لطفا منتظر باشید ...
ASP.NET 2.0: A Developer''''s NotebookBy
Table of Contents
| Index
| Errata
When ASP.NET hit the street a couple of years ago, it was a
real eye-opener. Microsoft''''s tool for creating dynamic,
server side web applications introduced Web Forms, a feature
with the same rapid drag and drop convenience enjoyed by
Visual Basic developers, along with a method for creating
XML-based web services. ASP.NET was more than an upgrade of
Active Server Pages it was a quantum leap ahead.
Now Microsoft has a new version of ASP.NET as part of its
upcoming next generation release of the Visual Studio .NET
development platform. ASP.NET 2.0 is already available in
beta release, and web developers are anxious to get a good
look at it. That''''s exactly what our new Developer''''s Notebook
allows you to do.
More than just an introduction to ASP.NET 2.0, this
practical guide acquaints you with all of the new features
through nearly 50 hands-on projects. Each one places
emphasis on changes in the new release that can increase
productivity, simplify programming tasks, and help you add
functionality to your applications. For example, ASP.NET 2.0
includes master pages, themes, and skins so you can build
applications with a consistent page layout and design. Other
changes allow for the automatic creation of web pages for
use on mobile devices, while wizards and controls allow you
to perform frequent tasks (like data access) without having
to write a single line of code.
ASP.NET 2.0: A Developer''''s Notebook
also includes suggestions for further experimentation, links
to on-line documentation, and practical notes and warnings
from the author regarding changes to the new version.
The new Developer''''s Notebooks series from O''''Reilly offers an
in-depth first look at important new tools for software
developers. Emphasizing example over explanation and
practice over theory, they focus on learning by doing you''''ll
get the goods straight from the masters, in an informal and
code-intensive style. If you want to get up to speed on
ASP.NET 2.0 before its official release, this all lab, no
lecture book will get you there.
5.1. Create a Login Page Using the New Security Controls
In ASP.NET 1.x, you can use form-based authentication to authenticateweb users through a custom login page. While this is a useful and
straightforward technique, it still requires
you to write your own code to perform
the authentication, most often through the use of a data store such
as SQL Server. However, this mundane task has now been simplified by
the introduction of new security controls in ASP.NET 2.0.
5.1.1. How do I do that?
In this lab, you will build a login page that employs the built-insecurity controls that ship with ASP.NET 2.0 to authenticate users.
You will use the various new Login controlsin particular,
Login, LoginView,
LoginStatus, and
LoginNameto help you accomplish tasks such
as user authentication, display of login status and login name, and
more. You will create two forms: one to display the login status of
the user and another to allow the user to log into your application.Note: Using the various Login controls, you can now perform user
authentication with ease!
The Web Forms created in this lab will lay the groundwork for the
next lab, Section 5.2, which will
add users to the site for you to test the security controls.First, we'll create a new site to use as a test bed
for the new security controls. Launch Visual Studio 2005 and create a
new web site project. Name the project
C:\ASPNET20\chap-5-SecurityControls.You'll find the security controls
you'll be using in this chapter in the Toolbox,
under the Login tab, as shown in Figure 5-1.
Figure 5-1. The security controls in ASP.NET 2.0
is
a container that displays different information depending on whether
the user is logged in or not. This page will be used to display the
status of the user (whether she is logged in or not). This
Default.aspx form will be used to display the
login status of a user.
Figure 5-2. The LoginView control
AnonymousTemplate views in the LoginView Tasks menu (see Figure 5-3). Type the following text into the LoginView
control: "You must Login to the
O'Reilly Network to post a
talkback." The Anonymous view displays this content
when a user is not yet authenticated.
Figure 5-3. Configuring the LoginView control for Anonymous view
control onto the LoginView control, as shown in Figure 5-4. The LoginStatus control displays a hyperlink
that shows "Login" before the user
is authenticated and "Logout" when
the user is logged in. Using the LoginStatus control, you can let the
user click on the link to either log into or log out of the site.
Figure 5-4. Using the LoginStatus control to display login status
LoggedInTemplate views in the LoginView Tasks menu (see Figure 5-3). Type the following text into the LoginView
control: "You are logged in as."
The LoggedIn view displays this content when a user is authenticated.Drag and drop a
LoginName control and an additional LoginStatus control onto the
LoginView control in Default.aspx, as shown in
Figure 5-5. When a user logs into the site, the
LoginName control will display the user's name that
was used to log into the application. The user will also be able to
log out of the site by clicking on the LoginStatus control.
Figure 5-5. Using the LoginName control to display a username
Login.aspx. This form will be used to let users
log into the site. Drag and drop a Login control (see Figure 5-6) onto the Login.aspx Web
Form. The Login control provides user interface elements for logging
into a web site.
