ASP.NET Security Infrastructure


Before you learn how to take advantage of ASP.NET's credential-management and security with non-ASP.NET applications, you need to learn a bit about the ASP.NET user credential management infrastructure. Out of the box, ASP.NET applications can store their custom user credentials in either SQL Server or SQL Server Express, or in Active Directory. That said, the credential-management architecture is that of a provider model, and you can easily add other storage options (such as an Access database). .NET 2.0 installs web site administration pages under \Inetpub\wwwroot\aspnet_webadmin\<version number>.

ASP.NET developers can configure their application directly from within Visual Studio 2005. When selecting ASP.NET Configuration from the Web Site menu, Visual Studio 2005 will browse to the ASP.NET administration pages and allow you to configure various parameters, including security configuration (see Figure B-1). You can configure the following aspects for your application:

  • Select which store to use, such as SQL Server or SQL Server Express. The information stored is credentials (username and password) and role membership. You can even choose to use one repository for credentials and another for role membership.

  • Create new users and delete existing ones.

  • Create new roles and delete existing ones.

  • Allocate users to roles.

  • Additional features not relevant to this appendix.

Note that the same database tables are used to store the user information from multiple ASP.NET applications. As a result, each user or role record is also associated with a particular application name.

To use the SQL Server provider, run the setup file aspnet_regsql.exe, found under \WINDOWS\Microsoft.NET\Framework\<Version>\. The setup program will create a new database called aspnetdb, containing the tables and stored procedures required to manage the credentials.

Figure B-1. ASP.NET application security configuration pages


ASP.NET Custom Authentication and Authorization

At runtime, ASP.NET can authenticate the callers using the credentials in the database. The easiest way to add that functionality to your web application is to drag-and-drop a Login control from the Security tab of the Visual Studio 2005 Toolbox onto a web form. The Login control collects a username and password from the user and authenticates the user using a class called MembershipProvider, defined as:

     public abstract class MembershipProvider : ProviderBase
     {
        public abstract string ApplicationName{get;set;}
        public abstract bool ValidateUser(string name,string password);
        //Additional members
     }

MembershipProvider's goal in the ASP.NET provider model is to encapsulate the actual provider used and the details of the actual data access. MembershipProvider makes it possible to change the membership provider without affecting the application. Depending on the configured security provider, the Login control uses a concrete data access class like SqlMembershipProvider when using SQL Server or SQL Server Express:

     public class SqlMembershipProvider : MembershipProvider
     {...}

However, the Login control interacts only with MembershipProvider's base functionality. The Login control obtains the required membership provider by accessing the Provider static property of the Membership class, defined as:

     public static class Membership
     {
        public static string ApplicationName{get;set;}
        public static MembershipProvider Provider{get;}
        public static bool ValidateUser(string userName,string password);
        //Additional members
     }

Membership offers many members, which support every aspect of user management. Membership.Provider retrieves the type of the configured provider from the web application configuration file.

Because all membership providers derive from the abstract class MembershipProvider, if you write your own custom credential provider you need to derive from MembershipProvider as well.


The only two members of Membership that are relevant to this appendix are the ApplicationName property, used to set and retrieve the application name, and the ValidateUser( ) method, which authenticates the specified credentials against the store, returning true if they match and false otherwise. Membership.ValidateUser is shorthand for retrieving and using the configured provider.

You can also apply role-based security to authorize operations or access to resources. The aspnetdb database contains allocations of users to roles. Once a user is authenticated, ASP.NET will set the User property of the HTTP context and of the page to a custom security principal object called RolePrincipal:

     public sealed class RolePrincipal : IPrincipal
     {...}

RolePrincipal uses the abstract class RoleProvider:

     public abstract class RoleProvider : ProviderBase
     {
        public abstract string ApplicationName{get;set;}
        public abstract bool IsUserInRole(string username,string roleName);
        public abstract string[] GetRolesForUser(string userName);
        //Additional members
     }

The ApplicationName property of RoleProvider binds the role provider to the particular application. The IsUserInRole( ) method verifies the user's role membership. The GetRolesForUser( ) method returns all the roles a specified user is a member of.

Just as membership providers must derive from MembershipProvider, all role providers (including custom role providers) must derive from RoleProvider. Depending on the configured security provider, RolePrincipal uses a corresponding data access class such as SqlRoleProvider to authorize the caller:

     public class SqlRoleProvider : RoleProvider
     {...}
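To make the contract concrete, here is an added example (not from the book or from ASP.NET) of a custom, read-only role provider that derives from RoleProvider as the text requires. The class name StaticRoleProvider and its in-memory user table are constructed for illustration; the read queries answer from that table and every write member refuses, so the provider can never be used to grant roles.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Security;

// Hypothetical read-only role provider (not part of ASP.NET). It answers the
// read queries from a constructed in-memory table and refuses every write.
public class StaticRoleProvider : RoleProvider
{
    // Constructed sample data: user -> roles, looked up case-insensitively.
    private static readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "alice", new[] { "Manager", "Customer" } }, { "bob", new[] { "Customer" } } };
    private string appName = "/";
    // Binds the provider to one application, as every provider in the model must.
    public override string ApplicationName
    {
        get { return appName; }
        set { appName = value; }
    }
    // ASP.NET passes the attributes of the <add .../> element that registered the provider.
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        if (!string.IsNullOrEmpty(config["applicationName"])) appName = config["applicationName"];
    }
    public override string[] GetRolesForUser(string username)
    {
        string[] roles;
        // An unknown user has no roles; lookups never throw, so callers fail closed.
        return username != null && Users.TryGetValue(username, out roles)
            ? (string[])roles.Clone() : new string[0];
    }
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
    public override string[] GetAllRoles() { return Users.Values.SelectMany(r => r).Distinct(StringComparer.OrdinalIgnoreCase).ToArray(); }
    public override bool RoleExists(string roleName) { return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase); }
    public override string[] GetUsersInRole(string roleName) { return Users.Keys.Where(u => IsUserInRole(u, roleName)).ToArray(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    { return GetUsersInRole(roleName).Where(u => u.IndexOf(usernameToMatch ?? "", StringComparison.OrdinalIgnoreCase) >= 0).ToArray(); }
    // The store is read-only: mutating calls throw rather than silently succeed.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

Registering the class under <roleManager> in the configuration file makes Roles.Provider return an instance of it, and Initialize receives the element's applicationName attribute.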

You can obtain the required role provider by accessing the Provider static property of the Roles class, defined as:

     public static class Roles
     {
        public static string ApplicationName{get;set;}
        public static string[] GetRolesForUser(string username);
        public static bool IsUserInRole(string username,string roleName);
        public static RoleProvider Provider{get;}
        //Additional members
     }

Both Roles.GetRolesForUser( ) and Roles.IsUserInRole( ) are shorthand, and they use the Roles.Provider property internally. Roles.Provider retrieves the type of the configured provider from the web application configuration file.
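The following added example (not the book's code) ties the two facades together from a non-web client: it scopes Membership and Roles to one application name, authenticates through Membership.ValidateUser, and then authorizes through a RolePrincipal. The class AppSecurity and the sample application name and credentials are constructed; it assumes the client's configuration file registers a membership provider and enables the role manager, both pointing at aspnetdb.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web.Security;

// Hypothetical helper (not from the book) for a non-web client. It assumes the
// application's config file registers a membership provider and enables the
// role manager, both pointing at the aspnetdb database.
public static class AppSecurity
{
    // Authenticates the caller and installs a RolePrincipal on the current thread.
    // Returns the principal, or null when the credentials are rejected.
    public static IPrincipal Login(string applicationName, string userName, string password)
    {
        // aspnetdb holds users and roles for many applications, so both facades
        // must be scoped to this application before any lookup.
        Membership.ApplicationName = applicationName;
        Roles.ApplicationName = applicationName;

        // Shorthand for Membership.Provider.ValidateUser(userName, password);
        // the facade only ever reports true or false.
        if (!Membership.ValidateUser(userName, password))
            return null;

        // RolePrincipal resolves the user's roles through Roles.Provider
        // (GetRolesForUser) on the first IsInRole call and caches them.
        IPrincipal principal = new RolePrincipal(new GenericIdentity(userName));
        Thread.CurrentPrincipal = principal;
        return principal;
    }

    // Authorizes an operation: fails closed unless the current caller is
    // authenticated and holds the role.
    public static void DemandRole(string role)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
            throw new UnauthorizedAccessException("Caller must be in role '" + role + "'.");
    }

    // Example flow: log in, then guard a sensitive operation.
    public static void Example()
    {
        if (Login("MyApp", "alice", "p@ssw0rd") == null)   // constructed sample values
            throw new UnauthorizedAccessException("Invalid credentials.");
        DemandRole("Manager");
        // ...perform the manager-only operation here...
    }
}
```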



Programming .NET Components, 2nd Edition
ISBN: 0596102070
Year: 2003
Pages: 145
Authors: Juval Lowy
