Evjen c12.tex V2 - 01/28/2008 2:25pm Page 597
Chapter 12: Introduction to the Provider Model

                <add name="AspNetSql2005MembershipProvider"
                     type="System.Web.Security.SqlMembershipProvider, System.Web,
                           Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                     connectionStringName="LocalSql2005Server"
                     enablePasswordRetrieval="false"
                     enablePasswordReset="true"
                     requiresQuestionAndAnswer="true"
                     applicationName="/"
                     requiresUniqueEmail="false"
                     passwordFormat="Hashed"
                     maxInvalidPasswordAttempts="5"
                     minRequiredPasswordLength="7"
                     minRequiredNonalphanumericCharacters="1"
                     passwordAttemptWindow="10"
                     passwordStrengthRegularExpression="" />
             </providers>
          </membership>
       </system.web>
    </configuration>

Figure 12-8

With these changes in place, the SQL Server 2005 instance is now one of the providers available for use with your applications. The name of this provider instance is AspNetSql2005MembershipProvider, and it uses the LocalSql2005Server connection string that was defined in Listing 12-1.

Pay attention to one important attribute declaration in Listing 12-2: the provider that the membership system actually uses is selected by the defaultProvider attribute on the <membership> element. That attribute can name one of the built-in providers, a custom provider you have built yourself, or one you have received from a third party. With the code from Listing 12-2 in place, the membership provider works against Microsoft SQL Server 2005 (as shown in this example) instead of the Microsoft SQL Server Express Edition files.

Next, you look at the providers that come built into the ASP.NET 3.5 install, starting with the membership system providers.

Membership Providers

The membership system enables you to easily manage users in your ASP.NET applications.
As with most of the systems provided in ASP.NET, it features a series of server controls that interact with a defined provider to retrieve information from, or record information to, the data store that the provider defines. Because a provider sits between the server controls and the data store, it is fairly trivial to have the controls work against an entirely different backend: you change the underlying provider of the overall system (in this case, the membership system) with a simple configuration change in the ASP.NET application. It makes no difference to the server controls.

As previously stated, ASP.NET 3.5 provides two membership providers out of the box.

❑ System.Web.Security.SqlMembershipProvider: Provides you with the capability to use the membership system to connect to Microsoft SQL Server 2000/2005 as well as to Microsoft SQL Server Express Edition.

❑ System.Web.Security.ActiveDirectoryMembershipProvider: Provides you with the capability to use the membership system to connect to Microsoft Active Directory.

Both of these membership provider classes inherit from the MembershipProvider base class, as illustrated in Figure 12-9. Next, you review each of these providers.

System.Web.Security.SqlMembershipProvider

The default provider is the SqlMembershipProvider instance. You find this default declaration for every ASP.NET application that resides on the application server in the machine.config file, which is found in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG (ASP.NET 3.5 runs on the 2.0 version of the CLR, so its configuration files live in the v2.0.50727 folder). Listing 12-3 shows the definition of this provider, which is located in the machine.config file.
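The listing that follows keeps passwordFormat at its default of Hashed. As an added example (Python; not code from the chapter or from the ASP.NET team), the following script reproduces how SqlMembershipProvider encodes a hashed password in .NET Framework 2.0/3.5 with the default hashAlgorithmType of SHA1: a 16-byte random salt, stored Base64-encoded, is prepended to the UTF-16LE bytes of the password, the result is hashed once, and the digest is stored Base64-encoded. The password, salt and word list below are constructed for the demonstration. The point for a reviewer is twofold: Hashed is the right choice over Clear or Encrypted because the database holds no recoverable password, but the hash is a single fast SHA1, so the lockout and complexity attributes in the provider declaration do the real work against an attacker who has a copy of the table.

```python
"""Reproduce the SqlMembershipProvider passwordFormat="Hashed" encoding.

Added example, not code from the chapter or the ASP.NET team. It mirrors
SqlMembershipProvider.EncodePassword in .NET Framework 2.0/3.5 with the
default hashAlgorithmType (SHA1):

    stored hash = Base64( SHA1( saltBytes || UTF-16LE(password) ) )

where saltBytes are 16 random bytes that the provider stores Base64-encoded
in the aspnet_Membership table next to the hash.
"""
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16  # SqlMembershipProvider.GenerateSalt draws 16 random bytes


def generate_salt():
    """Return a Base64-encoded 16-byte random salt, as the provider stores it."""
    return base64.b64encode(os.urandom(SALT_BYTES)).decode("ascii")


def encode_password(password, salt_b64, algorithm="sha1"):
    """Encode a clear-text password the way passwordFormat="Hashed" does.

    The raw salt bytes are prepended to the UTF-16LE bytes of the password
    and the result is hashed exactly once; there is no iteration count.
    A non-keyed hashAlgorithmType such as SHA256 keeps the same layout.
    """
    salt = base64.b64decode(salt_b64)
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password, salt_b64, stored_hash_b64, algorithm="sha1"):
    """Compare a candidate against a stored hash in constant time."""
    candidate = encode_password(password, salt_b64, algorithm)
    return hmac.compare_digest(candidate, stored_hash_b64)


def offline_guess(stored_hash_b64, salt_b64, candidates, algorithm="sha1"):
    """Return the first candidate that matches the stored hash, else None.

    This is what an attacker holding a copy of the table does: one SHA1
    per guess, so the complexity and lockout settings in the provider
    declaration carry the real defensive weight, not the hash itself.
    """
    for word in candidates:
        if verify_password(word, salt_b64, stored_hash_b64, algorithm):
            return word
    return None


# Constructed demonstration data, not rows from a real aspnet_Membership table.
DEMO_SALT = generate_salt()
DEMO_PASSWORD = "P@ssw0rd"
DEMO_HASH = encode_password(DEMO_PASSWORD, DEMO_SALT)
DEMO_WORDLIST = ["password", "letmein", "Welcome1!", "P@ssw0rd", "Summer2008!"]

if __name__ == "__main__":
    print("PasswordSalt  :", DEMO_SALT)
    print("Password      :", DEMO_HASH)
    print("verify ok     :", verify_password(DEMO_PASSWORD, DEMO_SALT, DEMO_HASH))
    print("verify wrong  :", verify_password("password", DEMO_SALT, DEMO_HASH))
    print("wordlist hit  :", offline_guess(DEMO_HASH, DEMO_SALT, DEMO_WORDLIST))
```

To check the reproduction against a real store, take the PasswordSalt and Password columns of one aspnet_Membership row whose password you know and call verify_password with them; the salt and hash columns are already Base64 strings in the shape the functions expect.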
Listing 12-3: A SqlMembershipProvider instance declaration

    <configuration>
       <system.web>
          <membership>
             <providers>
                <add name="AspNetSqlMembershipProvider"
                     type="System.Web.Security.SqlMembershipProvider, System.Web,
                           Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                     connectionStringName="LocalSqlServer"
                     enablePasswordRetrieval="false"
                     enablePasswordReset="true"
                     requiresQuestionAndAnswer="true"
                     applicationName="/"
                     requiresUniqueEmail="false"
                     passwordFormat="Hashed"
                     maxInvalidPasswordAttempts="5"
                     minRequiredPasswordLength="7"
                     minRequiredNonalphanumericCharacters="1"
                     passwordAttemptWindow="10"
                     passwordStrengthRegularExpression="" />
             </providers>
          </membership>
       </system.web>
    </configuration>

Figure 12-9

From this listing, you can see that a single instance of the SqlMembershipProvider object is defined in the machine.config file. This single instance is named AspNetSqlMembershipProvider. This is also where you find the default behavior settings for your membership system: passwords are stored hashed rather than in clear text (passwordFormat="Hashed"), and because a hashed password cannot be handed back to the user, enablePasswordRetrieval is false while enablePasswordReset is true. The provider refuses to initialize if you combine passwordFormat="Hashed" with enablePasswordRetrieval="true". Account lockout is controlled by maxInvalidPasswordAttempts and passwordAttemptWindow (here, five failed attempts within ten minutes lock the account), and minimum password complexity by minRequiredPasswordLength, minRequiredNonalphanumericCharacters and, optionally, passwordStrengthRegularExpression.

By default, this provider is also configured to work with a SQL Server Express Edition instance rather than a full-blown version of SQL Server such as SQL Server 2000, 2005, or 2008. You can see this by looking at the connectionStringName attribute in the provider declaration from Listing 12-3. In this case, it is set to LocalSqlServer. LocalSqlServer is also defined in the machine.config file, as shown in Listing 12-4.

Listing 12-4: The LocalSqlServer defined instance

    <configuration>
       <connectionStrings>
          <clear />
          <add name="LocalSqlServer"
               connectionString="Data Source=.\SQLEXPRESS;Integrated Security=SSPI;
                                 AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
               providerName="System.Data.SqlClient" />
       </connectionStrings>
    </configuration>

You can see that this connection string points to a local SQL Server Express Edition file (an .mdf file) and authenticates with Windows credentials (Integrated Security=SSPI), so no SQL login password appears in the configuration. Of course, you are not required to work with only these file types for the SqlMembershipProvider capabilities. You can also set it up to work with Microsoft SQL Server 7.0, 2000, 2005, or 2008 (as was previously shown).

System.Web.Security.ActiveDirectoryMembershipProvider

It is also possible for the membership system provided with ASP.NET 3.5 to connect to a Microsoft Active Directory instance or even to Active Directory Application Mode (ADAM), which is a stand-alone directory product. Because the default membership provider is defined in the machine.config file as the SqlMembershipProvider, you must override these settings in your application's web.config file.

Before creating a defined instance of the ActiveDirectoryMembershipProvider in your web.config file, you have to define the connection string to the Active Directory store. This is illustrated in Listing 12-5.

Listing 12-5: Defining the connection string to the Active Directory store

    <configuration>
       <connectionStrings>
          <add name="ADConnectionString"
               connectionString="LDAP://domain.myAdServer.com/CN=Users,DC=domain,DC=testing,DC=com" />
       </connectionStrings>
    </configuration>

With the connection in place, you can create an instance of the ActiveDirectoryMembershipProvider in your web.config file that associates itself with this connection string. This is illustrated in Listing 12-6.
Listing 12-6: Defining the ActiveDirectoryMembershipProvider instance

    <configuration>
       <connectionStrings>
          <add name="ADConnectionString"
               connectionString="LDAP://domain.myAdServer.com/CN=Users,DC=domain,DC=testing,DC=com" />
       </connectionStrings>
       <system.web>
          <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
             <providers>
                <add name="AspNetActiveDirectoryMembershipProvider"
                     type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
                           Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                     connectionStringName="ADConnectionString"
                     connectionUserName="UserWithAppropriateRights"
                     connectionPassword="PasswordForUser"
                     connectionProtection="Secure"
                     enablePasswordReset="true"
                     enableSearchMethods="true"
                     requiresQuestionAndAnswer="true"
                     applicationName="/"
                     description="Default AD connection"
                     requiresUniqueEmail="false"
                     clientSearchTimeout="30"
                     serverSearchTimeout="30"
                     attributeMapPasswordQuestion="department"
                     attributeMapPasswordAnswer="division"
                     attributeMapFailedPasswordAnswerCount="singleIntAttribute"
                     attributeMapFailedPasswordAnswerTime="singleLargeIntAttribute"
                     attributeMapFailedPasswordAnswerLockoutTime="singleLargeIntAttribute"
                     maxInvalidPasswordAttempts="5"
                     passwordAttemptWindow="10"
                     passwordAnswerAttemptLockoutDuration="30"
                     minRequiredPasswordLength="7"
                     minRequiredNonalphanumericCharacters="1"
                     passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
             </providers>
          </membership>
       </system.web>
    </configuration>

Although not all these attributes are required, this list provides you with the available attributes of the ActiveDirectoryMembershipProvider. Note that passwordStrengthRegularExpression is evaluated in addition to minRequiredPasswordLength and minRequiredNonalphanumericCharacters, so a new password must satisfy all three. Two of the attributes deserve a security review before the file is deployed. First, connectionUserName and connectionPassword hold, in clear text, the credentials of the account the provider uses to bind to the directory; encrypt the membership section with protected configuration (for example, aspnet_regiis -pe "system.web/membership" -app "/YourApplication") rather than leaving the password readable by anyone who can open web.config, and grant that account only the directory rights the provider needs. Second, connectionProtection="Secure" (the default) makes the provider connect over SSL or, failing that, with LDAP sign-and-seal, and throw rather than fall back to an unprotected connection; setting it to None sends the bind credentials and every directory query across the network unprotected.
The instance can also be declared in its simplest form, as shown here:

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
       <providers>
          <add name="AspNetActiveDirectoryMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
                     Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="ADConnectionString" />
       </providers>
    </membership>

With no connectionUserName and connectionPassword supplied, the provider binds to the directory using the ASP.NET process identity (or the impersonated identity when impersonation is enabled), so that account must hold the directory rights the provider needs.

Again, with either the SqlMembershipProvider or the ActiveDirectoryMembershipProvider in place, the membership system server controls (such as the Login server control) as well as the membership API, once configured, record and retrieve their information via the provider you have established. That is the power of the provider model that the ASP.NET team has established. You continue to see this power as you learn about the rest of the providers detailed in this chapter.

Role Providers

After a user is logged into the system (possibly using the ASP.NET membership system), the ASP.NET role management system enables you to work with the roles of that user to authorize him or her for particular access to the overall application. The role management system in ASP.NET 3.5, as with the other systems, has a set of providers to store and retrieve role information in an easy manner. This, of course, does not mean that you are bound to one of the three available providers in the role management system. Instead, you can extend one of the established providers or even create your own custom provider.

By default, ASP.NET 3.5 offers three providers for the role management system. These providers are defined in the following list:

❑ System.Web.Security.SqlRoleProvider: Provides you with the capability to use the ASP.NET role management system to connect to Microsoft SQL Server 2000/2005/2008 as well as to Microsoft SQL Server Express Edition.
❑ System.Web.Security.WindowsTokenRoleProvider: Provides you with the capability to connect the ASP.NET role management system to the built-in Windows security group system.

❑ System.Web.Security.AuthorizationStoreRoleProvider: Provides you with the capability to connect the ASP.NET role management system to an Authorization Manager (AzMan) policy store held in an XML file, in Active Directory, or in an Active Directory Application Mode (ADAM) store.

These three classes for role management inherit from the RoleProvider base class. This is illustrated in Figure 12-10.

System.Web.Security.SqlRoleProvider

The role management system in ASP.NET uses SQL Server Express Edition files by default (just as the membership system does). The connection to the SQL Server Express file uses SqlRoleProvider, but you can just as easily configure your SQL Server 7.0, 2000, 2005, or 2008 server to work with the role management system through SqlRoleProvider. The procedure for setting up your full-blown SQL Server is described in the beginning of this chapter.

Figure 12-10

Looking at the SqlRoleProvider instance in the machine.config.comments file, you will notice the syntax defined in Listing 12-7. The machine.config.comments file documents machine.config and shows you the default settings that are baked into the ASP.NET Framework.
Listing 12-7: A SqlRoleProvider instance declaration

    <configuration>
       <system.web>
          <roleManager enabled="false"
                       cacheRolesInCookie="false"
                       cookieName=".ASPXROLES"
                       cookieTimeout="30"
                       cookiePath="/"
                       cookieRequireSSL="false"
                       cookieSlidingExpiration="true"
                       cookieProtection="All"
                       defaultProvider="AspNetSqlRoleProvider"
                       createPersistentCookie="false"
                       maxCachedResults="25">
             <providers>
                <add name="AspNetSqlRoleProvider"
                     connectionStringName="LocalSqlServer"
                     applicationName="/"
                     type="System.Web.Security.SqlRoleProvider, System.Web,
                           Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
             </providers>
          </roleManager>
       </system.web>
    </configuration>

As stated, this is part of the default <roleManager> declaration that is baked into the overall ASP.NET Framework (note again that you can change any of these defaults by making a new declaration in your web.config file). As you can see, role management is disabled by default through the enabled attribute found in the <roleManager> node (it is set to false by default). Also, pay attention to the defaultProvider attribute in the <roleManager> element. In this case, it is set to AspNetSqlRoleProvider. This provider is defined in the same code example.

The cookie attributes govern the optional role cache cookie. With cacheRolesInCookie="true", the roles looked up for a user are written to a cookie named by cookieName so that later requests do not have to query the provider; cookieProtection="All" encrypts and signs that cookie with the machineKey, cookieRequireSSL controls whether the browser may send it over plain HTTP, and cookieTimeout (in minutes) bounds how long a cached set of roles is trusted before the provider is consulted again. Role changes made at the data store are therefore not seen until the cookie expires, and on a web farm every server must share the same machineKey for the cookie to validate.

To connect to the Microsoft SQL Server 2005 instance that was defined earlier (in the membership system examples), you can use the syntax shown in Listing 12-8.
Listing 12-8: Connecting the role management system to SQL Server 2005

    <configuration>
       <connectionStrings>
          <add name="LocalSql2005Server"
               connectionString="Data Source=127.0.0.1;Integrated Security=SSPI" />
       </connectionStrings>
       <system.web>
          <roleManager enabled="true"
                       cacheRolesInCookie="true"
                       cookieName=".ASPXROLES"
                       cookieTimeout="30"
                       cookiePath="/"
                       cookieRequireSSL="false"
                       cookieSlidingExpiration="true"
                       cookieProtection="All"
                       defaultProvider="AspNetSqlRoleProvider"
                       createPersistentCookie="false"
                       maxCachedResults="25">
             <providers>
                <clear />
                <add connectionStringName="LocalSql2005Server"
                     applicationName="/"
                     name="AspNetSqlRoleProvider"
                     type="System.Web.Security.SqlRoleProvider, System.Web,
                           Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
             </providers>
          </roleManager>
       </system.web>
    </configuration>

With this in place, you can now connect to SQL Server 2005. Note that this listing turns on cacheRolesInCookie while leaving cookieRequireSSL="false", so the role cookie travels over plain HTTP; if the application is served over HTTPS, set cookieRequireSSL="true" so that the browser never sends it in the clear. Next is a review of the second provider available to the role management system.

System.Web.Security.WindowsTokenRoleProvider

The Windows operating system has a role system built into it. This Windows security group system is an ideal system to use when you are working with intranet-based applications where you might have all users already in defined roles. This, of course, works best if you have anonymous authentication turned off for your ASP.NET application and you have configured your application to use Windows Authentication. Windows Authentication for ASP.NET applications is discussed in Chapter 21.

Some limitations exist when using WindowsTokenRoleProvider. This is a read-only provider because ASP.NET is not allowed to modify the settings applied in the Windows security group system. This means that not all the methods provided via the RoleProvider abstract class are usable when working with this provider.
From the WindowsTokenRoleProvider class, the only methods you have at your disposal are IsUserInRole and GetRolesForUser; the remaining RoleProvider methods (CreateRole, AddUsersToRoles, GetUsersInRole, and so on) throw a ProviderException, because Windows groups cannot be managed through this provider. To configure your WindowsTokenRoleProvider instance, you use the syntax defined in Listing 12-9.

Listing 12-9: A WindowsTokenRoleProvider instance

    <configuration>
       <system.web>
          <authentication mode="Windows" />
          <roleManager defaultProvider="WindowsProvider"
                       enabled="true"
                       cacheRolesInCookie="false">
             <providers>
                <add name="WindowsProvider"
                     type="System.Web.Security.WindowsTokenRoleProvider" />
             </providers>
          </roleManager>
       </system.web>
    </configuration>

Remember that you have to declare the default provider using the defaultProvider attribute in the <roleManager> element to change the assigned provider from the SqlRoleProvider association.

System.Web.Security.AuthorizationStoreRoleProvider

The final role provider you have available to you from a default install of ASP.NET is AuthorizationStoreRoleProvider. This role provider class allows you to store roles inside an Authorization Manager policy store. These types of stores are also referred to as AzMan stores. As with WindowsTokenRoleProvider, AuthorizationStoreRoleProvider is a bit limited because it is unable to support any AzMan business rules.

To use AuthorizationStoreRoleProvider, you must first make a connection in your web.config file to the XML data store used by AzMan. This is illustrated in Listing 12-10.

Listing 12-10: Making a connection to the AzMan policy store

    <configuration>
       <connectionStrings>
          <add name="MyLocalPolicyStore"
               connectionString="msxml://~\App_Data\datafilename.xml" />
       </connectionStrings>
    </configuration>

Note that when working with these XML-based policy files, it is best to store them in the App_Data folder. ASP.NET refuses browser requests for files under App_Data, so the policy file (which lists your roles and their members) cannot be downloaded through the web site. That protection is enforced by ASP.NET itself and therefore covers only requests that ASP.NET handles; in IIS 6, make sure the file's extension is mapped to ASP.NET or place the store outside the web root, and lock down the NTFS permissions on the file in either case.

After the connection string is in place, the next step is to configure your AuthorizationStoreRoleProvider instance. This takes the syntax defined in Listing 12-11.
Listing 12-11: Defining the AuthorizationStoreRoleProvider instance

    <configuration>
       <connectionStrings>
          <add name="MyLocalPolicyStore"
               connectionString="msxml://~\App_Data\datafilename.xml" />
       </connectionStrings>
       <system.web>
          <authentication mode="Windows" />
          <identity impersonate="true" />
          <roleManager defaultProvider="AuthorizationStoreRoleProvider"
                       enabled="true"
                       cacheRolesInCookie="true"
                       cookieName=".ASPXROLES"
                       cookieTimeout="30"
                       cookiePath="/"
                       cookieRequireSSL="false"
                       cookieSlidingExpiration="true"
                       cookieProtection="All">
             <providers>
                <clear />
                <add name="AuthorizationStoreRoleProvider"
                     type="System.Web.Security.AuthorizationStoreRoleProvider"
                     connectionStringName="MyLocalPolicyStore"
                     applicationName="SampleApplication"
                     cacheRefreshInterval="60"
                     scopeName="" />
             </providers>
          </roleManager>
       </system.web>
    </configuration>

Note the <identity impersonate="true" /> element: with impersonation on, the provider opens the policy store under the authenticated Windows user's identity rather than the ASP.NET worker process identity, so the identity that reaches the store must have read access to the XML file (or to the store in AD or ADAM). The cacheRefreshInterval attribute (in minutes) controls how long the provider's in-memory copy of the policy store is used before it is reloaded, so, as with the role cookie, a change to the store takes effect only after the interval elapses.

Next, this chapter reviews the single personalization provider available in ASP.NET 3.5.

The Personalization Provider

As with the membership system found in ASP.NET, the personalization system (also referred to as the profile system) is another system that is based on the provider model. This system makes associations between the end user viewing the application and any data points stored centrally that are specific to that user. As stated, these personalization properties are stored and maintained on a per-user basis. ASP.NET provides a single provider for data storage. This provider is detailed here:

❑ System.Web.Profile.SqlProfileProvider: Provides you with the capability to use the ASP.NET personalization system to connect to Microsoft SQL Server 2000/2005/2008 as well as to Microsoft SQL Server Express Edition.
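The provider declarations in Listings 12-3, 12-6, 12-7, 12-8 and 12-11 contain the handful of attributes that decide how exposed the application is if web.config, the database or the network is compromised: passwordFormat and enablePasswordRetrieval on SqlMembershipProvider, connectionPassword and connectionProtection on ActiveDirectoryMembershipProvider, SQL login credentials in connectionStrings, and the cookieRequireSSL and cookieProtection settings on <roleManager>. As an added example (Python; not code from the chapter or the ASP.NET team), the following script reads a web.config with the standard library XML parser and reports the weak choices a reviewer looks for. Both configurations it runs against are constructed here: the first combines the chapter's listings with deliberately weak values, the second shows the same application hardened, including a membership section encrypted in place by aspnet_regiis -pe (the real protected-configuration tool; its ciphertext is omitted). The thresholds, such as a minimum password length of 8, are this example's own policy, not ASP.NET defaults; the defaults the script assumes for missing attributes are the ones Listings 12-3 and 12-7 show.

```python
"""Audit membership and role-manager settings in an ASP.NET web.config.

Added example (not from the chapter or the ASP.NET team). Flags the weak
choices a reviewer looks for in Listings 12-3, 12-6, 12-7, 12-8 and 12-11.
Thresholds are this example's own policy; attribute defaults follow the
machine.config values shown in the chapter.
"""
import xml.etree.ElementTree as ET

# Constructed web.config: the chapter's listings with deliberately weak values.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="LocalSql2005Server"
         connectionString="Data Source=127.0.0.1;User ID=sa;Password=Secret1" />
    <add name="ADConnectionString"
         connectionString="LDAP://domain.myAdServer.com/CN=Users,DC=domain,DC=testing,DC=com" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetSql2005MembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="LocalSql2005Server"
             enablePasswordRetrieval="true" passwordFormat="Encrypted"
             maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" />
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
             connectionStringName="ADConnectionString"
             connectionUserName="UserWithAppropriateRights"
             connectionPassword="PasswordForUser" connectionProtection="None" />
      </providers>
    </membership>
    <roleManager enabled="true" cacheRolesInCookie="true" cookieRequireSSL="false"
                 cookieProtection="All" defaultProvider="AspNetSqlRoleProvider" />
  </system.web>
</configuration>
"""

# Same application hardened: Windows authentication to SQL Server, the
# membership section encrypted by "aspnet_regiis -pe system.web/membership"
# (ciphertext omitted in this constructed sample), role cookie HTTPS-only.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="LocalSql2005Server"
         connectionString="Data Source=127.0.0.1;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>ciphertext omitted in this constructed sample</EncryptedData>
    </membership>
    <roleManager enabled="true" cacheRolesInCookie="true" cookieRequireSSL="true"
                 cookieProtection="All" defaultProvider="AspNetSqlRoleProvider" />
  </system.web>
</configuration>
"""


def is_protected(section):
    """True when aspnet_regiis -pe has encrypted the section in place."""
    return section is not None and section.get("configProtectionProvider") is not None


def flag_true(elem, attr, default="false"):
    return elem.get(attr, default).lower() == "true"


def audit(config_xml):
    """Return (section, name, message) findings for weak provider settings."""
    root = ET.fromstring(config_xml)
    findings = []
    cs = root.find("connectionStrings")
    if cs is not None and not is_protected(cs):
        for add in cs.findall("add"):
            if "password=" in add.get("connectionString", "").lower():
                findings.append(("connectionStrings", add.get("name"),
                                 "SQL login password in clear text; use Integrated Security=SSPI "
                                 "or run aspnet_regiis -pe connectionStrings"))
    membership = root.find("system.web/membership")
    if membership is not None and not is_protected(membership):
        for p in membership.findall("providers/add"):
            name, ptype = p.get("name"), p.get("type", "")
            if "SqlMembershipProvider" in ptype:
                fmt = p.get("passwordFormat", "Hashed")  # provider default
                if fmt != "Hashed":
                    findings.append(("membership", name, "passwordFormat=%s: passwords recoverable "
                                     "from the database (Clear) or with the machineKey (Encrypted)" % fmt))
                if flag_true(p, "enablePasswordRetrieval"):
                    findings.append(("membership", name, "enablePasswordRetrieval=true hands stored "
                                     "passwords back; use enablePasswordReset instead"))
                if int(p.get("minRequiredPasswordLength", "7")) < 8:
                    findings.append(("membership", name, "minRequiredPasswordLength below 8"))
            if "ActiveDirectoryMembershipProvider" in ptype:
                if p.get("connectionPassword"):
                    findings.append(("membership", name, "connectionPassword in clear text; run "
                                     "aspnet_regiis -pe system.web/membership"))
                if p.get("connectionProtection", "Secure") != "Secure":
                    findings.append(("membership", name, "connectionProtection=None: LDAP bind and "
                                     "queries cross the network unprotected"))
    rm = root.find("system.web/roleManager")
    if rm is not None and flag_true(rm, "enabled") and flag_true(rm, "cacheRolesInCookie"):
        cookie = rm.get("cookieName", ".ASPXROLES")
        if not flag_true(rm, "cookieRequireSSL"):
            findings.append(("roleManager", cookie, "cookieRequireSSL=false: cached role cookie "
                             "can be captured and replayed over HTTP"))
        if rm.get("cookieProtection", "All") != "All":
            findings.append(("roleManager", cookie, "cookieProtection should be All"))
    return findings


if __name__ == "__main__":
    for section, name, message in audit(WEAK_WEB_CONFIG):
        print("%-17s %-40s %s" % (section, name, message))
    print("hardened findings:", audit(HARDENED_WEB_CONFIG))
```

Run against a real file with audit(open("web.config").read()); sections that aspnet_regiis has already encrypted are skipped, since their attributes are no longer readable in the file and that is the desired end state for the membership and connectionStrings sections.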