
1

CS 3870/CS 5870: Note 11

Authentication and Authorization

Membership Provider

2

Lab 5

Copy folder Lab4 as Lab5

Modify Lab4MasterPage

Name: Lab5MasterPage

Text: Lab 5

TreeView:

New root node

NavigationURL of master page

3

Lab 5

Modify the Content Pages

MasterPageFile

(top line of the source file)

4

Lab 5

Modify the Session Variables

Lab4_ to Lab5_

File Global

Code file

Aspx file

5

Lab 5

Make sure it’s working the same as Lab4

6

Format DetailsView on page Updating

<asp:BoundField DataField="ProductID"

HeaderText="ProductID"

ItemStyle-HorizontalAlign="Center"

ReadOnly="True"

SortExpression="ProductID" />

<asp:BoundField DataField="UnitPrice"

HeaderText="Unit Price"

DataFormatString="{0:c}"

HtmlEncode="False" >

<ItemStyle HorizontalAlign="Right"> </ItemStyle>

</asp:BoundField>

7

Lab 5

Make sure it’s working after formatting

Make Delete Work on Updating

• Open Updating.aspx

• Click source

• Remove the following from DeleteParameters

<asp:Parameter Name="original_UnitPrice" Type="Decimal" />

8

9

Web.Config

• Machine.config

– Machine level settings

– Default settings for all Web applications

• Application Web.config

– Under the application root directory

– Apply to the entire application

– Overwrite some settings set in Machine.config

• Local Web.config

– A sub-folder can have its own Web.config file

– Overwrite some settings set in higher level Web.config

– Not every setting can be set in local Web.config

• AUTHENTICATION must be set in application Web.config

• AUTHORIZATION can be different for different sub-folders

• Page Directives

– Apply to the page only

– Overwrite settings set in Web.config

Machine.config on Xray

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config

<membership>
  <providers>
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false" enablePasswordReset="true"
         requiresQuestionAndAnswer="true" applicationName="/"
         requiresUniqueEmail="false" passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>

10
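The provider element above fixes both the password policy (length 7, at least one non-alphanumeric character, optional regular expression) and the lockout rule (5 failed attempts inside a 10-minute window). As an added example that is not part of the course notes, the following Python model applies exactly those values to concrete inputs so the behaviour can be checked; the policy numbers are copied from the slide, while names such as MembershipUser and simulate_logins are this example's own.

```python
"""Added example, not part of the course notes: a Python model of the password
policy and lockout settings in the AspNetSqlMembershipProvider element above.
Policy values are copied from the slide; names such as MembershipUser and
simulate_logins are this example's own."""
import re
from datetime import datetime, timedelta

POLICY = {
    "minRequiredPasswordLength": 7,
    "minRequiredNonalphanumericCharacters": 1,
    "passwordStrengthRegularExpression": "",
    "maxInvalidPasswordAttempts": 5,
    "passwordAttemptWindow": 10,   # minutes
}


def password_meets_policy(password, policy=POLICY):
    """The three strength checks the provider runs before it will create a user."""
    if len(password) < policy["minRequiredPasswordLength"]:
        return False
    non_alnum = sum(1 for ch in password if not ch.isalnum())
    if non_alnum < policy["minRequiredNonalphanumericCharacters"]:
        return False
    pattern = policy["passwordStrengthRegularExpression"]
    if pattern and re.match(pattern, password) is None:
        return False
    return True


class MembershipUser:
    """Holds the per-user failed-attempt count and window start the provider stores."""

    def __init__(self, password, policy=POLICY):
        self.password = password
        self.policy = policy
        self.failed_attempts = 0
        self.window_start = None
        self.is_locked_out = False

    def validate(self, attempt, now):
        """Return True for a correct password.  A wrong one inside the attempt window
        increments the counter; one outside the window starts a fresh window at 1.
        Reaching maxInvalidPasswordAttempts locks the account until it is unlocked."""
        if self.is_locked_out:
            return False
        if attempt == self.password:          # a model, so a plain comparison is fine
            self.failed_attempts = 0
            self.window_start = None
            return True
        window = timedelta(minutes=self.policy["passwordAttemptWindow"])
        if self.window_start is not None and now - self.window_start <= window:
            self.failed_attempts += 1
        else:
            self.failed_attempts = 1
            self.window_start = now
        if self.failed_attempts >= self.policy["maxInvalidPasswordAttempts"]:
            self.is_locked_out = True
        return False


def simulate_logins(correct, attempts, policy=POLICY):
    """Replay (minute_offset, password) pairs against a fresh user.
    Returns (list of per-attempt results, is_locked_out, failed_attempts)."""
    user = MembershipUser(correct, policy)
    base = datetime(2024, 1, 1, 12, 0)   # constructed reference time
    results = [user.validate(pw, base + timedelta(minutes=m)) for m, pw in attempts]
    return results, user.is_locked_out, user.failed_attempts


if __name__ == "__main__":
    print(password_meets_policy("cs3870@UWP"))        # the lab's sample password passes
    burst = [(m, "wrong") for m in range(5)]
    print(simulate_logins("cs3870@UWP", burst))         # five failures in 5 minutes -> locked
    spread = [(m, "wrong") for m in (0, 1, 2, 3, 11)]
    print(simulate_logins("cs3870@UWP", spread))        # fifth failure outside the window -> not locked
```

The window logic is the part worth noticing: five wrong passwords spread over more than ten minutes never lock the account, because the fifth attempt restarts the window, while five inside ten minutes do. That is why passwordAttemptWindow and maxInvalidPasswordAttempts only make sense as a pair.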

Machine.config on Xray

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config

<connectionStrings>
  <add name="LocalSqlServer"
       connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
       providerName="System.Data.SqlClient" />
</connectionStrings>

11

12

Web.Config

• Application Configuration File under the main web site

<system.web>
  <authentication mode="Forms">
    <forms name="formsAuth"
           loginUrl="lab5/login.aspx"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           protection="All"
           defaultUrl="~/Lab5/Default.aspx"
           timeout="1"
           cookieless="UseDeviceProfile" />
  </authentication>
</system.web>

13

Authentication

• To identify the user

• Four Modes

– Windows: IntraNet

– Forms : Internet

– Passport: MS

– None

14

Forms Based Authentication

– name : cookie's name

– loginUrl : default is login.aspx

– path : the location to save the cookie, default is /

– protection: the amount of protection applied to the cookie

• Encryption

• Validation

• All (both, default)

• None

– timeout : minutes (default 30)

a durable cookie could be issued

15

Forms Based Authentication

– defaultUrl: where to send the user after login when login.aspx was requested directly

Otherwise, go to the originally requested page

– requireSSL : credentials must be sent over an encrypted connection (SSL)

– slidingExpiration : timeout of the cookie is on a sliding scale

– cookieless:

• UseDeviceProfile: default

• UseCookies: require to use cookies

• UseUri: force to store credential within Uri

• AutoDetect: sending a test cookie first
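The attributes listed on the last two slides decide how well the forms-authentication ticket is protected in transit, and the Web.config shown earlier leaves two of them at their permissive values (requireSSL="false", cookieless="UseDeviceProfile"). As an added example that is not part of the course notes, the Python below reads a constructed copy of that `<forms>` element and reports which settings a reviewer would flag; the defaults table follows the documented defaults for the `<forms>` element, and review_forms_element and flagged_attributes are names made up for this example.

```python
"""Added example, not part of the course notes: a small reviewer for the
<forms> element of a Web.config.  SLIDE_FORMS_CONFIG is a constructed copy of
the element shown on the Web.config slide; HARDENED_FORMS_CONFIG is the same
element with the transport and cookie settings tightened."""
import xml.etree.ElementTree as ET

SLIDE_FORMS_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="formsAuth" loginUrl="lab5/login.aspx" path="/"
             requireSSL="false" slidingExpiration="true" protection="All"
             defaultUrl="~/Lab5/Default.aspx" timeout="1"
             cookieless="UseDeviceProfile" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_FORMS_CONFIG = SLIDE_FORMS_CONFIG.replace(
    'requireSSL="false"', 'requireSSL="true"').replace(
    'cookieless="UseDeviceProfile"', 'cookieless="UseCookies"')

# Values ASP.NET applies when the attribute is omitted.
FORMS_DEFAULTS = {"requireSSL": "false", "slidingExpiration": "true",
                  "protection": "All", "timeout": "30",
                  "cookieless": "UseDeviceProfile"}


def review_forms_element(config_xml, max_timeout_minutes=30):
    """Return a list of (attribute, value, reason) findings for the <forms> element.
    An empty list means every checked attribute is at the stricter setting."""
    root = ET.fromstring(config_xml)
    auth = root.find("./system.web/authentication")
    forms = root.find("./system.web/authentication/forms")
    if auth is None or auth.get("mode") != "Forms" or forms is None:
        return [("authentication", None if auth is None else auth.get("mode"),
                 "not Forms authentication, nothing to review here")]

    def value(attr):
        return forms.get(attr, FORMS_DEFAULTS[attr])

    findings = []
    if value("requireSSL").lower() != "true":
        findings.append(("requireSSL", value("requireSSL"),
                         'ticket cookie may travel over plain HTTP; protection="All" '
                         "encrypts the ticket, not the connection"))
    if value("protection") != "All":
        findings.append(("protection", value("protection"),
                         "ticket is not both encrypted and integrity-checked"))
    if value("cookieless") != "UseCookies":
        findings.append(("cookieless", value("cookieless"),
                         "ticket may be carried in the URL, where it ends up in logs "
                         "and Referer headers"))
    timeout = int(value("timeout"))
    if timeout > max_timeout_minutes:
        findings.append(("timeout", str(timeout),
                         f"ticket stays valid longer than {max_timeout_minutes} minutes"))
    return findings


def flagged_attributes(config_xml):
    """Just the attribute names, sorted, for a quick comparison."""
    return sorted(attr for attr, _, _ in review_forms_element(config_xml))


if __name__ == "__main__":
    for label, cfg in (("slide", SLIDE_FORMS_CONFIG), ("hardened", HARDENED_FORMS_CONFIG)):
        print(label, review_forms_element(cfg) or "no findings")
```

Run against the slide's element it reports requireSSL and cookieless; the hardened copy reports nothing. The one-minute timeout on the slide is a classroom value and is not flagged, but the same check would catch a long-lived ticket in a real deployment.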

Authentication

• All pages are still accessible to the public

16

Form Login

• Create form Login under the root folder

• Add control Login from tab Login

• All pages are still accessible to the public

17

18

Authorization

• Application Configuration File under the main folder

<system.web>

<authentication mode="Forms">

</authentication>

<authorization>

<deny users="?" />

</authorization>

</system.web>

No Page Accessible

19

20

Authorization

• Application Configuration File under the main folder

<system.web>

<authentication mode="Forms">

</authentication>

</system.web>

<location path="Lab5">

<system.web>

<authorization>

<deny users="?" />

</authorization>

</system.web>

</location>

<!-- could have multiple locations -->

All Pages Are Accessible

Except those under folder Lab5

21

Control CreateUserWizard

• Add a form CreateUser.aspx under the main folder

• Add control CreateUserWizard

• Create one user

– UserName: jim

– Password: cs3870@UWP

– Your email

– Your choices for others

22

Event ContinueButtonClick

• In CreateUser.aspx.vb

• Select CreateUserWizard1

• Select event ContinueButtonClick

• Code

Response.Redirect("Lab5/Login.aspx")

23

24

Authorization

<deny users="*" />

<allow users="*" />

<allow users="[comma separated list of users]"
       roles="[comma separated list of roles]"
       verbs="[comma separated list of verbs]" />

<deny users="[comma separated list of users]"
      roles="[comma separated list of roles]"
      verbs="[comma separated list of verbs]" />

* : everyone

? : anonymous

verbs: POST, GET, HEADER, DEBUG
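Slides 18, 20 and 24 together describe how ASP.NET decides whether a request is allowed: rules are tried in order and the first one that matches wins, a sub-folder's `<location>` rules are consulted before the application root, and Machine.config contributes an implicit `<allow users="*" />` at the end. As an added example that is not part of the course notes, the Python below parses a constructed Web.config laid out like slide 20 and evaluates requests against it; it goes beyond the slides by adding a Lab5/Admin location with a roles rule and a verbs rule at the root, and the names load_rules and is_authorized are this example's own.

```python
"""Added example, not from the course notes: an evaluator for <authorization>
rules that follows the ASP.NET URL-authorization semantics the slides rely on
(first matching rule wins; rules from the closest <location> are consulted
before the root; machine.config's implicit <allow users="*"/> is the fallback).
SAMPLE_WEB_CONFIG is constructed for this example; the Lab5/Admin location and
the verbs rule go beyond the slides to show roles, verbs and deny="*"."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" verbs="POST" />
    </authorization>
  </system.web>
  <location path="Lab5">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Lab5/Admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _split(attr):
    """'a, b' -> ['a', 'b']; a missing attribute -> []."""
    return [v.strip() for v in attr.split(",") if v.strip()] if attr else []


def load_rules(config_xml):
    """Return [(path_prefix, [(action, users, roles, verbs), ...])]; '' is the root."""
    root = ET.fromstring(config_xml)
    rule_sets = []

    def collect(system_web, prefix):
        rules = []
        authz = system_web.find("authorization")
        if authz is not None:
            for el in authz:
                if el.tag in ("allow", "deny"):
                    rules.append((el.tag, _split(el.get("users")),
                                  _split(el.get("roles")), _split(el.get("verbs"))))
        rule_sets.append((prefix, rules))

    if root.find("system.web") is not None:
        collect(root.find("system.web"), "")
    for loc in root.findall("location"):
        if loc.find("system.web") is not None:
            collect(loc.find("system.web"), loc.get("path", "").strip("/").lower())
    return rule_sets


def _matches(rule, user, roles, verb):
    """user=None means anonymous.  A rule matches if its verb list (when present)
    contains the verb and the user matches any users entry or any roles entry."""
    _, users, rule_roles, verbs = rule
    if verbs and verb.upper() not in {v.upper() for v in verbs}:
        return False
    for u in users:
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u.lower() == user.lower():
            return True
    if user is not None:
        have = {r.lower() for r in roles}
        if any(r.lower() in have for r in rule_roles):
            return True
    return False


def is_authorized(rule_sets, path, user=None, roles=(), verb="GET"):
    """Decide a request: most specific matching <location> first, then the root,
    then the implicit machine.config allow-all."""
    req = path.strip("/").lower()
    applicable = [(p, r) for p, r in rule_sets
                  if p == "" or req == p or req.startswith(p + "/")]
    applicable.sort(key=lambda pr: len(pr[0]), reverse=True)
    for _, rules in applicable:
        for rule in rules:
            if _matches(rule, user, roles, verb):
                return rule[0] == "allow"
    return True   # machine.config: <allow users="*" />


if __name__ == "__main__":
    rs = load_rules(SAMPLE_WEB_CONFIG)
    for path, user, roles, verb in [("Default.aspx", None, (), "GET"),
                                    ("Default.aspx", None, (), "POST"),
                                    ("Lab5/Shopping.aspx", None, (), "GET"),
                                    ("Lab5/Shopping.aspx", "jim", (), "GET"),
                                    ("Lab5/Admin/Users.aspx", "jim", (), "GET"),
                                    ("Lab5/Admin/Users.aspx", "jim", ("admin",), "GET")]:
        print(path, user or "(anonymous)", verb, "->", is_authorized(rs, path, user, roles, verb))
```

The Lab5/Admin block shows why order matters: `<allow roles="admin" />` followed by `<deny users="*" />` admits administrators and nobody else, whereas the reverse order would deny everyone, because `<deny users="*" />` would match first.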

Other Login Controls

• ChangePassword

• LoginName

• LoginStatus

• LoginView

• PasswordRecovery

25

Lab5MasterPage

• Add LoginName and LoginStatus

26

New Page Checkout

• Maintain a shopping bag for each session

• Add items into the shopping bag when shopping

• GridView to display all items in the shopping bag on checkout

• Clear the bag when checkout

27

Shopping Bag

• Your Choice

– DataTable

– ArrayList

– New class

– . . .

• Location

– SQLDataClass

– . . .

28

Shopping Bag

    Public Shared Function NewShoppingBag() As Data.DataTable
        Dim bag As New Data.DataTable
        bag.Columns.Add("Product ID")
        bag.Columns.Add("Product Name")
        bag.Columns.Add("Unit Price")
        bag.Columns.Add("Quantity")
        bag.Columns.Add("Cost")
        ' Product ID is the primary key, so Rows.Find can look up an item by ID
        Dim PK() As Data.DataColumn = {bag.Columns(0)}
        bag.PrimaryKey = PK
        Return bag
    End Function

29

Global.vb

Sub Session_Start(. . .)

. . .

' For Lab5

Session("Lab5_Bag") = SQLDataClass.NewShoppingBag

. . .

End Sub

30

Page Shopping

• New Button “Add to Shopping Bag”

• Click Event

    Dim myBag As Data.DataTable = Session("Lab5_Bag")
    Dim row As Data.DataRow = myBag.NewRow
    row(0) = txtID.Text
    row(1) = txtName.Text
    row(2) = txtPrice.Text
    row(3) = txtQuanity.Text
    row(4) = txtSubTotal.Text
    ' If this product is already in the bag, drop the old row so the new one replaces it
    Dim r As Data.DataRow = myBag.Rows.Find(row(0))
    If Not r Is Nothing Then
        myBag.Rows.Remove(r)
    End If
    myBag.Rows.Add(row)

31

Page Checkout

Protected Sub Page_Load(. . .) Handles Me.Load

GridView1.DataSource = Session("Lab5_Bag")

GridView1.DataBind()

End Sub

32

Page Checkout

Protected Sub Button1_Click(. . .) Handles Button1.Click
    ' End the current session
    ' will clear all session variables
    Session.Abandon()
    ' Logout of Membership
    FormsAuthentication.SignOut()
    ' Go to Login.aspx
    Response.Redirect(FormsAuthentication.LoginUrl)
End Sub

33