Programming Microsoft Web Forms (Pro Developer)
Administering an ASP.NET 2.0 Site
As I mentioned in the conclusion of the last chapter, a chapter based only on ASP.NET 1.x administration support would be short. There is no real user interface for administration in ASP.NET 1.1. Any changes require manual modifications to the Web.config or Machine.config file or changes made in the Internet Information Services (IIS) Manager. Although the error messages improved over the years as ASP.NET 1.0 became ASP.NET 1.1, an errant setting in one of the configuration files could still produce an error message that was very difficult to associate with the actual problem setting. In no area was this more true than in setting up user security.
Fortunately, all that has changed in ASP.NET 2.0. In addition to the basics, such as setting up the type of authentication, the new ASP.NET Web Site Administration Tool allows you to create users, roles, and access rules. The result is that you can create users for a site by using the ASP.NET Web Site Administration Tool, enabling user authentication even before you create the interface that allows users to register on the site. The icing on the cake is that creating the user registration interface is easy, requiring no code at all if the standard implementation satisfies your requirements. In many cases, the standard implementation will be just fine. If you need something a little different, modifying the default implementation of all security settings is not very difficult.
For this chapter, I created a Web site called BikeBlogSecured, which is similar to the versions of the bike blog in previous chapters.
Tip: In earlier versions of the bike blog that allowed editing of blog entries, the listing of all entries and the editing screen were both on the same page. An unintended consequence of that structure was that there was no way, using a URL with command-line arguments, to jump to a particular entry for editing or display. Blogs almost always provide a way to jump to a particular entry by using a URL known as a permalink. Having the listing and the editing on a single page would also require code to ensure that only authorized users added entries. As you will see later in this chapter, creating a new page for editing existing entries and adding new entries, and placing it in a subfolder, allows for easy configuration of security with very little code.
A common pattern used by ASP.NET developers to secure portions of an application is to create a folder for Web Forms that should be accessed only by certain users or certain groups. This pattern is quite reasonable, and I will use it in the BikeBlogSecured Web site. To create a new folder in a Web site within Microsoft Visual Studio, right-click the Web site in Solution Explorer, and then select New Folder from the context menu. Name the folder Admin.
More Info: In addition to securing folders, as I will do in this Web site, you can secure individual files in any folder that is part of an ASP.NET Web Forms application. It is easier to apply security to one folder at a time rather than to one file at a time, and the ASP.NET Web Site Administration Tool supports only folder-level restrictions. (Single-file restrictions can be added manually to the Web.config file.) Complete details on how this is done can be found in the MSDN documentation.
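The folder-level and single-file restrictions described above, written by hand as a root Web.config. This is an added example, not a listing from the book; the role name Administrators and the page name Drafts.aspx are assumptions.

```xml
<?xml version="1.0"?>
<!-- Root Web.config, hand-written example. The role name "Administrators"
     and the file name "Drafts.aspx" are assumptions for illustration. -->
<configuration>
  <system.web>
    <!-- Forms authentication: anonymous requests for a protected resource
         are redirected to the login page. -->
    <authentication mode="Forms" />
    <!-- Role checks in the rules below need the role manager turned on. -->
    <roleManager enabled="true" />
    <!-- Site-wide default: everyone, including anonymous users, may read. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Folder-level rule: applies to every page under the Admin folder. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow must come before the catch-all deny. Reversing
             the two lines locks out administrators as well. -->
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Single-file rule: same syntax, with path pointing at one page. -->
  <location path="Drafts.aspx">
    <system.web>
      <authorization>
        <!-- "?" matches anonymous users only, so any signed-in user
             is allowed through by the site-wide default. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```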
To configure a new site, click ASP.NET Configuration on the Website menu in Visual Studio. You should see a page similar to Figure 7-1.