Manage Custom Security Credentials the Smart (Client) Way

Both Internet and intranet applications often require a custom store for user accounts and roles. ASP.NET 2.0 provides an out-of-the-box provider model as well as a SQL Server database just for that purpose. Unfortunately, the only way to administer the credentials database is via Visual Studio 2005, and only for local Web applications. This article presents a full-blown custom security management application that administrators can use. The application wraps the ASP.NET 2.0 providers with a Web service and even adds missing features. The article presents the design approaches, challenges, and techniques involved in developing such an application, and walks you through some powerful yet useful techniques such as interface-based Web services, reflection-based Web service compatibility, advanced C# 2.0, Web services security, and Web services transactions.

ASP.NET 2.0 Credentials Infrastructure

Internet-based applications often don't rely on Windows accounts and groups, and instead resort to forms-based authentication, combined with some kind of back-end custom credentials store such as SQL Server. To save developers the trouble of designing and building such solutions over and over, ASP.NET 2.0 ships with a ready-made security credentials infrastructure. The ASP.NET 2.0 credentials store is not for the sole use of ASP.NET applications: ASP.NET Web services and even Windows Forms applications can use it to manage their users' credentials. In addition, Windows Communication Foundation (codename Indigo) services can easily be configured to use the ASP.NET 2.0 security credentials store.
ASP.NET 2.0 uses a provider model for accessing and managing the credentials to avoid coupling the application to any particular store. It is up to the developers to develop the application while taking advantage of the abstract provider model. It is up to administrators to select and manage the specific credentials store. Figure 1 shows the architecture of the ASP.NET 2.0 security providers. Membership providers are responsible for managing users, and role providers are responsible for managing roles. In the credentials store, each user or role is scoped inside an application. This allows different applications to use the same credentials store without conflicting with each other's user names or roles. Out of the box, ASP.NET offers support for the following credentials stores: SQL Server, Windows, and Active Directory (Figure 1). To install the SQL Server credentials database, run the aspnet_regsql.exe setup program, found under:

<WINDOWS>\Microsoft.NET\Framework\<version>

Figure 1: The ASP.NET 2.0 Security Provider Model.
The setup program creates a new database called aspnetdb, a set of tables for applications, users, and roles, and stored procedures to access the tables. The SQL Server database is well designed, using the latest security best practices such as password salting and challenges. In addition, ASP.NET 2.0 offers a set of classes that correspond to the providers in Figure 1. Which provider to use is kept in the application's configuration file (App.Config or Web.Config). You hardly ever need to interact with the specific providers directly. Instead, there are two static helper classes, Membership and Roles, which read from the configuration file which provider to use. The default provider, that is, when no provider is specified, is SQL Server. The Membership class (Listing 1) allows you to create and delete users, retrieve information about users, and review the password policies. For example, to create a new user in the "MyApp" application you would simply write:

Membership.ApplicationName = "MyApp";
Membership.CreateUser("MyUser", "MyPassword", ...);
The Roles class (Listing 2) allows you to create and delete roles, add or remove users from roles, retrieve users' role membership information, and verify role membership. For example, to add the role "Manager" to the application "MyApp" you would write:

Roles.ApplicationName = "MyApp";
Roles.CreateRole("Manager");
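The following is an added example, not code from the article, that puts the two helper classes together against the default SQL Server provider. It assumes the aspnetdb database created by aspnet_regsql.exe is reachable through the default LocalSqlServer connection string, that the project references System.Web.dll, and that the role manager is enabled in the configuration file; the user, password, email and role values are constructed sample data. It uses the full CreateUser overload so that a rejected account shows up as a MembershipCreateStatus value rather than an exception, checks the configured password policy first, and cleans up in the order the providers require.

```csharp
// Added example (not from the article): exercises the Membership and Roles
// helpers against the default SQL Server provider. Assumes aspnetdb is reachable
// through the default LocalSqlServer connection string, System.Web.dll is
// referenced, and the role manager is enabled in App.Config/Web.Config.
using System;
using System.Web.Security;

public static class CredentialsDemo
{
    const string AppName = "MyApp";   // users and roles are scoped to this application

    public static void Run()
    {
        // Scope both helpers to the same application; a user created under one
        // application name is invisible to roles created under another.
        Membership.ApplicationName = AppName;
        Roles.ApplicationName = AppName;

        // Review the password policy the configured provider enforces before
        // creating accounts, so a rejection below is not a surprise.
        Console.WriteLine("Min length {0}, non-alphanumeric {1}, lockout after {2} failures in {3} min",
            Membership.MinRequiredPasswordLength,
            Membership.MinRequiredNonAlphanumericCharacters,
            Membership.MaxInvalidPasswordAttempts,
            Membership.PasswordAttemptWindow);
        Console.WriteLine("Password retrieval enabled: {0}", Membership.EnablePasswordRetrieval);

        // The two-argument CreateUser overload throws MembershipCreateUserException on
        // failure; the full overload reports the reason through a status code instead.
        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            "MyUser", "MyPassword1!", "myuser@example.com",   // constructed sample values
            "Favorite color?", "blue",                         // question/answer for reset
            true,                                              // isApproved: may sign in at once
            out status);

        if (status != MembershipCreateStatus.Success)
        {
            // user is null here, so report the status and stop.
            Console.WriteLine("User not created: {0}", status);
            return;
        }

        // Roles.CreateRole throws ProviderException if the role already exists.
        if (!Roles.RoleExists("Manager"))
            Roles.CreateRole("Manager");
        Roles.AddUserToRole(user.UserName, "Manager");

        // ValidateUser counts failed attempts toward the lockout window, so call it
        // only on a genuine sign-in path. Role checks do not authenticate anyone.
        bool authenticated = Membership.ValidateUser("MyUser", "MyPassword1!");
        bool isManager = Roles.IsUserInRole("MyUser", "Manager");
        Console.WriteLine("Authenticated: {0}, in Manager role: {1}", authenticated, isManager);

        // Clean up. DeleteRole with throwOnPopulatedRole=true refuses to delete a
        // role that still has members, so delete the user (and related data) first.
        Membership.DeleteUser("MyUser", true);
        Roles.DeleteRole("Manager", true);
    }
}
```

Run() can be called from a console or Windows Forms entry point; because both helper classes read their provider from the configuration file, the same code works unchanged whether the store is SQL Server or another configured provider.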
By Juval Löwy

Juval Löwy is a software architect and the principal of IDesign, a consulting and training company focused on .NET architecture consulting and advanced .NET training. This article contains excerpts from his latest book, Programming .NET Components, 2nd Edition (O'Reilly, 2005). Juval is a frequent presenter at development conferences and Microsoft's Regional Director for the Silicon Valley.
Over the last three years Juval has been part of the Strategic Design Review process for .NET 2.0.
Microsoft recognized Juval as a Software Legend as one of the world's top .NET experts and industry leaders.
Contact him at www.idesign.net
Fast Facts

ASP.NET 2.0 ships with a security credentials SQL Server database and a set of provider classes to manage it. However, to manage that database you have to use a local instance of Visual Studio 2005, which is not an option for most administrators. You can wrap the ASP.NET 2.0 providers with a Web service and use a Windows Forms application to manage the credentials store.
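As an added illustration of the approach stated above, and not the article's own service, here is a minimal ASMX Web service that exposes a few Membership and Roles operations to a remote management tool. It assumes the service is hosted in IIS with Windows authentication enabled, and the namespace URL and the BUILTIN\Administrators role are placeholders to be replaced with your own values. The class-level PrincipalPermission demand rejects any caller who is not in that Windows group before a single provider call runs, which is the property an administration service over a credentials store needs most.

```csharp
// Added example (not the article's code): an ASMX wrapper over the Membership and
// Roles helpers for a remote Windows Forms administration client. Assumes IIS
// hosting with Windows authentication; the namespace and the admin role name
// are placeholders.
using System.Security.Permissions;
using System.Web.Security;
using System.Web.Services;

[WebService(Namespace = "http://example.com/placeholder/credentials")]
// Every operation demands a Windows caller in the administrators group; an
// unauthenticated or unauthorized call fails with a SecurityException (returned
// to the client as a SOAP fault) before any provider method executes.
[PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
public class CredentialsService : WebService
{
    // The application name is an explicit parameter on every call because the
    // helpers scope users and roles per application.
    [WebMethod]
    public string CreateUser(string application, string username, string password,
                             string email, string question, string answer)
    {
        Membership.ApplicationName = application;
        MembershipCreateStatus status;
        Membership.CreateUser(username, password, email, question, answer, true, out status);
        return status.ToString();   // report the outcome as data, not as an exception message
    }

    [WebMethod]
    public bool DeleteUser(string application, string username)
    {
        Membership.ApplicationName = application;
        return Membership.DeleteUser(username, true);   // also removes role membership
    }

    [WebMethod]
    public void CreateRole(string application, string roleName)
    {
        Roles.ApplicationName = application;
        if (!Roles.RoleExists(roleName))     // CreateRole throws if the role exists
            Roles.CreateRole(roleName);
    }

    [WebMethod]
    public void AddUserToRole(string application, string username, string roleName)
    {
        Roles.ApplicationName = application;
        Roles.AddUserToRole(username, roleName);
    }

    [WebMethod]
    public string[] GetRolesForUser(string application, string username)
    {
        Roles.ApplicationName = application;
        return Roles.GetRolesForUser(username);
    }
}
```

One caveat to keep in mind with this sketch: Membership.ApplicationName and Roles.ApplicationName are process-wide static state, so two concurrent requests for different applications can interfere with each other. A production wrapper should serialize those calls or work with a provider instance per application rather than relying on the static helpers.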
Listing 1: The Membership helper class

[Serializable]
public class MembershipUser
{
   public virtual bool ChangePassword(string oldPassword, string newPassword);
   public virtual string GetPassword(string passwordAnswer);
   public virtual string ResetPassword(string passwordAnswer);
   public virtual bool UnlockUser();
   //Additional members
}

public static class Membership
{
   public static string ApplicationName { get; set; }
   public static MembershipUser CreateUser(string username, string password);
   public static MembershipUser CreateUser(string username, string password,
                                           string email, string passwordQuestion,
                                           string passwordAnswer, bool isApproved,
                                           out MembershipCreateStatus status);
   public static bool DeleteUser(string username, bool deleteAllRelatedData);
   public static MembershipUser GetUser(string username);
   public static void UpdateUser(MembershipUser user);
   public static bool ValidateUser(string username, string password);
   public static bool EnablePasswordReset { get; }
   public static bool EnablePasswordRetrieval { get; }
   //Additional members
}
Listing 2: The Roles helper class

public static class Roles
{
   public static string ApplicationName { get; set; }
   public static void CreateRole(string roleName);
   public static bool DeleteRole(string roleName, bool throwOnPopulatedRole);
   public static void AddUserToRole(string username, string roleName);
   public static void RemoveUserFromRole(string username, string roleName);
   public static string[] GetAllRoles();
   public static string[] GetRolesForUser(string username);
   public static string[] GetUsersInRole(string roleName);
   public static bool IsUserInRole(string username, string roleName);
   //Additional members
}