Figure 5-6. Add the Login control to the Web Form
Default Login Page in ASP.NET 2.0
Note that in ASP.NET 2.0, the default login page is namedLogin.aspx (this is the default
"burned" into ASP.NET 2.0 and can
be verified by looking at
machine.config.comments).However, if you do wish to use a different name for your login page,
you can modify the Web.config file by adding the
following lines (shown in bold). This will change the authentication
mode from the default Login.aspx to
Authenticate.aspx:
<system.web>Here are the attributes of the <forms> element:nameSpecifies the name of the HTTP cookie to use for authenticationloginUrlSpecifies the name of the page to use for loginprotectionSpecifies the type of encryption, if any, to use for cookiestimeoutSpecifies the amount of time, in integer minutes, after which the
<authentication mode="Forms">
<forms name=".ASPXAUTH"
loginUrl="Authenticate.aspx"
protection="Validation"
timeout="999999" />
</authentication>
...
cookie expiresNote that ASP.NET forms authentication does not perform any type of
encryption on the credentials that are submitted via the login page,
so any login page should be protected by SSL encryption so that
credentials can't be stolen.Tip: To learn how to configure SSL on IIS, check out http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/nntp_sec_securing_connections.mspx.It's time to dress up the Login control. Apply the
Elegant scheme to the control by clicking on the Auto Format... link
in the Login Tasks menu. Your Login control should now look like the
one shown in Figure 5-7.
Figure 5-7. Applying autoformat to the Login control
(right-click the project name in Solution Explorer and select Add New
Item..., and then select Web Configuration File).In Web.config, change the authentication mode
from Windows to Forms by adding
the following line of code. You use forms authentication so that you
can add users to your web site without needing to create the user
accounts in Windows:
<system.web>You are now ready to test your application. But before you do that,
<authentication mode="Forms"/>
you have to add a user to your project. You will see how to do this
in the next lab.Tip: You should set the DestinationPageUrl property of the Login control
to one of your sites pages so that if the
Login.aspx page is loaded directly, it can
direct the user to a default page once the user is authenticated.
(The DestinationPageUrl property applies only when
Login.aspx is loaded directly.)
5.1.2. How does it work?
ASP.NET 2.0 uses a new security model known as the MembershipProvider Model. The Provider Model allows for maximum flexibility and
extensibility by enabling developers to choose the way they add
security features to their applications.As an example of the extensibility of the Provider Model, consider
the new set of Login controls, some of which you've
put to work in this lab. The controls, APIs, and providers that make
up this new model are shown in Figure 5-8.
Figure 5-8. The Membership Provider Model
Login, LoginStatus, and LoginView controls. Underlying the controls
are the APIs that perform the work required to implement their
functionality. The Membership class takes care of tasks such as
adding and deleting users, while the MembershipUser class is
responsible for managing users' information, such as
passwords, password questions, and so on. The Membership APIs use the
Membership Providers to saveor persist,
in today's jargonuser information in data
stores. Visual Studio 2005 ships with one default Membership
Provider: the SQL Express 2005 Membership Provider. The role of the
Membership Provider is to act as a bridge between the Membership APIs
and the data stores, so that information can be persisted without
requiring a developer to write the low-level code needed to access
data.If the provider supplied by Microsoft does not meet your needs, you
can either extend them or simply write your own. For instance, if you
want to save the membership information for your site in an XML
document rather than a relational database (such as SQL Server), you
can write your own provider to talk to the XML file.
5.1.3. What about...
...authenticating users without the use ofcookies?Forms authentication in ASP.NET 1.x uses an HTTP cookie to store the
encrypted username. In ASP.NET 2.0, it now supports an
additional mode of forms authentication: cookieless forms
authentication. To use cookieless forms authentication, you just need
to set the <cookieless> attribute within the
Web.config file:
<authentication mode="Forms">The cookieless attribute supports four modes:AutoDetect Automatically detects whether the browser supports cookies and will
<forms name=".ASPXAUTH"
loginUrl="Login.aspx"
protection="Validation"
timeout="999999"
cookieless="UseUri"/>
</authentication>
automatically use cookies if the browser supports themUseCookiesUses cookies for forms authentication (default behavior)UseDeviceProfileUses cookies (or not) based on device profile settings in
machine.configUseUriUses cookieless forms authentication through the URLNote: If you use cookieless forms authentication, you will notice
a long string of text embedded within your URL.
...configuring the LoginView control in Source
View?If you do not like using the LoginView wizard, you
can switch to Source View and manually
add the attributes you need to configure the control. Here is the
source view of the LoginView control that will achieve the same
result as discussed earlier:
<asp:LoginView ID="LoginView1" runat="server">
<LoggedInTemplate>
You are logged in as
<asp:LoginName ID="LoginName1" runat="server" />
<asp:LoginStatus ID="LoginStatus2" runat="server" />
</LoggedInTemplate>
<AnonymousTemplate>
You must <asp:LoginStatus ID="LoginStatus1"
runat="server" /> to the O'Reilly Network to
post a talkback.
</AnonymousTemplate>
</asp:LoginView>
5.1.4. Where can I learn more?
For more information about the various parameters in the<forms> element in Web.config, check out
the MSDN Help topic
"<forms> Element."For an overview of the Membership feature in ASP.NET 2.0, check out
the MSDN Help topic "Introduction to
Membership."
