Figure 4-22
Figure 4-23

121 Membership and Identity 07_042583 ch04.qxd 4/4/06 2:42 PM Page 121

3. Click the Manage link for the Administrators group, and then search for the Administrator user account, using the search tools shown in Figure 4-24. The easiest way to find the Administrator account is to search for all accounts beginning with the letter A, so type a* in the text box and click Find User. Add the Administrator account to the Administrators role by checking the User Is In Role check box.

Figure 4-24

4. Add the remaining user accounts to the Users role in the same way.

5. Click the Security tab to return to the main Security section of the Administration Tool. Then click the Manage access rules link to return to managing the access rules for the site. In the same interface you used in the earlier example for managing access rules (see Figure 4-13), remove the access rules for the individual user accounts, and instead grant access to the site to both the Administrators and Users groups. As you delete rules, you'll be prompted as shown in Figure 4-25.

6. Add the new permissions on a role-by-role basis with the interface shown in Figure 4-26. After you have added the rules, you should see the list of rules shown in Figure 4-27.

Figure 4-25
Figure 4-26
Figure 4-27

7. If you run the application again now, you should be able to log in as any of the user accounts and access the site as before. If you change the permissions for one of the roles, all members of that role will be affected, so you could block access to all non-administrative users if you wanted.

How It Works

All of the changes in this example were made via the magic Web Site Administration interface, which simplifies the process of adding role definitions and access rules.
If you were to do this by hand, as you will see in just a moment, you would have to manipulate the contents of the Roles table in the AspNetDB.mdf database that was shown earlier to include two role definitions, and then add users to those roles by changing the UsersInRoles table by hand. Then you would have to manipulate the Web.config file to change the access permissions to the site. This configuration process was all handled for you automatically by the tool, so it has made configuration and administration quite a lot simpler. However, this is a Visual Web Developer and Visual Studio 2005 feature, not an ASP.NET feature, so you would have to do this by hand if you didn't have access to the VWD environment.

If you return to the Source View of your Web.config file, you'll see the following changes have been made (shown with a gray background):

    <roleManager enabled="true" />
    <authorization>
      <allow users="?" />
      <allow roles="administrators" />
      <allow roles="users" />
    </authorization>

In addition, the process of enabling roles has modified the user profile database slightly, by adding two new tables: one to store roles and one that tells you which users are members of which roles (see Figure 4-28).

Figure 4-28

Authentication

One area not yet discussed is how the authentication works for this application, and what options are available in ASP.NET for authentication. The examples so far have relied on what's known as Forms authentication. So, what is Forms authentication, and what are the other options available?

❑ Forms authentication: Login requests are made by filling in a form on a web page and submitting that form to the server. When the server receives the request, a cookie is written to the user's local machine, and this cookie is passed back to the server by the browser along with each request that is sent so that the user remains authenticated for as long as is required.
❑ Windows authentication: Login pages pass user credentials to a web server (IIS only, not the web server built into VWD). The web server then handles the authentication using whichever method is configured on the virtual directory that the application is running within. IIS hooks in to the Windows operating system and Active Directory domain structures, which means that it can rely on user profiles that are stored externally, and use standard Windows credentials to log in to the site. Depending on the configuration of your site, and on which user account you used to log in to your machine, you may not even have to log in to the site directly, because your current Windows credentials can be passed to the web server automatically for authentication. This is really handy when it comes to developing intranet applications.

❑ Passport authentication: Login credentials are passed to a Microsoft Passport server where user profiles are stored centrally. You may be familiar with this from logging in to a Hotmail account. And because you can configure Windows to log on to a Passport account on startup, you can access your Hotmail inbox without even having to type a password.

Forms Authentication Model

This section looks at how Forms authentication works. Consider the following scenario:

❑ The user — let's call him Bob — wants to view Page A, which can't be accessed by anonymous users, so when Bob tries to view Page A, the browser instead displays a login page, as shown in Figure 4-29.

Figure 4-29

❑ Bob is now looking at a login page. Because Bob registered with this site previously, he logs in to the site using his username and password combination. Figure 4-30 shows the interaction between Bob's browser and the server.

Figure 4-30

❑ Bob can now view Page A and is a happy user. Next, Bob wants to view Page B by following a link from Page A.
Along with the request for the page, Bob's browser sends a copy of the cookie to the server to let the server know that it's Bob who's trying to view the page. The server knows who Bob is, and likes Bob, so it sends Bob Page B as requested, as shown in Figure 4-31.

Figure 4-29 (diagram): Browser sends request for Page A to the server. Server refuses anonymous access and sends login page instead.
Figure 4-30 (diagram): Browser sends a login request to the server. Server authenticates Bob and returns Page A along with a cookie to the browser.

Figure 4-31

❑ If Bob now requests the site's home page, the browser will tack the cookie on to the request, so even though the home page is not restricted content, the cookie is still sent to the server. Because the page isn't restricted, the server doesn't worry about the cookie, ignores it, and sends back the home page.

❑ Bob then heads back to Page A. Because the cookie is fresh on Bob's machine, the cookie is sent to the server. The server is still happy with Bob, so it lets Bob view the page.

❑ Bob goes off and makes himself a coffee. He then makes some lunch. By the time he gets back to his computer, 25 minutes have elapsed. Bob now wants to view Page B again, but the cookie on his machine has expired. The server doesn't receive a cookie along with the page request, so Bob has to log back in again.

Cookies on a user's machine are normally set to expire after a specific amount of time has elapsed. In this scenario, the server gives out cookies with a 20-minute expiry, which means that as long as the user keeps making requests within 20 minutes of each other, the cookie will remain active. However, more than 20 minutes away from the site and the user will have to log back in to the site to view restricted content.

The login page built in the earlier examples included a box that offered you the "remember my details for next time" option.
This writes a more permanent cookie to your browser's cookie collection so that your account name is pre-populated when you revisit the site. Because you should never store password information in a cookie, you should always have to enter your password, but at least your username field is filled in for you on each visit.

Other methods of authentication — Windows and Passport — provide the end user with a similar experience. For example, the Windows authentication model relies on the web server (which will likely be IIS) to control access to the site, but it can also incorporate the timeout mechanism to block users that have been idle for too long. To configure Windows authentication, you need to specify which users or roles from the corporate Active Directory (AD) domain can access a site. These users can then access the site whenever they are logged on using their login details to a PC on the corporate network. It's also possible to view a Windows authenticated site from outside of the corporate environment, though you are asked to enter your standard Windows logon credentials when you attempt to access a page protected by Windows authentication.

Figure 4-31 (diagram): Browser requests Page B and passes a copy of the cookie. Server accepts cookie and sends back Page B.

Passport authentication isn't as widely adopted as Microsoft perhaps would have liked, but some sites on the Internet do link to the Passport network to handle web site authentication (for example, Expedia.com). Passport authentication relies on the entire repository of user accounts being accessible from anywhere in the wired world, a bit like a central active directory for web accounts.

This book uses Forms authentication to handle all authentication with the Wrox United application.
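As an added illustration of Bob's scenario (example code written for this page, not the book's), the following Python models the server side of a Forms authentication session: the cookie carries the username and expiry under an HMAC so the browser cannot forge or extend it (ASP.NET protects its ticket with the machineKey; the secret here is a constructed stand-in), restricted pages renew the 20-minute ticket on every request, and public pages ignore the cookie. Time is counted in whole minutes, and page names and the renew-on-every-request rule are simplifying assumptions.

```python
import hashlib
import hmac

TIMEOUT = 20  # minutes, the expiry used in the chapter's scenario
SECRET = b"constructed-server-secret"  # stands in for ASP.NET's machineKey
RESTRICTED = {"/PageA", "/PageB"}  # assumed pages that refuse anonymous access


def issue_ticket(user, now):
    """Mint a cookie value: username, expiry minute, and an HMAC over both."""
    payload = f"{user}|{now + TIMEOUT}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_ticket(cookie, now):
    """Return the username if the cookie is genuine and unexpired, else None."""
    if cookie is None:
        return None
    try:
        user, expires, tag = cookie.split("|")
    except ValueError:
        return None  # malformed cookie: treat the caller as anonymous
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered: an edited expiry or username fails the MAC
    return user if now < int(expires) else None


def handle_request(path, cookie, now):
    """Server side of Bob's scenario. Returns (status, fresh cookie or None)."""
    user = validate_ticket(cookie, now)
    if path not in RESTRICTED:
        return "200 " + path, None  # home page: the cookie is ignored
    if user is None:
        return "302 /Login", None  # anonymous: send the login page instead
    return "200 " + path, issue_ticket(user, now)  # sliding 20-minute renewal


def bobs_day():
    """Replay the chapter's scenario; returns the status of each request."""
    statuses = []
    status, _ = handle_request("/PageA", None, 0)  # refused, login page shown
    statuses.append(status)
    cookie = issue_ticket("bob", 0)  # Bob logs in and receives his cookie
    for path, minute in [("/PageA", 1), ("/PageB", 2), ("/", 3), ("/PageA", 4), ("/PageB", 29)]:
        status, renewed = handle_request(path, cookie, minute)
        statuses.append(status)
        cookie = renewed or cookie  # keep whichever ticket is fresher
    return statuses
```

The last request, 25 minutes after Bob's previous visit to a restricted page, is refused exactly as in the text, and a cookie whose expiry field has been edited fails validation before its date is even read.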
Wrox United Security

The Wrox United site that you've been working on so far needs to have some security applied to it if you want to be able to include some personalization in the site. In the finished site (www.wroxunited.net), you'll see that there is shopping cart functionality built in to the site. Additionally, the finished site will also have an administration area, where you can edit fixtures, team members, and much more. This all means that you're going to have to add some users and roles at some stage. Because you have gained plenty of experience of using the configuration tool, you can now perform the first stage in this process. The next Try It Out walks you through the user accounts and roles configuration for the Wrox United site. At this stage, you don't have to worry about locking down parts of the site — that's a task for later in the book.

Try It Out
Configuring Security in the Wrox United Site

1. Open the final version of the Wrox United site in VWD. Then click the Website menu and select ASP.NET Configuration. This launches the configuration tool for the site. Figure 4-32 shows the configuration screen that is displayed for the finished version of the site.

Figure 4-32

2. Click the Security link to go to the section where you can configure users and roles. As you did previously in this chapter, launch the security setup wizard. As you walk through the wizard, select the following:
❑ The application will be used over the Internet.
❑ Roles are enabled.
❑ Roles should be defined for Administrator, FanClubMember, Manager, Owner, and Reporter (see Figure 4-33).

3. Look at the user accounts. The user accounts predefined with the Wrox United application are shown in Figure 4-34.

4. Take a look at the configuration for the finished application.
You'll see that the preconfigured user accounts are each members of different roles, so while the ChrisH account is a member of the Reporter role, Jim is a member of the Owners role, and Lou is a member of the Fan Club.

5. After you finish the wizard, look at a couple of subfolders within the WroxUnited directory that contain specific areas of the site — the Admin and the FanClub sections. These areas have some access restrictions on them.

Figure 4-33
Figure 4-34

6. Go to the section for managing Access Rules and you'll see the following rules:
❑ For the main WroxUnited folder, anonymous access is allowed.
❑ For the FanClub folder, only members of the FanClub role can access the folder — all other users are denied access.
❑ For the Admin folder, access is denied to all users.

How It Works

With the Wrox United application, you have access to the configuration of a fully functional web application. Feel free to have a look through this configuration using both the Administration Tool and the Web.config file to see how the basic permissions are enabled. This example is only a taste of what will come later in the book, because Chapter 11 covers the details of role-based access to a site and shows you different techniques for enabling and disabling content by role.

The code generated for filtering access to the FanClub folder has been added to the Web.config file that lives within the FanClub folder. This code is as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow
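The following Python, added for this page rather than taken from the book, models how ASP.NET URL authorization evaluates <authorization> rules such as the root Web.config entries shown earlier in the chapter and the FanClub folder rules described above: rules are checked in document order, the first rule that matches the caller decides, and the Web.config of the folder closest to the requested page is consulted before its parents. The FanClub rules below are constructed to match the text's description, since the page's own listing is cut off; the usernames and roles come from the chapter.

```python
import xml.etree.ElementTree as ET

# The root Web.config rules shown earlier in the chapter (straight quotes).
ROOT_WEB_CONFIG = """<configuration><system.web><authorization>
  <allow users="?" />
  <allow roles="administrators" />
  <allow roles="users" />
</authorization></system.web></configuration>"""

# Constructed: rules matching the FanClub folder description in the text.
FANCLUB_WEB_CONFIG = """<configuration><system.web><authorization>
  <allow roles="FanClubMember" />
  <deny users="*" />
</authorization></system.web></configuration>"""


def load_rules(config_xml):
    """Return (action, users, roles) tuples in document order, lower-cased."""
    root = ET.fromstring(config_xml)
    rules = []
    for rule in root.find("system.web/authorization"):
        users = [u.strip().lower() for u in rule.get("users", "").split(",") if u.strip()]
        roles = [r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()]
        rules.append((rule.tag, users, roles))
    return rules


def rule_matches(rule, username, user_roles):
    """ASP.NET matching: '*' is everyone, '?' is anonymous callers only."""
    _, users, roles = rule
    if "*" in users or (username is None and "?" in users):
        return True
    if username is not None and username.lower() in users:
        return True
    return any(r.lower() in roles for r in user_roles)


def is_authorized(config_chain, username=None, user_roles=()):
    """config_chain: Web.config XML from the requested folder up to the root.
    The first matching rule decides; with no match ASP.NET falls through to
    the machine-level <allow users="*" />, so the answer is True."""
    for config_xml in config_chain:
        for rule in load_rules(config_xml):
            if rule_matches(rule, username, user_roles):
                return rule[0] == "allow"
    return True
```

Because the root rules contain no deny entry, every caller falls through to the implicit allow there; the restriction on the FanClub folder comes entirely from its own deny-all rule, which is evaluated before the root rules, so reviewing rule order and the presence of a closing deny is the check that matters when auditing these files.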