
Rob Howard – Membership, Role Management and Security in ASP.NET Whidbey
Blog: http://weblogs.asp.net/rhoward and http://www.rob-howard.net
Forms Authentication 1.0
- Solves a common problem developers had with their web apps
- Most popular Internet auth. technique
- No ugly/confusing dialog boxes
- Custom authentication uses HTML UI
- Use credentials collected on page
- Posted back to the server
- Page obtains credentials, issues auth. ticket
- ASP.NET Forms Authentication APIs
- APIs for creating authentication ticket
- Authenticate requests in Http Pipeline
Forms Authentication 2.0
- Whidbey
- Cookies no longer a requirement
- When supported, Cookies still best choice
- Single Forms Authentication model
- Mobile & Desktop
- All ASP.NET 2.0 controls are now mobile aware
- No special device adapters or pages
Cookieless Modes
useDeviceProfile – detects whether to use cookies based on the user agent of the device (default)
useCookies – all requests store ticket in cookie
auto – auto detects whether to use cookies or to store ticket in URI by attempting to send the user a cookie
useURI – all requests store ticket in URI
Pretty cool – seems you might want to use useURI most of the time, though.
Security Services Stack
- Composed of the APIs of Membership and Role Manager
- Back end to data – SQL 7 & 2000, Jet (Access), Authorization Manager and user defined
- Out of the box, at least three options
- Didn’t want to force users into a data model
- The ones we defined will work for most cases
- Can also drop in your own business logic
- For every one of these data providers – there is actually a separate class
- There is no business logic in the Membership and Role manager classes – it is all in the database providers
- On top of all this – set of rich server controls
Membership
- Membership
- Solves common credential storage problem
- Replace complex authentication code
- Secure Credential Storage Services
- Hashed + random salt for user credentials
- Eliminates complex security plumbing code
- Comprehensive user management
- Credential validation / who is online
- Question/Answer password reset/retrieve
Membership.ValidateUser(username.Text, Password.Text)
Membership APIs
System.Web.Security
- User management
- Validate credentials
- Create, Delete, Update
- Finding/Getting Users
- By Username/Email
- Users online
- Password management
- Password reset
- Question/Answer
Can have two applications on the server that share the same users/passwords
There is also: CreateUser, DeleteUser, GetAllUsers, GetUser, GetUserNameByEmail, GetNumberOfUsersOnline, UpdateUser … more
MembershipUser Class
System.Web.Security
- Membership.UpdateUser()
- Used to update user properties
- Access to user details
- Last login date
- Password change date
- Disable authentication
Membership configuration
requiresUniqueEmail attribute is cool.
description will show in ASP.NET tools.
Providers
- Not just a data access layer – also the business layer
- Uses new Provider design pattern
- Pluggable Data Access Layer (DAL)
- Pluggable Business Logic Layer (BLL)
- Ships with 2 Membership Providers
- SQL Server – Production Application
- Access – testing/development
- Identical APIs through Membership
Writing Membership Providers
- Implement IMembershipProvider
- All methods/properties for Membership
- Will be abstract base class in beta – for our versioning purposes
- Register custom provider
- Membership APIs then call your class
- All logic in your class
- If you want an Oracle provider – roll your own
DEMO of XML Membership Provider and derive from SqlMembershipProvider
Role Caching
- When cookies are supported
- Stores encrypted list of roles
- No database lookups on each request
- When cookies not supported
- Role manager still works
- Lookup to cached list in application
- When more roles than cookie can store
- Incremental Roles cookie
- Stores LRU list of roles
Roles Class
- Role Management
- Create, Update, Delete
- IsUserInRole / Roles for User
- Adding / Removing
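As an added example (not from the talk or the ASP.NET team), a login handler that ties together the Membership.ValidateUser call, the MembershipUser details and the Roles API from the notes above, written against the ASP.NET 2.0 release names, which differ slightly from the Whidbey PDC build (MembershipProvider is the abstract base class rather than IMembershipProvider). The control names, the 90-day password age, the "Administrators" role and the page paths are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed: a <membership> provider and <roleManager enabled="true"> are
// configured in web.config, and the login page declares these controls.
public partial class Login : Page
{
    protected TextBox username;
    protected TextBox password;
    protected Label message;

    // Assumed policy value for this example.
    private static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // ValidateUser hands the credentials to the configured provider,
        // which hashes the submitted password with the stored salt and
        // compares; no hashing or SQL lives in the page itself.
        if (!Membership.ValidateUser(username.Text, password.Text))
        {
            // One message for unknown user and wrong password, so the
            // form does not confirm which usernames exist.
            message.Text = "Invalid username or password.";
            return;
        }

        // MembershipUser exposes the per-user details the notes list:
        // last login, last password change, approval and lock-out state.
        MembershipUser user = Membership.GetUser(username.Text);
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            message.Text = "This account is not currently active.";
            return;
        }

        if (DateTime.Now - user.LastPasswordChangedDate > MaxPasswordAge)
        {
            // Stale password: no ticket yet, send the user to the
            // change-password page first (assumed path).
            Response.Redirect("~/ChangePassword.aspx");
            return;
        }

        // Roles API: administrators land on their console (assumed path),
        // everyone else on the page they originally asked for.
        string target = Roles.IsUserInRole(user.UserName, "Administrators")
            ? "~/Admin/Default.aspx"
            : FormsAuthentication.GetRedirectUrl(user.UserName, false);

        // Issues the forms-auth ticket (cookie or URL, per the cookieless
        // setting) and redirects; "false" = session ticket, not persistent.
        FormsAuthentication.SetAuthCookie(user.UserName, false);
        Response.Redirect(target);
    }
}
```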