
ASP.NET 2.0 Security


The LoginView Control

Another useful Login control is the LoginView control. This control allows you to customize information that will be shown to users through templates, based on their roles. For instance, you may decide that Administrators are able to see a complete department list once they enter the application, but that someone who belongs to a specific department -- let's say it's Engineering -- only sees information that relates to the company and the Engineering department. You can also use the LoginView control to display customized information based on users' login status. For instance, if an anonymous user visits your site, you might want to alert them that the site is intended for registered users, and perhaps let them know that they can click the New User link to register. Alternatively, you may want to alert logged-in users that they don't need to log in again. You might even show them a "welcome back" message, complete with their name, using the LoginName control discussed earlier.

To use the LoginView control, you would simply add the control to the page using the following syntax:

<asp:LoginView id="lvDorknozzle" runat="server">  
</asp:LoginView>

Of course, without the use of templates, the control is fairly useless. In this case, we'll make sure that anonymous users are told to register by clicking the New User link, and that logged-in users see a notification that they've already been logged in. Add the following LoggedInTemplate and AnonymousTemplate child tags to the LoginView parent tag:

<asp:LoginView id="lvDorknozzle" runat="server">  
 <LoggedInTemplate>  
   Welcome <asp:LoginName id="lnUser" runat="server"/>  
 </LoggedInTemplate>  
 <AnonymousTemplate>  
   Welcome to the Dorknozzle site!<br />  
   Please click on the New User link to register on our site.  
 </AnonymousTemplate>  
</asp:LoginView>

Now, when users visit the login.aspx page for the first time, they are considered anonymous and are presented with a welcome message similar to the one shown here.


You could configure the LoginView control further by displaying customized messages depending on users' roles. For instance, I could add a RoleGroups tag within the LoginView tag, and inside it a RoleGroup control whose Roles attribute names the role the content applies to:

<asp:LoginView ID="lvDorknozzle" Runat="server">  
 <RoleGroups>  
   <asp:RoleGroup Roles="Engineering">  
     <ContentTemplate>  
       You are a member of the Engineering department.  
     </ContentTemplate>  
   </asp:RoleGroup>  
 </RoleGroups>  
 <LoggedInTemplate>  
   Welcome <asp:LoginName ID="lnUser" Runat="server" />  
 </LoggedInTemplate>  
 <AnonymousTemplate>  
   Welcome to the Dorknozzle site!<br />  
   Please click on the New User link to register on our site.  
 </AnonymousTemplate>  
</asp:LoginView>

The CreateUserWizard Control

Chances are that if you went through the process of creating new users via the Web Site Administration Tool, you've already used the CreateUserWizard control and may not even have known it. The CreateUserWizard control simply allows a new user to add themselves (or register) to your Web application. This powerful tag offers many customizable features, but can quickly be added to and used in your site via the following tag:

<asp:CreateUserWizard id="NewUserWiz" runat="server">  
</asp:CreateUserWizard>

In the browser, the page renders similar to that shown below.


Of course, the true power of the CreateUserWizard control lies in its flexibility. The control offers seven templates (HeaderTemplate, SideBarTemplate, StartNavigationTemplate, StepNavigationTemplate, FinishNavigationTemplate, Sign Up For a New Account Template, and a Complete Template) that can be customized according to your needs. Even better, the CreateUserWizard control allows you to automatically send an email to newly registered users simply by adding the MailDefinition tag as follows:

<asp:CreateUserWizard id="CreateUserWizard1" runat="server">  
 <MailDefinition  
   BodyFileName="NewUserEmail.txt"  
   From="welcome@dorknozzle.com"  
   Subject="Welcome to the Dorknozzle site!"/>  
</asp:CreateUserWizard>

Once a new user is added to the site, an email is sent to that user. That email, defined within a text file, is loaded via the BodyFileName property, as shown in the code above. Variables can be customized simply with the addition of special expressions, such as <% UserName %>, to the text file.

Finally, in order for the email to be relayed, the SMTP server must be specified in the <mailSettings> section of the Web.config file (MailDefinition sends through System.Net.Mail, which reads its server settings from <system.net>, not from <system.web>):

<configuration>
 <system.web>
   <authentication mode="Forms"/>
 </system.web>
 <system.net>
   <mailSettings>
     <smtp>
       <network host="localhost"/>
     </smtp>
   </mailSettings>
 </system.net>
</configuration>

The PasswordRecovery Control

As an administrator of a Web application, the last things you want to do are answer phone calls and respond to emails from people who have forgotten their passwords. The PasswordRecovery control can ease this burden. By default, you can add the following tag, which allows users to enter their user names and answer their secret questions. In turn, an email message containing each user's password is generated and sent:

<asp:PasswordRecovery id="prForgotPass" runat="server"> </asp:PasswordRecovery>

In the browser, the PasswordRecovery control renders like so:


Once users enter valid user names, they must answer their secret questions. In the browser, the page looks like that shown below.


Similar to the CreateUserWizard control, the mail formatting is handled within the MailDefinition tag:

<asp:PasswordRecovery id="prForgotPass" runat="server">  
 <MailDefinition  
   BodyFileName="forgotpassword.txt"  
   From="helpdesk@dorknozzle.com"  
   Subject="Word has it, you forgot your password?"/>  
</asp:PasswordRecovery>

If everything is formatted correctly, the email will be sent and a message will appear to the user similar to this:


The ChangePassword Control

Finally, the ChangePassword control, as you might expect, allows users to change their passwords. The ChangePassword control can be added to any page with the following tag:

<asp:ChangePassword id="cpChangePass" runat="server"/>

In the browser, the control renders similar to this:


Like the CreateUserWizard and PasswordRecovery controls, the ChangePassword control can be configured, via the MailDefinition tag, to send a confirmation email to users once they've successfully changed their passwords. Unlike the CreateUserWizard and PasswordRecovery controls, however, the ChangePassword control requires that users are logged in before they can change their passwords.

The Membership API

In certain instances when working with security, you'll need more flexibility than is provided by either the Web Site Administration Tool or the Login controls. In this case, you'll want to work directly with the Membership API. Exposed through the Membership class, the Membership API allows you to programmatically create users, change passwords, and search for users based on specific criteria. For the most part, the Login controls we've seen so far use the methods exposed by the Membership class anyway; your ability to call these directly from code is an added bonus. The following methods exposed by the Membership class are the ones you may find yourself using most often:

  • CreateUser - Allows you to create new users
  • DeleteUser - Allows you to delete existing users
  • FindUsersByEmail - Allows you to retrieve a set of users that match an email address
  • FindUsersByName - Allows you to retrieve a set of users that match a certain username
  • GeneratePassword - Allows you to generate a random password
  • GetAllUsers - Allows you to retrieve all users stored in the Membership Provider
  • GetNumberOfUsersOnline - Allows you to return the number of users currently logged on
  • GetUser - Allows you to retrieve the membership information associated with the current or supplied user
  • GetUsernameByEmail - Allows you to retrieve a username for a user with a certain email address
  • UpdateUser - Allows you to update a particular user's information
  • ValidateUser - Allows you to authenticate a user against the Membership Provider

To demonstrate the flexibility of these methods, I'll add some text and a Label control to my index.aspx as follows:

Number of Users Online:  
<asp:Label id="lblNumUsersOnline" runat="server"/>

In my code-behind, I'll add some code that accesses the number of users online:

Sub Page_Load(s As Object, e As EventArgs) Handles MyBase.Load  
 lblNumUsersOnline.Text = _  
   Membership.GetNumberOfUsersOnline().ToString()  
End Sub

I could also add a GridView control to the page like so:

<asp:GridView id="gvUsers" runat="server" AutoGenerateColumns="False">  
 <Columns>  
   <asp:BoundField HeaderText="Username" DataField="Username" />  
   <asp:BoundField HeaderText="Is Online?" DataField="IsOnline" />  
   <asp:BoundField HeaderText="Is Approved?" DataField="IsApproved" />  
   <asp:BoundField HeaderText="Email" DataField="Email" />  
 </Columns>  
</asp:GridView>

In the code-behind, I could add the following to my Page_Load event handler to fill the grid:

gvUsers.DataSource = Membership.GetAllUsers()
gvUsers.DataBind()
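The following code-behind is an added example, not code from the article: it calls the Membership API directly for the registration step that CreateUserWizard normally handles, and it also checks the provider settings that decide what the PasswordRecovery control discussed earlier will actually email. The control IDs (txtUser, txtPass, txtEmail, txtQuestion, txtAnswer, btnRegister, lblStatus) and the class name Register are assumed.

```vbnet
' Added example, not from the article: a registration page code-behind that
' calls the Membership API directly instead of using CreateUserWizard.
' Control IDs (txtUser, txtPass, txtEmail, txtQuestion, txtAnswer,
' btnRegister, lblStatus) are assumed to exist on the .aspx page.
Imports System.Web.Security

Partial Class Register
    Inherits System.Web.UI.Page

    ' CreateUser reports the outcome through a MembershipCreateStatus value
    ' rather than an exception, so every case has to be handled explicitly.
    Protected Sub btnRegister_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnRegister.Click
        Dim status As MembershipCreateStatus
        Dim newUser As MembershipUser = Membership.CreateUser( _
            txtUser.Text, txtPass.Text, txtEmail.Text, _
            txtQuestion.Text, txtAnswer.Text, True, status)

        Select Case status
            Case MembershipCreateStatus.Success
                ' Same outcome as CreateUserWizard's default: log the new user in
                FormsAuthentication.RedirectFromLoginPage(newUser.UserName, False)
            Case MembershipCreateStatus.InvalidPassword
                lblStatus.Text = String.Format( _
                    "Passwords must be at least {0} characters long.", _
                    Membership.MinRequiredPasswordLength)
            Case MembershipCreateStatus.DuplicateUserName, _
                 MembershipCreateStatus.DuplicateEmail
                ' One message for both cases, so the page does not confirm
                ' which user names or email addresses are already registered
                lblStatus.Text = "That account could not be created. " & _
                                 "Please choose a different user name or email."
            Case Else
                lblStatus.Text = "Registration failed: " & status.ToString()
        End Select
    End Sub

    ' Relevant to the PasswordRecovery control: it can only email the stored
    ' password when the provider allows retrieval and does not hash passwords.
    ' With passwordFormat="Hashed" (the SqlMembershipProvider default) it
    ' emails a newly generated password instead, which is the setting to keep.
    Public Shared Function MailsStoredPassword() As Boolean
        Dim p As MembershipProvider = Membership.Provider
        Return p.EnablePasswordRetrieval AndAlso _
               p.PasswordFormat <> MembershipPasswordFormat.Hashed
    End Function
End Class
```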

The output renders in the browser similar to the below.


Conclusion

ASP.NET 2.0 builds on an already feature-rich framework by adding enhanced security features.

In this article, we focused on the new Provider Model exposed by the .NET Framework 2.0. Next, we looked at the suite of Login controls that you can take advantage of when building your Web applications. Finally, we looked at the Membership API and the methods exposed by the Membership class. Whether you use some or all of the security features offered within the newest release of ASP.NET is up to you, but I, for one, think there's a great deal to be excited about in ASP.NET 2.0.
