Remote Membership/Roles Management of ASP.NET 2.0 Applications

Peter Kellner recently published parts 3 and 4 of his popular how-to series on building a custom remote security management application for ASP.NET 2.0's Membership and Roles feature.  Part 3 covers Ajax enabling it with Atlas, and Part 4 covers adding personalization support with profiles.  You can find the entire series on MSDN here:

For more ASP.NET 2.0 Security Resources, please also check out my ASP.NET 2.0 Security Resources Page.

Hope this helps,

Scott

P.S. IIS 7.0 includes built-in support within its GUI Admin tool for ASP.NET 2.0 Membership and Role Management -- making both local and remote management of sites super easy.  It will work with any custom provider you've built (so it is not limited to only working with the built-in ones).  It also does all of its remote management using HTTP based web-services -- which means it can work through firewalls as well as in shared hosting environments.  I'll post some screen-shots of this in the near future showing it off (it is pretty darn cool).

 
Published Tuesday, July 18, 2006 8:58 AM by ScottGu
Filed under: ,

Comments

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Tuesday, July 18, 2006 1:03 PM by Peter Kellner
Hi Scott, Changes in the June CTP caused me to have to update the javascript namespaces referenced. If people want to run the code associated with the article (Part 3), the should grab the zip file off my blog at this URL: http://peterkellner.net/zdm_1_2/index.php?file=10 After I get some more testing on it, I'll forward it to the MSDN team so they can update the source on the actual article. I've had a many downloads off my blog and no reports of problems. Not sure what that means. Peter Kellner http://peterkellner.net

# Enabling Windows Authentication on Web Apps

Tuesday, July 18, 2006 3:45 PM by Albert Pascual Blog

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Tuesday, July 18, 2006 3:46 PM by Albert Pascual
When I need something I just come to this blog and always, that day is posted for me to use. This is called problem syncronization or something like that. Good job again! Al

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Tuesday, July 18, 2006 7:05 PM by yaip
Eagerly awaiting how to use it with IE 7. I have VS 2005 and IE 7 Beta 3.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Tuesday, July 18, 2006 8:47 PM by impu
Great job but I always like samples to be both C# and VB version ;) ... Regardless this article provides C#, I found it very useful. Thank you for sharing.

# Link Listing - July 18, 2006

Tuesday, July 18, 2006 9:59 PM by Christopher Steen
ASP.NET 2.0 UrlRewriting Fix [Via: Scott Watermasysk ] CSLAcontrib project online [Via: rocky@lhotka.net...

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Wednesday, July 19, 2006 2:02 AM by SoftMind
" IIS 7.0 includes built-in support within its GUI Admin tool for ASP.NET 2.0 Membership and Role Management -- making both local and remote management of sites super easy."............. I am Waiting for more information on this. This is really cool as well as a big relief. Pl. focus more in depth. Thanks

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Wednesday, July 19, 2006 6:52 AM by DotNetGuy
Hello, Can any one point out a VB version of the articles mentioned above. I need a working demo in VB version. The article in 4 stages is great but no use since its only in C#.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Thursday, July 20, 2006 3:16 AM by Majid Sahahbfar
Dear Scott, I've added a profile provider into the web config file but the Profile class is unknown in my codes and I have a compile error. by the way my project is an ASP.NET Web Application (not Web Site). How can I solve this. Thanks Stutt.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Thursday, July 20, 2006 6:27 AM by Tanmay Soni
Hello Scott, I have been reading your blog regularly and I find it the best professional resource. Thank you for great job! I am designing a web application in 2.0 (I m novice for 2.0, alhtough I have experience of 1.1). I would like to know your thoughts about the BEST user managment design considerations in 2.0. Please help. Thanks, Tanmay Soni.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Saturday, July 22, 2006 4:25 AM by Majid Shahabfar
Thanks Scutt, It seems current biuld of WAP doesn't support generating the ProfileCommon class automatically. How can we doing this manually?

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Saturday, July 22, 2006 11:57 AM by ScottGu

Hi Majid,

You can use this utility to automatically generate the ProfileCommon class for WAP projects: http://www.gotdotnet.com/workspaces/workspace.aspx?id=406eefba-2dd9-4d80-a48c-b4f135df4127

Hope this helps,

Scott

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Saturday, July 22, 2006 12:12 PM by ScottGu

Hi Tanmay,

In general I'd recommend using the built-in Membership API and providers in the box, unless you have a good reason to do otherwise.

The built-in providers follow good best-practices (per row SALT hashing, etc) and have been security reviewed thoroughly, and so will be more secure than custom implementations you might right yourself.

Having said that, if you have some custom need to store user information differently, the nice thing is that you can always drop-down and implement your own provider to plug-in.

