Membership Provider and Role Manager


Introduction

ASP.NET provides all the features we need to use a database to store security, user, and role membership details. It also provides a series of server controls that help us build the pages that users need and that administrators require to create accounts, change passwords, and maintain the login information and role membership for each user. The two features of ASP.NET that support this are:

  • The membership provider and the associated database tables and procedures
  • The role manager and its associated database tables and procedures

Membership Provider Configuration

The ASP.NET membership provider manages the tables in the ASP.NET application database that store details of the users we define for the Web site. The <membership> element of web.config (located within the <system.web> section) defines the configuration of the membership provider, including its connection to the database.

The <membership> element consists of a series of one or more <add> elements within the <providers> section, each of which defines the parameters for a provider that will be available for the membership system to use. By default, it includes just the first one, named AspNetSqlMembershipProvider. We have added two more to the list to demonstrate how we can choose a different configuration for our providers, if required.

The connectionStringName attribute refers to a value in the <connectionStrings> section of this web.config file, or a value defined in a web.config file nearer the root folder of this application. The remaining attributes set specific properties of the provider that control how ASP.NET pages and controls can interact with it.

<system.web>
  ...
  <membership>
    <providers>
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="LocalSqlServer"
           applicationName="/"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="false"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="7"
           minRequiredNonalphanumericCharacters="1"
           passwordAttemptWindow="10"
           passwordStrengthRegularExpression="" />

      <!-- following added to use SQL Server 2005 database -->
      <add name="Sql2005MembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="SqlServer2005"
           ... />

      <!-- following uses remote SQL Server attached database -->
      <add name="Sql2005RemoteMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, ..."
           connectionStringName="Sql2005Remote"
           ... />

    </providers>
  </membership>
  ...
</system.web>


Specifying the Database Connection Strings

The <add> elements in the <membership> section of web.config refer, through their connectionStringName attributes, to values defined in the <connectionStrings> section. These are, in order:

  • A connection to the local SQL Server Express Edition database that is an optional component we can install with Visual Studio 2005. SQL Server 2005 and SQL Server Express Edition can auto-attach an .mdf database file as they connect. The AttachDBFilename and User Instance properties of the connection string specify that this will occur, and they provide the required location and instance information.
  • A connection to a local instance of SQL Server 2005 using the database auto-attach feature.
  • A connection to a remote SQL Server that has the database already attached, specifying the login details required to connect to this database.

Notice that all specify the database named aspnetdb in the file named aspnetdb.mdf. This is the default database name, though we can specify a different name if we wish when we create the database. The physical location, when using the auto-attach feature, is the App_Data subfolder within the root of the Web site or Web application virtual directory.

Note that the <connectionStrings> element does not reside within the <system.web> section, because it stores connection strings for all other types of applications (such as Windows Forms applications) as well as Web Forms pages.

<connectionStrings>
  <add name="LocalSqlServer"
       connectionString="data source=.\SQLEXPRESS;
                         Integrated Security=SSPI;
                         AttachDBFilename=|DataDirectory|aspnetdb.mdf;
                         User Instance=true"
       providerName="System.Data.SqlClient" />
 
  <!-- following added to use SQL Server 2005 database -->
  <add name="SqlServer2005"
       connectionString="data source=localhost;
                         Integrated Security=SSPI;
                         AttachDBFilename=|DataDirectory|aspnetdb.mdf;
                         User Instance=true"
       providerName="System.Data.SqlClient" />
 
  <!-- following added to use remote SQL Server attached database -->
  <add name="Sql2005Remote"
       connectionString="data source=myremoteserver;
                         Initial Catalog=aspnetdb;
                         User ID=myusername;
                         Password=secret"
       providerName="System.Data.SqlClient" />
 
</connectionStrings>
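
The membership attributes and connection strings shown above can be checked mechanically. The following audit script is an added example, not part of the original article: it parses a web.config, flags connection strings that embed a SQL login password, and flags membership providers whose settings keep passwords recoverable. The sample configuration is constructed from the page's entries; the weak values on the second provider are assumptions, since the page elides that provider's attributes.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the page's web.config (attributes trimmed).
SAMPLE = r"""<configuration>
  <connectionStrings>
    <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" />
    <add name="Sql2005Remote" connectionString="data source=myremoteserver;Initial Catalog=aspnetdb;User ID=myusername;Password=secret" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="AspNetSqlMembershipProvider" connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false" passwordFormat="Hashed" />
        <add name="Sql2005RemoteMembershipProvider" connectionStringName="Sql2005Remote"
             enablePasswordRetrieval="true" passwordFormat="Clear" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

def parse_conn(cs):
    """Split 'key=value;...' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(xml_text):
    root = ET.fromstring(xml_text)
    findings, sql_login = [], set()  # sql_login: strings embedding a SQL password
    for section in root.iter("connectionStrings"):
        for add in section.iter("add"):
            kv = parse_conn(add.get("connectionString", ""))
            if "password" in kv or "pwd" in kv:
                sql_login.add(add.get("name"))
                findings.append((add.get("name"), "cleartext SQL password in connection string"))
    for section in root.iter("membership"):
        for add in section.iter("add"):
            name = add.get("name")
            fmt = add.get("passwordFormat", "Hashed")  # Hashed is the provider default
            if fmt.lower() != "hashed":
                findings.append((name, "passwordFormat=%s stores recoverable passwords" % fmt))
            if add.get("enablePasswordRetrieval", "false").lower() == "true":
                findings.append((name, "enablePasswordRetrieval=true"))
            if add.get("connectionStringName") in sql_login:
                findings.append((name, "user store reached with embedded SQL credentials"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print("%-32s %s" % (name, issue))
```

Connection strings that use Integrated Security, like the first two on this page, carry no stored password and are not flagged. For the remote case, ASP.NET Protected Configuration (aspnet_regiis -pe) can encrypt the <connectionStrings> section so that the login is not kept in clear text in web.config.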


Role Manager Configuration

Having looked at the configuration of the built-in membership provider in ASP.NET, we will not be surprised to discover that the built-in role provider follows much the same pattern. The <roleManager> section of web.config defines a list of providers that are available. It contains, by default, two providers:

  1. The SqlRoleProvider uses the same database as the membership provider to hold details of the roles and role membership, and we can configure the roles and members using the ASP.NET Web Site Administration Tool.
  2. The WindowsTokenRoleProvider is a read-only provider, and exposes information about roles for a specific Windows user account. It takes this information from the account groups held in Active Directory or on your server or local machine, depending on the configuration. We cannot create, add, or delete roles with this provider.

<system.web>
  ...
  <roleManager>
    <providers>
      <add name="AspNetSqlRoleProvider"
           type="System.Web.Security.SqlRoleProvider ..."
           connectionStringName="LocalSqlServer"
           applicationName="/" />
      <add name="AspNetWindowsTokenRoleProvider"
           type="System.Web.Security.WindowsTokenRoleProvider, ..."
           applicationName="/" />

      <!-- following added to use SQL Server 2005 database -->
      <add name="Sql2005RoleProvider"
           type="System.Web.Security.SqlRoleProvider, ..."
           connectionStringName="SqlServer2005"
           applicationName="/" />

      <!-- following uses remote SQL Server attached database -->
      <add name="Sql2005RemoteRoleProvider"
           type="System.Web.Security.SqlRoleProvider, ..."
           connectionStringName="Sql2005Remote"
           applicationName="/" />

    </providers>
  </roleManager>
  ...
</system.web>

HAVE A HAPPY CODING!
 
