Scribd
Upload
388 views

ASP - Net Authentication and Authorization

Forms authentication, users, roles, and membership are key concepts for authentication and authorization in ASP.NET. Forms authentication uses login pages to authenticate users by username and password, while windows authentication relies on Windows accounts. Users can be assigned to roles, and authorization is based on a user's roles and permissions. ASP.NET includes membership and role providers to simplify user and role management through common APIs.

Uploaded by

Lorenz Pasensyoso
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
388 views

ASP - Net Authentication and Authorization

Forms authentication, users, roles, and membership are key concepts for authentication and authorization in ASP.NET. Forms authentication uses login pages to authenticate users by username and password, while windows authentication relies on Windows accounts. Users can be assigned to roles, and authorization is based on a user's roles and permissions. ASP.NET includes membership and role providers to simplify user and role management through common APIs.

Uploaded by

Lorenz Pasensyoso
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 46

Authentication &

Authorization in ASP.NET
Forms Authentication, Users, Roles, Membership

Svetlin Nakov
Telerik Corporation
www.telerik.com

Table of Contents
1.

Basic principles

2.

Authentication Types
Windows Authentication
Forms Authentication

3.

Users & Roles

4.

Membership and Providers

5.

Login / Logout Controls

Basics
Authentication

The process of verifying the identity


of a user or computer
Questions: Who are you? How you prove it?

Credentials can be password, smart card, etc.


Authorization

The process of determining what a user is


permitted to do on a computer or network
Question: What are you allowed to do?

Windows and Form


Authentication in ASP.NET

Authentication Types in ASP.NET


Windows Authentication

Uses the security features integrated into the


Windows operating systems
Uses Active Directory / Windows accounts
Forms Authentication

Uses a traditional login / logout pages


Code associated with a Web form handles users
authentication by username / password
Users are usually stored in a database

Windows Authentication
In Windows Authentication mode the Web

application uses the same security scheme


that applies to your Windows network
Network resources and Web applications

use

the same:
User names
Passwords
Permissions
It is the default authentication when a new

Web site is created

Windows Authentication (2)


The user is authenticated against his

username

and password in Windows


Known as NTLM authentication protocol
When a user is authorized:

ASP.NET issues an authentication ticket


(which is a HTTP header)
Application executes using the permissions
associated with the Windows account

The user's session ends when the browser is


closed or when the session times out

Windows Authentication (3)


Users who are logged on to the network

Are automatically authenticated


Can access the Web application
To set the authentication to Windows add to

the Web.config:
<authentication mode="Windows" />

To deny anonymous
<authorization>
<deny users="?"/>
</authorization>

users add:

Windows Authentication (4)

The Web server should have NTLM enabled:

HTTP requests:

HTTP responses:

GET /Default.aspx HTTP/1.1

HTTP/1.1 401 Unauthorized


WWW-Authenticate: NTLM

GET /Default.aspx HTTP/1.1


Authorization: NTLM tESsB/
yNY3lb6a0L6vVQEZNqwQn0sqZ

HTTP/1.1 200 OK

<html> </html>

Windows Authentication
Live Demo

Forms Authentication
Forms Authentication uses a Web form to

collect login credentials (username / password)


Users are authenticated by the C# code behind

the Web form


User accounts can be stored in:

Web.config file
Separate user database
Users are local

for the Web application

Not part of Windows or Active Directory

Forms Authentication (2)


Enabling forms authentication:

Set authentication mode in the Web.config


to "Forms"
<authentication mode="Forms" />

Create a login ASPX page


Create a file or database to store the user
credentials (username, password, etc.)
Write code to authenticate the users against
the users file or database

Configuring Authorization
in Web.config

To deny someone's access add <deny


users=""> in the <authorization> tag

To allow someone's access add <allow


users=""> in the authorization tag

<deny users="?" /> denies anonymous access


<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>

<deny users="*" /> denies access to all users

Configuring Authorization
in Web.config (2)

Specifying authorization rules in Web.config:


<location path="RegisterUser.aspx">
<system.web>
<authorization>
<allow roles="admin" />
<allow users="Pesho,Gosho" />
<deny users="*" />
</authorization>
</system.web>
</location>

The deny/allow stops the authorization


process at the first match
Example: if a user is authorized as Pesho, the tag
<deny users="*" /> is not processed

Implementing Login / Logout

Logging-in using credentials from Web.config:


if (FormsAuthentication.Authenticate(username, passwd))
{
FormsAuthentication.RedirectFromLoginPage(
username, false);
}
This method creates a cookie (or hidden
else
field) holding the authentication ticket.
{
lblError.Text = "Invalid login!";
}

Logging-out the currently logged user:


FormsAuthentication.SignOut();

Displaying the currently logged user:


lblInfo.Text = "User: " + Page.User.Identity.Name;

Forms Authentication
Live Demo

ASP.NET Users and Roles


Membership Provider and Roles Provider

Users, Roles and Authentication


User is a client with a Web browser running a

session with the Web application


Users can authenticate (login) in the Web

application
Once a user is logged-in, a set of roles and
permissions are assigned to him
Authorization in ASP.NET is
based on users and roles

Authorization rules specify what


permissions each user / role has

ASP.NET Membership Providers


Membership providers in ASP.NET

Simplify common authentication and user


management tasks
CreateUser()

DeleteUser()
GeneratePassword()
ValidateUser()

Can store user credentials in database / file / etc.

