Security – Meet the new Login controls
The .NET Framework 2.0 makes the developer's work easier. A clear example of this is the Login controls of ASP.NET 2.0. By combining the Login controls with the new security scheme of ASP.NET 2.0, we can implement security in our applications without a single line of code, as we will see in this article.
We will begin with a practical application. Create a new ASP.NET Web Site project in Visual Studio 2005. Notice that the ToolBox has a section with the Login controls (Figure 1).
Figure 1. Login controls in the Visual Studio 2005 ToolBox.
Drag the Login control onto your Default.aspx page. Notice that it already contains all the elements of a component that performs logins to a site. As with any ASP.NET control, we can change its layout through the Auto Format option found in the control's Tasks. In our example the Professional format was applied. You can see the result in Figure 2.
Figure 2. Login control in the Default.aspx Page.
Add a new Web Form to the project, called "Menu.aspx"; this will be the page we call when the user enters a valid user name and password. In the design view of Menu.aspx, include the text "Hello, login successful!". Before the comma, include the LoginName control.
Return to Default.aspx, click the Login control and go to its properties. Find the DestinationPageUrl property, click the button with three dots and choose the Menu.aspx page. Run the project; enter in Username the user of your local machine and the respective password. See the result in Figure 3.
Figure 3. Error when attempting to login to the site.
To change the error message, modify the FailureText property. To change the labels of the text boxes, the checkbox and the button, use the properties UserNameLabelText, PasswordLabelText, RememberMeText and LoginButtonText, respectively.
It didn't work, right? And that is fortunate, because we first need to adjust some settings. Let us now understand how the new security scheme of ASP.NET 2.0 works. Go to the Solution Explorer and, in the button bar at the top, click the last button (Figure 4).
Figure 4. Button to access the ASP.NET Configuration.
This button opens the ASP.NET Configuration, which, among other options, gives access to all the security settings. We can also open the ASP.NET Configuration through the Website > ASP.NET Configuration menu. On the first screen, choose the Security tab (Figure 5).
Figure 5. Configuring security in ASP.NET 2.0.
From here we can perform all the security configuration for our web application. As we are just starting, we will use the wizard. Click the "Use the security Setup Wizard to configure security step by step" link. The first screen is just a summary of what we will do, so click Next.
The first step in configuring the security of your application is to define how users will access it (Figure 6).
Figure 6. Defining the access method that will be used in the application.
If the application will be accessed from the internet, we must choose the From the Internet option. In this case the users will be authenticated through the Login control before accessing the application. If the application is to be accessed only by local network users, we choose the From a Local Area Network option; then we do not need the Login controls, because the users have already been authenticated by the network's own domain. Choose the From the Internet option and click Next.
The second step of the configuration is to define the Data Store. We do not need to change anything related to storage; we will use the ASP.NET default. ASP.NET automatically creates a database in SQL Server Express, called aspnetdb, which stores the configuration information of the applications created, including all the information related to security.
To see this, go to the Server Explorer and create a connection to the aspnetdb database. Notice in Figure 7 that this database has several tables, including one called aspnet_Users, where ASP.NET stores the users.
Figure 7. aspnetdb database.
Proceeding with the wizard, click Next. In this stage we have to define whether we will work with Roles. Roles are like user groups: users are grouped into Roles to indicate that they perform the same function in the company, for example Sales, Marketing, Administrators, etc.
Use Roles in applications with many users, because you can apply security rules directly to the Roles and then include users in them. This makes maintaining the application's users easier. As Figure 8 shows, check the Enable roles for this Web Site option to enable the use of Roles in the application.
Figure 8. Enabling Roles for the application.
Then click Next to proceed with the wizard. The next screen is for creating the Roles. To create a Role, just enter its name in the New Role Name field and click the Add Role button. For our example we will create two Roles: "Sales" and "Marketing". Notice in Figure 9 that the Roles created appear in a list, from which we can also remove them through the Delete link. After creating the Roles, click Next.
Figure 9. Creating Roles.
Now we have the option to create users. We will create two users so that we can run our tests. We only need to enter the user name, password and e-mail, plus a question and answer to help recover the password in case it is forgotten. When you finish filling in the fields, click Create User.
You can create two users with names and other information of your choice. The names of the users created in this example are "NhoQuim" and "NhoSerra". The password used for both was "P@ssw0rd" (Figure 10). After creating the two users needed for our example, click Next.
Figure 10. Creating a new user in the ASP.NET 2.0.
Note: By default, ASP.NET applies a security policy to passwords: they must be longer than seven characters and contain a special character (*, &, % etc.).
In this last step of the wizard we can define the Access Rules. Do not confuse Role with Rule. Access Rules are used to allow or deny access to certain areas of the site. You can use Access Rules to control access to the whole application or to each of the application's folders. An Access Rule can be applied to a single user or only to anonymous users.
To add an Access Rule, first select the folder to which it will apply. If the Access Rule is valid for the whole application, select the root folder. Next, define whether the Access Rule applies to a Role, a user, all users or only anonymous users. Finally, define whether the Access Rule allows access to the folder or denies it. After settling these three points, click Add This Rule.
The added Rules appear in a list just below. Access Rules are applied in the order found in this list; for example, if the first Rule denies access to anonymous users of the application and the second one grants it, the first one is the one that counts. In this list we can remove Rules through the Delete link.
In our example we will create only two simple Access Rules. One will allow access to users in the Sales role, and the other will allow access to users in the Marketing role (Figure 11).
Figure 11. Defining Access Rules.
After creating the Access Rules, click Next. A conclusion screen appears; all you have to do now is click Finish. You can manage users, Roles and Access Rules at any time: just open the ASP.NET Configuration and go to the Security tab.
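The wizard stores the Access Rules in web.config, and it is worth reading the result rather than trusting the list alone. The following is an added example, not a listing from the article: the two rules of Figure 11 completed with the deny that makes them effective (the folder name Marketing in the location element is assumed).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the article): the Access Rules of Figure 11
     as the wizard stores them in web.config, completed with a deny.
     ASP.NET evaluates <authorization> rules top to bottom and stops at
     the first match; a request that matches no rule falls through to
     the root configuration, which ends with <allow users="*" />.
     The two allow rules on their own therefore restrict nothing. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The Login control lives on Default.aspx, so it must be the
           loginUrl: Forms authentication lets anonymous users reach
           that page even when the rules below deny them, and
           redirects denied requests there. -->
      <forms loginUrl="Default.aspx" />
    </authentication>

    <!-- Site-wide rules. "?" means anonymous users, "*" means all
         users; "*" is used so that an authenticated user in neither
         role is refused as well. The deny must come LAST: placed
         first it would match everyone and lock the site. -->
    <authorization>
      <allow roles="Sales" />
      <allow roles="Marketing" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Rule for one folder (folder name assumed), as the wizard writes
       when a subfolder rather than the root is selected. -->
  <location path="Marketing">
    <system.web>
      <authorization>
        <allow roles="Marketing" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```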
Assigning users to the roles
You may have noticed that something is missing from our configuration. We have not yet defined which Role each of the users we created belongs to. That is exactly what we will do now. In the Security tab of the ASP.NET Configuration, click the Manage Users option. A screen like the one in Figure 12 appears.
Figure 12. Defining Roles of the users.
To define a user's roles, click the Edit roles link beside each user in the list of users. When you click the link, a list of all available Roles appears on the right. Just select the Roles of the user in question. In our example, we will define that the user NhoQuim belongs to the Sales role and the user NhoSerra belongs to the Marketing role.
Testing the user access
We will now test access to the application using the Login control. Close the ASP.NET Configuration and return to the application. Compile and run it again. In the Login control, enter the user NhoQuim and the respective password (P@ssw0rd). See the result in Figure 13.
Figure 13. User authenticated in the application.
We will now use the LoginView control to verify the use of Roles. The LoginView is a control used to define different content in certain areas of a page according to the user's Role. Open the Menu.aspx page and include a LoginView control. In the control's tasks, click the Edit RoleGroups option. A window like the one shown in Figure 14 is displayed.
Figure 14. Configuring RoleGroups in the LoginView.
Click Add and an item called RoleGroup appears. On the right we have a property called Roles; click the three-dots button for this property. A new window appears for us to enter the name of the Role. Type "Sales" and click OK. Click Add again and repeat this procedure for the "Marketing" Role. When you are finished, click OK.
Still in the tasks, observe the Views option. As shown in Figure 15, we can choose among several possible Views and define different content for each one of them.
Figure 15. Possible Views of the LoginView control.
Select the Sales View. Notice that the LoginView works as a container into which we can insert controls. We will insert only the text "Sales content". Switch to the Marketing View and insert the text "Marketing content".
With these changes made, save, compile and run the application. First log in with the NhoQuim user and notice that he only sees the content of the Sales role. Log out and log in with the user NhoSerra; notice that he only sees the content of the Marketing role. It is also possible to define different content for anonymous users, or for logged-in users who do not belong to any configured role.
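The markup the designer produces for the Menu.aspx page built above, written out here as an added example rather than a listing from the article, so that the RoleGroups and the two extra templates just mentioned can be seen together (the page directive is assumed; no code-behind is needed).

```aspx
<%@ Page Language="C#" %>
<!-- Added example (not the article's listing). RoleGroups are checked
     in document order and the first group the user belongs to wins:
     a user in both Sales and Marketing would see only the Sales view.
     The LoginView only chooses what to render; it does not enforce
     access, so the <authorization> rules in web.config still apply. -->
<html>
<body>
  <form id="form1" runat="server">
    Hello <asp:LoginName ID="LoginName1" runat="server" />, login successful!

    <asp:LoginView ID="LoginView1" runat="server">
      <RoleGroups>
        <asp:RoleGroup Roles="Sales">
          <ContentTemplate>Sales content</ContentTemplate>
        </asp:RoleGroup>
        <asp:RoleGroup Roles="Marketing">
          <ContentTemplate>Marketing content</ContentTemplate>
        </asp:RoleGroup>
      </RoleGroups>
      <!-- Rendered for an authenticated user who matches no RoleGroup -->
      <LoggedInTemplate>No role-specific content for your account.</LoggedInTemplate>
      <!-- Rendered for anonymous users -->
      <AnonymousTemplate>Please log in first.</AnonymousTemplate>
    </asp:LoginView>
  </form>
</body>
</html>
```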
We will now use the CreateUserWizard control. Add a new Web Form to the project called "CreateUser.aspx". In the design view, insert a CreateUserWizard and set its AutoFormat to Professional. In the ContinueDestinationPageUrl property enter the Default.aspx page, to indicate the destination page after the new account is created.
Return to the Default.aspx page and go to the properties of the Login control. In the Links section, find the CreateUserText and CreateUserUrl properties. In the first one enter "New User", and in the second one enter the CreateUser.aspx page we have just created. Save, compile and run the project. Notice in Figure 16 that the Login control now has a link called New User.
Figure 16. Login control with option of registering new user.
Click the link and see in Figure 17 that we can add a new user, just as we did through the ASP.NET Configuration.
Figure 17. Creating a new user with the CreateUserWizard control.
Fill in the form for the new user and click Create User. A message appears informing that the user was created successfully; click the Continue button. You return to the login screen; enter the user name and password you have just created and click Login. There you are: you already have a new, working user!
Go to the design view of the Menu.aspx page. Include a ChangePassword control and set its AutoFormat to Professional. Save, compile and run. Enter the user name and password in the Login control. Notice that our Menu.aspx page now has a control for changing the password (Figure 18). Test it by changing the user's password.
Figure 18. Modifying the password with the ChangePassword control.
Integrating ASP.NET security into your own database
You are surely asking yourself how to integrate this security scheme with your own database, since ASP.NET stores its users in aspnetdb. In the examples so far we used aspnetdb, which was created automatically in SQL Server Express. This is one possible solution, but it is also possible to integrate the whole ASP.NET security scheme into our own database.
When ASP.NET 2.0 is installed, we get an application called aspnet_regsql.exe, located in the C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory. Through this application we can create the whole infrastructure of security tables in our own SQL Server database. This structure is the one previously shown in Figure 7.
We will test this by creating the structure in a different database, in this case Northwind. From the command prompt, go to the directory indicated above and run the aspnet_regsql.exe application. A wizard starts; click Next to proceed. On the next screen the wizard asks whether we want to create the structure of the Application Services or remove it. Select the first option and click Next.
Note: It is important to point out that the table structure created by ASP.NET is not intended only for security, but for a set of services (Application Services) that we may use in our applications.
In the next window we must define the server and the SQL Server database where the structure will be created, as Figure 19 shows. Notice that we chose the Northwind database.
Then click Next. The next window is just a confirmation; click Next again and wait a few moments while the structure is created. Finally, click Finish. The ASP.NET tables have now been created in the Northwind database.
Figure 19. Defining the Northwind database for the creation of the structure of the Application Services.
ASP.NET persists and accesses the information of the Application Services through classes called Providers. We now need to configure our application so that the provider responsible for our application's security data accesses the Northwind database rather than aspnetdb. You must configure your web.config file as Listing 1 shows.
Listing 1. Web.config altered to configure Provider and ConnectionString.
<?xml version="1.0" encoding="utf-8"?>
connectionString="Data Source=SQLSERVER2005;Initial Catalog=NorthWind;Integrated Security=True;"/>
<authentication mode="Forms" />
Notice that we have a ConnectionString that points to Northwind and, just below it, the configuration of the AspNetSqlMembershipProvider provider and of the AspNetSqlRoleProvider provider. Note that both point to the ConnectionString we created, and that we can also define a series of security settings here, for example the minimum password length in the minRequiredPasswordLength attribute. There you have it: our application and database now have the ASP.NET security in place! All that remains is to create the necessary users, roles and Access Rules.
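Listing 1 survives above only in fragments, so here is a complete web.config with the content the paragraph describes, added as an example rather than reproduced from the article. The connection string name NorthwindConnectionString is assumed (the article does not show it); the server name, provider names and minRequiredPasswordLength attribute are the ones the text mentions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <!-- Name is assumed; Data Source and Initial Catalog follow Listing 1 -->
    <add name="NorthwindConnectionString"
         connectionString="Data Source=SQLSERVER2005;Initial Catalog=Northwind;Integrated Security=True;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms" />

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <!-- The machine-level web.config already defines a provider with
             this name that points at aspnetdb; remove it first, otherwise
             the <add> below fails with a duplicate-name error. -->
        <remove name="AspNetSqlMembershipProvider" />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="NorthwindConnectionString"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="false"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
        <!-- Hashed stores a salted hash, never the password itself, and
             is incompatible with enablePasswordRetrieval="true" (the
             provider refuses to start). applicationName is fixed at "/"
             so the users and roles stay attached to this application
             even if the site is moved to another virtual directory. -->
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <!-- Same pattern: replace the inherited aspnetdb-bound provider -->
        <remove name="AspNetSqlRoleProvider" />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="NorthwindConnectionString"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```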
If you wish, you can also create relationships between the tables of your system and the aspnet_Membership table. This way, for example, we can identify that the logged-in user is a certain employee from the Employees table or a certain customer from the Customers table, and then apply the business rules of our application. It all depends on the needs and circumstances of each solution.
Note: It is also possible to customize the Membership and Roles providers so that they access a table structure different from the one created and used by ASP.NET. This is useful when our database is not SQL Server, or when we want to take advantage of an existing users table. Provider customization is a topic we will cover on another occasion.
ASP.NET 2.0 has many new security features. We have seen that with the new login controls it is possible to implement security in our applications without adding a single line of code! We did it all just by configuring security through the ASP.NET Configuration and the Login controls. Best regards and until next time!