mcts 70-562 Microsoft .NET Framework 3.5, ASP.NET Application Development phần 9 ppt


CHAPTER 14 Implementing User Profiles, Authentication, and Authorization
Lesson 2: Using ASP.NET Membership

FIGURE 14-3 Managing access rules using the WSAT

The WSAT adds (or edits) a Web.config file to any folder to which you apply an access rule. This configuration file applies only to the content of that folder. In the example shown in Figure 14-3, the role of Site Owner is being allowed for the Administration folder. The following represents the content of the Web.config file found inside the Administration folder after this operation:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Site Owner" />
        </authorization>
      </system.web>
    </configuration>

Login Controls

ASP.NET provides a set of controls, classes, and management tools for authenticating users with Web forms and storing user information in a database. These controls allow you to track, manage, and authenticate users without creating your own schema, relying on Active Directory, or managing users by other means. Prior to version 2.0 of the .NET Framework, custom user authentication required creation from scratch of many complex components, such as user database schemas, login pages, password management pages, and user administration. Creating these components yourself is time-consuming and risky to your application's security. ASP.NET helps you minimize this risk.

The Login Control Classes

There are seven controls inside of ASP.NET for managing the login information of a user. These seven controls are grouped together as the login controls. They provide user interface elements for managing the login features related to users. Like the profile features, these controls are configured to work with the ASPNETDB SQL Server Express database by default. You can, of course, create your own custom providers or migrate to a higher version of SQL Server. Figure 14-4 shows an overview of the login controls class hierarchy.
FIGURE 14-4 The ASP.NET login controls

Each of these controls provides a specific feature required of most user-driven Web sites. The following is a list of each of these controls and their purpose:

• CreateUserWizard  This control gathers information from a new user such as user name and password and creates a new user account. You can use the user profile features in conjunction with the CreateUserWizard.

• Login  This control defines a user interface for prompting users for their user name and password and enables users to select whether they wish to be automatically authenticated the next time they visit your site. You can use the Login control with ASP.NET membership without writing any code, or you can write your own authentication code by adding a handler for the Authenticate event.

• LoginView  This control is used to display different information if a user is logged into your site. For example, you could use this control to provide links to features that are available only to authenticated users.

• LoginStatus  You use this control to allow users to link to your login page if they haven't been authenticated. It displays a link to log out for users who are currently logged in.

• LoginName  This control displays the current user's user name (if logged in).

• PasswordRecovery  This control enables password retrieval or reset for a user by sending an e-mail message or by having the user answer a security question.

• ChangePassword  This control enables a user who is logged in to change his or her password.

With the functionality built into these controls, you can create, without writing any code, a Web site that enables users to create their own accounts, change and reset their passwords, and log on and log off.

Creating a User Account Creation Page

Most public Web sites allow users to create their own accounts. This simplifies user creation and takes the burden off of an administrator.
However, to enable this functionality, you must create a page that allows users to define an account. You use the CreateUserWizard control to create a page that allows users to create their own accounts using the standard ASP.NET membership. This control can be added to a page and will automatically work with the provider talking to ASPNETDB. The CreateUserWizard control, by default, prompts a user for user name, password, e-mail, security question, and security answer. Figure 14-5 shows an example of the control on a page inside Visual Studio. Note that the CreateUserWizard control also includes features for validating required fields, ensuring a strong password, and confirming a password.

FIGURE 14-5 The ASP.NET CreateUserWizard control in Visual Studio

There is nothing additional that you need to do to configure, set up, or use a CreateUserWizard control. However, you will most likely wish to set the ContinueDestinationPageUrl property. This property should be set to the page to which you wish users to go once they have completed their account creation process. In addition, you can add your own code to the ContinueButtonClick event to add additional processing when the user clicks the final step in the Wizard.

The CreateUserWizard control is a composite, template-driven control. Therefore, you have access to edit the templates that are defined by the control. You can even change and add to the steps defined by the wizard. These features are useful if you wish to add additional information to the user registration process or change the layout of the interface. As an example, suppose you wish to add controls to allow a user to define additional profile information as part of the account creation process. You can do so by clicking the Customize Create User Step link from the CreateUserWizard Tasks pane (refer back to Figure 14-5). This will render the entire markup to create a user form inside your page.
You can then edit this markup to include your own controls as necessary. Figure 14-6 shows an example of a CheckBox control added to the page.

FIGURE 14-6 A customized version of the CreateUserWizard control

You can store this additional information by handling the CreatedUser event. In this event, you use the Membership class (discussed later in this lesson) to get the user and update the Comment property of the MembershipUser class. This property is used to store custom values for a user. However, a better method is to use the user Profile object as discussed in Lesson 1.

Unfortunately, you cannot easily set the user's profile information inside the CreatedUser event because the user is not considered identified and authenticated to the site until after this event completes. To help with this issue, the CreateUserWizard control exposes the properties EditProfileText and EditProfileUrl. You can use these properties to create a link that appears on the final page for the created user. This link can take users to a page that allows them to edit their profile (as discussed in Lesson 1). This profile will be associated with the newly created user. However, without deeper customizations, you will have to maintain both a profile page and a create user page.

By default, new user accounts do not belong to any roles. To add a new user to a role (such as a default Users role), add a handler for the CreateUserWizard.CreatedUser event, and then call the Roles.AddUserToRole method as described later in this lesson.

Creating a Login Page

A login page allows a user to present his or her credentials to your site and then be authenticated. In most cases, a login page will include login information, a link to create a new account, and a link to retrieve a password for an existing account. Users expect to see these features grouped together on a page. To get started, you should create a login page.
You should then edit the Web.config file to point nonauthenticated requests to your login page by adding the loginUrl attribute to the <forms> element as follows:

    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

On the login page, you start by adding a Login control. This control is used to prompt a user for his or her credentials. The Login control also includes features for validation to ensure the user types a user name and password. However, to get the actual error messages to the page (instead of just asterisks), you should add a ValidationSummary control to your login page. You configure this control to work with the Login control by setting the ValidationGroup property to the ID of your Login control. Figure 14-7 shows an example of both controls added to a page.

FIGURE 14-7 The Login control prompts the user for credentials

You do not need to write any code to use the login control. It works automatically with the site configuration to authenticate users using forms-based authentication.

Adding Password Recovery

To complete your login page, you might wish to add a PasswordRecovery control. This control assists users if they forget their password. This control enables users to type their user name and receive a new, random password via e-mail. E-mails are sent based on the configured e-mail provider in Web.config. Optionally, users can also be required to answer a security question before their password is sent.

MORE INFO  CONFIGURING AN E-MAIL SERVER
You can configure an e-mail server for your site manually inside of the Web.config file. You can also use the WSAT. You set up a Simple Mail Transfer Protocol (SMTP) server using WSAT on the Application tab.

Figure 14-8 shows an example of the control in Visual Studio. Notice that there are three template views: UserName, Question, and Success.
The UserName view allows a user to enter his or her user name, the Question view allows you to ask and validate the user's secret question, and the Success view indicates a successful lookup.

FIGURE 14-8 The PasswordRecovery control can send e-mail to users who request their passwords

If the user provides valid credentials, the user is logged in to your site. The membership controls such as LoginStatus will then automatically reflect that. If the user does not provide valid credentials, the Login control prompts the user to retype his or her password. You should create a handler for the Login.LoginError event and perform security auditing by adding an event to the Security event log. Similarly, you should handle (log) the PasswordRecovery.UserLookupError and PasswordRecovery.AnswerLookupError events. This ensures that administrators can discover excessive attempts to look up and recover a user account.

Creating a Password Change Page

Another important form is the change password form. This allows users to enter their current password and create a new one. You create a change password form using the ChangePassword control. Figure 14-9 shows an example.

On completion, you can either show a success message or automatically navigate to another page. To enable the latter scenario, set the SuccessPageUrl property of the ChangePassword control to the name of the page to which you wish to redirect the user following a successful password change. The control also exposes other useful properties such as EditProfileUrl and EditProfileText to create a link to allow the user to edit other portions of his or her profile if required.
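The auditing described above (a Login.LoginError handler plus handlers for the two PasswordRecovery lookup errors), together with a custom Authenticate handler, as one added example. This is not code from the book or from Microsoft; it assumes a code-behind page hosting a Login control named Login1 and a PasswordRecovery control named PasswordRecovery1, an event source named MyWebAppSecurityAudit that has already been registered on the server, and that the handlers are wired up in markup (OnAuthenticate, OnLoginError, OnUserLookupError, OnAnswerLookupError). It writes to the Application log, since ASP.NET code running as the worker-process identity cannot write to the Security log directly, and it never writes the password or the security answer into a log entry.

```csharp
// Added example, not code from the book or from Microsoft: code-behind for a
// login page that hosts a Login control named Login1 and a PasswordRecovery
// control named PasswordRecovery1 (both names assumed). Every failed
// credential check and every failed recovery lookup is recorded so an
// administrator can notice repeated attempts against an account.
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Assumed event source. Registering a source needs administrative rights
    // (EventLog.CreateEventSource), so it is done at deployment time, not here.
    private const string AuditSource = "MyWebAppSecurityAudit";

    // Handles Login1.Authenticate. Once a handler is attached, the Login
    // control no longer calls Membership.ValidateUser itself, so this handler
    // owns the decision. The password is passed straight through; it is
    // never stored or logged.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = Membership.ValidateUser(Login1.UserName, Login1.Password);
        if (e.Authenticated)
        {
            Audit(EventLogEntryType.SuccessAudit,
                  "Login succeeded for user '" + Clean(Login1.UserName) +
                  "' from " + Request.UserHostAddress);
        }
    }

    // Handles Login1.LoginError: raised when the credentials were rejected.
    protected void Login1_LoginError(object sender, EventArgs e)
    {
        Audit(EventLogEntryType.FailureAudit,
              "Login failed for user '" + Clean(Login1.UserName) +
              "' from " + Request.UserHostAddress);
    }

    // Handles PasswordRecovery1.UserLookupError: the user name does not exist.
    protected void PasswordRecovery1_UserLookupError(object sender, EventArgs e)
    {
        Audit(EventLogEntryType.FailureAudit,
              "Password recovery: unknown user '" + Clean(PasswordRecovery1.UserName) +
              "' from " + Request.UserHostAddress);
    }

    // Handles PasswordRecovery1.AnswerLookupError: the security answer was wrong.
    // The answer itself is deliberately not written to the log.
    protected void PasswordRecovery1_AnswerLookupError(object sender, EventArgs e)
    {
        Audit(EventLogEntryType.FailureAudit,
              "Password recovery: wrong security answer for user '" +
              Clean(PasswordRecovery1.UserName) + "' from " + Request.UserHostAddress);
    }

    // Writes one audit record to the Application log under the assumed source.
    private static void Audit(EventLogEntryType type, string message)
    {
        EventLog.WriteEntry(AuditSource, message, type);
    }

    // User-supplied names end up in the log, so replace control characters
    // (which could forge extra log lines) and cap the length.
    public static string Clean(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return "<empty>";
        }
        string cleaned = Regex.Replace(value, @"\p{Cc}", "?");
        return cleaned.Length > 64 ? cleaned.Substring(0, 64) + "..." : cleaned;
    }
}
```

The FailureAudit entries are the ones worth alerting on: many entries for one user name from many addresses, or many user names from one address, are the "excessive attempts" pattern the lesson tells you to make visible to administrators.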
FIGURE 14-9 The ChangePassword control allows users to change their passwords

The Membership Class

The login controls discussed previously use the methods of the System.Web.Security.Membership class to implement their functionality. This is, for the most part, abstracted from developers. However, there are many cases in which you might want to use these methods yourself. These include creating your own custom user interface outside of the login controls, intercepting login control events, and implementing other security-related code on your site. In each case, you use the Membership class. It provides capabilities to add, remove, and find users. The following are the important, static methods in this class, along with each method's capability:

• CreateUser  This method adds a user to the database. Use this method if you create a custom page to enable users or administrators to add new accounts.

• DeleteUser  This method removes a user from the data store. Use this method if you create custom user management tools.

• FindUsersByEmail  This method gets a collection of membership users with the specified e-mail addresses.

• FindUsersByName  This method gets a collection of membership users with the specified user names.

• GeneratePassword  This method creates a random password of the specified length. Use this if you are implementing custom controls to generate or reset passwords.

• GetAllUsers  This method returns a collection of all users in the database.

• GetNumberOfUsersOnline  This method returns the number of users currently logged on.

• GetUser  This method returns a MembershipUser object representing the current logged-on user. Call this method any time you need to access the current user's account.

• GetUserNameByEmail  This method gets a user name with the specified e-mail address.
• UpdateUser  This method updates the database with the information for the specified user. Use this method if you create a page to enable users or administrators to modify existing accounts.

• ValidateUser  This method verifies that the supplied user name and password are valid. Use this method to check a user's credentials if you create your own custom login controls.

The Roles Class

Role management consists of a set of classes and interfaces that establish roles for the current user and manage role information. In ASP.NET user management, roles function as user groups, enabling you to assign access rights to all users who are part of a specific role. The most useful of these classes is System.Web.Security.Roles, which provides capabilities to add users to or remove users from roles, create new roles, and determine to which roles a user belongs. The Roles class provides many static methods, including the following:

• AddUserToRole, AddUsersToRole, and AddUsersToRoles  These methods add a user to a role.

• CreateRole  This method creates a new role.

• DeleteRole  This method deletes an existing role.

• FindUsersInRole  This method returns a collection of users in a role.

• GetAllRoles  This method returns a collection of all roles that currently exist.

• GetRolesForUser  This method returns a collection of roles for the current user.

• IsUserInRole  This method returns true if the user is a member of a specified role.

• RemoveUserFromRole, RemoveUsersFromRole, RemoveUserFromRoles, and RemoveUsersFromRoles  These methods remove a user from a role.

For example, if you want to assign the user being created as part of the CreateUserWizard control to a role named Users, you could use the following code:

    'VB
    Roles.AddUserToRole(CreateUserWizard1.UserName, "Users")

    //C#
    Roles.AddUserToRole(CreateUserWizard1.UserName, "Users");

[...]
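The CreatedUser handling described in the account-creation section (updating MembershipUser.Comment and adding the new account to a default role) and the Roles.AddUserToRole snippet just above, carried through as one added example. This is not the book's or Microsoft's code; it assumes a code-behind page hosting a CreateUserWizard named CreateUserWizard1, the role name Users from the snippet, and a hypothetical ProvisionUser helper that shows the same steps done through Membership.CreateUser for an administrative tool, checking the MembershipCreateStatus instead of assuming success.

```csharp
// Added example, not code from the book or from Microsoft: code-behind for a
// registration page that hosts a CreateUserWizard named CreateUserWizard1
// (name assumed), plus a hypothetical helper for provisioning accounts
// programmatically through the Membership and Roles classes.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Register : Page
{
    // Default role for self-registered accounts (name taken from the snippet above).
    private const string DefaultRole = "Users";

    // CreatedUser fires after the account exists in the membership store but
    // before the user is authenticated, so use the wizard's UserName rather
    // than User.Identity.Name here. Wire it up with OnCreatedUser in markup.
    protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
    {
        string userName = CreateUserWizard1.UserName;

        // Extra registration data can go into MembershipUser.Comment at this
        // point (the lesson recommends the Profile object once the user is
        // authenticated; Comment is what is reachable inside this event).
        MembershipUser user = Membership.GetUser(userName);
        if (user != null)
        {
            user.Comment = "Registered via web form on " + DateTime.UtcNow.ToString("u");
            Membership.UpdateUser(user);
        }

        AddToDefaultRole(userName);
    }

    // Role membership is what <authorization> rules key on, so a new account
    // should land in exactly the low-privilege role it needs and nothing more.
    private static void AddToDefaultRole(string userName)
    {
        if (!Roles.Enabled)
        {
            return; // roleManager is disabled in Web.config; nothing to do
        }
        if (!Roles.RoleExists(DefaultRole))
        {
            Roles.CreateRole(DefaultRole);
        }
        if (!Roles.IsUserInRole(userName, DefaultRole))
        {
            Roles.AddUserToRole(userName, DefaultRole);
        }
    }

    // Hypothetical helper for an administrative tool: creates the account with
    // Membership.CreateUser and inspects the status instead of assuming success.
    // Duplicate names, weak passwords and invalid e-mail addresses are all
    // reported through MembershipCreateStatus rather than exceptions. With the
    // default provider, requiresQuestionAndAnswer is true, so a real caller
    // would supply a question and answer instead of the nulls used here.
    public static bool ProvisionUser(string userName, string password, string email,
                                     out string failureReason)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
        {
            failureReason = status.ToString();
            return false;
        }
        AddToDefaultRole(userName);
        failureReason = null;
        return true;
    }
}
```

The Roles.Enabled check matters because the static Roles methods throw when the roleManager section is disabled; the RoleExists check avoids an exception on a fresh ASPNETDB where the Users role has not been created yet through the WSAT.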
• Configure an ASP.NET Web application to require Windows authentication.
• Create an ASP.NET Web application that uses custom forms for user authentication.
• Configure an ASP.NET Web application to require Passport authentication.
• Configure Web applications for anonymous access.
• Configure impersonation so that ASP.NET uses nondefault user credentials.
• Restrict access to Web applications, ...

... your ASP.NET Web application. The <allow> subsection of the <authorization> section tells ASP.NET that all users who pass the authentication requirements are allowed access to all ASP.NET content. To configure an ASP.NET application to provide access only to the users Eric and Sam, override the Machine.config security settings by editing the Web.config file in the root of the ASP.NET application. ...

To enable administrators to use hashed password information in the Web.config file, your ASP.NET application must include a page or tool to generate these passwords. The passwords... users

Configuring Authentication in ASP.NET Applications Lab

In these exercises, you create an ASP.NET Web application and then configure it to restrict access using roles. If you encounter a problem completing an exercise, the completed projects are available in the sample files installed from the companion CD in the Code folder.

Exercise 1  Create and Configure an ASP.NET Site to Use Membership Features...

... authentication in your application's Web.config file by following these steps, which are more user-friendly:

1. Create an ASP.NET Web application using Visual Studio.
2. From the Website menu, select ASP.NET Configuration.
3. Click the Security tab, and then click Select Authentication Type.
4. Under How Will Your Users Access The Site, select From A Local Network, and then click Done.

Creating Custom ASP.NET Forms...
... new ASP.NET Web site and add support for ASP.NET memberships.

1. Open Visual Studio. Create a new, file-based Web site called UserMembership.
2. Create two subfolders in your site. Name one Members and the other Admin. You can do so by right-clicking the project and choosing New Folder.
3. To each subfolder, add a blank ASP.NET Web form named Default.aspx. Later, you'll access these pages to verify that ASP.NET...

... 2. You use the ASP.NET Web Site Administration Tool to configure ASP.NET membership with forms authentication. What should you name your login form so that you do not have to modify the Web.config file?
A. Login.aspx
B. LoginPage.aspx
C. Default.aspx
D. Auth.aspx

3. You are creating a Web form that enables users to log in to your Web site. Which of the following ASP.NET...

... Controlling Authorization in ASP.NET Applications

In this lab, you modify an ASP.NET Web application to use Windows authentication. If you encounter a problem completing an exercise, the completed projects are available in the sample files installed from the companion CD in the Code folder.

Lesson 3: Securing Your Site

Exercise 1  Create a Web Site That Uses ASP.NET Memberships

In this exercise, ...

MORE INFO  PASSPORT SOFTWARE DEVELOPMENT KIT
For more detailed information about the requirements for building a Web application that uses Passport, you can download and review the free Microsoft .NET Passport Software Development Kit from http://support.microsoft.com/?kbid=816418

Configuring Web Applications for Anonymous Access Only

You can explicitly disable authentication for your application if you know...
... site, allowing the ASP.NET application to validate requests. This cookie can, optionally, be encrypted by a private key located on the Web server, enabling the Web server to detect an attacker who attempts to present a cookie that the Web server did not generate. ASP.NET membership allows you to quickly add forms authentication to your Web application. Because Microsoft thoroughly tests the ...

Posted: 12/08/2014, 20:22
