The sample web application illustrated in the previous section has one
important limitation: it can be accessed by anonymous users, who can therefore
reach important data. If your application just presents information, in most
cases anonymous access is fine. But if your application instead manages data
or restricted information, you want to force users to log in with their own
credentials, such as a username and password. ASP.NET provides a convenient
and easy way to configure web applications to require login credentials
(storing user information inside a SQL Server database), along with roles and
registration. Another interesting new feature is that, whereas in the past you
had to implement your own login page, in Visual Studio 2010 it is generated
for you when you create the project. To start configuring security for your
web application, click the ASP.NET Configuration button in Solution Explorer
(the one with the icon representing a hammer). This runs the ASP.NET Web Site
Administration Tool, a web application executed in your web browser. This tool
allows you to configure different parts of the web application, but for the
current example just click the Security tab. When you click this tab, you can
access different security options, including setting up users and roles.
There is also a guided procedure that you can use to configure the
application's security, so click the Use the Security Setup Wizard to
Configure Security Step by Step hyperlink. There are seven steps to complete,
but the first one is just a welcome message, so you can click Next. Starting
from the second step, execute the following tasks:
1. Specify the access method by selecting between From the Internet and From
   a Local Area Network. The first option is more restrictive and requires
   users to register with their credentials, such as a username and password.
   This is particularly useful when you do not know who will access the
   website and you want users to log in with credentials. Moreover, if a
   website is available on the Internet, it can be reached by non-Windows
   environments, and therefore Windows authentication is not appropriate. The
   local intranet option, instead, should be used only when the web
   application runs inside your company, because it relies on Windows and
   domain authentication only; this simplifies your work because you will not
   have to configure users. For the current example, where user
   administration is also covered, select the Internet security option and
   then click Next.
2. Simply click Next at step 3, because we do not need to change the storage
   information (such as the database provider).
3. Click the Enable Roles for This Website check box and then click Next.
   This is important because securing the web application requires at least
   one role. Typically a website includes at least an administration role, so
   in the New Role Name text box type Administrator and then click Add Role.
   The new role is added to the roles list, so click Next.
4. Sign up for a new account by providing the required information. This is
   important because the web application requires at least one user, which
   will later be associated with the role. When ready, click Create User. You
   are told that adding the new user was successful, so click Next.
5. Specify access rules for the web application by allowing or denying access
   permissions to specific roles or users. The default rule is that all
   registered users and roles can access the application, but you can delete
   the existing rule and create new rules granting permissions to selected
   users or roles. For example, you can select a folder of the application by
   first expanding the root folder on the left, and then select the
   permission (Allow or Deny) for the users or roles in the Rule Applies To
   item. When the rule is set, click Next.
6. In the last step, simply click Finish.
When you configure users, or when users register to claim access to the web
application, the user information is stored inside a default SQL Server
database that Visual Studio generates for you. If you want to use a SQL
Server database different from the default one, use the Aspnet_regsql.exe
command-line tool, which creates the appropriate tables in that database.
With a few steps you have quickly configured your application to require
registration and login. The last step before running the application is
associating the main user with the Administrator role. To accomplish this,
click Manage Users and then Edit User. When the user administration page
appears, select the check box for Administrator. Finally, click Save. Now
close the configuration tool, run the application, and try to open the Orders
page. As you can see, you cannot view the requested page until you log in
with the previously created user's credentials. Once you log in, you can
browse the application. The really cool thing is that the Login page
generated for you by Visual Studio 2010 is bound to the SQL Server database
where user information is stored, so you do not need to write code to check
whether a user has permission to access a page. This is performed for you
behind the scenes by the application, which takes advantage of the
auto-generated elements.
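Everything the wizard and the administration tool do "behind the scenes" ends up in the application's web.config, and reviewing that file is the quickest way to confirm that anonymous access is actually closed and that a page such as Orders is reachable only by the Administrator role. The following root web.config is an added example, not text from the original section or a file generated by Visual Studio: it shows the settings equivalent to the wizard choices above (Internet access method, roles enabled, a per-page access rule) together with the optional connection-string override for a database provisioned with Aspnet_regsql.exe. The login page path assumes the Visual Studio 2010 web application template; the server name, database name and page name are placeholders, and the tool itself may write the per-folder rule into a web.config inside that folder rather than into a location element.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Optional: point membership and roles at your own SQL Server database
         instead of the default one generated under App_Data.
         Provision it first with the command-line tool named in the text, for
         example (server and database names are placeholders):
           aspnet_regsql.exe -S YOUR_SERVER -E -d YourAppSecurityDb -A all
         where -E uses Windows authentication to SQL Server and -A all
         creates the membership, role, profile and personalization tables. -->
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer"
         connectionString="Data Source=YOUR_SERVER;Initial Catalog=YourAppSecurityDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- "From the Internet" in the wizard means Forms authentication:
         unauthenticated requests are redirected to the generated login page.
         requireSSL="true" keeps the authentication cookie off plain HTTP, so
         the site must be served over HTTPS for login to work. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <!-- "Enable Roles for This Website": the default SQL role provider is
         used, backed by the LocalSqlServer connection string above. -->
    <roleManager enabled="true" />

    <!-- Site-wide rule: "?" stands for anonymous users, so every page
         requires a login unless a more specific rule says otherwise. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Access rule from step 5 of the wizard, scoped to one page (the page
       name is a placeholder). Rules are evaluated top down and the first
       match wins, so the allow for the role must precede the final
       deny users="*", which keeps the page closed to everyone else. -->
  <location path="Orders.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A useful check after running the wizard is to open the generated web.config and verify two things: that a `deny` rule for anonymous users (`?`) or all users (`*`) appears after every `allow`, since a missing or misplaced deny silently leaves the section open; and that no folder-level web.config contains an `allow users="*"` that overrides the rule you intended, because rules in the more specific location are evaluated before those in the parent.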