Membership, Role Manager and Profile
Matt Gibbs, ASP.NET Development Manager

Post on 21-Dec-2015

Agenda

• Overview of Provider Model
• ASP.NET 2.0 Security Services
  – Membership (Authentication)
  – Role Manager (Authorization)
• ASP.NET 2.0 Personalization Features
  – Profile feature
• Summary

Provider Model

• Public Feature API
  – Calls configured providers
• Providers
  – Microsoft provider implementations
  – Custom providers
  – Providers communicate with data stores
• Data Stores
  – SQL Server 7 / 2000 / 2005
  – Active Directory
  – Access
  – User defined

ASP.NET 2.0 Security Services - Membership

Security Services - Membership

• Membership
  – Replaces complex authentication code
  – Solves common credential storage problem
• Secure Credential Storage Services
  – Hashed + random salt for user credentials
  – Eliminates complex security plumbing code
• Comprehensive user management
  – Creating Users / Credential Validation
  – Password maintenance

Login Controls

• No code needed
• Integrates seamlessly with security features
  – Controls change behavior based on configuration of security features
• Rapidly build out common security UI:
  – Login/Logout
  – Create new users
  – Password recovery / password maintenance
• Easily modify page display based on a user’s role

Membership Classes
System.Web.Security

• Membership
  – Main entry point for programming with the Membership feature
    • Validating credentials
    • User Management
    • Finding/Getting Users
• MembershipUser
  – Represents a user in Membership
  – Properties represent data about the user
    • Username, Email, LastLoginDate, etc…
• MembershipProvider
  – Defines the required functionality for implementing the feature

Membership Security

• Can create users in a disabled state

• Password Question and Answer

• Membership tracks bad password and bad answer attempts

• Configurable thresholds for number of attempts and tracking time window

• Passwords are hashed by default

• Extensibility for encryption and password validation
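The attempt thresholds, tracking window and hashed storage listed on this slide are set on the membership provider in web.config. The fragment below is an added example, not taken from the original slides; the provider name, connection string, application name and the numeric values are assumptions chosen for illustration.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name and database; the schema is created with aspnet_regsql.exe -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="HardenedSqlProvider">
      <providers>
        <!-- Drop inherited providers so only the one below is active -->
        <clear />
        <add name="HardenedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/ExampleApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
        <!-- passwordFormat: Hashed is the default; Clear and Encrypted are the alternatives.
             enablePasswordRetrieval must stay false with Hashed (a hash cannot be returned).
             passwordAttemptWindow is in minutes. -->
      </providers>
    </membership>
  </system.web>
</configuration>
```

With these values, five bad passwords (or five bad answers) inside a ten-minute window lock the account. It then reports MembershipUser.IsLockedOut until MembershipUser.UnlockUser() is called.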

Creating and Managing Users

• Create users w/ console app
• Validate user credentials

demo

ASP.NET 2.0 Security Services – Role Manager

Security Services - Role Manager

• Role Manager
  – Solves common user-to-role mapping code
  – Replaces complex authorization code
  – Builds on ASP.NET 1.X Role APIs
• RolePrincipal class represents logged in user
• Not tied to Membership
  – Works great together, but…
  – Role Manager can be used separately

Role Manager

• Enables the following two common AuthZ scenarios
  – Declaratively restrict access through web.config

    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>

  – Code-based authorization checks using User.IsInRole

    User.IsInRole(rolename);

Role Manager Classes
System.Web.Security

• Roles
  – Main entry point
    • Create, Delete roles, etc..
    • IsUserInRole check
• RoleProvider
  – Defines the required functionality for the feature
• RolePrincipal & RoleManagerModule
  – Automatically associates roles with the current user
  – Supports role caching
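Role Manager has to be switched on in web.config, and its role caching stores the user's roles in a cookie, so the cookie settings matter as much as the authorization rules. The fragment below is an added example, not part of the original slides; the provider name, cookie name, connection string, application name, folder name and timeout are assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name and database -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Role Manager is disabled by default and must be enabled explicitly -->
    <roleManager enabled="true"
                 defaultProvider="AppRoleProvider"
                 cacheRolesInCookie="true"
                 cookieName=".EXAMPLEROLES"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 cookieTimeout="20"
                 cookieSlidingExpiration="true"
                 createPersistentCookie="false"
                 maxCachedResults="25">
      <!-- cookieProtection="All" both encrypts and validates the cached role list;
           "None" would let the client edit its own roles. cookieTimeout is in minutes. -->
      <providers>
        <clear />
        <add name="AppRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/ExampleApp" />
      </providers>
    </roleManager>
  </system.web>
  <!-- URL authorization scoped to one folder (assumed name "Admin").
       Rules are evaluated top to bottom and the first match wins,
       so the allow must come before the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because roles are read from the cookie while it is valid, removing a user from a role does not take effect for that user until the cookie expires or is cleared, for example with Roles.DeleteCookie().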

Role Manager

• Create new roles
• Map users to roles
• Url Authorization
• Using role based security

demo

Personalization Features

Profile

• Store custom data about each user
  – Access through friendly programming model
  – Eliminate complex data plumbing code
• Store user data indefinitely
  – SQL Server (or other) back-end
• Associates a user with data
  – Remember user settings and preferences
  – Build richer web sites

Web Parts Personalization

• Long-term persistent storage of control properties (e.g. long-lived viewstate)

• Data is stored on a per-user-per-page basis

• Personalization is a feature of Web Parts
  – Works with both User Controls and custom Server Controls

Profile

Profile

• Defined completely in configuration
  – No custom code required
• Type-safe programming model
  – No dictionary key to remember - No casting
• Smart data retrieval
  – On-demand and Partitioned data retrieval
• Provider Model
  – Plug in your own data stores for extensibility
• ProfileModule
  – Loads & saves Profile data on each page request

Profile Configuration

• Configuration is central to the Profile feature

Profile Programming Model

Working with Profile

• Scalar property types, e.g. int
• Non-Scalar property types, e.g. Collections
• Custom types, e.g. System.Drawing.Color

demo
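A profile is declared entirely in web.config, and the three kinds of property named on this slide look like this there. The fragment is an added example, not part of the original slides; the property names, provider name, connection string and application name are assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Assumed name and database -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Required only because one property below sets allowAnonymous="true" -->
    <anonymousIdentification enabled="true" />
    <profile enabled="true" defaultProvider="AppProfileProvider">
      <providers>
        <clear />
        <add name="AppProfileProvider"
             type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="MembershipDb"
             applicationName="/ExampleApp" />
      </providers>
      <properties>
        <!-- Scalar: surfaces as the typed property Profile.ItemsPerPage (int) -->
        <add name="ItemsPerPage" type="System.Int32" defaultValue="20" />
        <!-- Non-scalar: a collection, stored as XML -->
        <add name="RecentSearches"
             type="System.Collections.Specialized.StringCollection"
             serializeAs="Xml" />
        <!-- Custom type, stored with binary serialization.
             allowAnonymous lets unauthenticated visitors write this value,
             so it is enabled only for a non-sensitive display preference. -->
        <add name="BackColor"
             type="System.Drawing.Color"
             serializeAs="Binary"
             allowAnonymous="true" />
      </properties>
    </profile>
  </system.web>
</configuration>
```

Properties without allowAnonymous="true" can be written only for authenticated users, which keeps anonymous visitors from filling the profile store with arbitrary data.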

Summary

• Membership – easy way to create, manage and validate users

• Role Manager – authorize users based on roles

• Profile – easily store and retrieve information for a user

• Provider information + Access providers: http://msdn.microsoft.com/asp.net/downloads/providers/
• Sample Code: Atlas, Profile Providers, etc.. http://www.asp.net/default.aspx?tabindex=8&tabid=60

Questions?

Advanced Scenarios

• Creating Profile data for new users
• Associating role data in CreateUserWizard
• Approving new users
• Controlling site navigation with roles

demo