The LoginView and Other Controls


There are a few other security-related controls that ship with ASP.NET 2.0 that help to automate security-related tasks. This section shows how to use the LoginView, LoginName, and LoginStatus controls.

The LoginView control is designed to show different content depending on the authentication and authorization level of the user making the request. It's independent of Membership; it only cares about the current IPrincipal and IIdentity that are being held in the HttpContext of the request, so it can be used with any authentication strategy, including integrated authentication.

The control is similar to a MultiView, which displays different templates that you can switch between programmatically (see Chapter 4). The LoginView control determines which template should be shown automatically based on the information known about the user making the request. This is really convenient if you want your user interface to change a bit depending on whether the user is anonymous, authenticated, or even in a particular role.

One convenient place to use this control is when you have a Web site that allows anonymous users, but that provides specialized services for authenticated users. There are many Web sites like this: you can browse around all you want, but at some point you might need to log in to access a particular feature.

Listing 5-8 shows how to use the LoginView control to display a login control if the user is anonymous (thus allowing them to log in). If the user has already been authenticated, there's no need to display the login control, so a welcome message is displayed instead. The welcome message uses the LoginName control, an extremely simple control whose output is the name of the user (or blank if the user is not authenticated).

Below the welcome message, I display a LoginStatus control. You'll find this control very useful on a master page, as it allows an authenticated user to log off and an anonymous user to log on. Because I'm already showing a login control to anonymous users in Listing 5-8, there's no need for a "login" button, which is why I only show the LoginStatus control to authenticated users, allowing them to log out.

Listing 5-8. The LoginView, LoginName, and LoginStatus controls

    <asp:LoginView ID="loginView" runat="server">
        <LoggedInTemplate>
            <h1>Welcome, <asp:LoginName runat="server" /></h1>
            <p><asp:LoginStatus runat="server" /></p>
        </LoggedInTemplate>
        <AnonymousTemplate>
            <asp:Login ID="login" runat="server" />
        </AnonymousTemplate>
    </asp:LoginView>

If you are using role-based security, you can add templates to the LoginView control that will be shown to users based on their role. Each role-based template is called a RoleGroup, which is a bit of a funky name, but just think of it as a template that will only be shown if the user is in the associated role. For example, managers might be shown an extra set of links to pages that require higher privileges. Keep in mind that simply hiding links from a user won't stop a reasonably intelligent attacker from getting to those pages by simply guessing their URLs. You'll want to lock down those restricted pages you're linking to in order to ensure that any direct requests will be denied unless the user is authorized. Use the <authorization> section to do this, as described in Essential ASP.NET.
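As an added example (not from the book), here is a web.config that applies that lock-down with the <authorization> section. The folder names Managers and Admin, the role names, and the use of Forms authentication with the Role Manager are assumptions chosen for illustration.

```xml
<!-- web.config (added example). The folders "Managers" and "Admin" and
     the role names are hypothetical; adapt them to your site. -->
<configuration>
  <system.web>
    <!-- Assumption: Forms authentication, matching the Login control. -->
    <authentication mode="Forms" />
    <!-- Assumption: roles come from the ASP.NET 2.0 Role Manager. Any
         IPrincipal that answers IsInRole works with URL authorization. -->
    <roleManager enabled="true" />
    <!-- Site default: anonymous browsing is allowed. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Weak setting, shown for contrast: it denies only anonymous
       users ("?"), so ANY authenticated user who guesses a URL under
       Managers/ falls through to the inherited allow rule:
         <deny users="?" />
  -->
  <location path="Managers">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom; the first match wins. -->
        <allow roles="Managers,Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

URL authorization only covers requests that ASP.NET itself handles, so on IIS 6 static files in these folders are not protected by these rules unless they are mapped to ASP.NET.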

In Visual Studio designer mode, the LoginView control only shows one template at a time. You can use the LoginView tasks pane to flip between templates in the designer, which is convenient for editing the templates visually. Press the Edit RoleGroups button to add templates that will be displayed based on roles (see Figure 5-10).

Figure 5-10. Switching views


The order of the RoleGroups you define can be important. If a user is in more than one RoleGroup, the first match wins, and the matching template will be displayed. So it is wise to arrange RoleGroups in order from high to low privilege, top to bottom. If none of the RoleGroups match, the LoggedInTemplate will be displayed, unless the user has not been authenticated, in which case the AnonymousTemplate will be shown.
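The ordering rule, shown as an added example (not a listing from the book). The role names and page URLs are hypothetical; the point is that the higher-privilege group comes first and repeats the lower-privilege links, because only one template is ever rendered.

```xml
<asp:LoginView ID="loginView" runat="server">
    <RoleGroups>
        <asp:RoleGroup Roles="Administrators">
            <ContentTemplate>
                <!-- First match wins: an administrator who is also a
                     manager sees only this template, so it repeats the
                     manager links. -->
                <asp:HyperLink runat="server" NavigateUrl="~/Admin/Users.aspx" Text="Manage users" />
                <asp:HyperLink runat="server" NavigateUrl="~/Managers/Reports.aspx" Text="Reports" />
            </ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Managers">
            <ContentTemplate>
                <asp:HyperLink runat="server" NavigateUrl="~/Managers/Reports.aspx" Text="Reports" />
            </ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
    <LoggedInTemplate>
        <!-- Authenticated, but in none of the roles above. -->
        <p>Welcome, <asp:LoginName runat="server" /></p>
    </LoggedInTemplate>
    <AnonymousTemplate>
        <asp:Login ID="login" runat="server" />
    </AnonymousTemplate>
</asp:LoginView>
```

If the two groups were listed in the opposite order, a user in both roles would match Managers first and never see the administrator links.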

The LoginView control fires two events as it switches between templates at runtime. ViewChanging fires before the controls from the old template are torn down, giving you a chance to extract their state. ViewChanged fires after the controls for the new template are created, giving you a chance to data bind or otherwise initialize them.

One thing that might surprise you if you're new to templated controls like the LoginView is that you cannot access its child controls directly by name. For example, the login control in the AnonymousTemplate shown in Listing 5-8 is not added to your Web form as a member variable. If you want to access this control, you'll need to use the FindControl method on the LoginView control to look for the child control by name, as shown in Listing 5-9.

Listing 5-9. Accessing child controls

    if (!User.Identity.IsAuthenticated) {
        Login loginControl = (Login)loginView.FindControl("login");
        // ...
    }

Note the check against User.Identity.IsAuthenticated to ensure that the anonymous template is actually showing. If it wasn't being shown, FindControl would not find any control named "login" and would return null.

And finally, there's the CreateUserWizard control (illustrated in Figure 5-8), which is convenient if you're building a user-management page or if you allow users to self-register. This wizard by default has only two steps, although you can easily add more. The first step collects enough information to create a user in the Membership system, and the second step is simply a success indicator after the user has been created.




Essential ASP.NET 2.0
ISBN: 0321237706
EAN: 2147483647
Year: 2006
Pages: 104
