How To: Customize ASP.NET Security--Replacing the Security Provider
 14/03/2008 10:15
 
 Modified By PeterVogel  on 14/03/2008 11:29:58

ASP.NET's security system is probably TOO complete for most organizations--the default settings, for instance, set up a new database in the website that holds the site's usernames and passwords. Most organizations probably already have a list of usernames and passwords and want to use that list. Fortunately, the ASP.NET provider model lets you replace the "security management" portion of ASP.NET with code that you probably already have lying around. Writing a security provider to use your own list of usernames and passwords shouldn't take you more than 20 or 30 minutes.

There are three steps to implementing your own security provider:

1. Add a class module to your ASP.NET application and have it inherit from System.Web.Security.MembershipProvider

2. In the class file, put code in those methods or properties that you want to use. The more routines that you provide code for, the more of ASP.NET's security features you'll be able to use--but the only method that you must fill in is the ValidateUser method.

3. In the site's web.config file, tell ASP.NET that you want to use your security provider by adding these tags after the <system.web> tag. In the type attribute put the name of the class you added:

<system.web>

  <membership defaultProvider="MyNewProvider">
    <providers>
      <add name="MyNewProvider" type="nameOfYourSecurityProviderClass" />
    </providers>
  </membership>

The ValidateUser method is automatically passed the username and password so, in the ValidateUser routine, all you have to do is validate those two strings against your existing list of users (this is code you probably already have). ValidateUser must either return True (if the username/password is a valid combination) or False (if they're not). The ValidateUser method is the method called from the ASP.NET Login control so, once you've written this method, you can use the Login control on your website. ASP.NET will handle setting up the ASP.NET security cookie and checking that cookie each time the user accesses the site.

If you fill in the other methods in your class file you can use other ASP.NET security controls. For instance, if you put code in the class' ChangePassword method, you can use the ASP.NET ChangePassword control. It just depends on how much work you want to do and what security functionality you want to add to your site.

One caveat: If you only fill in the ValidateUser method then you'll have to use user-based security (rather than role-based security) to control access to the pages on your site. If you want to use role-based security with your own security provider, you'll need to write your own role manager. Fortunately, that's just as easy.
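
The ValidateUser step from the post above, as an added C# example that is not part of the original post: it checks the supplied password against a salted PBKDF2 hash, compares in constant time, and does the same hashing work for unknown usernames so response time does not reveal which names exist. The names ExistingUserList and ExistingListProviderBase, the in-memory dictionary, the user "alice" and the iteration count are hypothetical; it assumes the existing user list stores a salt and a PBKDF2-SHA256 hash per user and that the site runs on .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Added example. The dictionary stands in for the existing user list; "alice" is constructed data.
public static class ExistingUserList
{
    const int Iterations = 100000; // assumed work factor
    static readonly Dictionary<string, byte[][]> Users =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);
    static readonly byte[][] Dummy = MakeRecord("placeholder for unknown users");
    static ExistingUserList() { Users["alice"] = MakeRecord("constructed-demo-password"); }

    static byte[] Hash(string password, byte[] salt)
    {
        // This constructor overload needs .NET Framework 4.7.2 or later.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    static byte[][] MakeRecord(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new[] { salt, Hash(password, salt) }; // [0] = salt, [1] = hash
    }

    public static bool Check(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        byte[][] rec;
        bool known = Users.TryGetValue(username, out rec);
        if (!known) rec = Dummy; // still hash, so unknown names cost the same time
        byte[] actual = Hash(password, rec[0]);
        int diff = 0; // compare every byte; no early exit on the first mismatch
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ rec[1][i];
        return known && diff == 0;
    }
}

// Abstract so that only ValidateUser appears here; the concrete class named in
// web.config derives from this and overrides the remaining abstract members.
public abstract class ExistingListProviderBase : MembershipProvider
{
    public override bool ValidateUser(string username, string password)
    {
        return ExistingUserList.Check(username, password);
    }
}
```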

 15/03/2008 04:51
 

One of my favourite new features in .NET 2.0 was the introduction of the 'application services' like Membership as providers.  Much better OOP design by letting you program against interfaces instead of concrete implementations.

Copyright 2002-15 by Dynamisys Ltd