Tuesday, November 25, 2008

ASP.NET Security, Authentication and Authorization

Security is one of the major features of a web application. A good way of providing reliable security in your web application is to use a tried and tested solution which follows known standards. ASP.NET's security mechanism is outstandingly beautiful. As a side note here, I have good experience with the Java Authentication and Authorization Service and the brilliant Seam Security implementation, which uses the underlying Java security mechanisms.

ASP.NET, though, provides the simplest way of implementing security in a web application. Authentication and authorization have all been taken care of, with even the possibility of customization. To demonstrate this, here are the various steps I have been carrying out:

(1) Configure your web application to use Membership and Role Management by adding the following to your web.config:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <!-- SqlMembershipProvider stores users in the tables created by aspnet_regsql.exe.
         passwordFormat="Hashed" stores salted hashes, so passwords can never be read back;
         enablePasswordRetrieval must therefore stay false (reset is still possible).
         Account lockout uses the provider defaults: 5 failed attempts within 10 minutes. -->
    <add
      name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SimpleSqlConnection"
      applicationName="MyApplication"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      requiresUniqueEmail="true"
      passwordFormat="Hashed" />
  </providers>
</membership>

<!-- Role management against the same database; roles are checked by
     User.IsInRole() and by the <authorization> rules in web.config. -->
<roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
  <providers>
    <add name="CustomizedRoleProvider"
         type="System.Web.Security.SqlRoleProvider"
         connectionStringName="SimpleSqlConnection" />
  </providers>
</roleManager>

(2) Make sure that the connection string you specify here (SimpleSqlConnection) exists in the connectionStrings section of the web.config file.

(3) Now, from the Visual Studio Command Prompt, type aspnet_regsql.exe to launch the ASP.NET SQL Server Setup Wizard and configure your database with the tables required for security.

(4) Once this is done, in the Visual Studio IDE, launch the ASP.NET Web Site Administration Tool (click on Project -> ASP.NET Configuration).

(5) Click on the Security tab and use the Security Wizard to create roles, users (along with their roles), and access rules.
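The access rules created in step 5 are written into web.config as authorization sections, and the Login control in the next step only works once Forms authentication is switched on. The following web.config fragment is an added example, not part of the original post; the admin folder, the Administrators role name and the cookie name are assumptions, while the login URL is the one used by the post's own LoginView markup.

```xml
<!-- Added example (not from the original post). -->
<configuration>
  <system.web>
    <!-- Unauthenticated requests to protected pages are redirected to loginUrl.
         ASP.NET marks the forms ticket cookie HttpOnly; requireSSL keeps it off
         plain-HTTP connections. -->
    <authentication mode="Forms">
      <forms loginUrl="~/general/login.aspx"
             name=".MYAPPAUTH"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

    <!-- Site-wide default: anonymous users ("?") are denied everything. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rule: only members of the Administrators role may reach /admin.
       Rules are evaluated top-down and the first match wins, so the allow must
       precede the deny of everyone else ("*"). -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page must stay reachable anonymously, otherwise the
       redirect above loops. -->
  <location path="general/login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Deny-by-default at the root with explicit allows per location is the pattern worth checking after running the wizard: a rule set that starts with allow entries and never denies "*" leaves every page open to anyone who can log in.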

(6) ASP.NET comes with a variety of pre-built login controls for login, authenticated user information display, and logout.

For the Login control, the markup is as follows:

<div>
    <asp:Login DisplayRememberMe="false" ID="LoginControl" runat="server"/>
</div>

For user information display:

<asp:LoginView ID="LoginViewControl" runat="server" Visible="true">
    <AnonymousTemplate>
        <!-- runat="server" is required, otherwise the tag is emitted as literal text -->
        <asp:HyperLink ID="LoginLink" runat="server" NavigateUrl="~/general/login.aspx" Text="Please Login"/>
    </AnonymousTemplate>
    <LoggedInTemplate>
        <table>
            <tr>
                <td>
                   Welcome <asp:Label ID="LoginUserName" runat="server"/>
                </td>
            </tr>
            <tr>
                <td>
                    You are logged in as <asp:Label ID="LoginRoles" runat="server"/>
                </td>
            </tr>
            <tr>
                <td>
                    <asp:LoginStatus ID="LoginStatusControl" runat="server" />
                </td>
            </tr>
        </table>
    </LoggedInTemplate>
</asp:LoginView>
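The two labels inside the LoggedInTemplate above have no binding of their own, so something has to fill them in. The code-behind below is an added example and not the post's own code; the page class names are assumptions, and it assumes the Login control's markup is wired with OnLoginError="LoginControl_LoginError". It resolves the templated labels with FindControl, takes the user name from the Forms ticket and the roles from the configured RoleProvider, and HTML-encodes both before rendering, since Label.Text is written to the page unencoded and user names come from registration input.

```csharp
// Added example (not from the original post). Page class names are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the page that hosts the LoginView shown above.
public partial class Home : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Controls declared inside a template are not page fields;
        // they must be located through the LoginView.
        var userLabel  = LoginViewControl.FindControl("LoginUserName") as Label;
        var rolesLabel = LoginViewControl.FindControl("LoginRoles") as Label;
        if (userLabel == null || rolesLabel == null)
            return; // anonymous template is active, nothing to fill in

        // Identity comes from the Forms authentication ticket,
        // roles from the provider configured in <roleManager>.
        string userName = User.Identity.Name;
        string[] roles  = Roles.GetRolesForUser(userName);

        // Encode before rendering: Label.Text is not HTML-encoded by the control.
        userLabel.Text  = HttpUtility.HtmlEncode(userName);
        rolesLabel.Text = HttpUtility.HtmlEncode(string.Join(", ", roles));
    }
}

// Code-behind for general/login.aspx, which hosts the Login control.
public partial class Login : Page
{
    // Wired in markup with OnLoginError="LoginControl_LoginError" (assumption).
    protected void LoginControl_LoginError(object sender, EventArgs e)
    {
        // Record failures so brute-force attempts and provider lockouts
        // (maxInvalidPasswordAttempts within passwordAttemptWindow) show up
        // in the trace log. The message shown to the user stays generic so
        // the response does not reveal whether the account exists or is locked.
        Trace.Warn("Security",
            "Failed login for '" + LoginControl.UserName +
            "' from " + Request.UserHostAddress);
        LoginControl.FailureText = "Login failed. Please check your user name and password.";
    }
}
```

Checking User.IsInRole("Administrators") in code is the programmatic counterpart of the web.config access rules; use it for per-action decisions inside a page, and keep the page-level rules in web.config so that a forgotten check in one code path does not expose a whole folder.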

Hope it's also a cruise for you.
