So far in all my posts, I have never mentioned anything about how to implement authentication/authorisation mechanisms in a web site. In all our professional web applications we need some mechanism to verify who users are and what privileges they have in our site.
This is the first post in a series of posts investigating how to implement membership (authentication+authorisation) in ASP.Net applications.
We will look into the built-in web server security controls, the built-in providers and the provider architecture.
The membership and role providers were introduced in ASP.Net 2.0. Through them we get role management, login functionality and many other features out of the box (password complexity, forgot your password, security question, password reset).
So if you are looking for a RAD solution when it comes to membership, you can use the membership model that ships out of the box since ASP.Net 2.0. The default membership and login controls are not ideal for every situation; it depends on the authentication/authorisation requirements of your application.
I will start by showing you how to use the standard controls for a RAD of a membership web site.
We will use a hands-on example to demonstrate that, as always. Bear in mind this is a beginner level post.
1) Launch Visual Studio 2005, 2008 or 2010. Express editions will work fine. I am using Visual Studio 2010 Ultimate edition.
2) Create an empty ASP.Net web site. Choose an appropriate name.
3) Add an item to your website, a web form. Leave the default name.
4) Add the following markup to the Default.aspx page (inside the form element):
<asp:LoginName ID="myLoginName" runat="server" BackColor="Silver"
    BorderColor="#CC3300" Font-Bold="True" ForeColor="Blue" />
Welcome to our home page!!!
5) Now we have to make some changes to our rather empty web.config file. We want to have Forms authentication and deny all anonymous requests. Add the following lines to the configuration file.
At this point it is important to highlight the defaults we are overriding:
- Default authentication is set to Windows.
- Default authorisation is set to allow anonymous access.
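As an added example (not markup from the original post), this is what the two settings of step 5 look like in web.config, with the defaults inherited from machine.config left in a comment for contrast. The loginUrl value is my assumption; it matches the Login.aspx page created in the next step and is also the framework default.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Defaults inherited from machine.config (shown for contrast, not needed):
         <authentication mode="Windows" />
         <authorization><allow users="*" /></authorization>
         "*" means every user, so anonymous requests are allowed. -->

    <!-- Switch to Forms authentication. Users without a valid forms ticket are
         redirected to loginUrl (assumed: the Login.aspx page of step 6). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="false" />   <!-- set to "true" on an HTTPS site so the
                                          ticket cookie never travels in clear -->
    </authentication>

    <!-- "?" is the anonymous user. Rules are evaluated top to bottom and the
         first match wins, so this single rule rejects every anonymous request
         before the inherited <allow users="*" /> is reached. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```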
6) Now we have to add another item to our website, another web form. This is going to be our Login page. Name it Login.aspx. Drag and drop the Login web server control onto the form. In my case the markup looks like this:
<asp:Login runat="server" BackColor="#E3EAEB" BorderColor="#E6E2D8"
    BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
    Font-Size="0.8em" ForeColor="#333333" TextLayout="TextOnTop">
    <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
    <LoginButtonStyle BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
        BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#1C5E55" />
    <TextBoxStyle Font-Size="0.8em" />
    <TitleTextStyle BackColor="#1C5E55" Font-Bold="True" Font-Size="0.9em" />
</asp:Login>
7) Now go to the Visual Studio menu and choose Website->ASP.NET Configuration.
You will see a new web page loading. Refresh your solution in the Solution Explorer window. You will see the App_Data special folder added to your solution, and inside it you will see the ASPNETDB.MDF database. This is a SQL Server database.
8) Go back to the web configuration page that loaded when we clicked Website->ASP.NET Configuration.
Choose Security and enable roles. When you do that you will see a change in the web.config file. A new line is added:
<roleManager enabled="true" />
9) Go back to the security page and add 2 new roles. I added "friends" and "Manager" as my two roles.
10) Now we must add some users to these roles. In the Security tab (in the web environment), click "Create user". All this data is saved in the ASPNETDB.MDF database.
I created a new user and added him to the friends role. Make sure you use a strong password of 7 characters or more containing at least one non-alphanumeric character; that is what the default provider requires.
11) We will create another user and add him to the Manager role.
12) Launch your site. Instead of seeing the Default.aspx page you will be redirected to the Login.aspx page. Remember, we do not want any anonymous requests. We have an authentication system set up with no code. That is pretty impressive.
13) Try to log in to your site using the credentials of the user that you have just created. As soon as we do that we are redirected to the Default.aspx page and our username is displayed on the page. In my case it displays
"You are nikolaosk. Welcome to our home page!!!"
So we write no code and we have great functionality. When someone types credentials into the Login control, the OnAuthenticate method is called.
Inside that method a call to the ValidateUser() method is made, and under the hood a stored procedure is called (it takes 2 parameters: username, password); that is how you are validated. The stored procedure and the tables are inside the ASPNETDB.MDF database. I urge you to have a look at the schema and data objects of the ASPNETDB.MDF database.
Basically a call is made to the current membership provider. The default provider is "AspNetSqlMembershipProvider".
That is set up in the machine.config file. We can change it if we want by specifying another provider in our web.config file.
14) The way it works is like this. In the .aspx pages we add security controls or type our own custom code. These security controls know how to talk to the membership/role abstract classes.
Inside the web.config file we select the authentication and authorisation settings and other things like the provider (SQL provider etc.). You can write your own provider.
I will continue with more posts on membership in ASP.Net. Stay tuned.
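To make the provider point concrete, here is an added example (not from the original post) of redeclaring the default AspNetSqlMembershipProvider and role provider in web.config instead of relying on the machine.config entries. The attribute values are the ones I am assuming for this walkthrough; the connection string name LocalSqlServer is the one machine.config defines for the ASPNETDB.MDF database.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- <clear /> drops the provider inherited from machine.config, otherwise
         adding one with the same name raises a duplicate-entry error. -->
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
    <!-- passwordFormat="Hashed" stores a salted hash in aspnet_Membership, so a
         copied ASPNETDB.MDF does not reveal passwords; it also forces
         enablePasswordRetrieval="false" (only reset is possible).
         maxInvalidPasswordAttempts/passwordAttemptWindow lock the account after
         5 failures within 10 minutes, and the two minRequired* values are the
         7-character / 1-non-alphanumeric rule enforced when creating users. -->

    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Swapping in your own provider means changing only the `type` attribute; the Login and LoginName controls keep calling the same Membership and Roles classes.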
Hope it helps!!!