Section 4.2. Provide Forms-Based Security Without Code


One of the most common tasks in building a publicly available web application is to create forms-based security, in which you allow your users to log in with a password (rather than, for example, not logging in, or using Windows-based authentication).


Note: Creating forms-based security, complete with login screens and password maintenance, is now provided by a set of related ASP.NET controls.

To make forms-based security work, you need to authenticate your users. In ASP.NET 2.0, adding this feature is greatly simplified by new controls that handle most of the plumbing for you.

4.2.1. How do I do that?

To explore new support for forms-based security in ASP.NET 2.0, let's build a simple application. In this lab, you'll work through the following steps:

  1. Set up the application database.

  2. Create the application folder as a virtual directory, setting its security type to Forms.

  3. Create a web site.

  4. Add login controls.

  5. Verify that the user database is updated.

  6. Create a Welcome page.

  7. Create the Login page.

4.2.1.1 Set up the application database

ASP.NET 2.0 forms-based security is based on a set of tables that must be created in your database, typically SQL Server or SQL Server Express. Fortunately, ASP.NET provides a utility named aspnet_regsql.exe, located in the [Drive:]\Windows\Microsoft.NET\Framework\[versionNumber] folder on your web server, which sets up the tables for you. This utility program will create the required database and all its tables.

The easiest way to use this utility is to run the aspnet_regsql.exe utility from the .NET command box, with no arguments. A wizard will be started that will walk you through the process. For more details, see the MSDN article "Installing the SQL Server Provider Database."

4.2.1.2 Create a folder as a virtual directory; set its security to Forms

Start by creating an empty directory on your local drive. Call it FormsBasedSecurity. Open the IIS Manager and create a virtual directory to point to your new directory.


Tip: To open IIS Manager from the Windows Start menu, select Control Panel → Administrative Tools → Internet Information Server. To create a virtual directory, click the server name (typically your local computer) and then click Web Sites. Right-click Default Web Site, choose New → Virtual Directory, and work your way through the wizard, just as you did in ASP.NET 1.x.

After you've created the virtual directory, right-click it within the IIS Administrator and choose Properties. Click the ASP.NET tab of the properties window, and then click Edit Configuration to open the ASP.NET Configuration Settings dialog.

Within the ASP.NET Configuration Settings dialog click the Authentication tab, and within that tab set the "Authentication mode" to Forms and the "Membership provider class" to AspNetSqlMembershipProvider, as shown in Figure 4-7.

Figure 4-7. Setting forms authentication


Click the General tab, and if LocalSqlServer is not set to the database you use, set the connection parameters so that the data source is set to your database (for example, sqlexpress), as shown in Figure 4-8.

Figure 4-8. Setting the connection parameters


Click OK to close the dialogs and return to the directory you created, where you'll find a Web.config file containing the following XML:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <connectionStrings>
            <remove name="LocalSqlServer" />
            <add name="LocalSqlServer" connectionString="data source=.\sqlexpress; Integrated Security=SSPI;Initial Catalog=aspnetdb" />
        </connectionStrings>
        <system.web>
            <authentication mode="Forms" />
            <membership defaultProvider="AspNetSqlMembershipProvider" />
        </system.web>
    </configuration>

4.2.1.3 Create the new web site

Open Visual Studio 2005 and create a new web site in the same directory. Visual Studio will interrupt and tell you that the site already exists, as shown in Figure 4-9.

Figure 4-9. Opening the existing web site


Select "Open the existing Web site" and your application should open with its Web.config file in place.


Tip: An alternative to using IIS for forms-based security is to use the ASP.NET Configuration Wizard. Select Website → ASP.NET Configuration Wizard on the Visual Studio menu bar. Click the Security tab and choose your authentication type. Choosing "From the Internet" will set up your application for forms authentication, and choosing "From a local network" will set you up for Windows authentication.

In this test application you will create three pages:


Welcome

The Welcome page will display different information depending on whether the user has logged in.


Login

The Login page presents a form where members can enter a username and a password.


AddUser

For users to log in, first you must create a database of users to keep track of user accounts. This requires you to add a page to your site that lets users sign up for accounts in the first place.

Begin by creating the AddUser web page and calling it AddUser.aspx, as shown in Figure 4-10.

Figure 4-10. Creating a new .aspx page



Tip: Selecting "Place code in separate file" causes Visual Studio to use the code-behind model, instead of placing the code in a script block in the same file as the one containing the web controls.

4.2.1.4 Add login controls

Click the Design tab for your .aspx page, and then click the Login tab in the Visual Studio Toolbox. Drag an instance of CreateUserWizard onto your page, as shown in Figure 4-11.

Figure 4-11. The CreateUserWizard control


The CreateUserWizard control will prompt the user for a username, a password (twice), an email address, and a security question and answer. All of this is configurable through the HTML that is created by this control.

Click the control and scroll through the properties to find the ContinueDestinationPageURL property. Click the Browse button and choose the AddUser.aspx page so that you'll be brought back to the same page after the new user is confirmed.

Finally, set the AddUser.aspx page as your Start page, and then test the application. After being prompted to update Web.config to allow debugging, you'll be brought to the Create User Wizard. Fill in the form, as shown in Figure 4-12.

Figure 4-12. Filling in the Create User Wizard


Click the Create User button. You should see a confirmation screen and a button marked Continue. Clicking Continue will bring you back to the Create Account form where you can add another user. Add a few users and test the built-in validation the wizard provides; you'll find that you can't enter the same username twice, that the two passwords must match, and that the required fields must have text. All of this is managed by FieldValidator controls within the HTML created by the Wizard control.

4.2.1.5 Verify that the user database is updated

Stop your project and look at the Database Explorer, where you will find the tables within the aspnetdb database you created earlier, as shown in Figure 4-13.

Figure 4-13. Personalized database tables


4.2.1.6 Create the Welcome page

With your user database in place you are ready to create the Welcome page that will welcome the logged-in user.

Create a new page called Default.aspx and drag a LoginStatus control from the Login section of the Toolbox.

A link marked Login is placed on the page whose smart tag indicates that you are looking at the template you would see when no user is logged in, as shown in Figure 4-14.

Figure 4-14. Not-logged-in view


You can set the properties of the LoginStatus control to, for example, change the text of the link. You can also drop down the view window to see the link and text for logged-in status.

Drag a LoginView control from the Toolbox and drop it onto the page below the LoginStatus control. Here you can enter text and controls that will be displayed based on whether the user is logged in. Notice that this control has two views: AnonymousTemplate and LoggedInTemplate. Which template is displayed depends on whether the user has logged in.

Click the smart tag, confirm that the view is set to AnonymousTemplate, and type some text in the box, as shown in Figure 4-15.

Figure 4-15. AnonymousTemplate view


Now change the view on LoginView to LoggedInTemplate. Drag a LoginName control onto the template so that you can welcome the user by name, as shown in Figure 4-16.

Figure 4-16. Using UserName to welcome the user


4.2.1.7 Create the Login page

You are finally ready to create the Login page. Add a new page named Login.aspx. Change to Design view, and drag a Login control onto the page. Just for fun, click the Auto Format link from the smart tag, as shown in Figure 4-17.

Figure 4-17. Creating the Login control


Choose a look you like for the Login control.

You're all set. Make sure the Default.aspx page is the Start page, and run the application. The default page will inform you that you are not logged in and will offer a link to the Login page.

When you go to the Login page, enter a nonexistent login name and/or an incorrect password. The Login control informs you of the mistake, as shown in Figure 4-18.

Figure 4-18. An incorrect login, caught


Enter the correct name and password, and you are brought back to the Welcome page. Your status as logged in is noted, you are greeted by name, and you are offered the opportunity to log out.


Note: You've created an entire login architecture without writing a line of code.

4.2.2. What about . . .

...if users forget their passwords?

The new PasswordRecovery control gives users a way to recover. Drag onto the form a PasswordRecovery control from the Login tab in the Toolbox (or create a link to a new page with this control). The user will be prompted first for a known username, and then with the question and answer you created earlier when you were creating a user, as shown in Figure 4-19. If they match, the password will be sent by email.

Figure 4-19. Confirming the user's identity


...what if I want users to change their passwords?

Add a ChangePassword control to your page (for example, to Default.aspx). The user will be prompted for the original password and then for the new password, as shown in Figure 4-20.

Figure 4-20. Changing the user's password


If all three fields are correct, the password will change in the database.


Warning: For password recovery to work, you must place the sender's email address in the smtpMail config section, in the PasswordRecovery.MailDefinition.From field, or in the SendingMail event handler.
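Putting the walkthrough's Web.config together with the password-recovery requirement above, here is an added, hardened Web.config that is not from the book. It assumes the same LocalSqlServer connection string and the Login.aspx and AddUser.aspx pages built in this lab; the mail server host and sender address are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- connectionStrings section unchanged from the generated Web.config -->
  <system.web>
    <!-- Anonymous users go to Login.aspx; ticket encrypted and signed, cookie HTTPS-only, 30 idle minutes -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="true" />
    </authentication>
    <!-- Deny anonymous users ("?") everywhere unless a <location> below allows them -->
    <authorization>
      <deny users="?" />
    </authorization>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <!-- Hashed passwords cannot be mailed back, so PasswordRecovery resets and mails a new one -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
  <!-- Sender address for PasswordRecovery mail; host and address are placeholders -->
  <system.net>
    <mailSettings>
      <smtp from="noreply@example.com">
        <network host="smtp.example.com" port="25" />
      </smtp>
    </mailSettings>
  </system.net>
  <!-- ASP.NET exempts the loginUrl page itself; the sign-up page needs an explicit allow -->
  <location path="AddUser.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With passwordFormat="Hashed" the stored password can no longer be recovered, so the PasswordRecovery control generates a new one after the question is answered; the lockout settings stop the Login control's error message from being used to guess passwords indefinitely.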

4.2.3. Where can I learn more?

For more information, see my article on forms-based security, titled "ASP.NET Forms" and available on O'Reilly's ONDotnet.com site at http://www.ondotnet.com. In addition, an excellent article in the June 2004 issue of MSDN Magazine, titled "Security Headaches? Take ASP.NET 2.0" and written by Keith Brown, is available online. Finally, you might want to read the article "ASP.NET Web Site Security" in the MSDN Library.



Visual C# 2005: A Developer's Notebook
ISBN: 059600799X
Year: 2006
Author: Jesse Liberty