Muhammad Haroon's WebLog: Securing ASP.NET 2.0 Apps Using Membership and Role Providers

Thursday, August 17, 2006

Securing ASP.NET 2.0 Apps Using Membership and Role Providers

I recently designed an intranet application using ASP.NET 2.0 and really loved the membership and role providers that tremendously simplifified our implementation of security features in the application. Membership and role information can be stored in a SQL Server database or another repository such as Active Directory. For our intranet application it made sense to use Active Directory as the membership provider and SQL Server as the role provider.

Configuring Role and Membership Providers:

Essentially everything is configured declaritively using Web.config:

<configuration>
    <connectionStrings>
      <remove name="LocalSqlServer"/>
      <add name="LocalSqlServer" providerName="System.Data.SqlClient" connectionString="Data Source=(local);Initial Catalog=AspNetServices;Integrated Security=True"/>
      <add name="ADConnectionString" connectionString="LDAP://VOCALSOFT/CN=Users,DC=VOCALSOFT,DC=COM"/>
    </connectionStrings>
    <system.web>
      <compilation debug="true">

<authentication mode="Forms">
          <forms name=".MyAppAuthCookie" timeout="10" loginUrl="LogOn.aspx"/>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
        <roleManager
                            enabled="true"
                            cacheRolesInCookie="true"
                            defaultProvider="MyAppRoleManagerSqlProvider"
                            cookieName=".MyAppRoles"
                            cookiePath="/"
                            cookieTimeout="30"
                            cookieRequireSSL="false"
                            cookieSlidingExpiration="true"
                            createPersistentCookie="false"
                            cookieProtection="All">
          <providers>
            <add name="MyAppRoleManagerSqlProvider"
                type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                connectionStringName="LocalSqlServer"
                applicationName="MyApplication"/>
          </providers>
        </roleManager>

<membership defaultProvider="MyADMembershipProvider">
          <providers>
            <add name="MyADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" attributeMapUsername="sAMAccountName" enableSearchMethods="true" connectionStringName="ADConnectionString" applicationName="MyApplication"/>
          </providers>
        </membership>
      </system.web>

<location path="Administration/Security">
      <system.web>
        <authorization>
          <allow roles="Administrators,Security Managers"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>
    <location path="Reports">
      <system.web>
        <authorization>
          <allow roles="Administrators,Report Viewers"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>
  </configuration>

In the above configuration file, note that we first specify our connection strings starting at line 2. LocalSqlServer points to a SQL Server database which has been configured using aspnet_regsql. The second connection string points to the domain controller for membership authentication.

In the authentication section we specify that we are using forms authentication, and provide the URL for our logon page.

In the roleManager section we configure our role provider, pointing back to LocalSqlServer as the role repository.

In the membership section we configure our membership provider pointing back to ADConnectionString (domain controller) specified in the connectionStrings section.

Finally we restrict users from accessing certain folders based on their roles using location sections (role-based security).

No comments:

Subscribe to: Post Comments (Atom)