CHAPTER 27 Using ASP.NET Membership

            <ContentTemplate>
            <h1>Welcome Administrator!</h1>
            </ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
    <LoggedInTemplate>
    <h1>Welcome Average User!</h1>
    </LoggedInTemplate>
    </asp:LoginView>
    </div>
    </form>
</body>
</html>

If you request the page in Listing 27.31 after enabling the WindowsTokenRoleProvider, you see the content displayed by the LoginView control only when you are a member of the Windows Administrators group.

Configuring the AuthorizationStoreRoleProvider

Authorization Manager (AzMan) is a component of Windows Server 2003 and Windows Server 2008. You can use Authorization Manager to define roles, tasks, and operations. Authorization Manager supports more features than the authorization framework included in ASP.NET Framework. For example, Authorization Manager supports role inheritance, which enables you to easily define new roles based on existing roles.

Authorization Manager can store role information in three different ways. You can create an authorization store by using an XML file, by using Active Directory, or by using Active Directory Lightweight Directory Services (AD LDS).

Before you use Authorization Manager with the ASP.NET Framework, you need to create an authorization store. Role information is stored in an XML file local to the application. Follow these steps:

1. Launch Authorization Manager by executing the command AzMan.msc from a command prompt (see Figure 27.15).
2. Switch Authorization Manager into Developer mode by selecting Action, Options and selecting Developer mode.
3. Open the New Authorization Store dialog box by selecting Action, New Authorization Store.
4. Select the XML file option and enter the path to your application’s App_Data folder for the Store Name field. For example: c:\Websites\MyWebsite\App_Data\WebRoles.xml
5. Create a new Authorization Manager application by right-clicking the name of your authorization store and selecting New Application. Enter the name WebRoles for your application (you can leave the other fields blank).

FIGURE 27.15 Using Authorization Manager.

After you complete these steps, a new XML file is added to your application. This XML file contains the authorization store.

Next, you need to configure the ASP.NET Role Manager to use the authorization store. The web configuration file in Listing 27.32 uses the WebRoles.xml authorization store.

LISTING 27.32 Web.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="AZConnection" connectionString="msxml://~/App_Data/WebRoles.xml"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="MyRoleProvider">
      <providers>
        <add name="MyRoleProvider"
          type="System.Web.Security.AuthorizationStoreRoleProvider"
          connectionStringName="AZConnection"
          applicationName="WebRoles" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

FIGURE 27.16 Creating a new role definition with Authorization Manager.

You should notice a couple of things about the configuration file in Listing 27.32. First, notice that the connection string uses the prefix msxml: to indicate that the connection string represents a connection to an XML file. Second, notice that the AuthorizationStoreRoleProvider includes an applicationName attribute. This attribute must contain the name of the Authorization Manager application that you created in the preceding steps.

After you complete these configuration steps, you can use the Authorization Manager just as you do the default SqlMembershipProvider. You can define new roles by using either the Web Site Administration Tool or the Authorization Manager interface (see Figure 27.16).
Caching Roles in a Browser Cookie

To improve your application’s performance, you can cache user roles in a browser cookie. That way, the Role Manager does not have to perform a query against the Role provider each and every time a user visits a page.

Caching roles in cookies is disabled by default. You can enable this feature with the web configuration file in Listing 27.33.

LISTING 27.33 Web.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <roleManager
      enabled="true"
      cacheRolesInCookie="true"
      createPersistentCookie="true" />
  </system.web>
</configuration>

The web configuration in Listing 27.33 enables role caching. Furthermore, it causes the roles to be cached in a persistent cookie rather than a session cookie.

WARNING

When you cache roles in a cookie, there is the potential that a user’s cached roles can become out of sync with a user’s actual roles. If you update users’ roles on the server, they don’t get updated on the browser. You can call the Roles.DeleteCookie() method to delete the cached cookies.

You can set a number of attributes related to the roles cookie:

• cacheRolesInCookie—Enables you to cache user roles in a browser cookie (the default value is false).
• cookieName—Enables you to specify the name for the roles cookie (the default value is .ASPXROLES).
• cookiePath—Enables you to specify the path associated with the cookie (the default value is /).
• cookieProtection—Enables you to encrypt and validate the roles cookie. Possible values are All, Encryption, None, and Validation (the default value is All).
• cookieRequireSSL—Enables you to require that the roles cookie be transmitted over a Secure Sockets Layer connection (the default value is False).
• cookieSlidingExpiration—Enables you to prevent a cookie from expiring just as long as a user continues to request pages (the default value is True).
• cookieTimeout—Enables you to specify the amount of time in minutes before a cookie times out (the default value is 30).
• createPersistentCookie—Enables you to create a persistent rather than a session cookie (the default value is False).
• domain—Enables you to specify the domain associated with the cookie (the default value is an empty string).
• maxCachedResults—Enables you to specify the maximum number of roles that are cached in a cookie (the default is 25).

Using the Roles Application Programming Interface

The Roles class exposes the main application programming interface for manipulating roles. If you need to create roles programmatically, delete roles, or assign users to roles, you use the methods of the Roles class. The Roles class includes the following methods:

• AddUsersToRole—Enables you to add an array of users to a role.
• AddUsersToRoles—Enables you to add an array of users to an array of roles.
• AddUserToRole—Enables you to add a user to a role.
• AddUserToRoles—Enables you to add a user to an array of roles.
• CreateRole—Enables you to create a new role.
• DeleteCookie—Enables you to delete the roles cookie.
• DeleteRole—Enables you to delete a particular role.
• FindUsersInRole—Enables you to return a list of the users in a role who match a particular username.
• GetAllRoles—Enables you to retrieve a list of all roles.
• GetRolesForUser—Enables you to get a list of all roles to which a user belongs.
• GetUsersInRole—Enables you to get a list of users in a particular role.
• IsUserInRole—Enables you to determine whether a particular user is a member of a particular role.
• RemoveUserFromRole—Enables you to remove a particular user from a particular role.
• RemoveUserFromRoles—Enables you to remove a particular user from an array of roles.
• RemoveUsersFromRole—Enables you to remove an array of users from a particular role.
• RemoveUsersFromRoles—Enables you to remove an array of users from an array of roles.
• RoleExists—Enables you to determine whether a particular role exists.

The page in Listing 27.34 illustrates how you can use the methods of the Roles class. The Page_Load() method creates two roles named Sales and Managers (if they don’t already exist). Next, it assigns the current user to both roles. The body of the page contains a GridView that displays all the roles to which the current user belongs (see Figure 27.17).

FIGURE 27.17 Displaying a user’s roles.

LISTING 27.34 ShowRoles.aspx

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

    void Page_Load()
    {
        // If user is not authenticated, redirect to Login page
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }

        // Create two roles
        if (!Roles.RoleExists("Managers"))
            Roles.CreateRole("Managers");
        if (!Roles.RoleExists("Sales"))
            Roles.CreateRole("Sales");

        // Add current user to both roles
        if (!Roles.IsUserInRole("Managers"))
            Roles.AddUserToRole(User.Identity.Name, "Managers");
        if (!Roles.IsUserInRole("Sales"))
            Roles.AddUserToRole(User.Identity.Name, "Sales");
    }

</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Show Roles</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

    <h1>Your Roles</h1>

    <asp:GridView
        id="grdRoles"
        DataSourceID="srcRoles"
        EmptyDataText="You are not a member of any roles"
        GridLines="none"
        Runat="server" />

    <asp:ObjectDataSource
        id="srcRoles"
        TypeName="System.Web.Security.Roles"
        SelectMethod="GetRolesForUser"
        Runat="server" />

    </div>
    </form>
</body>
</html>

Summary

In this chapter, you learned about the four security frameworks included in ASP.NET Framework.
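As an added example (not from the book), the following helper builds on the Roles API of Listing 27.34 and the roles-cookie warning earlier in the section: it restricts role changes to an assumed Administrators role and expires the cached roles cookie when the caller changes their own membership. The RoleAdmin class and the Administrators role name are hypothetical.

```csharp
// Added example (not from the book). Assumes roleManager is enabled,
// cacheRolesInCookie="true" is set, and an "Administrators" role exists
// (both the helper class and the role name are hypothetical).
using System;
using System.Web;
using System.Web.Security;

public static class RoleAdmin
{
    // Gate every membership change on the caller's own role.
    private static void RequireAdministrator()
    {
        if (!Roles.IsUserInRole("Administrators"))
            throw new UnauthorizedAccessException("Administrators only.");
    }

    // Add userName to roleName, creating the role on first use.
    public static void Grant(string userName, string roleName)
    {
        RequireAdministrator();
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
        RefreshCookieIfCurrentUser(userName);
    }

    // Remove userName from roleName; users not in the role are ignored.
    public static void Revoke(string userName, string roleName)
    {
        RequireAdministrator();
        if (Roles.IsUserInRole(userName, roleName))
            Roles.RemoveUserFromRole(userName, roleName);
        RefreshCookieIfCurrentUser(userName);
    }

    // Roles.DeleteCookie() expires the roles cookie in the current
    // response only, so it can resync the caller's own cache right away.
    // Any other user's cached roles stay stale until cookieTimeout elapses.
    private static void RefreshCookieIfCurrentUser(string userName)
    {
        string caller = HttpContext.Current.User.Identity.Name;
        if (Roles.CacheRolesInCookie &&
            string.Equals(caller, userName, StringComparison.OrdinalIgnoreCase))
        {
            Roles.DeleteCookie();
        }
    }
}
```

Keep cookieProtection="All" (the default) so the client cannot read or alter the cached list, set cookieRequireSSL="true" so the cookie is never sent in the clear, and keep cookieTimeout short so a revocation made for another user takes effect within an acceptable window.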
In the first part, you learned how to authenticate users by enabling both Forms and Windows authentication. You learned how to take advantage of several advanced features of authentication such as cookieless authentication and cross-application authentication. You also learned how to authorize users to access particular resources. You not only learned how to control access to ASP.NET pages, but also how you can control access to image files and other files or pages.

Next, you learned how to use ASP.NET Membership to represent user information. You learned how to use the Membership class to create users, delete users, and modify user properties programmatically. You also explored the two Membership providers included with ASP.NET Framework: SqlMembershipProvider and ActiveDirectoryMembershipProvider. Finally, we created a custom MembershipProvider: the XmlMembershipProvider.

The final section was devoted to the Role Manager. You learned how to configure the three Role providers included in ASP.NET Framework: SqlRoleProvider, WindowsTokenRoleProvider, and AuthorizationStoreRoleProvider. You also learned how to take advantage of the Roles class to create roles, delete roles, and assign users to roles programmatically.

CHAPTER 28 Maintaining Application State

IN THIS CHAPTER
• Using Browser Cookies
• Using Session State
• Using Profiles
• Summary

Developers who are new to programming for the web always have difficulty understanding the problem of maintaining state. The HTTP protocol, the fundamental protocol of the World Wide Web, is a stateless protocol. What this means is that from a web server’s perspective, every request is from a new user. The HTTP protocol does not provide you with any method of determining whether any two requests are made by the same person.
However, maintaining state is important in just about any web application. The paradigmatic example is a shopping cart. If you want to associate a shopping cart with a user over multiple page requests, you need some method of maintaining state.

This chapter looks at three methods included in ASP.NET 4 Framework for associating data with a particular user over multiple page requests. In the first section, you learn how to create and manipulate browser cookies. A browser cookie enables you to associate a little bit of text with each website user.

Next, you learn how to take advantage of Session state, which enables you to associate an arbitrary object with any user. For example, you can store a shopping cart object in Session state. You learn how to take advantage of cookieless Session state so that you can use Session state even when a browser has cookies disabled. You also learn how to make Session state more robust by enabling out-of-process Session state.