Wednesday, 9 August 2006

ASP.NET 2.0 Roles, Forms Auth and Membership

Jeff
I'm not going to attempt to blog about how to setup ASP.NET 2.0 security, there are more than enough good blogs and How To's to get it working. The best place to start is from the awesome blogs of Scott Gu here.

What I do want to blog is my experiences of setting it up.
My scenario
I have a website that will be deployed on the WWW but will only be accessed by users contained in a AD. There will be two levels of users but not all users in the AD will have access.
My Solution
Ok first of all I would like to say that the Provider model used in ASP.NET 2.0 is spot on :-) It really does allow for less code, more productivity and a neat design.
First of all I am using Forms authentication with Active Directory as my membership provider. A great How To here. This provider along with the new LogIn control authenticates users against an LDAP store. I found the Login control really useful and nicely customizable, the only downside is the way the control renders in tables, which is a bit annoying for styling and you can't get full control over it. Other than that authenticating users via Forms auth is a lot easier than in .NET 1.1.
For my role management I originally wanted to use the AD roles but discovered that there is not yet an AD Role provider, and didn't really have the time to look into creating one!! So I opted for the SqlRoleProvider to manage my roles. There is a great Role Manager How To over here. This provider will use the aspnetdb database to store the roles and integrates well with the AD Membership provider by using the AD usernames. New Roles can be created and managed using the ASP.NET Web Site Administration Tool. I will have two roles, Admin and User and add only the users using the website to the roles from the AD store. After using the SQLRole provider I have realized that it may be a neater place to store role information than in the AD as it can all be stored in a central database, with no replication problems. Roles can be application specific by setting the application name in the providers tag in the web.config under the role manager tag. Here is my config:

<roleManager enabled="true" defaultProvider="SqlRoleManager" cacheRolesInCookie="true">
<providers>
<add name="SqlRoleManager"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlRoleManagerConnectionString"
applicationName="MyAppName" />
</providers>
</roleManager>

I then set my authorization tag in my web.config to allow only the users in my User and Admin roles and Deny everyone else. This ensures that only authenticated users in my roles can access the web site.

<authorization>
<allow roles="User" />
<allow roles="Admin" />
<deny users="*" />
<deny users="?" />
</authorization>

Deploying my role setup is the next issue I face. My plan is to run the Aspnet_regsql.exe tool to setup the aspnetdb database and then run SQL scripts to add the two roles. I have then created an admin page within my site which will add/remove users to these roles. Obviously the first time the web site is accessed no users will be in any roles and everyone will be locked out!! So I will amend the authorization tag in the web.config to allow the administrator user:

<authorization>
<allow users="Administrator" />
<allow roles="User" />
<allow roles="Admin" />
<deny users="*" />
<deny users="?" />
</authorization>

I have also set the following authorization tag up on the admin page as the following:

<location path="admin.aspx">
<system.web>
<authorization>
<allow users="Administrator" />
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>

This will allow the administrator user to access the site and the admin page to add all the users to the roles the first time the website is used.

1 comment:

Krushna said...

This is really solved my problem.Nice Blog!!