Prior to .NET 2.0, ASP.NET developers had to choose between Windows authentication and Forms authentication to implement membership. With Forms authentication, the data store had to be created, the business logic to manage roles and permissions had to be written, and the presentation layer for login and logout had to be built by hand.
In 2.0 and beyond, the Membership API enhances and replaces the previous authentication and authorization features: Membership and Roles are built in, they can be used with any data store, and custom membership and role providers can be written, so the data can be kept in any source.
Password management is taken care of in terms of storing, resetting and recovering passwords, as is user authentication. Server controls make these features simple to use; they are extensible and templated.
It also provides a full-featured API so your own membership management code can interact with it. Typical operations: add and delete roles, retrieve the list of users in each role, retrieve the list of roles for each user, and cache role information in an encrypted cookie, which avoids a costly database lookup each time a user moves from one page to another.
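The role and user operations listed above, as an added example in C# that is not part of the original notes: it drives the Membership and Roles static classes the way application code would, and reports the exact CreateUser failure reason instead of a generic error. The role name, user name, password, e-mail and question/answer are made-up values, and the code assumes web.config already has a working membership provider and an enabled roleManager.

```csharp
// Added example (not from the original notes): exercising the ASP.NET 2.0
// Membership and Roles APIs. "Administrators", "alice", the password and the
// e-mail are assumed values for illustration.
using System;
using System.Web.Security;

public static class MembershipSetup
{
    // Create a role only if it doesn't exist; Roles.CreateRole throws on duplicates.
    public static void EnsureRole(string role)
    {
        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);
    }

    // Create a user and surface the precise failure reason. MembershipCreateStatus
    // distinguishes a password that fails the provider's policy from a duplicate
    // user name or e-mail, which a bare exception would not.
    public static MembershipUser CreateUser(string name, string password, string email,
                                            string question, string answer)
    {
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(name, password, email, question, answer,
                                                    true /* isApproved */, out status);
        if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException("CreateUser failed: " + status);
        return user;
    }

    // Validate credentials and issue the forms-authentication ticket on success.
    // A false result may mean a wrong password OR a locked-out account: the
    // SqlMembershipProvider locks the account after maxInvalidPasswordAttempts
    // failures inside passwordAttemptWindow minutes and never unlocks it by itself.
    public static bool Login(string name, string password)
    {
        if (Membership.ValidateUser(name, password))
        {
            FormsAuthentication.SetAuthCookie(name, false /* not persistent */);
            return true;
        }
        MembershipUser u = Membership.GetUser(name, false /* don't touch last-activity */);
        if (u != null && u.IsLockedOut)
        {
            // Unlocking is an administrative action (u.UnlockUser()); never do it from
            // the login path, or the lockout protects nothing.
        }
        return false;
    }

    // Remove a role; the second argument makes the provider refuse if users are still in it.
    public static void RemoveRole(string role)
    {
        if (Roles.RoleExists(role))
            Roles.DeleteRole(role, true /* throwOnPopulatedRole */);
    }

    // Wire one role and one user together, then run the queries the notes describe.
    public static string[] Demo()
    {
        EnsureRole("Administrators");
        if (Membership.GetUser("alice", false) == null)
            CreateUser("alice", "Str0ng!Passw0rd", "alice@example.com",
                       "Favourite colour?", "blue");
        if (!Roles.IsUserInRole("alice", "Administrators"))
            Roles.AddUserToRole("alice", "Administrators");

        string[] admins = Roles.GetUsersInRole("Administrators"); // users in a role
        string[] rolesOfAlice = Roles.GetRolesForUser("alice");   // roles of a user
        return rolesOfAlice;
    }
}
```

Call MembershipSetup.Demo() from an administrator-only page or a one-off setup script, never from a public page. The status check on CreateUser matters because the provider silently enforces the password policy configured for it, and the IsLockedOut check matters because a locked account and a mistyped password both make ValidateUser return false.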
Security Services Stack
1-Integrated server controls: LoginView, PasswordRecovery, ChangePassword, Login, LoginStatus, LoginName, CreateUserWizard
2-Membership and role manager API
3-Data Storage (either SQL Server or user defined)
By default the data is stored in SQL Server Express (App_Data\aspnetdb.mdf); on a full SQL Server it goes into a database named aspnetdb. An XML provider can be written and used to store the data in an XML file instead.
If SQL Server is used to store Membership data, the schema scripts need to be run on the server. They are found in C:\Windows\Microsoft.NET\Framework\v2.0.0xxxxx: either run aspnet_regsql.exe with the proper options (for example -S <server> -E -A mr, which installs the membership and role manager schema into the default aspnetdb database using Windows authentication; -d names another database), or run the scripts manually, in order: InstallCommon.sql first, since InstallMembership.sql and InstallRoles.sql depend on the shared tables and stored procedures it creates. The scripts also create database roles (aspnet_Membership_FullAccess, aspnet_Membership_BasicAccess, aspnet_Roles_FullAccess, aspnet_Roles_BasicAccess, plus reporting roles); grant the web application's SQL login only the roles it needs rather than making it db_owner.
SETTING UP CONFIGURATION
It's possible to use the web-based configuration tool (the Web Site Administration Tool launched from Visual Studio) instead of editing web.config by hand.
Provider tab: before security settings are configured, the App_Data folder is empty.
In the Provider tab, it is possible to use a single provider for the whole application, or a different provider for each feature (membership and roles).
Security tab: use the wizard, or configure users and roles manually. Select the access (authentication) type: "From the Internet" uses Forms-based authentication, "From a local network" uses Microsoft's built-in Windows authentication. Roles: by default roles aren't enabled. To create or manage roles, name the role and click Add. Each of these roles has a hyperlink for managing it. Then users can be added by giving a name, password, e-mail, security question and answer, and assigning them to the existing roles. The Manage users link allows managing users afterwards.
Web.config: in the system.web element, a <membership> element and a <roleManager> element are added. Lower in the file, the <authentication> element's mode attribute indicates the type of authentication used, for example Forms or Windows. Inside it a <forms> element is added whose loginUrl attribute points to the customized login page.
Data: the data is stored in App_Data by default, in a database named ASPNETDB.MDF. Double-clicking it opens it in Server Explorer, where it can be investigated. Typically open the aspnet_Users table to validate that users were created as expected.
The aspnet_Membership table contains the hashed password and its salt, the password question, and the hashed password answer. The question text is stored in the clear (it is shown to the user during recovery), but the password and the answer are stored in whatever format the provider is configured for, so with the default nothing sensitive can be retrieved from the table. The caveat: the default passwordFormat is Hashed (salted SHA1 in .NET 2.0), but the provider also supports Encrypted (reversible with the site's machineKey) and Clear, and enablePasswordRetrieval="true" requires one of those two. Check the provider configuration rather than assuming the stored values are hashes.
AspNetSqlMembershipProvider: is defined in machine.config. The provider has multiple properties that can be configured, and the security elements can be copied into the application's local web.config to override machine.config and customize the provider for that application without affecting other applications on the server. Open C:\Windows\Microsoft.NET\Framework\v2.0...\config\machine.config to see it; the machine.config.comments file alongside it documents every setting. The provider describes how strong a password must be (minRequiredPasswordLength, minRequiredNonalphanumericCharacters, passwordStrengthRegularExpression), whether passwords can be retrieved or reset (enablePasswordRetrieval, enablePasswordReset), the maximum number of failed attempts before lockout (maxInvalidPasswordAttempts within passwordAttemptWindow minutes; a locked-out account stays locked until MembershipUser.UnlockUser() is called, there is no automatic expiry), and the name of the provider. The provider's <add> element has a connectionStringName attribute that refers to a connection string defined in the <connectionStrings> section of the file; this identifies the database used by the provider. That string can use ASP.NET substitution strings like |DataDirectory| to refer to the application's App_Data folder.
Role Manager: replaces complex authorization code by mapping users to roles. The Role Manager can be used separately; roles aren't tied to Membership, and it isn't necessary to use the Membership API to use the Roles API.
Access Rules: determine which roles can access which folders of the site. To create an access rule that admits the Administrators role to a folder, for example the Admin folder, that role has to be set to Allow AND then all users have to be set to Deny. Doing this creates a new web.config file local to the Admin folder containing an <authorization> element with <allow> and <deny> sub-elements. Order matters: URL authorization evaluates the rules top to bottom and the first match wins, so <allow roles="Administrators"/> must come before <deny users="*"/>; deny first locks everyone out, and no deny at all leaves the folder open, because the inherited machine-level rule is <allow users="*"/>. Attempting to open a page in the folder without the role redirects to the login page with a ReturnUrl query string that sends the user back to the requested page once authentication is completed. Note that these rules are enforced by ASP.NET, so on IIS 6 static files (.html, .pdf, images) in a protected folder are served by IIS without consulting them unless those extensions are mapped to ASP.NET.
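The root web.config and the folder-level Admin\web.config that the preceding paragraphs describe, as an added example (not the page's own files). The names MyApp, MyAppSqlServer, MyAppMembership, MyAppRoles and ~/Account/Login.aspx are assumptions; the provider attribute values are the machine.config defaults, and the comments show the weak settings to avoid beside the ones chosen.

```xml
<!-- Added example (not from the original notes). Two files are shown:
     the application's root web.config, then Admin\web.config, which the
     Administrators access rule creates. Names marked "assumed" are made up. -->

<!-- ===== web.config (application root) ===== -->
<configuration>
  <connectionStrings>
    <!-- |DataDirectory| expands to the application's App_Data folder.
         Name "MyAppSqlServer" is assumed. -->
    <add name="MyAppSqlServer"
         connectionString="Data Source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication: unauthenticated requests to protected URLs are
         redirected to loginUrl with a ReturnUrl query string. requireSSL="true"
         keeps the ticket cookie off plain HTTP (the site must then serve HTTPS). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="30"
             slidingExpiration="true" requireSSL="true" />
    </authentication>

    <!-- Override the inherited AspNetSqlMembershipProvider for this application
         only. <clear/> drops the machine.config provider so these settings are
         the only ones in effect. -->
    <membership defaultProvider="MyAppMembership">
      <providers>
        <clear />
        <add name="MyAppMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MyAppSqlServer"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1" />
        <!-- Weak variant to avoid: passwordFormat="Clear" (or "Encrypted") with
             enablePasswordRetrieval="true" makes every stored password recoverable
             by anyone who can read aspnet_Membership (and, for Encrypted, the machineKey). -->
      </providers>
    </membership>

    <!-- Role manager: cacheRolesInCookie avoids a database lookup per request;
         cookieProtection="All" encrypts and signs that cookie. -->
    <roleManager enabled="true" defaultProvider="MyAppRoles"
                 cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true">
      <providers>
        <clear />
        <add name="MyAppRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MyAppSqlServer"
             applicationName="/MyApp" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

<!-- ===== Admin\web.config (created by the Administrators access rule) ===== -->
<configuration>
  <system.web>
    <authorization>
      <!-- First match wins: allow the role, then deny everyone else.
           Reversing these two lines locks everyone out; omitting the deny
           leaves the folder open because machine.config allows users="*". -->
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The applicationName attribute is worth setting explicitly on both providers: the SQL providers scope users and roles by application, and the default (the virtual path) changes between the development and production sites, which is the usual reason a user that exists in the database suddenly cannot log in after deployment.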
Cookies: Cookies are no longer required to track users across the site. The attribute of the