Using Membership API for Secured Coding in .NET

If you use Form Based Authentication, you have to create your own login screen, write the logic that performs authentication, create the database and the tables needed for storage, and ensure the confidentiality and integrity of user credentials. Form Based Authentication has its advantages, but these tasks add considerable work. Is there a way to reduce it? Yes: the Membership API serves this purpose. It implements the login page and the storage for you.

Membership API Architecture

[Chart: Membership API architecture]

In Form Based Authentication, the first task is to create a login page. Even when you use the Membership API you have to create your own login page, but you can do it simply by including certain controls in the page. These controls perform the work for you and are called Security Controls. Some of them are the Login, LoginStatus, LoginView, PasswordRecovery, ChangePassword and CreateUserWizard controls. The Login control displays text boxes for the username and password and a login button, and it also performs the validation for you. Each of the other controls likewise has a specific purpose.

How does validation happen when the login button is clicked? The Login control coordinates with the Membership API classes. These use a membership provider, which communicates with the database and returns the result. The database is maintained in the membership store. All you work with directly are the security controls and the Membership API; the communication between the membership provider and the membership store is hidden.

Configuring and Using Membership API

To use the Membership API, you have to perform the following configuration:

Configure Forms Authentication: To configure forms authentication and restrict access for anonymous users, make the following entry in the web.config file:

    <system.web>

Create Membership Data Store: The membership provider has to interact with the data store to perform authentication, so the data store has to be configured and the necessary tables created in it. If you use SQL Server as your application's database, you can create the data store and its tables by executing aspnet_regsql.exe.

Configure Connection String: If you are using the default configuration along with SQL Server 2005, both the membership provider and the connection string are created automatically.
If not, you have to configure the connection string in the web.config file as below:

    <connectionStrings>

You have to place this section after the configuration section.

Configure Membership Provider: You have to configure the membership provider inside the system.web section of the web.config file.

    <membership defaultProvider="provider1">

The add tag can also include many other properties, such as RequiresUniqueEmail, MinRequiredPasswordLength and EnablePasswordReset.

Creating and Authenticating Users: You can now create and authenticate users by using the Membership API and its methods, which are dealt with in detail in the section below.

The Membership API has components such as Membership, MembershipProvider, MembershipUser, MembershipUserCollection and many more. Each of these classes defines many methods. Given below are a few of these classes and the methods they provide for basic authentication.

Create Users: The CreateUser method of the Membership API is used to create users. The parameters passed to it vary with the provider's configuration. Some providers accept just the username and password; others also ask for a secret question and answer when the user is created. Given below is an example of user creation that accepts only a username and password. The MembershipCreateStatus type is used along with the Membership API to report the status of user creation.

    MembershipCreateStatus outputStatus;

Delete Users: Use the Membership.DeleteUser method, passing the username as the argument.

Retrieve Users from the Store: Use the following lines of code to retrieve all users:

    MembershipUserCollection userList;

Update User: You can select a user record from the sampleGrid constructed above and update it using the following lines of code:

    string userSelected = (string)sampleGrid.SelectedValue;

Remember that the Membership API is used only for authentication. It doesn't help you with authorization. If you want an API for managing roles and performing authorization, use the Roles API.
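
The four configuration steps under "Configuring and Using Membership API", combined into one web.config with the security-relevant settings spelled out. This is an added example, not from the original article. The connection string name MembershipDb, the server SQLHOST, the application name /SampleApp and the page Login.aspx are assumptions; provider1 is the provider name used on the page.

```xml
<?xml version="1.0"?>
<!-- Added example. Server, database, page and connection string names are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security keeps a SQL password out of web.config.
         aspnetdb is the database aspnet_regsql.exe creates by default. -->
    <add name="MembershipDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the authentication cookie is only sent over HTTPS.
           protection="All": the ticket is encrypted and integrity-checked. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- "?" stands for anonymous users; they are redirected to loginUrl. -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="provider1">
      <providers>
        <!-- Drop inherited providers so that only provider1 is active. -->
        <clear />
        <!-- Hashed storage means passwords cannot be read back, so retrieval
             is off and only reset is offered. Question and answer is off to
             match the page's CreateUser(username, password) example. -->
        <add name="provider1"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/SampleApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The three properties the article names appear here in the camelCase form that web.config attributes use. maxInvalidPasswordAttempts and passwordAttemptWindow (in minutes) together lock an account out after repeated failed logins.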