Beginning ASP.NET 2.0 with C#, part 3 (doc)

3. Click the Manage link for the Administrators group, and then search for the Administrator user account, using the search tools shown in Figure 4-24. The easiest way to find the Administrator account is to search for all accounts beginning with the letter A, so type a* in the text box and click Find User. Add the Administrator account to the Administrators role by checking the User Is In Role check box.

Figure 4-24

4. Add the remaining user accounts to the Users role in the same way.

5. Click the Security tab to return to the main Security section of the Administration Tool. Then click the Manage access rules link to return to managing the access rules for the site. In the same interface as you used in the earlier example for managing access rules (see Figure 4-13), remove the access rules for the individual user accounts, and instead grant access to the site to both the Administrators and Users groups. As you delete rules, you'll be prompted as shown in Figure 4-25.

6. Add the new permissions on a role-by-role basis with the interface shown in Figure 4-26. After you have added the rules, you should see the list of rules shown in Figure 4-27.

122 Chapter 4 07_042583 ch04.qxd 4/4/06 2:42 PM Page 122

Figure 4-25

Figure 4-26

123 Membership and Identity 07_042583 ch04.qxd 4/4/06 2:42 PM Page 123

Figure 4-27

7. If you run the application again now, you should be able to log in as any of the user accounts and access the site as before. If you change the permissions for one of the roles, all members of that role will be affected, hence you could block access to all non-administrative users if you wanted.

How It Works

All of the changes in this example were made via the magic Web Site Administration interface, which simplifies the process of adding role definitions and access rules.
If you were to do this by hand, as you will see in just a moment, you would have to manipulate the contents of the Roles table in the AspNetDB.mdf database that was shown earlier to include two role definitions, and then add users to those roles by changing the UsersInRoles table by hand. Then you would have to manipulate the Web.config file to change the access permissions to the site. This configuration process was all handled for you automatically by the tool, which makes configuration and administration quite a lot simpler. However, this is a Visual Web Developer and Visual Studio 2005 feature, not an ASP.NET feature, so you would have to do this by hand if you didn't have access to the VWD environment.

If you return to the Source View of your Web.config file, you'll see that the following changes have been made (highlighted in the book with a gray background):

    <roleManager enabled="true" />
    <authorization>
      <allow users="?" />
      <allow roles="administrators" />
      <allow roles="users" />
    </authorization>

In addition, the process of enabling roles has modified the user profile database slightly, by adding two new tables: one to store roles and one that tells you which users are members of which roles (see Figure 4-28).

Figure 4-28

Authentication

One area not yet discussed is how the authentication works for this application, and what options are available in ASP.NET for authentication. The examples so far have relied on what's known as Forms authentication. So, what is Forms authentication, and what are the other options available?

❑ Forms authentication: Login requests are made by filling in a form on a web page and submitting that form to the server. When the server receives the request, a cookie is written to the user's local machine, and this cookie is passed back to the server by the browser along with each request that is sent so that the user remains authenticated for as long as is required.
❑ Windows authentication: Login pages pass user credentials to a web server (IIS only, not the web server built into VWD). The web server then handles the authentication using whichever method is configured on the virtual directory that the application is running within. IIS hooks in to the Windows operating system and Active Directory domain structures, which means that it can rely on user profiles that are stored externally, and use standard Windows credentials to log in to the site. Depending on the configuration of your site, and depending on which user account you used to log in to your machine, you may not even have to log in to the site directly, because your current Windows credentials can be passed to the web server automatically for authentication. This is really handy when it comes to developing intranet applications.

❑ Passport authentication: Login credentials are passed to a Microsoft Passport server where user profiles are stored centrally. You may be familiar with this from logging in to a Hotmail account. And because you can configure Windows to log on to a Passport account on startup, you can access your Hotmail inbox without even having to type a password.

Forms Authentication Model

This section looks at how Forms authentication works. Consider the following scenario:

❑ The user — let's call him Bob — wants to view Page A, which can't be accessed by anonymous users, so when Bob tries to view Page A, the browser instead displays a login page, as shown in Figure 4-29.

Figure 4-29

❑ Bob is now looking at a login page. Because Bob registered with this site previously, he logs in to the site using his username and password combination. Figure 4-30 shows the interaction between Bob's browser and the server.

Figure 4-30

❑ Bob can now view Page A and is a happy user. Next, Bob wants to view Page B by following a link from Page A.
Along with the request for the page, Bob's browser sends a copy of the cookie to the server to let the server know that it's Bob who's trying to view the page. The server knows who Bob is, and likes Bob, so it sends Bob Page B as requested, as shown in Figure 4-31.

Figure 4-30 (diagram): the browser sends a request for Page A to the server; the server refuses anonymous access and sends the login page instead; the browser sends a login request to the server; the server authenticates Bob and returns Page A along with a cookie to the browser.

Figure 4-31

❑ If Bob now requests the site's home page, the browser will tack the cookie onto the request, so even though the home page is not restricted content, the cookie is still sent to the server. Because the page isn't restricted, the server doesn't worry about the cookie, ignores it, and sends back the home page.

❑ Bob then heads back to Page A. Because the cookie is fresh on Bob's machine, the cookie is sent to the server. The server is still happy with Bob, so it lets Bob view the page.

❑ Bob goes off and makes himself a coffee. He then makes some lunch. By the time he gets back to his computer, 25 minutes have elapsed. Bob now wants to view Page B again, but the cookie on his machine has expired. The server doesn't receive a cookie along with the page request, so Bob has to log back in again.

Cookies on a user's machine are normally set to expire after a specific amount of time has elapsed. In this scenario, the server gives out cookies with a 20-minute expiry, which means that as long as the user keeps making requests within 20 minutes of each other, the cookie will remain active. However, more than 20 minutes away from the site and the user will have to log back in to the site to view restricted content.

The login page built in the earlier examples included a box that offered you the "remember my details for next time" option.
This writes a more permanent cookie to your browser's cookie collection so that your account name is pre-populated when you revisit the site. Because you should never store password information in a cookie, you should always have to enter your password, but at least your username field is filled in for you on each visit.

Other methods of authentication — Windows and Passport — provide the end user with a similar experience. For example, the Windows authentication model relies on the web server (which will likely be IIS) to control access to the site, but it can also incorporate the timeout mechanism to block users that have been idle for too long. To configure Windows authentication, you need to specify which users or roles from the corporate Active Directory (AD) domain can access a site. These users can then access the site whenever they are logged on using their login details to a PC on the corporate network. It's also possible to view a Windows authenticated site from outside of the corporate environment, though you are asked to enter your standard Windows logon credentials when you attempt to access a page protected by Windows authentication.

Figure 4-31 (diagram): the browser requests Page B and passes a copy of the cookie; the server accepts the cookie and sends back Page B.

Passport authentication isn't as widely adopted as Microsoft perhaps would have liked, but some sites on the Internet do link to the Passport network to handle web site authentication (for example, Expedia.com). Passport authentication relies on the entire repository of user accounts being accessible from anywhere in the wired world, a bit like a central active directory for web accounts.

This book uses Forms authentication to handle all authentication with the Wrox United application.
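The role definitions and memberships that the Administration Tool wrote to the Roles and UsersInRoles tables in the earlier How It Works can also be created in code through the Roles and Membership APIs. This is an added example, not code from the book; it assumes <roleManager enabled="true" /> is already in Web.config and that it runs inside the web application, and the RoleSetup class and its method names are invented for the example.

```csharp
// Added example (not from the book): the role setup that the Web Site
// Administration Tool performed in steps 3 to 6, done in code through the
// Roles and Membership APIs, which write the Roles and UsersInRoles tables
// in AspNetDB.mdf for you. Assumes <roleManager enabled="true" /> is in
// Web.config and that this runs inside the web application (for example
// from Application_Start in Global.asax). RoleSetup and its methods are
// names invented for this example.
using System;
using System.Web.Security;

public static class RoleSetup
{
    // CreateRole throws if the role already exists, so check first.
    static void EnsureRole(string roleName)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
    }

    // AddUserToRole throws if the user is already a member, so check first.
    static void EnsureMembership(string userName, string roleName)
    {
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
    }

    public static void Configure()
    {
        EnsureRole("Administrators");
        EnsureRole("Users");

        // Step 3 searched for "a*" in the tool. The SqlMembershipProvider
        // passes this pattern to a SQL LIKE, so the wildcard here is %.
        foreach (MembershipUser u in Membership.FindUsersByName("a%"))
        {
            if (String.Equals(u.UserName, "Administrator", StringComparison.OrdinalIgnoreCase))
                EnsureMembership(u.UserName, "Administrators");
        }

        // Step 4: every account that is not an administrator goes into Users.
        foreach (MembershipUser u in Membership.GetAllUsers())
        {
            if (!Roles.IsUserInRole(u.UserName, "Administrators"))
                EnsureMembership(u.UserName, "Users");
        }
    }
}
```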
Wrox United Security

The Wrox United site that you've been working on so far needs to have some security applied to it if you want to be able to include some personalization in the site. In the finished site (www.wroxunited.net), you'll see that there is shopping cart functionality built in to the site. Additionally, the finished site will also have an administration area, where you can edit fixtures, team members, and much more. This all means that you're going to have to add some users and roles at some stage. Because you have gained plenty of experience of using the configuration tool, you can now perform the first stage in this process. The next Try It Out walks you through the user accounts and roles configuration for the Wrox United site. At this stage, you don't have to worry about locking down parts of the site — that's a task for later in the book.

Try It Out
Configuring Security in the Wrox United Site

1. Open the final version of the Wrox United site in VWD. Then click the Website menu and select ASP.NET Configuration. This launches the configuration tool for the site. Figure 4-32 shows the configuration screen that is displayed for the finished version of the site.

Figure 4-32

2. Click the Security link to go to the section where you can configure users and roles. As you did previously in this chapter, launch the security setup wizard. As you walk through the wizard, select the following:

❑ The application will be used over the Internet.
❑ Roles are enabled.
❑ Roles should be defined for Administrator, FanClubMember, Manager, Owner, and Reporter (see Figure 4-33).

3. Look at the user accounts. The user accounts predefined with the Wrox United application are shown in Figure 4-34.

4. Take a look at the configuration for the finished application.
You'll see that the preconfigured user accounts are each members of different roles, so while the ChrisH account is a member of the Reporter role, Jim is a member of the Owners role, and Lou is a member of the Fan Club.

5. After you finish the wizard, look at a couple of subfolders within the WroxUnited directory that contain specific areas of the site — the Admin and the FanClub sections. These areas have some access restrictions on them.

Figure 4-33

Figure 4-34

6. Go to the section for managing Access Rules and you'll see the following rules:

❑ For the main WroxUnited folder, anonymous access is allowed.
❑ For the FanClub folder, only members of the FanClub role can access the folder — all other users are denied access.
❑ For the Admin folder, access is denied to all users.

How It Works

With the Wrox United application, you have access to the configuration of a fully functional web application. Feel free to have a look through this configuration using both the Administration Tool and the Web.config file to see how the basic permissions are enabled. This example is only a taste of what will come later in the book, because Chapter 11 covers the details of role-based access to a site and shows you different techniques for enabling and disabling content by role.

The code generated for filtering access to the FanClub folder has been added to the Web.config file that lives within the FanClub folder. This code is as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="FanClubMember" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

Notice that the FanClubMember role has been defined as the only role that has permission to access the content in this folder. The directory-level permission created in this example has created a restricted zone in the site.
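The following added example (not from the book) walks through the decisions ASP.NET makes on each request in Bob's scenario from the Forms Authentication Model section and applies them to the Wrox United folder rules just listed: a ticket is issued at login, rebuilt from the cookie on later requests, and then checked against the <authorization> rules for the requested path. It assumes it runs inside the Wrox United application with Forms authentication configured and the Admin and FanClub Web.config files in place; RequestOutcome, AccessWalkthrough and its methods are names invented for the example.

```csharp
// Added example (not from the book): the decisions ASP.NET makes on each
// request in Bob's scenario, applied to the Wrox United folder rules above.
// Assumes it runs inside the Wrox United application (for example from a
// page's code-behind) with <authentication mode="Forms" /> configured and
// the Admin and FanClub Web.config files in place. RequestOutcome,
// AccessWalkthrough and its methods are names invented for this example.
using System;
using System.Security.Principal;
using System.Web.Security;

public enum RequestOutcome { Serve, RedirectToLogin, Refused }

public static class AccessWalkthrough
{
    static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(String.Empty), new string[0]);

    // Login step: the server issues a ticket good for timeoutMinutes (20 in
    // the book's scenario) and encrypts it into the cookie value.
    public static string IssueCookieValue(string userName, int timeoutMinutes)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(timeoutMinutes),
            false, String.Empty);
        return FormsAuthentication.Encrypt(ticket);
    }

    // Rebuild the principal for a request. No cookie, an expired cookie
    // (Bob after his 25-minute lunch) or a cookie that fails to decrypt
    // all yield the anonymous principal; roles come from the role provider.
    public static IPrincipal PrincipalFromCookie(string cookieValue)
    {
        if (String.IsNullOrEmpty(cookieValue))
            return Anonymous;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookieValue); }
        catch (Exception) { ticket = null; }   // tampered or foreign cookie
        if (ticket == null || ticket.Expired)
            return Anonymous;
        return new GenericPrincipal(new FormsIdentity(ticket), Roles.GetRolesForUser(ticket.Name));
    }

    // Apply the <authorization> rules that govern virtualPath, the same
    // check UrlAuthorizationModule performs for every request. ASP.NET
    // answers 401 in both failure cases and the Forms module turns that into
    // a redirect to the login page; the outcomes are separated here only so
    // the reason is visible (Lou may enter FanClub, ChrisH may not, nobody
    // may enter Admin).
    public static RequestOutcome Decide(string virtualPath, string cookieValue)
    {
        IPrincipal user = PrincipalFromCookie(cookieValue);
        if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET"))
            return RequestOutcome.Serve;
        return user.Identity.IsAuthenticated ? RequestOutcome.Refused : RequestOutcome.RedirectToLogin;
    }
}
```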
Chapter 11 walks through some examples using the Administration section and the Fan Club sections, demonstrating different parts of ASP.NET 2.0 technology. These examples will rely on an understanding of the foundations built in this section.

Summary

This chapter discussed the basics of security, the concept of identity, and the process involved in logging on to a site. These are familiar concepts to anyone who spends time on the Internet, surfing fan sites, community portals, or online shops. Because these concepts are so universal, you've seen how ASP.NET 2.0 is designed to simplify the process of creating sites that use this functionality. The core concepts to understand are as follows:

❑ Identity: The concept of an individual as described by a set of attributes that make that individual unique.
❑ Authentication: The concept of identifying a user to a server by passing a set of credentials to the server. If the server can identify the user attempting to connect, he or she will be authenticated.
❑ Authorization: The process of taking authenticated user credentials and comparing them against a set of access control list information, providing the answer to the question "can this user access the requested resource?"
❑ Personalization: The capability to provide information that is specific to the currently logged-in user.
❑ Membership: The concept of belonging. This chapter considered the concept of users being members of specific roles.

The next chapter expands on the concept of personalization and looks at how ASP.NET sites can be personalized.
Exercises

1. Change the configuration of your Chapter 4 web site to allow anonymous access, but to deny access to one specific user account.

2. Add a subfolder to the Chapter 4 web site called Admin. Within this folder, add a page called MainAdmin.aspx with a LoginName control on it and any other controls you might want. Change the access permissions for that specific folder so...

Posted: 09/08/2014, 18:22
