Security
My next step was to configure the security on the Web site. A major goal of the BikeBlogSecured Web site was to allow authorized users to enter information while allowing read-only access for all others. Classic ASP had absolutely no support for security, so pages had to be secured manually in code. With ASP.NET, developers could declaratively configure security by adding tags in the Web.config file that would allow or deny access to specific users or groups of users. This was a huge step in the right direction, but a great deal of manual work was still required to get security working correctly. Fortunately, ASP.NET 2.0 offers excellent support for developers who need to secure their applications.
Users of ASP.NET applications (and in fact, users of any application that uses IIS) can be authenticated in one of two ways. The default authentication method is Windows Authentication.
When Windows Authentication is selected, the user of the Web Forms application is determined by the identity of the user in some Windows domain. For an intranet application, this can be convenient. As the developer of the application, you have to do very little to maintain a user list. The user list, by default, is the list of users in the domain. You can restrict that list by using some other means, (for instance, by checking the user's domain name against a database of domain users, such as Active Directory directory service, that you want to allow into your application), but precautions such as login Web Forms are generally not required, because users will either be automatically recognized or prompted for credentials before they reach the site.
Windows Authentication is not always the perfect solution, however, especially for Internet applications. You cannot expect any user who needs to be identified in your Internet application to have domain credentials on your Windows domain. Fortunately, forms authentication is a good alternative. By using forms authentication, you as the developer are responsible for providing a page that allows users to enter their credentials. More importantly, the storage of those credentials and the management of user information is also up to you. Sadly, most users get the details of storing user credentials wrong. As we will see later in this chapter, this potentially daunting task is made much easier in ASP.NET 2.0 by several controls designed to assist you in identifying and registering users.
From the main page of the ASP.NET Web Site Administration Tool, click the Security tab to see a page like the one shown in Figure 7-4.
Figure 7-4: The Security page in the ASP.NET Web Site Administration Tool
The easiest way to configure security is to click Use The Security Setup Wizard To Configure Security Step By Step. The first step of the Security Setup Wizard is a welcome page, as shown in Figure 7-5.
Figure 7-5: The Security Setup Wizard welcome page
Click Next to proceed to step 2, Select Access Method, shown in Figure 7-6.
Figure 7-6: The Security Setup Wizard Select Access Method step
Although the wizard page shown in Figure 7-6 does not refer to the authentication methods by name, the first option, From The Internet, refers to forms authentication, and the second option, From A Local Area Network, refers to Windows Authentication. For the BikeBlogSecured Web site, I selected From The Internet and clicked Next. The third step, Data Store, simply reminds me that the provider settings that I configured in the previous section are established outside of this wizard. Any changes that I might like to make at this point must be made from the administration tool's Provider page (see Figure 7-2). The Data Store step is shown in Figure 7-7.
Figure 7-7: The Security Setup Wizard Data Store step
Click Next to proceed to the next step, Define Roles, as shown in Figure 7-8.
Figure 7-8: The Security Setup Wizard Define Roles step
