Chapter 20
How to authenticate
and authorize users
Murach’s ASP.NET 3.5/C#, C20
© 2008, Mike Murach & Associates, Inc.
Slide 1
Objectives
Applied
• Use the Web Site Administration Tool to enable forms-based authentication and to create and manage roles, users, and access rules.
• Use the Login, LoginStatus, and LoginName controls to provide the functionality required for a web site that contains restricted pages.
• Use the CreateUserWizard, PasswordRecovery, and ChangePassword controls to allow users to create and manage their own accounts.
• Use the LoginView control to determine the message that’s displayed depending on whether a user is logged in.
Slide 2
Objectives (cont.)
Knowledge
• Describe how the three types of authentication work.
• Describe the purpose of roles, users, and access rules.
• Describe the basic purpose of the AspNetDb.mdf database.
• Describe the basic procedure for modifying a data provider.
• Describe some of the common functions provided by the Membership, MembershipUser, FormsAuthentication, and Roles classes.
Slide 3
Windows-based authentication
• Causes the browser to display a login dialog box when the user attempts to access a restricted page.
• Is supported by most browsers.
• Is configured through the IIS management console.
• Uses Windows user accounts and directory rights to grant access to restricted pages.
Slide 4
Forms-based authentication
• Lets developers code a login form that gets the user name and password.
• The user name and password entered by the user travel as plain text unless the login page uses a secure (HTTPS) connection, which encrypts them in transit.
• Doesn’t rely on Windows user accounts. Instead, the application determines how to authenticate users.
Slide 5
Windows Live ID authentication
• Windows Live ID is a centralized authentication service offered by Microsoft.
• Windows Live ID lets users maintain a single user account that lets them access any web site that participates in Windows Live ID. The advantage is that the user only has to maintain one user name and password.
• To use Windows Live ID, you must register your web site with Microsoft to obtain an application ID and then download the Windows Live ID Web Authentication SDK.
Slide 6
HTTP requests and responses with forms-based authentication
(Browser requests: Request, Request, Post, Request. Server responses: Redirect, Login page, Redirect, Protected page.)
1. The browser requests a protected page. (Browser: Request)
2. The server receives the request and checks if it includes a cookie with an authentication ticket. If not, the server responds by redirecting the browser to the login page. (Server: Redirect)
3. The browser receives the redirect and requests the login page. (Browser: Request)
4. The server receives the request for the login page and sends it to the browser. (Server: Login page)
5. The browser displays the login page. When the user enters a name and password, the browser posts the information back to the server. (Browser: Post)
6. The login page validates the user name and password. If they’re valid, the login page redirects the browser to the page originally requested. ASP.NET automatically creates an authentication ticket and sends it as a cookie. (Server: Redirect)
7. The browser receives the redirect and requests the original page. The cookie that contains the authentication ticket is sent back to the server. (Browser: Request)
8. The server receives the request and determines from the cookie that the user is authenticated. It responds by sending the requested page. (Server: Protected page)
9. The browser displays the requested page.
Slide 7
The Security tab of the Web Site Administration Tool
Slide 8
How to enable forms-based authentication
Slide 9
User names and roles

User name   Roles
anne        admin
joel        admin, custserv
kelly       custserv

How to create and manage roles
Slide 10
How to create a user
Slide 11
How to manage users
Slide 12
How to create an access rule
Slide 13
How to manage access rules
Slide 14
The Provider tab of the Web Site Administration Tool
Slide 15
Elements in the web.config file that relax the default password policy
<membership defaultProvider="AspNetSqlMembershipProviderRelaxed">
  <providers>
    <add name="AspNetSqlMembershipProviderRelaxed"
         type="System.Web.Security.SqlMembershipProvider,
               System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="0"/>
  </providers>
</membership>
Slide 16
A Login control in the Web Forms Designer
The aspx code for the Login control
<asp:Login ID="Login1" runat="server">
</asp:Login>
Slide 17
Common attributes of the Login control

Attribute       Description
RememberMeSet   Determines whether the RememberMe check box is displayed. By default, this is set to True.
RememberMeText  The text for the label of the RememberMe check box.
FailureText     The text that’s displayed when a login attempt fails.
Slide 18
The LoginName and LoginStatus controls displayed in a browser
Slide 19
The LoginName and LoginStatus controls in the Web Forms Designer
The aspx code for the LoginName and LoginStatus controls
<asp:LoginName ID="LoginName1" runat="server"
    FormatString="You are logged in as: {0}" />
<asp:LoginStatus ID="LoginStatus1" runat="server" />
Slide 20
Common attribute of the LoginName control

Attribute     Description
FormatString  The text that’s displayed with the user name. This string uses “{0}” to identify the UserName parameter, and you can add text before or after this parameter.

Common attributes of the LoginStatus control

Attribute   Description
LoginText   The text that’s displayed for the login link.
LogoutText  The text that’s displayed for the logout link.
Slide 21
The CreateUserWizard control with the smart tag menu shown
Slide 22
The two steps of a customized CreateUserWizard control in a browser
Slide 23
The PasswordRecovery control in the Web Forms Designer
Slide 24
The first two views of the PasswordRecovery control
Slide 25
The aspx code for the PasswordRecovery control
<asp:PasswordRecovery ID="PasswordRecovery1" runat="server">
  <MailDefinition From="anne@murach.com">
  </MailDefinition>
</asp:PasswordRecovery>
Slide 26
The first view of the ChangePassword control in the Web Forms Designer
The second view of the ChangePassword control
Slide 27
The aspx code for the ChangePassword control
<asp:ChangePassword ID="ChangePassword1" runat="server"
    CancelDestinationPageUrl="MyAccount.aspx"
    ContinueDestinationPageUrl="MyAccount.aspx">
</asp:ChangePassword>
Slide 28
The LoginView control in the Web Forms Designer
Slide 29
The aspx code for the LoginView control
<asp:LoginView ID="LoginView1" runat="server">
  <LoggedInTemplate>
    <asp:Label ID="Label2" runat="server"
        Text="You are logged in."
        Width="155px"></asp:Label><br />
    <asp:LoginStatus ID="LoginStatus2" runat="server" />
  </LoggedInTemplate>
  <AnonymousTemplate>
    <asp:Label ID="Label1" runat="server"
        Text="You are not logged in."
        Width="175px"></asp:Label><br />
    <asp:LoginStatus ID="LoginStatus1" runat="server" />
  </AnonymousTemplate>
</asp:LoginView>
Slide 30
The LoginView control displayed in a browser
Slide 31
The Menu page
Slide 32
The Login page
Slide 33
The MyAccount page
Slide 34
The Maintenance page
Slide 35
The directory structure for the Authentication application
Slide 36
The access rules for the MyAccount directory
Slide 37
The web.config files for the Authentication application
For the root directory
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <roleManager enabled="True"/>
    ...
  </system.web>
</configuration>
For the MyAccount directory
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Slide 38
The web.config files for the Authentication application (cont.)
For the Maintenance directory
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Wildcard specifications in the users attribute

Wildcard   Description
*          All users, whether or not they have been authenticated.
?          All unauthenticated users.
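A single root web.config that combines the settings from these slides, added here as an example and not taken from the book’s Authentication application: it names the login page, hardens the authentication ticket cookie, and expresses the MyAccount and Maintenance rules with location elements instead of per-directory files. The page names Login.aspx and Menu.aspx are assumed.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication. protection="All" encrypts and signs the ticket,
         requireSSL marks the ticket cookie Secure so the browser only sends it
         over HTTPS, timeout is in minutes, and cross-application redirects stay
         off so a ReturnUrl pointing at another host is ignored. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             defaultUrl="Menu.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             enableCrossAppRedirects="false" />
    </authentication>
    <roleManager enabled="true" />
    <!-- Apply HttpOnly and Secure to every cookie the application issues,
         not only the authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Root directory: anonymous users may still reach the Menu and Login pages. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Same rule as the MyAccount web.config shown on the slides:
       deny unauthenticated users (?). -->
  <location path="MyAccount">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Same rule as the Maintenance web.config: rules are evaluated top to
       bottom, so the allow for the admin role must precede the deny for everyone (*). -->
  <location path="Maintenance">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL set, the login page itself must be served over HTTPS; otherwise RedirectFromLoginPage throws an HttpException when it tries to issue the Secure cookie.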
Slide 39
Common methods of the Membership class
• ValidateUser(userName, password)
• CreateUser(userName, password)
• CreateUser(userName, password, email)
• GetUser()
• GetUser(userName)
• GetUserNameByEmail(email)
• GetAllUsers()
• DeleteUser(userName)
• UpdateUser(membershipUser)
Slide 40
A statement that checks if a user is valid
bool validUser;
validUser = Membership.ValidateUser(txtUserName.Text, txtPassword.Text);

A statement that creates a user
try
{
    Membership.CreateUser(txtUserName.Text, txtPassword.Text);
}
catch (MembershipCreateUserException eCreateUser)
{
    lblStatus.Text = eCreateUser.Message;
}
Slide 41
A statement that gets the current user and updates the last activity timestamp
MembershipUser user = Membership.GetUser();

A statement that deletes a user
Membership.DeleteUser(txtUserName.Text);
Slide 42
Common properties of the MembershipUser class
• Username
• Email
• PasswordQuestion
• CreationDate
• LastLoginDate
• LastActivityDate
• IsApproved
Slide 43
Common methods of the MembershipUser class
• GetPassword()
• ChangePassword(oldPassword, newPassword)
• ResetPassword()
• ChangePasswordQuestionAndAnswer(password, question, answer)
Slide 44
Code that changes a user’s password
MembershipUser user = Membership.GetUser();
try
{
    user.ChangePassword(txtOldPassword.Text, txtNewPassword.Text);
}
catch (Exception ex)
{
    lblStatus.Text = "Error changing password: " + ex.Message;
}
Slide 45
Common methods of the FormsAuthentication class

RedirectFromLoginPage(userName, createPersistentCookie)
    Issues an authentication ticket for the user and redirects the browser to the page it was attempting to access when the login page was displayed. If the createPersistentCookie argument is True, the cookie that contains the authentication ticket is persisted across browser restarts.
SignOut()
    Logs the user off by removing the cookie that contains the authentication ticket.
Slide 46
Code that redirects the browser to the originally requested page
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
else
    lblStatus.Text = "Invalid user! Try again.";

A statement that logs a user off
FormsAuthentication.SignOut();
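A login page code-behind that builds on the snippet above, added here as an example rather than the book’s code: it ties the lockout produced by the provider’s maxInvalidPasswordAttempts and passwordAttemptWindow settings to the login handler, refuses unapproved accounts, and shows one generic message for every failure so the form does not reveal which user names exist. The class name, the controls txtUserName, txtPassword, chkRememberMe and lblStatus, and the button handlers are assumed.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Assumed code-behind for the Login page; control names are assumed as well.
public partial class LoginPage : Page
{
    // One message for every failure. Distinct messages for "no such user",
    // "locked out" and "not approved" would let a caller enumerate accounts.
    private const string GenericFailure = "Invalid user name or password.";

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();

        // ValidateUser records a failed attempt. After maxInvalidPasswordAttempts
        // failures inside passwordAttemptWindow minutes (the provider settings on
        // the web.config slide) SqlMembershipProvider sets IsLockedOut and keeps
        // returning false, even for the right password, until UnlockUser() is called.
        if (!Membership.ValidateUser(userName, txtPassword.Text))
        {
            lblStatus.Text = GenericFailure;
            MembershipUser failed = Membership.GetUser(userName, false); // false: no activity update
            if (failed != null && failed.IsLockedOut)
                System.Diagnostics.Trace.TraceWarning(
                    "Login attempt on locked-out account {0}", userName);
            return;
        }

        // SqlMembershipProvider already rejects unapproved and locked-out users in
        // ValidateUser; this check keeps that guarantee if a custom provider does not.
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            lblStatus.Text = GenericFailure;
            return;
        }

        // chkRememberMe maps to createPersistentCookie: a persistent ticket survives
        // browser restarts, so it should be opt-in rather than the default.
        FormsAuthentication.RedirectFromLoginPage(user.UserName, chkRememberMe.Checked);
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut(); // removes the authentication ticket cookie
        Session.Abandon();             // and discards server-side session state
        Response.Redirect(FormsAuthentication.LoginUrl, false);
    }
}
```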
Slide 47
Common methods of the Roles class
• CreateRole(roleName)
• GetAllRoles()
• AddUserToRole(userName, roleName)
• GetRolesForUser(userName)
• GetUsersInRole(roleName)
• IsUserInRole(userName, roleName)
• RemoveUserFromRole(userName, roleName)
• DeleteRole(roleName)
Slide 48
Code that creates a role
string errorMessage = "";
try
{
    Roles.CreateRole(txtRoleName.Text);
}
catch (Exception ex)
{
    errorMessage = "Error creating role: " + ex.Message;
}

A statement that gets all roles in the system
string[] roles = Roles.GetAllRoles();

A statement that adds a user to a role
Roles.AddUserToRole(currentUserName, "premium");

A statement that removes a user from a role
Roles.RemoveUserFromRole(txtUserName.Text, cboRoles.SelectedValue);
Slide 49