Membership Provider and Role Manager in ASP.NET
Introduction
ASP.NET provides all the features we need to use a database to store security, user, and role membership details. It also provides a series of server controls that help us build the pages that users need and that administrators require to create accounts, change passwords, and maintain the login information and role membership for each user. The two features of ASP.NET that support this are:
• The membership provider and the associated database tables and procedures
• The role manager and its associated database tables and procedures
Membership Provider Configuration
The ASP.NET membership provider manages the tables in the ASP.NET application database that store details of the users we define for the Web site. The <membership> element (located within the <system.web> section of web.config) and its content define the configuration of the membership provider, including the connection to the database.
The <membership> element consists of a series of one or more <add> elements within the <providers> section, each of which defines the parameters for a provider that will be available for the membership system to use. By default, it includes just the first one, named AspNetSqlMembershipProvider. We have added two more to the list to demonstrate how we can choose a different configuration for our providers, if required.
The connectionStringName attribute refers to a value in the <connectionStrings> section of this web.config file, or a value defined in a web.config file nearer the root folder of this application. The remaining attributes set specific properties of the provider that control how ASP.NET pages and controls can interact with it.
<system.web>
  ...
  <membership>
    <providers>
      <add
        name="AspNetSqlMembershipProvider"
        type="System.Web.Security.SqlMembershipProvider, ..."
        connectionStringName="LocalSqlServer"
        applicationName="/"
        enablePasswordRetrieval="false"
        enablePasswordReset="true"
        requiresQuestionAndAnswer="true"
        requiresUniqueEmail="false"
        passwordFormat="Hashed"
        maxInvalidPasswordAttempts="5"
        minRequiredPasswordLength="7"
        minRequiredNonalphanumericCharacters="1"
        passwordAttemptWindow="10"
        passwordStrengthRegularExpression="" />
      <!-- following added to use SQL Server 2005 database -->
      <add
        name="Sql2005MembershipProvider"
        type="System.Web.Security.SqlMembershipProvider, ..."
        connectionStringName="SqlServer2005"
        ... />
      <!-- following uses remote SQL Server attached database -->
      <add
        name="Sql2005RemoteMembershipProvider"
        type="System.Web.Security.SqlMembershipProvider, ..."
        connectionStringName="Sql2005Remote"
        ... />
    </providers>
  </membership>
  ...
</system.web>
Specifying the Database Connection Strings
The <add> elements in the <membership> section of web.config correspond to values defined in the <connectionStrings> section. These are, in order:
• A connection to the local SQL Server Express Edition database that is an optional component we can install with Visual Studio 2005. SQL Server 2005 and SQL Server Express Edition can auto-attach an .mdf database file as they connect. The AttachDBFilename and User Instance properties of the connection string specify that this will occur, and they provide the required location and instance information.
• A connection to a local instance of SQL Server 2005 using the database auto-attach feature.
• A connection to a remote SQL Server that has the database already attached, specifying the login details required to connect to this database.
Notice that all specify the database named aspnetdb in the file named aspnetdb.mdf. This is the default database name, though we can specify a different name if we wish when we create the database. The physical location, when using the auto-attach feature, is the App_Data subfolder within the root of the Web site or Web application virtual directory. Note that the <connectionStrings> element does not reside within the <system.web> section, because it stores connection strings for all other types of applications (such as Windows Forms applications) as well as Web Forms pages.
<connectionStrings>
  <add name="LocalSqlServer"
    connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
    providerName="System.Data.SqlClient" />
  <!-- following added to use SQL Server 2005 database -->
  <add name="SqlServer2005"
    connectionString="data source=localhost;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
    providerName="System.Data.SqlClient" />
  <!-- following added to use remote SQL Server attached database -->
  <add name="Sql2005Remote"
    connectionString="data source=myremoteserver;Initial Catalog=aspnetdb;User ID=myusername;Password=secret"
    providerName="System.Data.SqlClient" />
</connectionStrings>
Role Manager Configuration
Having looked at the configuration of the built-in membership provider in ASP.NET, we will not be surprised to discover that the built-in role provider follows much the same pattern. The <roleManager> section of web.config defines a list of providers that are available. It contains, by default, two providers:
(i) The SqlRoleProvider uses the same database as the membership provider to hold details of the roles and role membership, and we can configure the roles and members using the ASP.NET Web Site Administration Tool.
(ii) The WindowsTokenRoleProvider is a read-only provider, and exposes information about roles for a specific Windows user account. It takes this information from the account groups held in Active Directory or on your server or local machine, depending on the configuration. We cannot create, add, or delete roles with this provider.
<system.web>
  ...
  <roleManager>
    <providers>
      <add
        name="AspNetSqlRoleProvider"
        type="System.Web.Security.SqlRoleProvider, ..."
        connectionStringName="LocalSqlServer"
        applicationName="/" />
      <add
        name="AspNetWindowsTokenRoleProvider"
        type="System.Web.Security.WindowsTokenRoleProvider, ..."
        applicationName="/" />
      <!-- following added to use SQL Server 2005 database -->
      <add
        name="Sql2005RoleProvider"
        type="System.Web.Security.SqlRoleProvider, ..."
        connectionStringName="SqlServer2005"
        applicationName="/" />
      <!-- following uses remote SQL Server attached database -->
      <add
        name="Sql2005RemoteRoleProvider"
        type="System.Web.Security.SqlRoleProvider, ..."
        connectionStringName="Sql2005Remote"
        applicationName="/" />
    </providers>
  </roleManager>
  ...
</system.web>
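The following added example, which is not code from the original article, parses a web.config like the listings above and flags a clear-text SQL password in a connection string, a membership or role provider whose connectionStringName has no matching <connectionStrings> entry, and membership settings weaker than the values shown for AspNetSqlMembershipProvider. The WeakProvider entry, the function names and the two thresholds are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
# Constructed web.config: names and values follow the article's listings, except "WeakProvider" (invented here).
SAMPLE = r"""<configuration>
 <connectionStrings>
  <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" />
  <add name="Sql2005Remote" connectionString="data source=myremoteserver;Initial Catalog=aspnetdb;User ID=myusername;Password=secret" />
 </connectionStrings>
 <system.web>
  <membership><providers>
   <add name="AspNetSqlMembershipProvider" connectionStringName="LocalSqlServer" passwordFormat="Hashed"
        enablePasswordRetrieval="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" />
   <add name="WeakProvider" connectionStringName="Missing" passwordFormat="Clear"
        enablePasswordRetrieval="true" maxInvalidPasswordAttempts="50" minRequiredPasswordLength="4" />
  </providers></membership>
  <roleManager><providers>
   <add name="Sql2005RemoteRoleProvider" connectionStringName="Sql2005Remote" />
   <add name="AspNetWindowsTokenRoleProvider" applicationName="/" />
  </providers></roleManager>
 </system.web>
</configuration>"""

def parse_conn(text):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in text.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(xml_text, min_len=7, max_attempts=10):
    """Return (name, finding) pairs; absent attributes use provider defaults, thresholds are assumed policy."""
    root = ET.fromstring(xml_text)
    conns = {a.get("name"): parse_conn(a.get("connectionString", ""))
             for a in root.findall("./connectionStrings/add")}
    out = [(n, "SQL login password in clear text")
           for n, kv in conns.items() if "password" in kv or "pwd" in kv]
    for section in ("membership", "roleManager"):
        for p in root.findall(f"./system.web/{section}/providers/add"):
            name, ref = p.get("name"), p.get("connectionStringName")
            if ref is not None and ref not in conns:
                out.append((name, f"undefined connection string '{ref}'"))
            if section != "membership":
                continue
            if p.get("passwordFormat", "Hashed") != "Hashed":
                out.append((name, "passwords not stored hashed"))
            if p.get("enablePasswordRetrieval", "false").lower() == "true":
                out.append((name, "password retrieval enabled"))
            if int(p.get("minRequiredPasswordLength", "7")) < min_len:
                out.append((name, "minimum password length too short"))
            if int(p.get("maxInvalidPasswordAttempts", "5")) > max_attempts:
                out.append((name, "lockout threshold too high"))
    return out
```

Calling audit(SAMPLE) reports the Sql2005Remote connection string and five findings for WeakProvider, and nothing for the provider configured as in the article.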