny other users -->
</authorization>
</system.web>
</configuration>
Allow only one user to access one particular page and deny everyone else.
<configuration>
<location path="RegForm.aspx">
<system.web>
<authorization>
<allow users="GurujiPoint"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
So far you have learnt how to give everyone access to a particular page, how to give a particular user access to the whole application, and how to give a particular user access to a single page.
Now we will see how to allow users in a particular role, such as Admin, Customer, Client or User.
<system.web>
<authorization>
<allow roles="ADMIN"/> <!--Only Admin User Can Access-->
<deny users="*"/> <!--Deny everyone else-->
</authorization>
</system.web>
The next case is allowing users in a particular role to access folders.
For example, consider a scenario with two or more folders, one of which is the Administration folder and another the Employee folder. The Admin role should have access to both the Administration and Employee folders, while the Employee role can access only the Employee folder.
<configuration>
<location path="AdministrationFolder">
<system.web>
<authorization>
<allow roles="Admin"/> <!-- Allows only Admin role users-->
<deny users="*"/> <!-- Deny everyone else -->
</authorization>
</system.web>
</location>
<location path="EmployeeFolder">
<system.web>
<authorization>
<allow roles="Admin, Employee"/> <!--Allow users in Admin and Employee roles-->
<deny users="*"/> <!--Deny rest of all-->
</authorization>
</system.web>
</location>
</configuration>
Using these methods you can implement the whole authorization process. One thing to remember: the allow statement must always come before the deny statement. Rules are evaluated from top to bottom and the first rule that matches the user decides the result, so if the deny statement is placed first and the allow statement after it, the allow statement will have no effect.
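The ordering rule above can be checked mechanically. The following is an added example, not code from the original article: a small Python evaluator that applies first-match-wins to an authorization section and lists rules that can never apply because they follow a catch-all users="*" rule. The function names and the user "alice" are hypothetical, the verbs attribute is not modelled, and an unmatched request is treated as allowed to stand in for the inherited default allow rule.

```python
import xml.etree.ElementTree as ET

def _names(rule, attr):
    # Comma-separated list, whitespace trimmed; compared case-insensitively
    # here as a simplification of this example.
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}

def _matches(rule, user, roles):
    users = _names(rule, "users")
    if "*" in users:                      # "*" matches everyone
        return True
    if "?" in users and user is None:     # "?" matches anonymous requests
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule, "roles") & {r.lower() for r in roles})

def is_allowed(authorization_xml, user=None, roles=()):
    """Return True if the first matching rule is <allow>, False if it is <deny>."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # assumption: nothing matched, so the inherited default allow applies

def shadowed_rules(authorization_xml):
    """List rules placed after a catch-all users="*" rule; they can never apply."""
    seen_catch_all, dead = False, []
    for rule in ET.fromstring(authorization_xml):
        if seen_catch_all:
            dead.append(ET.tostring(rule, encoding="unicode").strip())
        elif "*" in _names(rule, "users") and rule.get("verbs") is None:
            seen_catch_all = True
    return dead

# Constructed sample input: the article's role rule, and the same rule reversed.
CORRECT = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
REVERSED = '<authorization><deny users="*"/><allow roles="Admin"/></authorization>'

if __name__ == "__main__":
    for label, xml in (("correct", CORRECT), ("reversed", REVERSED)):
        print(label, "| admin allowed:", is_allowed(xml, "alice", ["Admin"]),
              "| unreachable rules:", shadowed_rules(xml))
```

With the reversed order, the Admin user is denied and the allow rule is reported as unreachable.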