Using the Security Controls in ASP.NET Whidbey

by Wei-Meng Lee

In ASP.NET 1.1, you can use forms-based authentication to authenticate web users through a custom login page. While this is a useful and straightforward technique, it still requires you to write your own code to perform the authentication, most often against a SQL Server database. The new security controls in ASP.NET Whidbey greatly reduce this mundane work. In this article, I will illustrate how to use the various security controls that come with ASP.NET Whidbey to help secure your web resources.

Creating a Login Page

Let's first take a look at how to create a simple web site that authenticates users using the built-in security controls. Launch Visual Studio .NET Whidbey, create a new web site, and name it "Membership." Rename the default.aspx Web form to main.aspx. Add a web.config file by right-clicking on the web site name in Solution Explorer and selecting Add New Item (see Figure 1).

Figure 1. Adding a new web.config file to the web site

Modify the web.config file by adding the following lines. This changes the authentication mode from the default "Windows" to "Forms." The web form to be used for authentication is named login.aspx:

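<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
   <system.web>
     <compilation debug="false" />
     <!-- Forms mode: unauthenticated users are sent to loginUrl; timeout is in minutes -->
     <authentication mode="Forms">
        <forms name=".ASPXAUTH"
               loginUrl="login.aspx"
               timeout="999999" />
     </authentication>
     <roleManager enabled="true" />
     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
   </system.web>
</configuration>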
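
The forms ticket settings above are convenient for a walkthrough, but timeout="999999" keeps an authentication ticket valid for roughly 694 days. The following is an added example, not part of the original article, showing the same file with the ticket settings tightened. The 30-minute timeout and the assumption that the site is served over HTTPS are illustrative choices, and loginUrl follows the article's statement that the login form is login.aspx.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <!-- debug="false" keeps debug builds off the production site -->
    <compilation debug="false" />
    <authentication mode="Forms">
      <!--
        timeout            minutes the ticket stays valid; 999999 is about 694 days,
                           so a copied cookie would remain usable for that long.
                           30 is an assumed value; pick what your users tolerate.
        slidingExpiration  renews the ticket while the user is active, so a short
                           timeout does not log out someone who is still working.
        protection="All"   encrypts and validates (MACs) the ticket, so it can be
                           neither read nor altered on the client.
        requireSSL="true"  marks the cookie Secure, so the browser sends it only
                           over HTTPS (assumes the site has an HTTPS binding).
        path="/"           scope of the cookie; narrow it if only part of the
                           site needs authentication.
      -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true"
             path="/" />
    </authentication>
    <roleManager enabled="true" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
  </system.web>
</configuration>
```

With requireSSL="true", login.aspx itself must be requested over HTTPS; otherwise the ticket is never sent back and the user appears to stay logged out.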

The Membership Provider used in this case is the default one that uses Microsoft Access to store the users' information. Eventually, Whidbey will also include the following Membership Providers:

  • Access
  • SQL Server
  • Active Directory

We will discuss the Access database later in this article. In the Toolbox, you will see the various security controls under the Security tab (see Figure 2):

Figure 2. The security controls in ASP.NET Whidbey

Populate the main.aspx web form with the following controls (see Figure 3):

  • LoginStatus
  • LoginView

Figure 3. Populating the web form with the LoginStatus and LoginView controls

The LoginStatus control displays a hyperlink that shows "Login" when the user is unauthenticated, and "Logout" when the user is logged in. The LoginView control is a container that displays different information depending on whether the user is logged in or not. Configure the LoginView control by clicking on it and selecting the Edit Templates link (see Figure 4):

Figure 4. Editing the LoginView control

There are two templates you can configure: AnonymousTemplate and LoggedInTemplate. Change the Display drop-down box to AnonymousTemplate and key the text (as shown in Figure 5) into the LoginView control:

Figure 5. Editing the AnonymousTemplate

Likewise, change the Display drop-down box to LoggedInTemplate and key the text (as shown in Figure 6) into the LoginView control. Also, drag and drop the LoginName control into the LoginView control:

Figure 6. Editing the LoggedIn Template

Click on End Template Editing to complete the editing of the LoginView control. You should see something like Figure 7:

Figure 7. Viewing the LoginView control

Now that you have created the web.config file and populated the web form, let's add a new web form and name it login.aspx. On this web form, drag and drop a Login control (see Figure 8). You can click on Auto Format... to change the layout of the control:

Figure 8. Using the Login control