Membership, Roles and Profile - An Example (Part 1)

Introduction

The membership, roles and profile features introduced in ASP.NET 2.0 significantly reduce the development time otherwise spent on hand-built approaches. Many professional web sites need a flexible membership scheme backed by role-based security. In this article series we are going to see these features in action with the help of an example.

Example Scenario

Let's assume that we want to develop a security and membership scheme for a professional web site. We want to capture the following details about the user:

  • UserID
  • Password
  • Email
  • Security Question
  • Security Answer
  • Full Name
  • Birth Date
  • Yearly Salary
  • Address

The web site has three roles - NormalUsers, PowerUsers and Administrators. When a user registers with the web site, he is assigned to the NormalUsers role by default. Later on the administrator may add him to any other role. Whenever anybody tries to access the web site, the user should be asked for a User ID and password. Upon supplying a correct User ID and password, the user should be taken to the main page of the web site. The content of the main page is rendered depending on the role of the user.

Steps required

In order to meet our requirement we will use ASP.NET 2.0 Membership, Roles and Profile features. The overall steps required in fulfilling our requirements are as follows:

  • Configure a SQL Server database to store membership, roles and profile data
  • Configure Membership, Roles and Profile providers for the web site
  • Create roles in the system
  • Create a registration page that will capture the above details from the user
  • Create a login page
  • Create the main page with content

Configure a SQL Server database

In order to store Membership, Roles and Profile data in a SQL Server database we must configure it using the aspnet_regsql.exe command line tool. The tool starts a wizard that guides you through the steps. It creates the tables and stored procedures in the database that are used by these features. Figure 1 and Figure 2 show the main steps of this tool.

Figure 1

Figure 2

The step indicated by Figure 1 allows us to configure the database for membership, roles and profile services. The same step can be used if we later decide to remove the services for some reason. The step indicated by Figure 2 allows us to specify the database that is to be configured.

Though not mandatory, it is interesting to know which tables these features use. The following table lists the tables used by the membership, roles and profile features respectively.

Feature       Tables Used
Membership    aspnet_users, aspnet_membership
Roles         aspnet_roles, aspnet_usersinroles
Profile       aspnet_profile

Configure Membership, Roles and Profile providers for the web site

Once you configure the database, the next step is to configure membership, roles and profile providers for your web site. In order to do so, open the web.config file and add the following markup to it:

<!-- Both sections go inside the <configuration> element of web.config -->
<connectionStrings>
  <add name="connstr"
       connectionString="data source=.\sqlexpress;initial catalog=northwind;integrated security=true"/>
</connectionStrings>

<system.web>
  <!-- Forms authentication: unauthenticated requests are redirected to login.aspx -->
  <authentication mode="Forms">
    <forms loginUrl="login.aspx"></forms>
  </authentication>
  <!-- "?" means anonymous users; they are denied access to the site -->
  <authorization>
    <deny users="?"/>
  </authorization>

  <membership defaultProvider="provider1">
    <providers>
      <add name="provider1" connectionStringName="connstr"
           type="System.Web.Security.SqlMembershipProvider"/>
    </providers>
  </membership>

  <roleManager enabled="true" defaultProvider="provider2">
    <providers>
      <add name="provider2" connectionStringName="connstr"
           type="System.Web.Security.SqlRoleProvider"/>
    </providers>
  </roleManager>

  <profile defaultProvider="provider3">
    <providers>
      <add name="provider3" connectionStringName="connstr"
           type="System.Web.Profile.SqlProfileProvider"/>
    </providers>
    <!-- Properties without a type attribute are strings -->
    <properties>
      <add name="FullName"/>
      <add name="DOB" type="System.DateTime"/>
      <add name="Salary" type="System.Double"/>
      <group name="Address">
        <add name="Street"/>
        <add name="Country"/>
        <add name="State"/>
        <add name="PinCode"/>
      </group>
    </properties>
  </profile>
</system.web>

The markup consists of various sections.

  • The <authentication> section configures our web site to use Forms based authentication
  • The <authorization> section denies access to anonymous users
  • The <connectionStrings> section stores the connection string to the Northwind database. This connection string is used by other tags such as <membership> and <roleManager>
  • The <membership> tag configures the membership provider used by our web site. Through this tag ASP.NET knows about the data store used by our web site for membership data
  • The <roleManager> tag configures the role provider used by our web site. Through this tag ASP.NET knows about the data store used by our web site for roles related data
  • The <profile> tag configures the profile provider used by our web site. Through this tag ASP.NET knows about the data store used by our web site for profile data. The <properties> sub section of this tag specifies the profile properties and groups. Observe how the data type of certain properties is specified via the type attribute. Note that the user information is captured partly by the membership features (User ID, Password, Email, Security Question, Security Answer) and partly by the Profile features (Full Name, Birth Date, Salary, Address)

Creating roles

In order to create the roles needed by our application, we will use the Web Site Administration Tool, accessible via the WebSite > ASP.NET Configuration menu option.

Figure 3 shows the Security tab of this tool.

Figure 3

As you can see, the Roles section allows you to create or manage the roles of the web site. Figure 4 shows the roles created using this tool.

Figure 4
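
A startup check for the configuration built so far, as an added example that is not part of the original article: it stops the application from starting if the effective membership settings are weaker than expected or if any of the three roles is missing, which matters because the registration page depends on NormalUsers existing. The Global class name and the thresholds are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;
using System.Web.Security;

// Application class referenced from Global.asax (class name assumed).
// Thresholds are assumptions of this example; set them to your own policy.
public class Global : HttpApplication
{
    const int MinPasswordLength = 7;
    const int MaxFailedAttempts = 5;
    static readonly string[] RequiredRoles = { "NormalUsers", "PowerUsers", "Administrators" };

    // Returns one message per setting that is weaker than expected.
    static List<string> AuditSecurityConfig()
    {
        List<string> findings = new List<string>();
        MembershipProvider p = Membership.Provider; // the defaultProvider from web.config

        if (p.PasswordFormat != MembershipPasswordFormat.Hashed)
            findings.Add("passwordFormat is " + p.PasswordFormat + ", expected Hashed");
        if (p.EnablePasswordRetrieval)
            findings.Add("enablePasswordRetrieval is on");
        if (!p.RequiresQuestionAndAnswer)
            findings.Add("requiresQuestionAndAnswer is off");
        if (p.MinRequiredPasswordLength < MinPasswordLength)
            findings.Add("minRequiredPasswordLength is " + p.MinRequiredPasswordLength);
        if (p.MaxInvalidPasswordAttempts > MaxFailedAttempts)
            findings.Add("maxInvalidPasswordAttempts is " + p.MaxInvalidPasswordAttempts);

        if (!Roles.Enabled)
            findings.Add("roleManager is disabled");
        else
            foreach (string role in RequiredRoles)
                if (!Roles.RoleExists(role))
                    findings.Add("role '" + role + "' does not exist");
        return findings;
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        List<string> findings = AuditSecurityConfig();
        if (findings.Count > 0)
            throw new ConfigurationErrorsException(
                "Security configuration check failed: " + string.Join("; ", findings.ToArray()));
    }
}
```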

Creating a user registration page

Traditionally developers used to create a user registration page by assembling various controls such as TextBoxes, DropDownLists and Buttons. Fortunately ASP.NET 2.0 comes with a control called CreateUserWizard that simplifies the job. This control not only provides ready-made registration functionality but also allows you to customize it. In our example the first five pieces of information about a user, i.e. User ID, Password, Email, Security Question and Security Answer, are collected by the control out of the box. In order to collect the remaining pieces we need to customize the control by adding our own "Wizard Step".

Proceed by adding a new web form called Login.aspx. Drag and drop a CreateUserWizard control on it. From the smart tags select "Add/Remove wizard steps" to open a dialog as shown in Figure 5.

Figure 5

Add a new "Templated Wizard Step" using Add button and set its Title property to "User Profile" and StepType property to Step. Now design the step as shown in Figure 6.

Figure 6

The template consists of TextBoxes and RequiredFieldValidator controls for accepting extended user information (profile). After you finish designing the template, add the following code in the NextButtonClick event handler of the CreateUserWizard control. This event is raised when the user clicks on any Next button.

protected void CreateUserWizard1_NextButtonClick(object sender, WizardNavigationEventArgs e)
{
    // Step index 1 is the custom "User Profile" step
    if (e.CurrentStepIndex == 1)
    {
        TextBox t;

        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox1");
        Profile.FullName = t.Text;

        // DateTime.Parse throws FormatException on malformed input
        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox2");
        Profile.DOB = DateTime.Parse(t.Text);

        // double.Parse throws FormatException on malformed input
        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox3");
        Profile.Salary = double.Parse(t.Text);

        // Address is a profile group, so its members are nested properties
        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox4");
        Profile.Address.Street = t.Text;

        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox5");
        Profile.Address.Country = t.Text;

        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox6");
        Profile.Address.State = t.Text;

        t = (TextBox)CreateUserWizard1.ActiveStep.Controls[0].FindControl("TextBox7");
        Profile.Address.PinCode = t.Text;
    }
}

Here, we check the index of the current step via the CurrentStepIndex property of the WizardNavigationEventArgs class. Inside the if condition we get a reference to each TextBox with the help of the FindControl() method. The value entered in the TextBox is then assigned to the corresponding profile property. Note that the profile properties that you specified in the web.config file appear as properties of the Profile object.
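
A validating variant of the handler, as an added example that is not part of the original article: it parses the date and salary without throwing, bounds every field, and cancels navigation instead of writing a partial profile. The class name, the limits, the yyyy-MM-dd date format and the "ProfileError" Label in the step template are assumptions; the TextBox IDs are the article's.

```csharp
using System;
using System.Globalization;
using System.Web.UI.WebControls;
// Code-behind for the article's Login.aspx. Class name, limits, date format and
// the "ProfileError" Label in the step template are assumptions of this example.
public partial class LoginPage : System.Web.UI.Page
{
    const int MaxTextLength = 100;
    const double MaxSalary = 100000000;
    static readonly DateTime MinDob = new DateTime(1900, 1, 1);

    // Trimmed text of a TextBox inside the templated step ("" if not found).
    string StepText(string id)
    {
        TextBox t = CreateUserWizard1.ActiveStep.Controls[0].FindControl(id) as TextBox;
        return t == null ? "" : t.Text.Trim();
    }

    protected void CreateUserWizard1_NextButtonClick(object sender, WizardNavigationEventArgs e)
    {
        if (e.CurrentStepIndex != 1) return;
        CultureInfo inv = CultureInfo.InvariantCulture;
        DateTime dob;
        double salary;
        // TryParse never throws; the range checks also reject "NaN" and
        // "Infinity", which double.Parse accepts.
        bool dobOk = DateTime.TryParseExact(StepText("TextBox2"), "yyyy-MM-dd", inv,
            DateTimeStyles.None, out dob) && dob >= MinDob && dob <= DateTime.Today;
        bool salaryOk = double.TryParse(StepText("TextBox3"), NumberStyles.Float, inv,
            out salary) && salary >= 0 && salary <= MaxSalary;
        string[] ids = { "TextBox1", "TextBox4", "TextBox5", "TextBox6", "TextBox7" };
        bool textOk = Array.TrueForAll(ids, delegate(string id)
            { string s = StepText(id); return s.Length > 0 && s.Length <= MaxTextLength; });
        if (!(dobOk && salaryOk && textOk))
        {
            e.Cancel = true; // stay on the profile step; nothing is written
            Label err = CreateUserWizard1.ActiveStep.Controls[0].FindControl("ProfileError") as Label;
            if (err != null) err.Text = "Check the birth date (yyyy-MM-dd), salary and text fields.";
            return;
        }
        Profile.FullName = StepText("TextBox1");
        Profile.DOB = dob;
        Profile.Salary = salary;
        Profile.Address.Street = StepText("TextBox4");
        Profile.Address.Country = StepText("TextBox5");
        Profile.Address.State = StepText("TextBox6");
        Profile.Address.PinCode = StepText("TextBox7");
    }
}
```

The length limits bound what is stored; the profile strings still need HTML encoding wherever a page later displays them.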

We want every new user to start out in the NormalUsers role. This is done by handling the CreatedUser event of the CreateUserWizard control.

protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
{
    Roles.AddUserToRole(CreateUserWizard1.UserName, "NormalUsers");
}

Here, we used the AddUserToRole() method of the Roles object to add the newly created user to the NormalUsers role. The user name is retrieved via the UserName property of the CreateUserWizard control.

Finally, set the ContinueDestinationPageUrl property of the CreateUserWizard control to Default.aspx.

That's it! You can now run Login.aspx and create new users in the system using the CreateUserWizard control.

In the next part we will see:

  • How administrator can assign users to one or more roles.
  • How users can login to the web site.
  • How to develop Default.aspx that shows content for different roles.

Till then stay tuned!




Bipin Joshi is a software consultant, trainer, author and a yogi having 21+ years of experience in software development. He conducts online courses in ASP.NET MVC / Core, jQuery, AngularJS, and Design Patterns. He is a published author and has authored or co-authored books for Apress and Wrox press. Having embraced Yoga way of life he also teaches Ajapa Meditation to interested individuals.

Posted On : 16 Jun 2006



Tags : ASP.NET Server Controls Security Configuration