Implementing ASP.NET Role Based Security
TRANSCRIPT
Fort Wayne .Net User Group – First presented on January 8, 2008
Dean Willson
Systemental, Inc.
About Me
Work for Systemental, Inc. as a Consultant and Software Developer
Software development to support corporate business process improvement since 2000 (mostly to support Lean or Continuous Improvement initiatives)
.Net since 2004
Mfg. Eng. Technology degrees from Ball State University
Certified Six Sigma Black Belt
Scope of presentation
Conceptual review
  Provider Model
  Tools (development and maintenance)
Code examples
  Login Controls – Declarative Control Templates
  Install/Config, Aspnetdb
  Web.config settings
  Code-behind User.IsInRole
Miscellaneous
  Global.asax populate IPrincipal
.Net Security Providers
Prebuilt Membership and Role Providers for managing security (and personalization).
Built-in providers:
  SQL Server
  SQL Express (used during presentation)
  Active Directory
Provider based, so you can create your own custom providers (MySQL, XML, Custom)
Tools – Development & Maintenance
Development
  Login Controls
    CreateUserWizard
    Login, LoginView, LoginStatus, LoginName
    PasswordRecovery, ChangePassword
Maintenance
  WSAT – Web Site Administration Tool (Visual Studio: Website > ASP.Net Configuration)
  Roll-Your-Own admin
  Peter Kellner’s Membership Editor
Code Samples
NUFWStarting website
  Initial project with GridViews for two different roles, HR and Sales (in separate Panels)
  Objective is to add login and role based security functionality for the two roles
NUFWFinished website
  After adding login and role based security (added during presentation)
NUFWAdv website
  Showed how to install the aspnetdb Membership database to another existing database (AdventureWorks), then use it. More like a production deployment scenario. Note changes to connection string.
  Shows use of global.asax to populate Roles into GenericPrincipal from an XML file while using the Membership db for the User Authentication
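The global.asax technique described for NUFWAdv, as an added example that is not the presenter's code: Forms authentication validates the user against the Membership database, then roles are read from an XML file and attached as a GenericPrincipal. The file name UserRoles.xml, its layout and the class name Global are assumptions; it also assumes `<roleManager enabled="false" />`, because an enabled RoleManagerModule replaces the principal later in the pipeline.

```csharp
// Global.asax.cs (Global.asax: <%@ Application Inherits="Global" %>)
// Added illustration. Assumed role file ~/App_Data/UserRoles.xml (constructed):
//   <users><user name="alice"><role>HR</role></user></users>
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Xml;

public class Global : HttpApplication
{
    // Runs after the Forms authentication module has validated the ticket
    // (the password itself was checked against the Membership db at login).
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = HttpContext.Current.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: left to the <authorization> rules

        string[] roles = LoadRoles(current.Identity.Name,
            Server.MapPath("~/App_Data/UserRoles.xml"));

        // Keep the authenticated identity, attach the roles from the XML file.
        HttpContext.Current.User = new GenericPrincipal(current.Identity, roles);
    }

    // Returns the roles listed for userName. An unknown user gets an empty
    // array, so every User.IsInRole(...) check fails closed.
    private static string[] LoadRoles(string userName, string path)
    {
        List<string> roles = new List<string>();
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null; // the role file needs no external entities
        doc.Load(path);
        foreach (XmlElement user in doc.SelectNodes("/users/user"))
        {
            // Compare names in code instead of concatenating the user name
            // into an XPath expression.
            if (!string.Equals(user.GetAttribute("name"), userName,
                               StringComparison.OrdinalIgnoreCase))
                continue;
            foreach (XmlElement role in user.SelectNodes("role"))
                roles.Add(role.InnerText.Trim());
        }
        return roles.ToArray();
    }
}
```

With this in place, code-behind checks such as User.IsInRole("HR") and `<allow roles="..."/>` rules evaluate against the roles loaded from the XML file.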
Web.config settings – connection strings
Application App_Data/aspnetdb.mdf (from the machine.config):
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />
</connectionStrings>
If using SQL Server (full version or custom db/connection):
<connectionStrings>
<remove name="LocalSqlServer" />
<add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;User ID=USER;Password=PASS" providerName="System.Data.SqlClient" />
</connectionStrings>
Web.config – Authentication, Authorization
<roleManager enabled="true" cookieTimeout="5000000" createPersistentCookie="true" />
(from machine.config):
<roleManager>
<providers>
<add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, ..." />
</providers>
</roleManager>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Default.aspx"></forms>
</authentication>
Web.config – restrict access
<system.web>
  <authorization>
    <allow roles="Admin"/>
    <deny users="*,?"/>
  </authorization>
</system.web>
Custom Install Membership Database aspnetdb
Separate Membership database to be used by entire server
Add Membership to an existing database
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
Wizard – add membership DDL
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -W
Next
Pick authentication method
Almost there
Done
Before and After the Wizard
Launch WSAT
WSAT – Web Site Admin Tool
Select Authentication type
Users, Roles, Access Rules
References
ASP.NET 2.0 Anthology, Sitepoint, 2007
ASP.Net 2.0 Membership, Roles, Forms Authentication, and Security Resources by Scott Guthrie, http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
Peter Kellner’s Membership Editor, http://msdn2.microsoft.com/en-us/library/aa478958.aspx
Introducing Microsoft Visual Basic 2005 For Developers, Microsoft Press, 2005
http://www.odetocode.com/Articles/428.aspx
Security for Microsoft Visual Basic .Net, Microsoft Press, 2003
Thank you!
Websites http://www.systemental.com http://www.LeanProjectManager.com
Blog http://dean-o.blogspot.com/ http://practicalhoshin.blogspot.com
Twitter @deanwillson
AD Provider
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<system.web>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <!-- Demo values: in deployment use a least-privileged service account rather than a domain administrator, and do not keep the password in clear text -->
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString" connectionUsername="testdomain\administrator" connectionPassword="password"/>
    </providers>
  </membership>
</system.web>
Finished