
Custom Membership, Role Providers, Website Administration Tool, Role Based Access to individual files

By Amit Kumar Thakur

Custom Membership and Role Providers, Website Administration Tool, Role Based Access to individual files
C# (C# 2.0), Javascript, CSS, HTML, .NET (.NET 2.0, Mono, DotGNU, .NET 3.0, .NET 3.5), ASP.NET, IIS (IIS 6, IIS 7), CEO, Architect, DBA, Dev, QA
Posted: 28 Dec 2007
Updated: 2 Sep 2008

Introduction

I present here a sample custom membership provider and a custom role provider. They show how easily we can implement our own custom providers on top of our own simple custom database.

In addition, I provide a complete website administration tool that can edit the website settings. It can create, edit, and manage both users and roles.

Finally, I introduce a different approach to role-based access control, applied to individual files. The information about multiple aspx files is stored in the "Activities" database. Through the website administration tool we can assign role-based access rights to individual aspx files. (The code is just an example of the point I want to make. I have tested the providers, but the activities module has not been tested for production yet. I would appreciate feedback and experts' advice on it so that I am able to improve it.)

If you want to override my approach with the default role-based access to directories, try storing the locations of the folders instead, with "/" included at the end. I have written two methods, "allowfolderaccess" and "denyfolderaccess", using the classic System.Web.Configuration approach.

Background

If we want forms-based authentication and role-based authorization in our website, we can use the Membership API and Roles API of the .NET Framework. The fun in using this feature is that, if you do not want to create your own classes and database structure and still want a strong membership and role management feature in place, you can use the built-in default providers. These default providers create a default database, ASPNETDB, and store the information about users and roles in it.

A much bigger advantage of this feature is that, if you do not want to use the default classes and default database but want your own database structure, you can modify the entire behaviour of your web application according to your needs. The only thing you have to take care of is that you will have to implement a defined set of interfaces in your class, so that the API can use it. The Membership API and Roles API each have a defined set of interfaces which you will have to implement: for example, MembershipProvider for the Membership API, RoleProvider for the Roles API, ProfileProvider for the Profiles API, and so on.

Now, how do you do it? Just create a new class in the App_Code folder named MyMembershipProvider, or any name you like, and declare that it implements MembershipProvider like this:

public class MyMembershipProvider : MembershipProvider

Then right-click on MembershipProvider and click "Implement Abstract Class". Blank functions are created automatically; the only thing you have to do is fill in the blanks.

The proper steps to use custom membership provider are:

1. Configure forms authentication in your web.config file as usual, and deny access to anonymous users, like this:

<authentication mode="Forms">
<forms name="code-pro-ject" loginUrl="login.aspx" />
</authentication>
<authorization>
<deny users="?"></deny>
<allow roles="Administrator"></allow>
</authorization>
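
An added example, not part of the original article: ASP.NET evaluates authorization rules top-down, stops at the first match, and otherwise falls through to the inherited `<allow users="*" />`. With the rules above, any authenticated user is therefore admitted whatever their role, because nothing denies them after the `allow`. The fragment below restricts one folder to the Administrator role; the `Admin` path is taken from the page names mentioned later in this article, and `requireSSL` and the `timeout` value are assumptions for a site served over HTTPS.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and validates the ticket; requireSSL keeps
           the cookie off plain HTTP (assumes the site is served over HTTPS). -->
      <forms name="code-pro-ject" loginUrl="login.aspx"
             protection="All" requireSSL="true"
             timeout="20" slidingExpiration="true" />
    </authentication>
    <authorization>
      <!-- Site-wide: anonymous users are sent to login.aspx. Authenticated
           users of any role pass, because the inherited rule allows everyone. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <!-- First match wins: the allow comes first, and the closing
             deny users="*" stops the fall-through to the inherited allow. -->
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```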


2. Set up the data store. For example, if you are using SQL Server, you have to create the necessary tables and stored procedures in a SQL Server database of your choice. I have created the following tables:


3. In the web.config file, configure the database connection string and the membership provider you want to use, like this:

  <connectionStrings>
    <add name="UsersDb" 
      connectionString="Server=.\SQLExpress;Database=SampleDb;Integrated Security=True;AttachDbFilename=|DataDirectory|UsersDb.mdf;User Instance=True;" 
      providerName="System.Data.SqlClient"/>
  </connectionStrings>

And:

<membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="20">
  <providers>
    <clear/>
    <add name="MyMembershipProvider"
      type="MyMembershipProvider"
      connectionStringName="UsersDb"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresUniqueEmail="false"
      requiresQuestionAndAnswer="false"
      passwordStrengthRegularExpression=""
      minRequiredPasswordLength="1"
      minRequiredNonalphanumericCharacters="0"
      passwordFormat="Hashed"
      applicationName="/" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="MyRoleProvider">
  <providers>
    <clear/>
    <add name="MyRoleProvider" connectionStringName="UsersDb"
      applicationName="/"
      type="MyRoleProvider" />
  </providers>
</roleManager>
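
An added example, not the article's own configuration: the membership settings above accept one-character passwords and set no lockout thresholds. The fragment below tightens them; the numeric values are illustrative assumptions, and with a custom provider they take effect only if MyMembershipProvider reads them in its Initialize method and enforces them in CreateUser, ChangePassword and ValidateUser, which the article does not show.

```xml
<membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="20">
  <providers>
    <clear/>
    <!-- Weak in the original: minRequiredPasswordLength="1",
         minRequiredNonalphanumericCharacters="0", no lockout attributes.
         The replacement values below are illustrative assumptions. -->
    <!-- passwordFormat="Hashed" pairs with enablePasswordRetrieval="false":
         a hashed password cannot be returned, only reset. How the hash is
         computed and salted is up to the custom provider's own code. -->
    <!-- maxInvalidPasswordAttempts / passwordAttemptWindow (minutes) are
         handed to the provider as plain attributes; a custom provider must
         count failures and lock the account itself. -->
    <add name="MyMembershipProvider"
         type="MyMembershipProvider"
         connectionStringName="UsersDb"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresUniqueEmail="false"
         requiresQuestionAndAnswer="false"
         minRequiredPasswordLength="12"
         minRequiredNonalphanumericCharacters="1"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10"
         passwordFormat="Hashed"
         applicationName="/" />
  </providers>
</membership>
```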


4. Create users in your Membership store using the ASP.NET web configuration utility or using custom website administration pages which you can make yourself.
5. Create a login page that uses the prebuilt Login control, or create a login page that uses the Membership class for validating the entered credentials and authenticating the user.

Using the code

You can download the code at the end of this article and directly copy the code to your machine to check the functionality. You can change the name of database in the web.config file's connectionStrings settings.

I have tested the application to be working fine with my activities thing included in it. **If you do not want to use the activity thing and are only interested in the custom Membership Provider and custom Role Provider, you can store only the locations of folders, with "/" included at the end, in the activities database and it should work fine. I have included functions for this (but I have not properly checked them; please bear with me until I test them further, as I am presently working on the activities thing).

I have not used any stored procedures in these providers, so you can easily include the fields which I am using in your tables and change the SQL statements accordingly. This means you can integrate it into your own website with less effort.

**Please take care that the web.config files in the sub directories of this project do not have xmlns="..." attributes on their configuration elements. This is because I am not very good at namespaces. The first update which I will post will be able to handle this. However, if you only store the folder information, I think it will work fine because it does not use my Datamanager class; instead it uses System.Web.Configuration's classes to modify the access rights.

Note:

Please follow the corrections suggested by zemma for Admin/Roles/Default.aspx: Button1_Click, Admin/Roles/Default.aspx: Button2_Click and Admin/Roles/Default.aspx: denyfolderaccess in the reply messages to this article below.

Points of Interest

If you need more information about these topics, you can follow these links:

1. Role-based Security with Forms Authentication
2. Examining ASP.NET 2.0's Membership, Roles, and Profile - Part 1
3. Rolling Your Own Website Administration Tool - Part 1

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Amit Kumar Thakur


"go back and revise the stuff from where you copied this.... Your employer would probably not be happy to see you publishing such a poor reflection on the quality of his employees......actually.... you should be Embarrassed...."

Amit Kumar Thakur wrote:
however I request further comments please. -
How about this: Based on your response to the two comments already made, I have no intention of wasting any time commenting on this half-baked, badly written first draft..

KICKING HARDER THAN EVER BEFORE.....
STILL.... THIS IS NOT THE LAST BATTLE AND STILL.... THIS IS NOT THE BEST FIGHT WHICH I CAN PUT UP.
Occupation: Web Developer
Location: India

Last Updated: 2 Sep 2008
Editor: Chris Maunder
Copyright 2007 by Amit Kumar Thakur