Security and user management have often been seen as quite complicated to implement in Web sites, and with good reason. You have to consider a number of factors, including:
- What sort of user management system will I implement? Will users map to Windows user accounts, or will I implement something independent?
- How do I implement a login system?
- Do I let users register on the site, and if so, how?
- How do I let some users see and do only some things, while supplying other users with additional privileges?
- What happens in the case of forgotten passwords?
With ASP.NET 2.0, you have a whole suite of tools at your disposal for dealing with questions such as these, and it can in fact take only a matter of minutes to implement a user system on your site. You have three types of authentication at your disposal:
- Windows Authentication, whereby users have Windows accounts, typically used with intranet sites or WAN portals
- Forms Authentication, whereby the Web site maintains its own list of users and handles its own authentication
- Passport Authentication, whereby Microsoft provides a centralized authentication service for you to use
A full discussion of security in ASP.NET would take up at least a full chapter, but we provide a brief look in this section to give you an idea of how things work. You will concentrate on Forms Authentication here, because it is the most versatile system and very quick to get up and running.
The quickest way to implement Forms Authentication is via the Website ➪ ASP.NET Configuration tool, which you saw briefly in the previous chapter. This tool has a Security tab, and on it a security wizard. This wizard lets you choose an authentication type, add roles, add users, and secure areas of your site.
Adding Forms Authentication Using the Security Wizard
For the purposes of this explanation, create a new Web site called PCSAuthenticationDemo in the directory C:\ProCSharp\Chapter38\. Once you create the site, open the Website ➪ ASP.NET Configuration tool. Navigate to the Security tab and click the “Use the security Setup Wizard to configure security step by step.” link. Click Next on the first step after reading the information there. On the second step, select “From the internet,” as shown in Figure 38-9.
Click Next, and then Next again after confirming that you will be using the default “Advanced provider settings” provider to store security information. This provider information is configurable via the Provider tab, where you can choose to store information elsewhere, such as in a SQL Server database, but an Access database is fine for illustrative purposes.
Check the “Enable roles for this Web site.” option, as shown in Figure 38-10, and click Next.
Then, add some roles, as shown in Figure 38-11.
Click Next and then add some users, as shown in Figure 38-12. Note that the default security rules for passwords (defined in machine.config) are quite strong; there is a seven-character minimum, including at least one symbol character and a mix of uppercase and lowercase.
In the downloadable code for this chapter, two users are added in this example. The usernames are User and Administrator, and the password for both users is Password.
After clicking Next again, you can define access rules for your site. By default, all users and roles will have access to all areas of your site. From this dialog you can restrict areas by role, by user, or for anonymous users. You can do this for each directory in your site because this is achieved via web.config files in directories, as you see shortly. For now, skip this step, and complete authentication setup.
The last step is to assign users to roles, which you can do via the “Manage users” link on the Security tab. From here you can edit user roles, as shown in Figure 38-13.
Once you have done all this, you are pretty much there: you have a user system in place, as well as roles and users.
Now you have to add a few controls to your Web site to make things work.
Implementing a Login System
If you open Web.config after running the security wizard you will see that it has been modified with the following content:
Once you have logged in, you will be sent back to Default.aspx, currently a blank page.
Login Web Server Controls
You see some of these in action in PCSDemoSite shortly.
One final thing to discuss is how to restrict access to directories. You can do this via the Site Configuration tool, as noted earlier, but it’s actually quite easy to do this yourself.
Add a directory to PCSAuthenticationDemo called SecureDirectory, as well as a Default.aspx Web page in this directory, and a new Web.config file. Replace the contents of Web.config with the following:
The <authorization> element can contain one or more <deny> or <allow> elements representing permission rules, each of which can have a users or roles attribute saying what the rule applies to. The rules are applied from top to bottom, so more specific rules should generally be near the top if the membership of rules overlaps. In this example, ? refers to anonymous users, who will be denied access to this directory, along with users in the User role. Note that users in both the User and Administrator roles will be allowed access only if the <allow> rule shown here comes before the <deny> rule for the User role – all of a user’s roles are taken into account, but the rule order still applies.
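As an added example (not the book’s own listing), the following SecureDirectory\Web.config implements the rules just described. It assumes the role names User and Administrator used above, and the trailing deny-all rule is an addition that closes the directory to authenticated users who hold neither role:

```xml
<?xml version="1.0"?>
<!-- Added example: SecureDirectory\Web.config for PCSAuthenticationDemo.
     ASP.NET evaluates <authorization> rules top to bottom and stops at the
     first match, so the <allow> for Administrator must come before the
     <deny> for User; otherwise an account holding both roles would match
     the deny first and be turned away. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Administrators get in, even when they also hold the User role. -->
      <allow roles="Administrator" />
      <!-- Members of the User role are refused. -->
      <deny roles="User" />
      <!-- "?" means anonymous (unauthenticated) users; Forms
           Authentication redirects them to the login page. -->
      <deny users="?" />
      <!-- Added closing rule: "*" is every user. Without it, an
           authenticated user in neither role would fall through to the
           allow-all rule inherited from machine.config. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```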
Now when you log in to the Web site and try to navigate to SecureDirectory/Default.aspx, you will be permitted only if you are in the Admin role. Other users, or users that are not authenticated, will be redirected to the login page.