Authentication Tasks Made Easier
|Figure 6: Managing users, roles, and permissions is now handled through a Web interface.|
Although managing authentication in ASP.NET has never been terribly difficult, it's always been something that every developer must handle individually, for each application. Realizing that this is a common requirement for every application, Microsoft has created a series of security-related controls in this new version. You'll certainly need to write less code, given the set of template-driven controls you'll find on the Security
tab of the control toolbox. You'll be creating login pages with little or no code.
The new security-related controls utilize classes in the System.Web.Security namespace, and this namespace includes several new classes that make it easier to manage user, password, and role maintenance. These classes can use any data provider to store information about your users, passwords, and roles in just about any data store you wish.
In order to make it easier for developers to manage their sites' users, roles, and permissions, Microsoft includes a Web-based interface that handles all the details for you. Select Website, and then ASP.NET Configuration to display a set of pages, as shown in Figure 6, to manage security. You can store your data in either SQL Server tables or Access/JET MDB files. Use this wizard to set up a new database with all of the necessary tables, and to add, edit, and delete users, roles, and permissions.
The Web Application Administration Wizard creates quite a few tables for you. Figure 7 shows a sample of these tables in an Access database for a sample application. (You'll find this database in the Data folder of an Intranet application you create using the ASP.NET project templates, as well.)
Figure 7: Quite a few membership tables are created for the security system in ASP.NET.
Figure 8: The Login control makes checking user membership quick and easy.
The Login control, shown in Figure 8
, can be dropped onto any Web page. This control uses the .NET Framework's membership classes to check whether the user is authenticatedin other words, if the user is in the aspnet_Users
table in your data store. If the user exists, and the password checks out, an authentication cookie is issued so ASP.NET knows the user has been authenticated. Like many of the new controls, the Login control supports templates, so that you can change just about every aspect of its appearance on the page. In Figure 8
, we selected one of the supplied auto-formats.