8. Authentication and Authorization - ASP.NET Web Forms
DESCRIPTION
This is the Authentication and Authorization presentation of the free ASP.NET Web Forms Course at Telerik Academy. Telerik Software Academy: http://aspnetcourse.telerik.com. The website and all video materials are in Bulgarian. Table of contents: Basic Principles; Authentication Types; Users & Roles; Membership and Providers; Login / Logout Controls; Authentication; Authorization. ASP.NET Web Forms Course @ Telerik Academy http://aspnetcourse.telerik.com
TRANSCRIPT
Authentication & Authorization
Forms Authentication, Users, Roles, Membership
Ventsislav Popov
Telerik Software Academy, academy.telerik.com
Software Developer, www.ventsypopov.com/
aspnetcourse.telerik.com
Table of Contents
1. Basic principles
2. Authentication Types
   Windows Authentication
   Forms Authentication
   Passport Authentication
3. Users & Roles
4. Membership and Providers
5. Login / Logout Controls
Basics
Authentication
The process of verifying the identity of a user or computer
Questions: Who are you? How do you prove it?
Credentials can be a password, a smart card, etc.
Authorization
The process of determining what a user is permitted to do on a computer or network
Question: What are you allowed to do?
Windows and Forms Authentication in ASP.NET
Authentication Types in ASP.NET
Windows Authentication: uses Active Directory / Windows accounts
Forms Authentication: uses traditional login / logout pages
Code associated with a Web form handles user authentication by username / password
Users are usually stored in a database
Passport Authentication: uses Microsoft's Passport service
Windows Authentication
In Windows Authentication mode the Web application uses the same security scheme that applies to your Windows network
Network resources and Web applications use the same user names, passwords and permissions
It is the default authentication when a new Web site is created
Windows Authentication (2)
The user is authenticated with his username and password using the Windows NTLM or Kerberos authentication protocol
When a user is authorized, the application executes using the permissions associated with the Windows account
The user's session ends when the browser is closed or when the session times out
Windows Authentication (3)
Users who are logged on to the network are automatically authenticated and can access the Web application
To set the authentication to Windows add to the Web.config:
    <authentication mode="Windows" />
To deny anonymous users add:
    <authorization>
      <deny users="?" />
    </authorization>
Windows Authentication (4)
The Web server should have NTLM enabled:
HTTP request:
    GET /Default.aspx HTTP/1.1
    …
HTTP response:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
HTTP request:
    GET /Default.aspx HTTP/1.1
    Authorization: NTLM tESsB/yNY3lb6a0L6vVQEZNqwQn0sqZ…
HTTP response:
    HTTP/1.1 200 OK
    …
    <html> … </html>
Windows Authentication
Live Demo
Forms Authentication
Forms Authentication uses a Web form to collect login credentials (username / password)
Users are authenticated by the C# code behind the Web form
User accounts can be stored in the Web.config file or in a separate user database
Users are local for the Web application, not part of Windows or Active Directory
Forms Authentication (2)
Enabling forms authentication:
Set the authentication mode in the Web.config to "Forms":
    <authentication mode="Forms" />
Create a login ASPX page
Create a file or database to store the user credentials (username, password, etc.)
Write code to authenticate the users against the users file or database
Configuring Authorization in Web.config
To deny someone's access add <deny users="…"> in the <authorization> tag
To allow someone's access add <allow users="…"> in the <authorization> tag
<deny users="?" /> denies anonymous access
<deny users="*" /> denies access to all users
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
Configuring Authorization in Web.config (2)
Specifying authorization rules in Web.config:
    <location path="RegisterUser.aspx">
      <system.web>
        <authorization>
          <allow roles="admin" />
          <allow users="Pesho,Gosho" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
The allow/deny rules are evaluated in order and the first match stops the authorization process. Example: if a user is authenticated as Pesho, the <allow users="Pesho,Gosho" /> rule matches first, so the <deny users="*" /> tag is not processed
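The first-match evaluation described above, modelled in C# as an added example (not the course's code, and a simplification of ASP.NET's UrlAuthorizationModule, which also matches HTTP verbs): the slide's three rules are applied to Pesho, to a constructed user Ivan who is only in the "admin" role, to a constructed authenticated user Maria who is not listed, and to an anonymous visitor, and then again with <deny users="*" /> moved to the top.

```csharp
// Added example: simplified model of <authorization> rule evaluation.
// "?" matches anonymous users, "*" matches everyone; no match = allowed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class AuthRule
{
    public bool Allow;                          // true = <allow>, false = <deny>
    public string[] Users = new string[0];      // users="..." split on commas
    public string[] Roles = new string[0];      // roles="..." split on commas
}

public sealed class Principal
{
    public string Name;                         // null/empty = anonymous
    public string[] Roles = new string[0];
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }
}

public static class AuthorizationDemo
{
    public static bool IsAllowed(IList<AuthRule> rules, Principal user)
    {
        foreach (AuthRule rule in rules)
        {
            bool userMatch = rule.Users.Any(u =>
                u == "*" ||
                (u == "?" && !user.IsAuthenticated) ||
                (user.IsAuthenticated &&
                 string.Equals(u, user.Name, StringComparison.OrdinalIgnoreCase)));
            bool roleMatch = rule.Roles.Any(r =>
                user.Roles.Contains(r, StringComparer.OrdinalIgnoreCase));

            if (userMatch || roleMatch)
                return rule.Allow;              // first match wins; stop here
        }
        return true;   // no rule matched: ASP.NET's default is to allow access
    }

    public static void Main()
    {
        // The RegisterUser.aspx rules from the slide, in the order written there.
        var rules = new List<AuthRule>
        {
            new AuthRule { Allow = true,  Roles = new[] { "admin" } },
            new AuthRule { Allow = true,  Users = new[] { "Pesho", "Gosho" } },
            new AuthRule { Allow = false, Users = new[] { "*" } }
        };
        // Constructed users: listed by name, by role only, unlisted, anonymous.
        var users = new[]
        {
            new Principal { Name = "Pesho" },
            new Principal { Name = "Ivan", Roles = new[] { "admin" } },
            new Principal { Name = "Maria" },
            new Principal()
        };
        foreach (Principal u in users)
            Console.WriteLine("{0,-7} {1}", u.Name ?? "(anon)", IsAllowed(rules, u));

        // With <deny users="*"/> moved to the top it matches every user before
        // the allow rules are reached, so even Pesho is refused.
        var denyFirst = new List<AuthRule> { rules[2], rules[0], rules[1] };
        Console.WriteLine("Pesho, deny first: " + IsAllowed(denyFirst, users[0]));
    }
}
```

Because an unmatched request is allowed, a <location> section that lists only <allow> rules protects nothing; the closing <deny users="*" /> is what actually restricts the page.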
Implementing Login / Logout
Logging-in using credentials from Web.config:
    if (FormsAuthentication.Authenticate(username, passwd))
    {
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
    else
    {
        lblError.Text = "Invalid login!";
    }
This method creates a cookie (or hidden field) holding the authentication ticket.
Logging-out the currently logged user:
    FormsAuthentication.SignOut();
Displaying the currently logged user:
    lblInfo.Text = "User: " + Page.User.Identity.Name;
Forms Authentication
Live Demo
ASP.NET Users and Roles
Membership Provider and Roles Provider
Users, Roles and Authentication
A user is a client with a Web browser running a session with the Web application
Users can authenticate (login) in the Web application
Once a user is logged-in, a set of roles and permissions are assigned to him
Authorization in ASP.NET is based on users and roles
Authorization rules specify what permissions each user / role has
ASP.NET Membership
Simplifies common authentication and user management tasks: CreateUser(), DeleteUser(), GeneratePassword(), ValidateUser(), …
Can store user credentials in a database / file / etc.
Registering a Membership Provider
Adding a membership provider to the Web.config:
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <add name="MyMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="UsersConnectionString"
             applicationName="/MyApp"
             minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="1"
             requiresQuestionAndAnswer="true"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="false" />
      </providers>
    </membership>
Roles in ASP.NET
Roles in ASP.NET allow assigning permissions to a group of users
E.g. the "Admins" role could have more privileges than the "Guests" role
A user account can be assigned to multiple roles at the same time
E.g. user "Peter" can be a member of the "Admins" and "TrustedUsers" roles
Permissions can be granted to multiple users sharing the same role
ASP.NET Role Providers
Role providers in ASP.NET simplify common authorization and role management tasks: CreateRole(), IsUserInRole(), GetAllRoles(), GetRolesForUser(), …
Can store user credentials in a database / file / etc.
Registering a Role Provider
To register a role provider in ASP.NET 4.0 add the following to the Web.config (attribute names are case-sensitive, so it is defaultProvider, not DefaultProvider):
    <roleManager enabled="true" defaultProvider="MyRoleProvider">
      <providers>
        <add name="MyRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="UsersConnectionString" />
      </providers>
    </roleManager>

    <connectionStrings>
      <add name="UsersConnectionString"
           connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=Users;Integrated Security=True"
           providerName="System.Data.SqlClient" />
    </connectionStrings>
The SQL Registration Tool: aspnet_regsql
The built-in classes System.Web.Security.SqlMembershipProvider and System.Web.Security.SqlRoleProvider use a set of standard tables in the SQL Server
They can be created by the ASP.NET SQL Server Registration tool (aspnet_regsql.exe)
The aspnet_regsql.exe utility is installed as part of ASP.NET 4.0:
    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
The Standard ASP.NET Applications Database Schema
aspnet_Applications (Column Name, Data Type):
    ApplicationName          nvarchar(256)
    LoweredApplicationName   nvarchar(256)
    ApplicationId            uniqueidentifier
    Description              nvarchar(256)
aspnet_Membership (Column Name, Data Type):
    ApplicationId            uniqueidentifier
    UserId                   uniqueidentifier
    Password                 nvarchar(128)
    PasswordFormat           int
    PasswordSalt             nvarchar(128)
    MobilePIN                nvarchar(16)
    Email                    nvarchar(256)
    LoweredEmail             nvarchar(256)
    PasswordQuestion         nvarchar(256)
    PasswordAnswer           nvarchar(128)
    IsApproved               bit
    IsLockedOut              bit
    CreateDate               datetime
    LastLoginDate            datetime
    LastPasswordChange...    datetime
    LastLockoutDate          datetime
    FailedPasswordAttem...   int
    FailedPasswordAttem...   datetime
    FailedPasswordAnswe...   int
    FailedPasswordAnswe...   datetime
    Comment                  ntext
aspnet_Profile (Column Name, Data Type):
    UserId                   uniqueidentifier
    PropertyNames            ntext
    PropertyValuesString     ntext
    PropertyValuesBinary     image
    LastUpdatedDate          datetime
aspnet_Roles (Column Name, Data Type):
    ApplicationId            uniqueidentifier
    RoleId                   uniqueidentifier
    RoleName                 nvarchar(256)
    LoweredRoleName          nvarchar(256)
    Description              nvarchar(256)
aspnet_Users (Column Name, Data Type):
    ApplicationId            uniqueidentifier
    UserId                   uniqueidentifier
    UserName                 nvarchar(256)
    LoweredUserName          nvarchar(256)
    MobileAlias              nvarchar(16)
    IsAnonymous              bit
    LastActivityDate         datetime
aspnet_UsersInRoles (Column Name, Data Type):
    UserId                   uniqueidentifier
    RoleId                   uniqueidentifier
aspnet_regsql.exe
Live Demo
ASP.NET Membership API
Implementing login:
    if (Membership.ValidateUser(username, password))
    {
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
Implementing logout:
    FormsAuthentication.SignOut();
Creating a new user:
    Membership.CreateUser(username, password);
ASP.NET Membership API (2)
Getting the currently logged user:
    MembershipUser currentUser = Membership.GetUser();
Creating a new role:
    Roles.CreateRole("Admins");
Adding a user to an existing role:
    Roles.AddUserToRole("admin", "Admins");
Deleting a user / role:
    Membership.DeleteUser("admin", true);
    Roles.DeleteRole("Admins");
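An added example (not the course's code) that fills in what the one-line snippets on the last two slides leave out: a locked-out account, the status CreateUser reports, and a role that may already exist. It assumes the provider configuration from the "Registering a Membership Provider" slide; the control names txtUser, txtPass, txtEmail, txtQuestion, txtAnswer and lblMessage and the "Users" role are made up for the example.

```csharp
// Added example, not the course's code; control names are made up.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox txtUser, txtPass, txtEmail, txtQuestion, txtAnswer;
    protected Label lblMessage;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string username = txtUser.Text.Trim();
        // SqlMembershipProvider locks the account after maxInvalidPasswordAttempts
        // failures inside passwordAttemptWindow; ValidateUser then only returns
        // false, so IsLockedOut is checked to report the real reason.
        MembershipUser user = Membership.GetUser(username);
        if (user != null && user.IsLockedOut)
        {
            lblMessage.Text = "This account is locked. Contact an administrator.";
            return;
        }
        if (Membership.ValidateUser(username, txtPass.Text))
        {
            // Issues the forms authentication ticket and redirects to the
            // ReturnUrl or the default page; false = non-persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(username, false);
        }
        else
        {
            // Same text for unknown user and wrong password, so the form
            // does not reveal which usernames exist.
            lblMessage.Text = "Invalid login!";
        }
    }

    protected void btnRegister_Click(object sender, EventArgs e)
    {
        // The slide's provider has requiresQuestionAndAnswer="true", so the
        // two-argument CreateUser would fail; this overload takes question
        // and answer and reports a status instead of throwing.
        MembershipCreateStatus status;
        MembershipUser created = Membership.CreateUser(
            txtUser.Text.Trim(), txtPass.Text, txtEmail.Text.Trim(),
            txtQuestion.Text, txtAnswer.Text, true, out status);
        if (status != MembershipCreateStatus.Success)
        {
            // e.g. DuplicateUserName, or InvalidPassword from the provider's
            // minRequiredPasswordLength / minRequiredNonalphanumericCharacters
            lblMessage.Text = "Registration failed: " + status;
            return;
        }
        EnsureRole("Users");
        Roles.AddUserToRole(created.UserName, "Users");
        lblMessage.Text = "Account created.";
    }

    // Roles.CreateRole throws if the role already exists, so check first.
    private static void EnsureRole(string roleName)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
    }
}
```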
Membership Provider
Live Demo
ASP.NET Web Site Administration Tool
Designed to manage your Web site configuration
Simple interface
Can create and manage users, roles and providers
Can manage application configuration settings
Accessible from Visual Studio: [Project] menu, [ASP.NET Configuration]
Visual Studio Web Site Administration Tool
Live Demo
Built-in Login Control
The Login Control
The Login control provides the necessary interface through which a user can enter their username and password
The control uses the membership provider specified in the Web.config file
Adding the login control to the page:
    <asp:Login id="MyLogin" runat="server" />
The Login Control (2)
The LoginName and LoginStatus Controls
Once a user has logged in we can display his username just by adding the LoginName control to the page:
    <asp:LoginName id="lnUser" runat="server" />
The LoginStatus control allows the user to log in or log out of the application:
    <asp:LoginStatus id="lsUser" runat="server" />
The LoginName and LoginStatus Controls
The LoginView Control
Shows customized information to users through templates, based on their roles
By default there are AnonymousTemplate and LoggedInTemplate
New custom templates can be added
To add the control to the page use:
    <asp:LoginView id="MyLoginView" runat="server">
    </asp:LoginView>
The CreateUserWizard Control
It is used to create new accounts
It works with the membership provider class
Offers many customizable features
Can quickly be added to a page and used with:
    <asp:CreateUserWizard id="NewUserWiz" runat="server">
    </asp:CreateUserWizard>
The CreateUserWizard Control (2)
The PasswordRecovery Control
It is used to retrieve passwords
The user is first prompted to enter a username
Once users enter valid user names, they must answer their secret questions
The password is sent via e-mail
To add this control use:
    <asp:PasswordRecovery id="prForgotPass" runat="server">
    </asp:PasswordRecovery>
The ChangePassword Control
Allows users to change their passwords
It uses the membership provider specified in the Web.config
Can be added to any page with the following tag:
    <asp:ChangePassword id="cpChangePass" runat="server" />
The ChangePassword Control
Questions?
Authentication & Authorization
http://academy.telerik.com
Free Trainings @ Telerik Academy
ASP.NET Web Forms Course: aspnetcourse.telerik.com
Telerik Software Academy: academy.telerik.com
Telerik Academy @ Facebook: facebook.com/TelerikAcademy
Telerik Software Academy Forums: forums.academy.telerik.com