The LoginView and Other Controls
There are a few other security-related controls that ship with ASP.NET 2.0 that help to automate security-
The LoginView control is designed to show different content depending on the authentication and authorization level of the
The control is similar to a MultiView, which displays different templates that you can switch between programmatically (see Chapter 4). The LoginView control determines which template should be shown automatically based on the information known about the user making the request. This is really
One convenient place to use this control is when you have a Web site that allows anonymous users, but that provides specialized services for authenticated users. There are many Web sites like thisyou can browse around all you want, but at some point you might need to log in to access a particular feature.
Listing 5-8 shows how to use the LoginView control to display a login control if the user is anonymous (thus allowing them to log in). If the user has already been authenticated, there's no need to display the login control, so a welcome message is displayed instead. The welcome message uses the LoginName control, an extremely simple control whose output is the
Below the welcome message, I display a LoginStatus control. You'll find this control very useful on a master page, as it allows an authenticated user to log off and an anonymous user to log on. Because I'm already showing a login control to anonymous users in Listing 5-8, there's no need for a "login" button, which is why I only show the LoginStatus control to authenticated users, allowing them to log out.
Listing 5-8. The LoginView, LoginName, and LoginStatus controls
If you are using role-based security, you can add templates to the LoginView control that will be shown to users based on their role. Each role-based template is called a
, which is a bit of a funky name, but just think of it as a template that will only be shown if the user is in the associated role. For example, managers might be shown an extra set of links to pages that require higher privileges. Keep in mind that simply hiding links from a user won't stop a reasonably
In Visual Studio designer mode, the LoginView control only shows one template at a time. You can use the LoginView tasks pane to flip between templates in the designer, which is convenient for editing the templates visually. Press the Edit RoleGroups button to add templates that will be displayed based on roles (see Figure 5-10).
Figure 5-10. Switching views
The order of the RoleGroups you define can be important. If a user is in more than one RoleGroup, the first match wins, and the matching template will be displayed. So it is wise to arrange RoleGroups in order from high to low privilege, top to bottom. If none of the RoleGroups match, the LoggedInTemplate will be displayed, unless the user has not been authenticated, in which case the AnonymousTemplate will be shown.
The LoginView control fires two events as it switches between templates at runtime. ViewChanging fires before the controls from the old template are torn down, giving you a chance to extract their state. ViewChanged fires after the controls for the new template are created, giving you a chance to data bind or
One thing that might surprise you if you're new to templated controls like the LoginView is that you cannot access its child controls directly by name. For example, the login control in the AnonymousTemplate shown in Listing 5-8 is not added to your Web form as a member variable. If you want to access this control, you'll need to use the FindControl method on the LoginView control to look for the child control by name, as shown in Listing 5-9.
Listing 5-9. Accessing child controls
Note the check against User.Identity.IsAuthenticated to ensure that the anonymous template is actually showing. If it wasn't being shown, FindControl would not find any control named "login" and would return null.
And finally, there's the CreateUserWizard control (