Custom Membership, Role Providers, Website administration tool, and Role based access to individual files

• Download source code - 256 KB
• Download demo - 257 KB
• Download database script - 0.6 KB

Introduction

I present here a sample custom membership provider and a custom role provider. This article explains how to easily implement your own custom providers using your own simple custom database.

In addition, I will provide a complete website administration tool which can edit website settings. It has a create/edit/manage users feature and a create/edit/manage roles feature.

Finally, I will introduce a different approach towards role based access control to individual files. The information about multiple ASPX files is stored in an "Activities" database. Through the website administration tool, we can assign role based access rights to individual ASPX files. (The code is just an example for the point which I want to make. I have tested the providers, but the Activities module has not been tested for production yet. I would appreciate feedback and expert advise as well for the same so that I will be able to improve it.)

If you want to override my approach with the default role based access to directories, try storing the location to the folders instead, with "/" included at the end. I have written two methods, "allowfolderaccess" and "denyfolderaccess", using the classic System.Web.Configuration approach.

Background

If you want form based authentication and role based authorization in your website, you can use the Membership API and the Role API of the .NET Framework. The fun in using these is that, if you do not want to create your own classes and database structure and still want a strong membership and role management feature in place, you can use the default providers which are inbuilt into the database. These default providers create a default database, ASPNETDB, and stores the information about the users and roles in this database.

A much bigger advantage with this feature is that, if you do not want to use the default classes and default database but want your own database structure, you can modify the entire behaviour of your web application according to your needs. The only thing you have to take care is that you will have to implement a defined set of interfaces in your class so that the API can use it. The Membership API and Roles API have a defined set of interfaces which you will have to implement. For example, the MembershipProvider interface for the Membership API, the RoleProvider interface for the Roles API, the ProfileProvider for the Profiles API etc.

Now, how do you do it? Just create a new class in the App_Code folder named MyMembershipprovider, or use any name which you like, and make it implement MembershipProvider like this:

public class MyMembershipProvider : MembershipProvider

Then, right click on the MembershipProvider and click on "Implement Abstract Class". Blank functions are created automatically, and the only thing you have to do is fill in the blanks.

The proper steps to use a custom membership provider are:

1. Configure Forms Authentication in your web.config file as usual, and deny access to anonymous users. Like this:

   <authentication mode="Forms">
   <forms name="code-pro-ject" loginUrl="login.aspx" />
   </authentication>
   <authorization>
   <deny users="?"></deny>
   <allow roles="Administrator"></allow>
   </authorization>

2. Set up the data store. For example, if you are using SQL Server, you have to create the necessary tables and Stored Procedures in a SQL Server database of your choice. I have created the following tables:

   

3. In the web.config file, configure the database connection string and the Membership Provider you want to use, like this:

   <connectionStrings>
       <add name="UsersDb" 
         connectionString="Server=.\SQLExpress;Database=SampleDb;
            Integrated Security=True;AttachDbFilename=|DataDirectory|UsersDb.mdf;
            User Instance=True;" 
         providerName="System.Data.SqlClient"/>
   </connectionStrings>

   and......

   <membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="20">
   <providers>
   <clear/>
   <add name="MyMembershipProvider"
   type="MyMembershipProvider"
   connectionStringName="UsersDb"
   enablePasswordRetrieval="false"
   enablePasswordReset="true"
   requiresUniqueEmail="false"
   requiresQuestionAndAnswer="false"
   passwordStrengthRegularExpression=""
   minRequiredPasswordLength="1"
   minRequiredNonalphanumericCharacters="0"
   passwordFormat="Hashed"
   applicationName="/" />
   </providers>
   </membership>
   
   <roleManager enabled="true" defaultProvider="MyRoleProvider">
   <providers>
   <clear/>
   <add name="MyRoleProvider" connectionStringName="UsersDb"
     applicationName="/"
     type="MyRoleProvider" />
   </providers>
   </roleManager>

4. Create users in your Membership store using the ASP.NET web configuration utility, or using a custom website administration page which you can make yourself.
5. Create a login page that uses the prebuilt Login control, or create a login page that uses the Membership class for validating the entered credentials and authenticating the user.

Using the code

You can download the code provided with this article and directly copy the code to your machine to check the functionality. You can change the name of the database in the web.config file's connectionStrings settings.

I have tested the application to be working fine with my Activities thing included into it. If you do not want to use the activity thing and are only interested in a custom Membership Provider and a custom Role Provider, you can just store the location of the folders with "/" included in the end in the Activities database, and it should work fine.... I have included functions for this (but I have not properly checked them.. please bear with me until I test it further, as I am presently working on the Activities thing).^**

I have not used any Stored Procedures in these providers, so you can easily include the fields which I am using into your tables and change the SQL statements accordingly. This means you can integrate it into your own website with lesser effort.

^**Please note that the web.config files in the sub directories of this project do not have xmlns="..." attributes to their configuration elements. This is because I am not very good at namespaces. The first update which I will post will be able to handle this. However, if you only storing folder information, I think it will work fine because it does not uses my Datamanager class; instead, it uses System.Web.Configuration's classes to modify access rights.

Note

Please follow the corrections suggested by zemma for Admin/Roles/Default.aspx: Button1_Click, Admin/Roles/Default.aspx: Button2_Click, and Admin/Roles/Default.aspx: denyfolderacces in the messages posted to this article below.

Other links

If you need more information about these topics, you can follow these links:

• Role-based Security with Forms Authentication
• Examining ASP.NET 2.0's Membership, Roles, and Profile - Part 1
• Rolling Your Own Website Administration Tool - Part 1

History

• 12 July, 2011: UsersDb_Log.LDF has been deleted as it was corrupt. Re-attaching the database solves the problem. The SQL script for the database is included as well, just in case it doesn't work. If creating database from script, the user needs to input a few values before using the system. (A lot of users complained that the log file was corrupt. Removing the previous LDF and re-attaching the new one works.)