CodeProject: Custom Membership,Role Providers,Website Administration Tool,Role Based Access to individual files. Free source code and programming help

Report Article

Discuss

Send to a friend

5 votes for this Article.

Popularity: 1.94 Rating: 2.78 out of 5

Note: This is an unedited contribution. If this article is inappropriate, needs attention or copies someone else's work without reference then please Report This Article

Sample Image - maximum width is 600 pixels

Introduction

I present here sample custom membership provider and custom role provider. This gives the idea how we can easily implement our own custom providers using our own simple custom database.

In addition to it I provide complete website administration tool which can edit the website settings. It has both create/edit/manage users and create/edit/manage roles facility.

Finally I introduce a different approach towards role based access control to individual files itself. The information about multiple aspx files is stored in "Activities" database. Through website administration tool we can assign role based access rights to individual aspx files. ( The code is just an example for the point which I want to make. I have tested the providers but the activities module has not been tested for production yet. I would appreciate feedback and expert's advise as well for the same so that I am able to improve it. )

If you want to override my approach with the default role based access to the directories, try storing the location to the folders instead with "/" included at the end. I have written two methods "allowfolderaccess" and "denyfolderaccess" using the classic System.Web.Configuration approach.

Background

If we want form based authentication and role based authorization in our website, we can use the Membership API and Role API of the .Net Framework. The fun in using this feature is that, if you do not want to create your own classes and database structure and still want a strong membership and role management feature in place, you can use the default providers which are inbuilt into the database. These default providers create a default database ASPNETDB and stores the information about users and roles in this database.

A much bigger advantage with this feature is that, if you do not want to use the default classes and default database but want your own database structure, you can modify the entire behaviour of your web application according to your needs. The only thing you have to take care is that you will have to implement a defined set of interfaces in your class, so that API can use it. The Membership API and Roles API have a defined set of interfaces which you will have to implement. For Example, MembershipProvider interface for Membership API, RoleProvider interface for Roles API, Profileprovider for Profiles API etc.

Now, how do you do it? Just create a new class in App_Code folder named MyMembershipprovider or any name which you like and say that it implements Membershipprovider like this:

public class MyMembershipProvider : MembershipProvide

Then right click on the MembershipProvider and Click on "Implement Abstract Class". Blank functions are created automatically, only thing you have to do is fill in the blanks.

The proper steps to use custom membership provider are:

1. Configure forms authentication in your web.config file as usual, and deny access to anonymous
users. Like this:

<authentication mode="Forms">
<forms name="code-pro-ject" loginUrl="login.aspx" />
</authentication>
<authorization>
<deny users="?"></deny>
<allow roles="Administrator"></allow>
</authorization>

2. Set up the data store. For example, if you are using SQL Server, you have to
create the necessary tables and stored procedures in a SQL Server database of your choice. I have created the following tables:

3. In the web.config file Configure the database connection string and the Membership provider you want to use like this:

  <connectionStrings>
    <add name="UsersDb" 
      connectionString="Server=.\SQLExpress;Database=SampleDb;Integrated Security=True;AttachDbFilename=|DataDirectory|UsersDb.mdf;User Instance=True;" 
      providerName="System.Data.SqlClient"/>
  </connectionStrings>

AND......

<membership defaultProvider="MyMembershipProvider" userIsOnlineTimeWindow="20">
<providers>
<clear/>
<add name="MyMembershipProvider"
type="MyMembershipProvider"
connectionStringName="UsersDb"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresUniqueEmail="false"
requiresQuestionAndAnswer="false"
passwordStrengthRegularExpression=""
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordFormat="Hashed"
applicationName="/" />
</providers>
</membership>

<roleManager enabled="true" defaultProvider="MyRoleProvider">
<providers>
<clear/>
<add name="MyRoleProvider" connectionStringName="UsersDb"
  applicationName="/"
  type="MyRoleProvider" />
</providers>
</roleManager>

4. Create users in your Membership store using the ASP.NET web configuration utility or using
a custom website administration pages which you can make yourself.
5. Create a login page that uses the prebuilt Login control, or create a login page that uses the
Membership class for validating the entered credentials and authenticating the user.

Using the code

You can download the code at the end of this article and directly copy the code to your machine to check the functionality. You can change the name of database in the web.config file's connectionStrings settings.

I have tested the application to be working fine with my activities thing included into it. **If you do not want to use the activity thing and are only interested in custom Membership Provider and custom Role Provider, you can store only the location of folders with "/" included in the end in the activities database and it should work fine.... I have included functions for this (but I have not properly checked it.. please bear with me untill I test it further, as I am presently working on the activities thing).

I have not used any stored procedures in these providers, so you can easily include the fields which I am using into your tables and change the sql statements accordingly. This means you can integrate it into your own website with lesser effort.

**Please take care that the web.config files in the sub directories of this project do not have xmlns="..." attributes to their configuration elements. This is because I am not very good at namespaces. The first update which I will post will be able to handle this. However, if you only store the folder informatio, I think it will work fine because it does not uses my Datamanager class instead it uses System.Web.Configuration's classes to modify the access rights.

