Post on 21-Dec-2015
Membership, Role Manager and Profile
Matt Gibbs, ASP.NET Development Manager
Agenda
• Overview of Provider Model
• ASP.NET 2.0 Security Services
  – Membership (Authentication)
  – Role Manager (Authorization)
• ASP.NET 2.0 Personalization Features
  – Profile feature
• Summary
Provider Model
• Public Feature API
  – Calls configured providers
• Providers
  – Microsoft provider implementations
  – Custom providers
  – Providers communicate with data stores
• Data Stores
  – SQL Server 7 / 2000 / 2005
  – Active Directory
  – Access
  – User defined
ASP.NET 2.0 Security Services - Membership
Security Services - Membership
• Membership
  – Replaces complex authentication code
  – Solves common credential storage problem
• Secure Credential Storage Services
  – Hashed + random salt for user credentials
  – Eliminates complex security plumbing code
• Comprehensive user management
  – Creating Users / Credential Validation
  – Password maintenance
Login Controls
• No code needed
• Integrates seamlessly with security features
  – Controls change behavior based on configuration of security features
• Rapidly build out common security UI:
  – Login/Logout
  – Create new users
  – Password recovery / password maintenance
• Easily modify page display based on a user’s role
Membership Classes (System.Web.Security)
• Membership
  – Main entry point for programming with the Membership feature
    • Validating credentials
    • User Management
    • Finding/Getting Users
• MembershipUser
  – Represents a user in Membership
  – Properties represent data about the user
    • Username, Email, LastLoginDate, etc.
• MembershipProvider
  – Defines the required functionality for implementing the feature
Membership Security
• Can create users in a disabled state
• Password Question and Answer
• Membership tracks bad password and bad answer attempts
• Configurable thresholds for number of attempts and tracking time window
• Passwords are hashed by default
• Extensibility for encryption and password validation
Creating and Managing Users
• Create users w/ console app
• Validate user credentials
demo
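The Membership Security bullets and the console-app demo above, as an added C# example that is not part of the original deck. It assumes app.config configures a membership provider (for instance SqlMembershipProvider) with requiresQuestionAndAnswer="false"; the user name, e-mail address and passwords are constructed sample values.

```csharp
using System;
using System.Web.Security; // requires a reference to System.Web.dll

// Added example. Assumes app.config configures a membership provider
// (for instance SqlMembershipProvider) with passwordFormat="Hashed" and
// requiresQuestionAndAnswer="false". All account values are constructed.
static class MembershipLockoutDemo
{
    static void Main()
    {
        const string name = "demo.user";
        const string goodPassword = "Constructed!Passw0rd";

        // Create the account in a disabled state (isApproved: false),
        // for example while an e-mail confirmation is pending.
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            name, goodPassword, "demo.user@example.com",
            null, null, false, out status);
        if (status != MembershipCreateStatus.Success)
        {
            Console.WriteLine("CreateUser failed: " + status);
            return;
        }

        // A disabled account fails validation even with the right password.
        Console.WriteLine("Unapproved login: " + Membership.ValidateUser(name, goodPassword));

        user.IsApproved = true;
        Membership.UpdateUser(user);
        Console.WriteLine("Approved login: " + Membership.ValidateUser(name, goodPassword));

        // Bad passwords inside the tracking window count toward the
        // configured threshold; reaching it locks the account.
        for (int i = 0; i < Membership.MaxInvalidPasswordAttempts; i++)
            Membership.ValidateUser(name, "wrong-guess-" + i);

        user = Membership.GetUser(name);
        Console.WriteLine("Locked out: " + user.IsLockedOut);

        // While locked out, the correct password is rejected too.
        Console.WriteLine("Login while locked: " + Membership.ValidateUser(name, goodPassword));

        // An administrator clears the lockout explicitly.
        user.UnlockUser();
        Console.WriteLine("Login after unlock: " + Membership.ValidateUser(name, goodPassword));
    }
}
```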
ASP.NET 2.0 Security Services – Role Manager
Security Services - Role Manager
• Role Manager
  – Solves common user-to-role mapping code
  – Replaces complex authorization code
  – Builds on ASP.NET 1.X Role APIs
• RolePrincipal class represents logged in user
• Not tied to Membership
  – Works great together, but…
  – Role Manager can be used separately
• Enables the following two common AuthZ scenarios
  – Declaratively restrict access through web.config
  – Code-based authorization checks using User.IsInRole
Role Manager
<authorization>
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>
User.IsInRole(rolename);
Role Manager Classes (System.Web.Security)
• Roles
  – Main entry point
    • Create, Delete roles, etc.
    • IsUserInRole check
• RoleProvider
  – Defines the required functionality for the feature
• RolePrincipal & RoleManagerModule
  – Automatically associates roles with the current user
  – Supports role caching
Role Manager
• Create new roles
• Map users to roles
• Url Authorization
• Using role based security
demo
Personalization Features
Profile
• Store custom data about each user
  – Access through friendly programming model
  – Eliminate complex data plumbing code
• Store user data indefinitely
  – SQL Server (or other) back-end
• Associates a user with data
  – Remember user settings and preferences
  – Build richer web sites
Web Parts Personalization
• Long-term persistent storage of control properties (e.g. long-lived viewstate)
• Data is stored on a per-user-per-page basis
• Personalization is a feature of Web Parts
  – Works with both User Controls and custom Server Controls
Profile
• Defined completely in configuration
  – No custom code required
• Type-safe programming model
  – No dictionary key to remember
  – No casting
• Smart data retrieval
  – On-demand and Partitioned data retrieval
• Provider Model
  – Plug in your own data stores for extensibility
• ProfileModule
  – Loads & saves Profile data on each page request
Profile Configuration
• Configuration is central to the Profile feature
Profile Programming Model
Working with Profile
• Scalar property types, e.g. int
• Non-Scalar property types, e.g. Collections
• Custom types, e.g. System.Drawing.Color
demo
Summary
• Membership – easy way to create, manage and validate users
• Role Manager – authorize users based on roles
• Profile – easily store and retrieve information for a user
• Provider information + Access providers: http://msdn.microsoft.com/asp.net/downloads/providers/
• Sample Code: Atlas, Profile Providers, etc.: http://www.asp.net/default.aspx?tabindex=8&tabid=60
Questions?
Advanced Scenarios
• Creating Profile data for new users
• Associating role data in CreateUserWizard
• Approving new users
• Controlling site navigation with roles
demo