Implementing ASP.NET Role Based Security

Post on 21-Aug-2015


Fort Wayne .Net User Group – First presented on January 8, 2008
Dean Willson
Systemental, Inc.

About Me

  Work for Systemental, Inc. as a Consultant and Software Developer
  Software development to support corporate business process improvement since 2000 (mostly to support Lean or Continuous Improvement initiatives)
  .Net since 2004
  Mfg. Eng. Technology degrees from Ball State University
  Certified Six Sigma Black Belt

Scope of presentation

  Conceptual review
    Provider Model
    Tools (development and maintenance)
  Code examples
    Login Controls – Declarative Control Templates
    Install/Config, Aspnetdb
    Web.config settings
    Code-behind User.IsInRole
  Miscellaneous
    Global.asax populate IPrincipal

.Net Security Providers

  Prebuilt Membership and Role Providers for managing security (and personalization).
  Built-in providers:
    SQL Server
    SQL Express (used during presentation)
    Active Directory
  Provider based, so you can create your own custom providers (MySQL, XML, Custom)

Tools – Development & Maintenance

  Development
    Login Controls
      CreateUserWizard
      Login, LoginView, LoginStatus, LoginName
      PasswordRecovery, ChangePassword
  Maintenance
    WSAT – Web Site Administration Tool (Visual Studio: Website > ASP.Net Configuration)
    Roll-Your-Own admin
    Peter Kellner's Membership Editor

Code Samples

  NUFWStarting website
    Initial project with GridViews for two different roles, HR and Sales (in separate Panels)
    Objective is to add login and role based security functionality for the two roles
  NUFWFinished website
    After adding login and role based security (added during presentation)
  NUFWAdv website
    Showed how to install the aspnetdb Membership database to another existing database (AdventureWorks), then use it. More like a production deployment scenario. Note changes to connection string.
    Shows use of global.asax to populate Roles into GenericPrincipal from an XML file while using the Membership db for the User Authentication
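
The Global.asax approach described for the NUFWAdv site, as an added example (not the presenter's code). The file name App_Data/UserRoles.xml and its users/user/role layout are assumptions, as is running with roleManager disabled so that RoleManagerModule does not replace the principal set here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Xml;

public class Global : HttpApplication
{
    // Hypothetical roles file, constructed for this example:
    // <users><user name="alice"><role>HR</role></user><user name="bob"><role>Sales</role></user></users>
    private const string RolesFile = "~/App_Data/UserRoles.xml";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Forms authentication (backed by the Membership db) has already validated the ticket.
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: leave it to the <authorization> rules

        string[] roles = LoadRoles(Server.MapPath(RolesFile), current.Identity.Name);
        GenericPrincipal principal = new GenericPrincipal(current.Identity, roles);
        Context.User = principal;            // used by User.IsInRole and <allow roles="..."/>
        Thread.CurrentPrincipal = principal; // keeps thread-level role checks consistent
    }

    // Returns the roles listed for userName; a user missing from the file gets no roles.
    internal static string[] LoadRoles(string path, string userName)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null; // do not resolve external DTDs or entities
        doc.Load(path);

        List<string> roles = new List<string>();
        foreach (XmlNode user in doc.SelectNodes("/users/user"))
        {
            XmlAttribute name = user.Attributes["name"];
            // Case-insensitive match on the user name (an assumption of this example).
            if (name == null ||
                !string.Equals(name.Value, userName, StringComparison.OrdinalIgnoreCase))
                continue;
            foreach (XmlNode role in user.SelectNodes("role"))
                roles.Add(role.InnerText.Trim());
        }
        return roles.ToArray();
    }
}
```

With this in place, code-behind checks such as User.IsInRole("HR") and the allow roles rules in Web.config are evaluated against the roles read from the XML file. The file is re-read on every authenticated request, so a role removed from it takes effect on the next request.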

Web.config settings – connection strings

Application App_Data/aspnetdb.mdf (from the machine.config):

<connectionStrings>

<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />

</connectionStrings>

If using SQL Server (full version or custom db/connection):

<connectionStrings>

<remove name="LocalSqlServer" />

<add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;User ID=USER;Password=PASS" providerName="System.Data.SqlClient" />

</connectionStrings>

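Web.config – Authentication, Authorization

<!-- cookieTimeout is in minutes; it and createPersistentCookie only take effect when cacheRolesInCookie="true" (the default is false) -->
<roleManager enabled="true" cookieTimeout="5000000" createPersistentCookie="true" />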

(from machine.config):

<roleManager>

  <providers>

    <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, ..." />

  </providers>

</roleManager>

<authentication mode="Forms">

<forms loginUrl="Login.aspx" defaultUrl="Default.aspx"></forms>

</authentication>

Web.config – restrict access

<system.web>
  <authorization>
    <allow roles="Admin"/>
    <deny users="*,?"/>
  </authorization>
</system.web>

Custom Install Membership Database aspnetdb

Separate Membership database to be used by entire server

Add Membership to an existing database

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe

Wizard – add membership DDL

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -W

Next

Pick authentication method

Almost there

Done

Before and After the Wizard

Launch WSAT

WSAT – Web Site Admin Tool

Select Authentication type

Users, Roles, Access Rules

References

  ASP.NET 2.0 Anthology, Sitepoint, 2007
  ASP.Net 2.0 Membership, Roles, Forms Authentication, and Security Resources by Scott Guthrie: http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
  Peter Kellner's Membership Editor: http://msdn2.microsoft.com/en-us/library/aa478958.aspx
  Introducing Microsoft Visual Basic 2005 For Developers, Microsoft Press, 2005
  http://www.odetocode.com/Articles/428.aspx
  Security for Microsoft Visual Basic .Net, Microsoft Press, 2003

Thank you!

Websites http://www.systemental.com http://www.LeanProjectManager.com

Blog http://dean-o.blogspot.com/ http://practicalhoshin.blogspot.com

Twitter @deanwillson

Email dean@systemental.com

AD Provider

<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>

<!-- <membership> is a child of <system.web>, not of <authorization> -->
<system.web>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <!-- connectionUsername and connectionPassword are stored in clear text in this file -->
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="testdomain\administrator"
           connectionPassword="password"/>
    </providers>
  </membership>
</system.web>

Finished
