Asp.net User Roles Management: Where to Begin - asp.net

I'm new to User Roles Management. I was reading my Wrox Programming book on ASP.NET 3.5 user role management...but it was hard to follow along, as I do not have a local server set up to test on (I do...but...that's a separate question), but rather currently test on a remote server (where the website is hosted; there are not enough hits, so I can get away with testing on the live server).
Anyway...where do I begin in user role management? I'm not necessarily asking to be given a 30-page hard description, but more of a summary. My GoDaddy hosting account seems to offer an ASP.NET schema SQL database set up for user role management, but I have yet to learn how to integrate it into my development.
Any input would be appreciated.

I would open up Visual Studio, create a new ASP.NET Web Application project, and click the "Configure ASP.NET" button on the top-right hand corner of the Solution Explorer. If you navigate to the Security section, you can start creating Users and Roles. The tool basically describes exactly how they work to you.

Here's the first place I'd go:
http://www.asp.net/Learn/Security/
Check out tutorials 9 through 11.

You can use SqlRoleProviders and SqlMembershipProviders with the .NET default management, or you can write your own providers.
http://www.odetocode.com/Articles/427.aspx
http://msdn.microsoft.com/en-us/library/aa478949.aspx
Then these are used in conjunction with ASP.NET forms authentication:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Common/Login.aspx" timeout="450" />
</authentication>
<authorization>
<deny users="?" />
<allow roles="Admin" />
</authorization>
The configuration of all of this is via web.config; your membership and roles sections may be similar to this if you use the out-of-the-box aspnetdb:
<membership defaultProvider="IDTSqlMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="IDTSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlMembershipConnectionString"
applicationName="ConsumerSynergy"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="20"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="IDTSqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
<providers>
<clear/>
<add
name="IDTSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlMembershipConnectionString"
applicationName="ConsumerSynergy"/>
</providers>
</roleManager>
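As an added example (not code from the answer above), here is how a Login page's code-behind would use the providers configured in that web.config: Membership.ValidateUser checks the user against the SqlMembershipProvider, FormsAuthentication.RedirectFromLoginPage issues the forms cookie, and the Roles API drives role checks. The control IDs (UserName, Password, RememberMe, Message) and the RoleSetup helper are assumptions. One caveat on the <authorization> block above: rules are evaluated top-down and the first match wins, with an implicit <allow users="*"/> appended last, so <deny users="?"/> followed by <allow roles="Admin"/> still admits every authenticated user; to restrict a folder to Admin alone, write <allow roles="Admin"/> followed by <deny users="*"/>.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for ~/Common/Login.aspx (the loginUrl in the <forms> element above).
// Assumed markup: TextBox UserName, TextBox Password, CheckBox RememberMe,
// Label Message, and a Button whose Click handler is LoginButton_Click.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // ValidateUser hashes the submitted password with the stored salt and compares it
        // (passwordFormat="Hashed"); the provider also counts failures toward
        // maxInvalidPasswordAttempts and locks the account when that limit is reached.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the ".ASPXFORMSAUTH" ticket cookie and sends the browser to ReturnUrl
            // (or defaultUrl). The second argument controls whether the cookie is persistent.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked);
        }
        else
        {
            // One generic message for both "unknown user" and "wrong password", so the
            // login form does not reveal which user names exist.
            Message.Text = "Login failed.";
        }
    }
}

// Role bootstrap and checks, e.g. called from Application_Start in Global.asax.
public static class RoleSetup
{
    // Creates the "Admin" role referenced by <allow roles="Admin"/> if it is missing.
    public static void EnsureAdminRole()
    {
        if (!Roles.RoleExists("Admin"))
            Roles.CreateRole("Admin");
    }

    // Grants the role to a user that already exists in the membership database.
    public static void MakeAdmin(string userName)
    {
        if (!Roles.IsUserInRole(userName, "Admin"))
            Roles.AddUserToRole(userName, "Admin");
    }
}
```

Inside a protected page the same check is `if (!User.IsInRole("Admin")) { ... }`. With cacheRolesInCookie="true" the role list travels in a cookie that cookieProtection="All" encrypts and signs, so removing a user from a role only takes effect once that cookie expires or Roles.DeleteCookie() is called.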

My personal favorite about roles:
Examining ASP.NET's Membership, Roles, and Profile - Part 2
https://web.archive.org/web/20210417083524/https://www.4guysfromrolla.com/articles/121405-1.aspx

Related

How to Auto Login IIS website?

I have a website to which users upload large files. In order to keep the site responsive, I have separated the upload part from the main part. Now there are two websites with two different app pools, but both app pools are using the same user identity to run. The problem is that users must now first log into the main site, and in order to upload they have to log in again!
How can I auto-login a user who has already logged into the main site?
I'm using ASP.NET MVC but with the old ASP.NET membership on Windows Server 2016 (IIS 10), and here is my web.config:
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="NewsDb" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="3" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
To share forms authentication between different websites, you need to make sure your websites are under the same main domain; otherwise you will need to implement a lot of code.
Check the <authentication> node in your web.config.
For your main website with the login page:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="{your_auth_cookie_name}" timeout="120" slidingExpiration="true" domain=".yourdomain.com" enableCrossAppRedirects="true"/>
</authentication>
For your upload site:
<authentication mode="Forms">
<forms loginUrl="https://mainsite/login.aspx" name="{your_auth_cookie_name}" timeout="120" slidingExpiration="true" domain=".yourdomain.com" enableCrossAppRedirects="true"/>
</authentication>
If you deployed your websites on different servers, you may need to unify the machine key to make sure the decryption of the auth cookie is correct.

Disabling Membership in ASP.NET is not working

I am maintaining an existing ASP.NET website. I do not completely understand the project because another developer just handed it to me. The project is not neat. The .NET version is 4 and the MVC version is 4 as well. Now I need to completely disable the membership system of the project. I found a lot of articles, and some changes need to be done in web.config.
I added these lines in web.config:
<system.web>
<membership>
<providers>
<clear/>
</providers>
</membership>
</system.web>
When I run the application, it throws this error.
So then I tried this instead:
<membership>
<providers>
<clear />
</providers>
</membership>
<roleManager enabled="false">
<providers>
<clear />
</providers>
</roleManager>
<profile>
<providers>
<clear />
</providers>
</profile>
Then it gave me this error.
How can I completely disable membership in ASP.NET?
Removing the Membership Provider is easy. You just comment out the following 3 tags inside web.config:
<system.web>
<!--<membership>...</membership>-->
<!--<roleManager enabled="true">...</roleManager>-->
<!--<profile>...</profile>-->
</system.web>
The main question is, after removing it, how do you plan to authenticate and authorize a user?
If you do not need authentication and allow anonymous access, you'll still need to remove the [Authorize] attribute on each controller and action method, or the global filter.

How can I build a basic logon page using ASP.NET 4.0 using Active Directory?

I am trying to build a very basic website using ASP.NET to allow users to access private information by logging into the company Active Directory. Any help is really appreciated.
You will want to set up configuration in the web.config file to tell the ASP.NET app to use forms authentication:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" cookieless="UseCookies" />
</authentication>
Then you will need to create a membership provider that will connect to AD for authentication. Fortunately Microsoft has provided an AD membership provider out of the box, so you can use that. If you set it as the defaultProvider, ASP.NET will automatically use it for authentication.
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="<domainName>\administrator"
connectionPassword="password"/>
</providers>
</membership>
Finally, you will need to set up a connection string to connect to your domain controller (its name must match the connectionStringName used by the provider above):
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://myCompany.com/DC=myCompany,DC=com"/>
</connectionStrings>
Look here for a good reference with more details.

Using one Asp.net Membership database with multiple applications Single Sign On

I have two ASP.NET applications on one IIS server and I would like to use the same back-end asp_security database and membership provider. I've read that all I have to do is reference the same application name in both web.configs, as I'm doing now, but I must be doing something wrong.
In each application's web.config I have this section:
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="membership"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="/"
requiresUniqueEmail="false"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
/>
</providers>
</membership>
When I log in from application A and browse to application B, application B doesn't seem to know anything about me or my credentials from application A. Anyone have any ideas what I'm doing incorrectly?
Just for closure's sake I will answer how I achieved the goal of what my original question meant to ask for.
I had two ASP.NET applications on one IIS server. It was my goal to make it so that when a user logged onto app1 their user credentials would be available in app2. Configuring the ASP.NET membership provider is only one step of what I was looking for. Even if both apps were using the same back-end database and provider, I still wouldn't be authenticated when I hit app2. What I was looking for was a Single Sign On solution.
Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web.config:
<authentication mode="Forms" />
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="membership"
applicationName="/"
/>
</providers>
</membership>
<roleManager enabled="true" />
make sure both have the same applicationName property set.
I was using IIS 6, so I configured it to auto-generate a machine key for both applications. Because both of these applications live on the same machine, the key would be identical; this is the critical part to making the SSO work. After setting up IIS, the following was added to my web.config:
<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />
That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.
Thanks for the push in the right direction.
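Two of the threads above (the upload site that needs the main site's login, and the app1/app2 single sign-on) hinge on the same mechanism: the forms ticket in the cookie must be readable by the second application, which requires the same <forms name="..."/>, a cookie domain and path that cover both apps, and an identical <machineKey>. The following diagnostic is an added example, not code from either answer; it decrypts the incoming ticket the way ASP.NET does and names the usual reason when it cannot. The class name and the trace sink are assumptions. Note that the framework default is validationKey="AutoGenerate,IsolateApps" and decryptionKey="AutoGenerate,IsolateApps", which derives a different key per application; the answer's "AutoGenerate" without IsolateApps is what lets two apps on one machine share a key. Across several servers, put the same explicit validationKey and decryptionKey in every web.config instead.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Drop this into app2 (or the upload site) and call it from Application_AuthenticateRequest
// in Global.asax while debugging the handoff.
public static class SharedTicketCheck
{
    public static string Describe(HttpRequest request)
    {
        // FormsCookieName comes from <forms name="..."/>; both apps must use the same name.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return "no '" + FormsAuthentication.FormsCookieName +
                   "' cookie received: check the forms name, domain and path on both sites";

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the MAC and decrypts with the keys from <machineKey>.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Thrown when the ticket was protected with different keys (or is corrupt).
            return "cookie present but cannot be decrypted (" + ex.GetType().Name +
                   "): machineKey differs between the applications";
        }

        if (ticket == null)
            return "cookie present but did not decode to a ticket: machineKey differs or cookie is corrupt";
        if (ticket.Expired)
            return "ticket for '" + ticket.Name + "' has expired (timeout / slidingExpiration)";

        return "ticket for '" + ticket.Name + "' accepted, issued " + ticket.IssueDate.ToString("u");
    }
}

// Wiring it up in Global.asax.cs (illustration only):
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     System.Diagnostics.Trace.WriteLine(SharedTicketCheck.Describe(Request));
// }
```

Once both applications agree on name, domain and keys, ASP.NET populates HttpContext.User from that ticket on its own; the diagnostic only confirms where the handoff breaks. Keep in mind that a cookie scoped to domain=".yourdomain.com" is sent to every host under that domain, so every site hosted there receives the login ticket.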
If my understanding serves me correctly, the user's authentication credentials are stored within the HTTP context of each application. So switching between the two applications will not automatically authenticate the user, since a new context will be created when you switch to app B.
What I believe may be the correct approach would be to use the DefaultCredentials (or set the UseDefaultCredentials property to True) of the current user prior to switching to app B.
When you say switch, what do you mean, e.g. open a different browser window and access app B, or request a page from app B from app A?

ASP:Login Not Authenticating

I am currently learning forms authentication using a SqlMembershipProvider. The ASP:Login control does not seem to authenticate. Here is the structure of my test site on my local machine:
~/LoginTest/
Default.aspx
CreateUser.aspx
lostpassword.aspx
web.config
/login/
Login.aspx
ProtectedStuff.aspx
web.config
In the web.config file of the LoginTest folder I have added the following nodes:
<connectionStrings>
<add name="EvgSqlConnection" connectionString="connection string" />
</connectionStrings>
<authentication mode="Forms">
<forms name="LoginTest" loginUrl="~/login/Login.aspx" path="/login"
cookieless="UseCookies" />
</authentication>
<membership defaultProvider="mySqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear/>
<add
name="mySqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="EvgSqlConnection"
applicationName="LoginTest"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="mySqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
<providers>
<clear/>
<add name="mySqlRoleProvider" applicationName="LoginTest" connectionStringName="EvgSqlConnection"
type="System.Web.Security.SqlRoleProvider"/>
</providers>
</roleManager>
In the web.config in the login folder I have the following:
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>
So what this is supposed to do, from what I have read, is deny users access to anything in the login folder. In this case my test file is ProtectedStuff.aspx, which is nothing more than a page with a label. What is currently happening is that everything seems to work except the ASP:Login control. I can currently create a new user with the ASP:CreateUserWizard on CreateUser.aspx. I can recover a new password using the question and answer set up using the ASP:PasswordRecovery control on lostpassword.aspx. I can enter the correct name and password in the ASP:Login control on Login.aspx. The only thing that doesn't seem to work is the actual authentication. Whenever I try to go to ProtectedStuff.aspx it kicks me back to Login.aspx, like it is supposed to when you are not authenticated. Further, I can enter the wrong user name or wrong password and the Login control complains. I can see my user in the website administration page, and I can see that the user is assigned a role.
There is no custom code behind any of these controls; all I have done is copy the SqlProvider name into the MembershipProvider attribute of these controls. SQL Server 2000 is configured with an NT AUTHORITY\Network Service user that has aspnet_Membership Full Access checked. The config files seem to be okay, all the controls seem to be able to read and write to the database correctly, only the Login control doesn't seem to authenticate the user. What else should I be looking for?
I'd start by removing the path attribute from your Forms element:
Specifies the path for cookies issued by the application. The default value is a slash (/), because most browsers are case-sensitive and will not send cookies back if there is a path case mismatch.
If that still fails, I'd get hold of Fiddler and see what cookies are being sent back to the client and to the server after logging in.