Note:

Please follow the corrections suggested by zemma for Admin/Roles/Default.aspx: Button1_Click ,Admin/Roles/Default.aspx: Button2_Click and Admin/Roles/Default.aspx: denyfolderacces in the reply messages to this article below.

Points of Interest

If you need more information about these topics, you can follow these links:

1. Role-based Security with Forms Authentication
2. Examining ASP.NET 2.0's Membership, Roles, and Profile - Part 1
3. Rolling Your Own Website Administration Tool - Part 1

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Amit Kumar Thakur

"go back and revise the stuff from where you copied this.... Your employer would probably not be happy to see you publishing such a poor reflection on the quality of his employees......actually.... you should be Embarrassed...."

Amit Kumar Thakur wrote:
however I request further comments please. -
How about this: Based on your response to the two comments already made, I have no intention of wasting any time commenting on this half-baked, badly written first draft..

KICKING HARDER THAN EVER BEFORE.....
STILL.... THIS IS NOT THE LAST BATTLE AND STILL.... THIS IS NOT THE BEST FIGHT WHICH I CAN PUT UP.

Occupation:	Web Developer
Location:	India

Other popular ASP.NET articles:

Multiple File Upload With Progress Bar Using Flash and ASP.NET
How to use Flash to upload multiple files in a medium-trust hosting environment
CAPTCHA Image
Using CAPTCHA images to prevent automated form submission.
10 ASP.NET Performance and Scalability Secrets
10 easy ways to make ASP.NET and AJAX websites faster, more scalable and support more traffic at lower cost
Paging of Large Resultsets in ASP.NET
An article about optimization and performance testing of MS SQL Server 2000 stored procedures used for paging of large resultsets in ASP.NET
File Upload with ASP.NET
This article shows you how work with uploading of the files using ASP.NET and C#.

Article Top

You must Sign In to use this message board.

Msgs 1 to 7 of 7 (Total in Forum: 7) (Refresh)

FirstPrevNext

15hrs 57mins ago

9:33 21 Nov '08

how do insert Activities [modified]

1:21 4 Sep '08

13:02 13 Jun '08

3:53 10 Jun '08

Hi! Before anything, this is a great article! Thanks!
My english is not the best, so i hope you can understand me.

I've been testing this work, and found a few things to correct or modify, please tell me if I'm wrong.
This is what I've found:

1. Admin/Roles/Default.aspx: Button1_Click (Click on right arrow)
In this part:

                else if (activitylink.EndsWith("/"))
                {
                    allowfolderaccess(activitylink, rolename);
                }

i added this:

                else if (activitylink.EndsWith("/"))
                {
                    allowfolderaccess(activitylink, rolename);
		    AuthDataManager.assignActivitytoRole(chkd.Value.ToString(), rolename);
                }

This is because it was modifying the web.config but it wasn't saving the data in the DB.

2. Admin/Roles/Default.aspx: Button2_Click (Click on left arrow)
In this part:

                else if (activitylink.EndsWith("/"))
                {
                    denyfolderaccess(activitylink, rolename);
                }

i added this:

                else if (activitylink.EndsWith("/"))
                {
                    denyfolderaccess(activitylink, rolename);
		    AuthDataManager.removeActivityFromRole(chkd.Value.ToString(), rolename);
                }

Same reasons than previous point.

3. Admin/Roles/Default.aspx: denyfolderaccess method.
The problem here is that the "Remove" method can't be used inside the foreach loop; it gives an error (something that the collection has been modified, so that enumeration operation cannot be done.)
For solving this I created an auxiliar AuthorizationRule in which I put only the roles that must remain in the web.config.
After that, I created an auxiliar AuthorizationSection from the same SystemWebSectionGroup, cleared its Rules and added the new auxiliar rules.
Finally, I replaced the section with the new auxiliar section (before saving the config).
Here is the code:

    private void denyfolderaccess(string folderpath, string rolename)
    {
        string virtualFolderPath = folderpath;
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualFolderPath);
        SystemWebSectionGroup systemWeb = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
        AuthorizationSection section = (AuthorizationSection)systemWeb.Sections["authorization"];

        AuthorizationRule ruleAux = new AuthorizationRule(AuthorizationRuleAction.Allow);
        foreach (AuthorizationRule rule in section.Rules)
        {
            if (rule.ElementInformation.IsPresent)
            {
                foreach (string str in rule.Roles)
                {
                    if (str != rolename)
                        ruleAux.Roles.Add(str);
                }
            }
        }
        AuthorizationSection sectionAux = (AuthorizationSection)systemWeb.Sections["authorization"];
        sectionAux.Rules.Clear();

        if (ruleAux.Roles.Count > 0)
            sectionAux.Rules.Add(ruleAux);
        
        section = sectionAux;
        config.Save();
    }

That's all. Thanks again for your article. I wait comments.
Greetings.

2:56 2 Sep '08

5:34 2 May '08

Last Visit: Wednesday, December 3, 2008 9:27 PM Last Update:Wednesday, December 3, 2008 9:27 PM

General News Question Answer Joke Rant Admin