Membership, Roles and Profile - An Example (Part 1)
Introduction
The membership, roles and profile features introduced in ASP.NET 2.0
significantly reduce the development time that traditional, hand-coded
approaches require. Many professional web sites need a flexible membership
scheme backed by role-based security. In this article series we are going to
see these features in action with the help of an example.
Example Scenario
Let's assume that we want to develop a security and membership scheme for a
professional web site. We want to capture the following details about the user:
- UserID
- Password
- Email
- Security Question
- Security Answer
- Full Name
- Birth Date
- Yearly Salary
- Address
The web site has three roles: NormalUsers, PowerUsers and Administrators.
When a user registers with the web site, he is assigned to the NormalUsers role
by default. Later on the administrator may add him to any other role. Whenever
anybody tries to access the web site, the user should be asked for a User ID and
password. Upon supplying a correct User ID and password the user should be taken
to the main page of the web site. The content of the main page is rendered
according to the role of the user.
Steps required
In order to meet our requirement we will use ASP.NET 2.0 Membership, Roles
and Profile features. The overall steps required in fulfilling our requirements
are as follows:
- Configure a SQL Server database to store membership, roles and profile
data
- Configure Membership, Roles and Profile providers for the web site
- Create roles in the system
- Create a registration page that will capture the above details from the user
- Create a login page
- Create the main page with content
Configure a SQL Server database
In order to store Membership, Roles and Profile data in a SQL Server database
we must configure it using the aspnet_regsql.exe command line tool. The tool
starts a wizard that guides you through the steps. It creates the tables and
stored procedures in the database that are used by these features. Figure 1 and
Figure 2 show the main steps of this tool.

Figure 1

Figure 2
The step indicated by Figure 1 allows us to configure the database for
membership, roles and profile services. The same step can be used if we later
decide to remove the services for some reason. The step indicated by Figure 2
allows us to specify the database that is to be configured.
Though not mandatory, it is useful to know the tables used by these features.
The following table lists the tables used by the membership, roles and profile
features respectively.
Feature | Tables Used
Membership | aspnet_users, aspnet_membership
Roles | aspnet_roles, aspnet_usersinroles
Profile | aspnet_profile
Configure Membership, Roles and Profile providers for the web site
Once you have configured the database, the next step is to configure the
membership, roles and profile providers for your web site. In order to do so
open the web.config file and add the following markup to it:
<connectionStrings>
  <add name="connstr"
       connectionString="data source=.\sqlexpress;initial catalog=northwind;integrated security=true"/>
</connectionStrings>
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx"></forms>
  </authentication>
  <authorization>
    <!-- "?" means anonymous (unauthenticated) users -->
    <deny users="?"/>
  </authorization>
  <membership defaultProvider="provider1">
    <providers>
      <add name="provider1" connectionStringName="connstr"
           type="System.Web.Security.SqlMembershipProvider"/>
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="provider2">
    <providers>
      <add name="provider2" connectionStringName="connstr"
           type="System.Web.Security.SqlRoleProvider"/>
    </providers>
  </roleManager>
  <profile defaultProvider="provider3">
    <providers>
      <add name="provider3" connectionStringName="connstr"
           type="System.Web.Profile.SqlProfileProvider"/>
    </providers>
    <properties>
      <add name="FullName"/>
      <add name="DOB" type="System.DateTime"/>
      <add name="Salary" type="System.Double"/>
      <group name="Address">
        <add name="Street"/>
        <add name="Country"/>
        <add name="State"/>
        <add name="PinCode"/>
      </group>
    </properties>
  </profile>
</system.web>
The markup consists of various sections.
- The <authentication> section configures our web site to use Forms based
authentication
- The <authorization> section denies access to anonymous users
- The <connectionStrings> section stores the connection string to the
Northwind database. This connection string is used by other tags such as
<membership> and <roleManager>
- The <membership> tag configures the membership provider used by our web
site. Through this tag ASP.NET knows about the data store used by our web
site for membership data
- The <roleManager> tag configures the role provider used by our web site.
Through this tag ASP.NET knows about the data store used by our web site for
role related data
- The <profile> tag configures the profile provider used by our web site.
Through this tag ASP.NET knows about the data store used by our web site for
profile data. The <properties> sub section of this tag specifies the profile
properties and groups. Observe how the data type of certain properties is
specified via the type attribute. Note that the user information is captured
partly by the membership features (User ID, Password, Email, Security
Question, Security Answer) and partly by the Profile features (Full Name,
Birth Date, Salary, Address)
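The <forms> and <membership> elements above set no attributes for cookie or password handling, so they run on whatever the framework and machine-level configuration supply. The fragment below is an added example, not part of the original article's markup, that states the security-relevant attributes explicitly; the attribute values and the applicationName are assumptions to adjust to your own policy.

```xml
<!-- Added example: explicit security settings for the article's <forms> and
     <membership> elements. All values are illustrative assumptions. -->
<system.web>
  <authentication mode="Forms">
    <!-- requireSSL: the ticket cookie is only sent over HTTPS (the site must be served over HTTPS).
         protection="All": the ticket is both encrypted and integrity-checked.
         cookieless="UseCookies": the ticket is never carried in the URL.
         timeout: ticket lifetime in minutes. -->
    <forms loginUrl="login.aspx"
           requireSSL="true"
           protection="All"
           cookieless="UseCookies"
           timeout="20" />
  </authentication>
  <membership defaultProvider="provider1">
    <providers>
      <!-- Drop providers inherited from machine-level configuration
           so that only the provider declared here is available. -->
      <clear />
      <!-- applicationName: scopes users to this application (assumed name).
           passwordFormat="Hashed" with enablePasswordRetrieval="false":
             passwords are stored as salted hashes and cannot be read back.
           requiresUniqueEmail: one account per e-mail address.
           maxInvalidPasswordAttempts / passwordAttemptWindow:
             lock the account after 5 failures within 10 minutes. -->
      <add name="provider1"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="connstr"
           applicationName="/MembershipExample"
           passwordFormat="Hashed"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           minRequiredPasswordLength="12"
           minRequiredNonalphanumericCharacters="1"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10" />
    </providers>
  </membership>
</system.web>
```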
Creating roles
In order to create the roles needed by our application, we will use the Web Site
Administration Tool, accessible via the WebSite > ASP.NET Configuration menu
option. Figure 3 shows the Security tab of this tool.

Figure 3
As you can see, the Roles section allows you to create or manage the roles of
the web site. Figure 4 shows the roles created using this tool.

Figure 4
Creating a user registration page
Traditionally developers used to create a user registration page by
assembling various controls such as TextBoxes, DropDownLists and Buttons.
Fortunately ASP.NET 2.0 comes with a control called CreateUserWizard that
simplifies the job. This control not only provides readymade registration
functionality but also allows you to customize it. In our example the first five
pieces of information about a user, i.e. User ID, Password, Email, Security
Question and Security Answer, are collected by the control out of the box. In
order to collect the remaining pieces we need to customize the control by adding
our own "Wizard Step".
Proceed by adding a new web form called Login.aspx. Drag and drop a
CreateUserWizard control on it. From the smart tags select "Add/Remove wizard
steps" to open a dialog as shown in Figure 5.

Figure 5
Add a new "Templated Wizard Step" using the Add button and set its Title
property to "User Profile" and its StepType property to Step. Now design the
step as shown in Figure 6.

Figure 6
The template consists of TextBoxes and RequiredFieldValidator controls for
accepting extended user information (profile). After you finish designing the
template add the following code to the NextButtonClick event handler of the
CreateUserWizard control. This event is raised when the user clicks on any Next
button.
protected void CreateUserWizard1_NextButtonClick(object sender, WizardNavigationEventArgs e)
{
    // Only act when leaving the templated "User Profile" step.
    if (e.CurrentStepIndex == 1)
    {
        // The first child control of the active step contains the TextBoxes.
        Control container = CreateUserWizard1.ActiveStep.Controls[0];
        TextBox t;

        t = (TextBox)container.FindControl("TextBox1");
        Profile.FullName = t.Text;

        // DateTime.Parse and double.Parse throw on malformed input; the
        // RequiredFieldValidators only ensure that the fields are not empty.
        t = (TextBox)container.FindControl("TextBox2");
        Profile.DOB = DateTime.Parse(t.Text);

        t = (TextBox)container.FindControl("TextBox3");
        Profile.Salary = double.Parse(t.Text);

        // Properties of the Address profile group.
        t = (TextBox)container.FindControl("TextBox4");
        Profile.Address.Street = t.Text;

        t = (TextBox)container.FindControl("TextBox5");
        Profile.Address.Country = t.Text;

        t = (TextBox)container.FindControl("TextBox6");
        Profile.Address.State = t.Text;

        t = (TextBox)container.FindControl("TextBox7");
        Profile.Address.PinCode = t.Text;
    }
}
Here, we check the index of the current step via the CurrentStepIndex property
of the WizardNavigationEventArgs class. Inside the if condition we get a
reference to each TextBox with the help of the FindControl() method. The value
entered in the TextBox is then assigned to the corresponding profile property.
Note that the profile properties that you specified in the web.config file
appear as properties of the Profile object.
We want all users to be part of the NormalUsers role initially. This is done by
handling the CreatedUser event of the CreateUserWizard control.
protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
{
    Roles.AddUserToRole(CreateUserWizard1.UserName, "NormalUsers");
}
Here, we used the AddUserToRole() method of the Roles object to add the newly
created user to the NormalUsers role. The user name is retrieved via the
UserName property of the CreateUserWizard control.
Finally, set the ContinueDestinationPageUrl property of the CreateUserWizard
control to Default.aspx.
That's it! You can now run Login.aspx and create new users in the system
using the CreateUserWizard control.
In the next part we will see:
- How an administrator can assign users to one or more roles.
- How users can log in to the web site.
- How to develop a Default.aspx that shows content for different roles.
Till then stay tuned!