Contents
- Role providers
- Configuration
- Integration
- Conclusion
Membership providers and role providers in ASP.NET 2.0. Original article: http://odetocode.com/Articles/428.aspx
Translated by Ji Jun, European Union Software Technology Company
In the first part, we discussed the provider model, authorization, and the SqlMembershipProvider class. In this article, we focus on role providers and authorization.
Once the user's identity is established, you need to decide what the user is allowed to do and which pages they may access. The usual technique for managing permissions is to divide users into groups, or roles, and assign permissions by role. For example, your application may have 10,000 registered users but only three roles: administrator, registered user, and anonymous user. Roles reduce the administrative work of running a site: when you want to grant or restrict access for all registered users, you only need to change the permissions of one role, and other user accounts are unaffected.
Typically, the web.config file is used to allow or deny groups of users access to files and folders. This configuration lives in the <authorization> section of web.config and looks like <allow roles="Administrators"/>. Compared with listing individual user accounts, roles make it easy to cover larger groups of users. In ASP.NET 2.0 you can use the ASP.NET Web Site Administration Tool to define these authorization settings.
The RoleProvider class is the base class of all role providers. As we mentioned in the first part, the RoleProvider class defines the contract that all ASP.NET 2.0 role providers follow. It covers creating and deleting roles, adding users to and removing users from a role, and checking which roles a given user belongs to. In other words, it defines all the methods you need to perform authorization checks in your program. If ASP.NET does not ship with the role provider you need (you may, for example, need to store role information in Oracle), you can write your own provider that derives from RoleProvider and plug it into ASP.NET.
To interact with the role provider, use the Roles class in the System.Web.Security namespace. The static Roles class exposes methods and properties that call into the currently configured role provider. For example, Roles.GetAllRoles calls the GetAllRoles method of the current role provider to obtain an array of all valid role names. When you perform an authorization check, the Roles.IsUserInRole method is the one you will use most.
Role providers
Each role provider works with a different data source.
The role providers shipped in System.Web.dll include the SqlRoleProvider. Like the SqlMembershipProvider we mentioned in the first part, it stores role information in a SQL Server database.
The WindowsTokenRoleProvider obtains role information from Windows user group membership. The WindowsTokenRoleProvider is read-only (you cannot create roles or change a role's membership), but it is useful when the application uses Windows authentication with anonymous access disabled.
The AuthorizationStoreRoleProvider works together with Microsoft Authorization Manager (AzMan). AzMan can use role information stored in an XML file or in Active Directory. The AuthorizationStoreRoleProvider works well in LAN and WAN applications, but it is difficult to run in a partial-trust environment.
Configuration
The role manager in ASP.NET is disabled by default. You can turn it on from the Security page of the Web Site Administration Tool, which adds the following section to the application's web.config file:
<system.web>
  <roleManager enabled="true"/>
</system.web>
The default provider configuration lives in machine.config:
<roleManager>
  <providers>
    <add name="AspNetSqlRoleProvider"
         connectionStringName="LocalSqlServer"
         applicationName="/"
         type="System.Web.Security.SqlRoleProvider,..."/>
    <add name="AspNetWindowsTokenRoleProvider"
         applicationName="/"
         type="System.Web.Security.WindowsTokenRoleProvider,..."/>
  </providers>
</roleManager>
Note that LocalSqlServer is the default connection string used by the SqlRoleProvider. As we mentioned in the first part, LocalSqlServer is a connection string defined in machine.config that points to the aspnetdb SQL Server Express database in the App_Data folder. If your SqlRoleProvider and SqlMembershipProvider use a database other than the one in App_Data, you must first run the aspnet_regsql.exe tool against it (found in the \Windows\Microsoft.NET\Framework\v2.0.xxxx folder, where xxxx is the last four digits of the installed version). See the first part of this article for details.
The applicationName attribute of the SqlRoleProvider matters when you use a database other than the App_Data one. If two web applications need to share role information, give them the same applicationName and point them at the same database. If two applications use the same database but should not share role information, give them different applicationName values. The applicationName attribute partitions the data by application.
Let's look at an example web.config that configures the membership provider and the role provider to use a SQL Server database named aspnetdb on the local server.
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MyAspNetDb"
         connectionString="Server=.;Database=aspnetdb;Integrated Security=true"/>
  </connectionStrings>
  <system.web>
    <roleManager enabled="true">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider"
             connectionStringName="MyAspNetDb"
             applicationName="/SampleRolesApp"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </roleManager>
    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider"
             connectionStringName="MyAspNetDb"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             applicationName="/SampleRolesApp"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </membership>
    <authentication mode="Forms"/>
  </system.web>
</configuration>
The first step is to define the connection string that tells ASP.NET where to find the database. We then enable the role manager and use <clear/> to remove any providers inherited from higher-level configuration. As with the membership provider configured in the same file, the connectionStringName and applicationName attributes point to the same database and use the same application name.
If you want to use the WindowsTokenRoleProvider, almost no configuration is required. It needs no database and simply reads the Windows group membership of the user. To use the WindowsTokenRoleProvider, add the following element to web.config (or select it on the Providers page of the Web Site Administration Tool):
<roleManager enabled="true"
             defaultProvider="AspNetWindowsTokenRoleProvider"/>
As mentioned earlier, the AuthorizationStoreRoleProvider uses AzMan. For more information, see "How To Use Authorization Manager from ASP.NET" and "How To Use Active Directory Application Mode (ADAM) from ASP.NET".
Integration
Once the role provider is configured, you can add role information to the application and set the corresponding permissions. Using web.config, we can restrict access to certain areas of the web application to specific roles. For example, placing the following section in a directory's web.config makes that directory accessible only to users in the admin role.
<system.web>
  <authorization>
    <allow roles="admin"/>
    <deny users="*"/>
  </authorization>
</system.web>
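The same restriction can be kept in the root web.config with a <location> element, so the whole site's access policy is in one file. This is an added example, not part of the original article; the Admin folder and the Admin role are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original article. The Admin folder and the
     Admin role are assumed (constructed) names. -->
<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <roleManager enabled="true"/>
    <!-- Site-wide: anonymous users ("?") must log in before seeing any page. -->
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

  <!-- Equivalent to a web.config placed inside the Admin folder. Rules in a
       <location> are evaluated before the rules of the enclosing file. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins, so the
             allow for the role must come before the catch-all deny. -->
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Without the closing <deny users="*"/>, evaluation falls through to the <allow users="*"/> rule inherited from the root configuration, so any logged-in user would reach the Admin folder.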
In code, you can use Roles.IsUserInRole to check role membership explicitly.
If Roles.IsUserInRole("admin") Then
    ' Perform an admin action
Else
    ' Give the user an error message
End If
You can also use the PrincipalPermission attribute to declare that a method or class requires the user to be in a particular role. If the current user is not in that role, the code does not execute and an exception is thrown.
<PrincipalPermission(SecurityAction.Demand, Role:="registered")> _
Protected Sub DoSomethingImportant()
    ' ...
End Sub
Conclusion
The extensible provider model in ASP.NET 2.0 implements features we have had to write ourselves for years, such as membership and role management. The model is both configurable and extensible: when no provider in the toolbox fits, we can write our own.