Roles in ASP.NET
Roles in ASP.NET allow assigning

permissions

to a group of users
E.g. "Admins" role could have more privileges
than "Guests" role
A user account can be assigned

to multiple

roles in the same time


E.g. user "Peter" can be member of "Admins"
and "TrustedUsers" roles
Permissions

can be granted to multiple users


sharing the same role

ASP.NET Role Providers


Role providers in ASP.NET

Simplify common authorization tasks and role


management tasks
CreateRole()

IsUserInRole()
GetAllRoles()
GetRolesForUser()

Can store user credentials in database / file / etc.

Registering a
Membership Provider

Adding membership provider to the Web.config


<membership defaultProvider="MyMembershipProvider">
<providers>
<add connectionStringName="UsersConnectionString"
minRequiredPasswordLength="6"
requiresQuestionAndAnswer="true"
enablePasswordRetrieval="false"
requiresUniqueEmail="false"
applicationName="/MyApp"
minRequiredNonalphanumericCharacters="1"
name="MyMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"/>
</providers>
</membership>

Registering a Role Provider

To register role provider in ASP.NET 4.0 add the


following to the Web.config:

<roleManager enabled="true"
DefaultProvider="MyRoleProvider">
<providers>
<add connectionStringName="UsersConnectionString"
name="MyRoleProvider"
type="System.Web.Security.SqlRoleProvider" />
</providers>
</roleManager>
<connectionStrings>
<add name="UsersConnectionString"
connectionString="Data Source=.\SQLEXPRESS;Initial
Catalog=Users;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>

The SQL Registration Tool:


aspnet_regsql

The built-in classes System.Web.Security.


SqlMembershipProvider and System.Web.
Security.SqlRoleProvider use a set of standard
tables in the SQL Server
Can be created by the ASP.NET SQL Server
Registration tool (aspnet_regsql.exe)
The aspnet_regsql.exe utility is installed as part
of with ASP.NET 4.0:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\
aspnet_regsql.exe

The Standard ASP.NET


Applications Database Schema

aspnet_regsql.exe
Live Demo

ASP.NET Membership API


Implementing login:
if (Membership.ValidateUser(username, password))
{
FormsAuthentication.RedirectFromLoginPage(
username, false);
}

Implementing logout:
FormsAuthentication.SignOut();

Creating

new user:

Membership.CreateUser(username, password);

ASP.NET Membership API (2)


Getting the currently logged user:
MembershipUser currentUser = Membership.GetUser();

Creating

new role:

Roles.CreateRole("Admins");

Adding user to existing

role:

Roles.AddUserToRole("admin", "Admins");

Deleting user / role:


Membership.DeleteUser("admin", true);
Roles.DeleteRole("Admins");

Membership Provider
Live Demo

ASP.NET Web Site


Administration Tool
Designed to manage your Web site

configuration
Simple interface

Can create and manage users, roles and

providers
Can manage application

configuration settings

Accessible from Visual Studio:

[Project] menu [ASP.NET Configuration]

Visual Studio Web Site


Administration Tool
Live Demo

Built-in Login Control

The Login Control


The Login control provides the necessary

interface through which a user can enter their


username and password
The control uses the membership provider

specified in the Web.config file


Adding the login control to the page:
<asp:Login id="MyLogin" runat="server"/>

The Login Control (2)

The LoginName and


LoginStatus Control
Once a user has logged in we can display

his

username just by adding the LoginName


control to the page
<asp:LoginName id="lnUser" runat="server"/>

The LoginStatus control allows the user to

log in or log out of the application


<asp:LoginStatus id=" lsUser" runat="server"/>

The LoginName and


LoginStatus Control

The LoginView Control


Customized information which will

be shown
to users through templates, based on their
roles

By default there are

AnonymousTemplate
and LoggedInTemplate

New custom templates can be added


To add the control to the page use:
<asp:LoginView id="MyLoginView" runat="server">
</asp:LoginView>

The CreateUserWizard Control


It is used to create new accounts
It works with the membership provider class
Offers many customizable features
Can quickly be added to and used using
<asp:CreateUserWizard id="NewUserWiz" runat="server">
</asp:CreateUserWizard>

The CreateUserWizard
Control (2)

The PasswordRecovery
Control
It is used to retrieve passwords
The user is first prompted to enter username
Once users enter valid

user names, they must


answer their secret questions

The password

is sent via e-mail

To add this control use:


<asp:PasswordRecovery id="prForgotPass" runat="server">
</asp:PasswordRecovery>

The ChangePassword
Control
Allows

users to change their passwords

It uses the membership provider specified in

the Web.config
Can be added to any page with the following

tag:
<asp:ChangePassword id="cpChangePass" runat="server"/>

The ChangePassword
Control

Authentication & Authorization

Questions?

Exercises
1.

Create a database School in SQL Server. Using


aspnet_regsql.exe add the SQL Server
membership tables to support users / roles.

2.

Using the ASP.NET Web Site Configuration Tool


create a new role "Student" and two users that
have the new role. Create a login page and try to
enter the site with one of these two accounts.

3.

Create a Web site and restrict access to a it for


unregistered users. Implement login page, user
registration page and logout link in the master
page. The site should have the following pages:

Exercises (2)
Login.aspx accessible to everyone
Register.aspx accessible to everyone allows
visitors to register
Main.aspx accessible to logged-in users only
Admin.aspx accessible to Administrators roles only
allows users to be listed and deleted
4.

Implement a site map and navigation menu that


defines the pages in the Web site and specifies
which pages which roles require. Hide the
inaccessible pages from the navigation.

Exercises (3)
5.

Create your own membership provider that uses a


database of your choice. Define the tables:
Users(ID, username, PasswordSHA1)

Roles(ID, Name)
6.

Create the following ASP.NET pages:


Login.aspx accessible to everyone
Register.aspx accessible to Administrators only
Main.aspx accessible to logged-in users only

You might also like