This page of mine includes a bunch of great ASP.NET security resource links -- including links on how to build your own custom Membership providers if you want to go that route: http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

Hope this helps,

Scott

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Sunday, July 23, 2006 2:58 AM by Majid Sahahbfar
much appreciated Scutt

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Monday, July 24, 2006 3:18 AM by Tanmay Soni
Hi Scott, Thanks for response. I got the referred book - Professional ASP.NET 2.0 Security,Membership and Role management from Stefan. and have read much of it, it really helped me a lot. thanks for the advice. I see that I will be going with the built-in features provided. (thanks again for direction) Drilling down, I have only one question (very specific) with use of built-in functionalities. It is: How do I manage the below information: 1. I have many other attributes of User, then provided by built in functionalities. Do I have some way to add custom attributes/columns to User definition of built-in functionalities. 2. Is it fine if I create FKs in my other tables, that refer to User record, created by the built-in functionalities? Or anything you can suggest here as a best way? Awaiting for your comments... Thanks, Tanmay.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Monday, July 24, 2006 8:49 PM by ScottGu

Hi Tanmay,

In general for storing other properties about users we recommend using the "Profile" system within ASP.NET 2.0.  This allows you to associate properties about users, while still keeping them separate from the username/password in the database (which you often want to-do for security or scaling purposes).

This article right below provides a simple tutorial that shows a few things -- one of which is using the Profile API: http://weblogs.asp.net/scottgu/archive/2006/07/22/Recipe_3A00_-Dynamic-Site-Layout-and-Style-Personalization-with-ASP.NET--.aspx

Hope this helps,

Scott

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Tuesday, July 25, 2006 12:59 AM by Tanmay Soni
Hello Scott, Thank you for response. It really helped me. I will now proceed with concrete design and touch you along the road if required. Once again, it was great to talk to you (for the first time!). Thank you for your time. Tanmay.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Wednesday, July 26, 2006 4:54 AM by Tanmay Soni
Hello Scott, I went through the related material for Provider Model. I also gave special concern to your suggestion of using PROFILE provider for my question of storing additional attributes for a user. I observed that it requires to define the additional properties to store, within the web.config file like - that's great to see that provider model creates necessary columns in DB, as per config nodes. But I am worried at one point - what if I do not want to disclose the additional attribute names and the datatypes? Do we have any other possible way to provide which additional attributes I want to store for user, EXCEPT web.config section (as I mentioned above). At this point, I found one way - to have a table FKing into the ASPNET table - aspnet_Users. I am not sure how feasible is this and whether it is recomended way. Please guide. Thanks, Tanmay Soni.

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Friday, July 28, 2006 12:18 AM by ScottGu

Hi Tanmay,

You could optionally encrypt that web.config file section if you want to hide it entirely.  

Alternatively, you could just go against a database directly and bypass Profile altogether.

Hope this helps,

Scott

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Friday, July 28, 2006 3:00 AM by Tanmay Soni
Hello Scott, Thanks for response. Ok. So these are the possible ways, I wanted to know if I don't know about something offerred. Still, it's great that I know what is possible. Thanks, Tanmay Soni.

# Custom MembershipUser

Friday, July 28, 2006 4:32 AM by Martin
I am struggling here. We already have an API for logging in etc. for the desktop version of our product. A username might login a number of times but each session is assigned a sessionId. I am trying to create a custom MembershipProvder and MembershipUser to do this. But I cannot figure out how to get the current user and get their sessionid. The sessionid being the only unique thing. Thanks Martin

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Friday, July 28, 2006 9:51 PM by ScottGu

Hi Martin,

From within code you can get a User's session Id like so:

string sessionID = HttpContext.Current.Session.SessionID;

Hope this helps,

Scott

# Enabling Windows Authentication on Web Apps

Saturday, August 05, 2006 6:10 PM by Albert Pascual

I should just replicate Scott's Blog. This is the best article to implemented. I need to implemented

# Another Link Round-Up

Thursday, August 17, 2006 5:59 AM by Life, Universe and Everything according to Dirk

Remote Membership/Roles Management of ASP.NET 2.0 Applications Flickr-ing about with .NET VM Additions

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Thursday, August 24, 2006 9:38 AM by devx
hi everybody. I need to use sqlroleprovider in windows app. Does is possible?

# re: Remote Membership/Roles Management of ASP.NET 2.0 Applications

Friday, August 25, 2006 8:14 PM by ScottGu
Hi DevX, This blog post of mine shows how to use the SqlRoleProvider in an app with Windows Authentication: http://weblogs.asp.net/scottgu/archive/2006/07/23/Recipe_3A00_-Implementing-Role-Based-Security-with-ASP.NET-using-Windows-Authentication-and-SQL-Server.aspx Hope this helps, Scott