Membership Provider and Role Manager
Introduction
ASP.NET provides all the features we need to use a database to store security, user, and role membership details. It also provides a series of server controls that help us build the pages that users need, and that administrators require, to create accounts, change passwords, and maintain the login information and role membership for each user. The two features of ASP.NET that support this are:
(i) The membership provider and the associated database tables and procedures
(ii) The role manager and its associated database tables and procedures
Membership Provider Configuration
The ASP.NET membership provider manages the tables in the ASP.NET application database that store details of the users we define for the Web site. The membership section of web.config defines the configuration of the membership provider, including the connection to the database, using the 'membership' element (located within the 'system.web' section) and its content.
The 'membership' element consists of a series of one or more 'add' elements within the 'providers' section, each of which defines the parameters for a provider that will be available for the membership system to use. By default, it includes just the first one, named AspNetSqlMembershipProvider. We have added two more to the list to demonstrate how we can choose a different configuration for our providers, if required.
The connectionStringName attribute refers to a value in the 'connectionStrings' section of this web.config file, or a value defined in a web.config file nearer the root folder of this application. The remaining attributes set specific properties of the provider that control how ASP.NET pages and controls can interact with it.
<system.web>
  ...
  <membership>
    <providers>
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="LocalSqlServer"
           applicationName="/"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="false"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="7"
           minRequiredNonalphanumericCharacters="1"
           passwordAttemptWindow="10"
           passwordStrengthRegularExpression="" />
      <!-- following added to use SQL Server 2005 database -->
      <add name="Sql2005MembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="SqlServer2005"
           ... />
      <!-- following uses remote SQL Server attached database -->
      <add name="Sql2005RemoteMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="Sql2005Remote"
           ... />
    </providers>
  </membership>
  ...
</system.web>
Specifying the Database Connection Strings
The 'add' elements in the 'membership' section
of web.config correspond to values defined in the 'connectionStrings' section.
These are, in order:
(i) A connection to the local SQL Server Express Edition database that is an optional component we can install with Visual Studio 2005. SQL Server 2005 and SQL Server Express Edition can auto-attach an .mdf database file as they connect. The AttachDBFilename and User Instance properties of the connection string specify that this will occur, and they provide the required location and instance information.
(ii) A connection to a local instance of SQL Server 2005 using the database auto-attach feature.
(iii) A connection to a remote SQL Server that has the database already attached, specifying the login details required to connect to this database.
Notice that all specify the database named aspnetdb in the file named aspnetdb.mdf. This is the default database name, though we can specify a different name if we wish when we create the database. The physical location, when using the auto-attach feature, is the App_Data subfolder within the root of the Web site or Web application virtual directory. Note that the 'connectionStrings' element does not reside within the 'system.web' section, because it stores connection strings for all other types of applications (such as Windows Forms applications) as well as Web Forms pages.
<connectionStrings>
  <add name="LocalSqlServer"
       connectionString="data source=.\SQLEXPRESS;
                         Integrated Security=SSPI;
                         AttachDBFilename=|DataDirectory|aspnetdb.mdf;
                         User Instance=true"
       providerName="System.Data.SqlClient" />
  <!-- following added to use SQL Server 2005 database -->
  <add name="SqlServer2005"
       connectionString="data source=localhost;
                         Integrated Security=SSPI;
                         AttachDBFilename=|DataDirectory|aspnetdb.mdf;
                         User Instance=true"
       providerName="System.Data.SqlClient" />
  <!-- following added to use remote SQL Server attached database -->
  <add name="Sql2005Remote"
       connectionString="data source=myremoteserver;
                         Initial Catalog=aspnetdb;
                         User ID=myusername;
                         Password=secret"
       providerName="System.Data.SqlClient" />
</connectionStrings>
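An added example (not part of the original article): a small Python audit that reads a web.config and flags the membership provider and connection string settings described in the two sections above. The sample document is constructed from the page's values; the LegacyProvider and OrphanProvider entries, the audit function, and its baseline thresholds are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the page's settings. "LegacyProvider" and
# "OrphanProvider" are hypothetical entries added to trigger findings.
SAMPLE = r"""<configuration>
 <connectionStrings>
  <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" />
  <add name="Sql2005Remote" connectionString="data source=myremoteserver;Initial Catalog=aspnetdb;User ID=myusername;Password=secret" />
 </connectionStrings>
 <system.web><membership><providers>
  <add name="AspNetSqlMembershipProvider" connectionStringName="LocalSqlServer"
       enablePasswordRetrieval="false" passwordFormat="Hashed"
       maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" />
  <add name="LegacyProvider" connectionStringName="Sql2005Remote"
       enablePasswordRetrieval="true" passwordFormat="Clear"
       maxInvalidPasswordAttempts="50" minRequiredPasswordLength="4" />
  <add name="OrphanProvider" connectionStringName="Missing" passwordFormat="Hashed" />
 </providers></membership></system.web>
</configuration>"""

def audit(config_xml, min_length=7, max_attempts=5):
    """Return (name, finding) pairs. The thresholds default to the values of
    the page's default provider; they are a baseline assumed for this example.
    Attributes that are absent from an element are not flagged."""
    root = ET.fromstring(config_xml)
    findings, known = [], set()
    for add in root.findall(".//connectionStrings/add"):
        name = add.get("name")
        known.add(name)
        keys = {part.split("=", 1)[0].strip().lower()
                for part in add.get("connectionString", "").split(";") if "=" in part}
        if keys & {"password", "pwd"}:
            findings.append((name, "password stored in connection string"))
    for add in root.findall(".//membership/providers/add"):
        name = add.get("name")
        if add.get("connectionStringName") not in known:
            # The page notes the value may live in a web.config nearer the root.
            findings.append((name, "connection string not defined in this file"))
        if add.get("passwordFormat", "Hashed") != "Hashed":
            findings.append((name, "passwords not stored hashed"))
        if add.get("enablePasswordRetrieval", "false").lower() == "true":
            findings.append((name, "password retrieval enabled"))
        if int(add.get("minRequiredPasswordLength", min_length)) < min_length:
            findings.append((name, "minimum password length below baseline"))
        if int(add.get("maxInvalidPasswordAttempts", max_attempts)) > max_attempts:
            findings.append((name, "lockout threshold above baseline"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The Sql2005Remote entry is flagged because it carries a SQL login in clear text, while the two Integrated Security=SSPI strings are not.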
Role Manager Configuration
Having looked at the configuration of the built-in membership
provider in ASP.NET, we will not be surprised to discover that the built-in
role provider follows much the same pattern.
The 'roleManager' section of web.config defines a list of
providers that are available. It contains, by default, two providers:
1. The SqlRoleProvider uses the same database as the membership provider to hold details of the roles and role membership, and we can configure the roles and members using the ASP.NET Web Site Administration Tool.
2. The WindowsTokenRoleProvider is a read-only provider, and exposes information about roles for a specific Windows user account. It takes this information from the account groups held in Active Directory or on your server or local machine, depending on the configuration. We cannot create, add, or delete roles with this provider.
<system.web>
  ...
  <roleManager>
    <providers>
      <add name="AspNetSqlRoleProvider"
           type="System.Web.Security.SqlRoleProvider, ..."
           connectionStringName="LocalSqlServer"
           applicationName="/" />
      <add name="AspNetWindowsTokenRoleProvider"
           type="System.Web.Security.WindowsTokenRoleProvider, ..."
           applicationName="/" />
      <!-- following added to use SQL Server 2005 database -->
      <add name="Sql2005RoleProvider"
           type="System.Web.Security.SqlRoleProvider, ..."
           connectionStringName="SqlServer2005"
           applicationName="/" />
      <!-- following uses remote SQL Server attached database -->
      <add name="Sql2005RemoteRoleProvider"
           type="System.Web.Security.SqlRoleProvider, ..."
           connectionStringName="Sql2005Remote"
           applicationName="/" />
    </providers>
  </roleManager>
  ...
</system.web>