There are times when you want to validate users hitting a web site on your own rather than using Windows or Passport authentication. That requires forms based security. This article shows you how to implement Forms Based Authentication.
Hitting any web page on the site will automatically redirect to the login form. When the login form has authenticated the user, it will automatically redirect back to the originally requested page. Failure to log in will prohibit the user from hitting the originally requested page.
Each example below is shown in C#. Use the appropriate code for the language you are using.
In the web.config file in the root of the web site, insert this XML inside the <system.web> element:
<authentication mode="Forms">
    <forms name="login" loginUrl="login.aspx" />
</authentication>
<authorization>
    <allow roles="bigboss" />
    <allow roles="wimpyuser" />
    <allow users="admin" />
    <deny users="*" />
</authorization>
Change the rules to give permissions to the proper users and roles. You may create a different web.config and its authorization section in each subdirectory with different rules.
In the global.asax file, insert this code:
[c#]
using System.Security.Principal;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Fires upon attempting to authenticate the user
    if (!(HttpContext.Current.User == null))
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity.GetType() == typeof(FormsIdentity))
            {
                FormsIdentity fi = (FormsIdentity) HttpContext.Current.User.Identity;
                FormsAuthenticationTicket fat = fi.Ticket;
                // The roles were stored in UserData as a '|' separated list when the
                // ticket was issued in login.aspx. The ticket was decrypted from the
                // forms cookie (protected with the forms element's default
                // protection="All"), so the client cannot alter this list.
                String[] astrRoles = fat.UserData.Split('|');
                // Replace the principal so Page.User.IsInRole() sees these roles
                HttpContext.Current.User = new GenericPrincipal(fi, astrRoles);
            }
        }
    }
}
Create a Web Form named login.aspx, set the style to Flow Layout, and put this onto the page:
<table height="66%" width="100%">
    <tr>
        <td align="center">
            <table id="loginbox" width="300" class="itemstyle">
                <tr>
                    <td id="login" align="center" colspan="3">Login</td>
                </tr>
                <tr>
                    <td>Username:</td>
                    <td><asp:textbox id="txtUsername" tabindex="4" runat="server"
                        columns="12"></asp:textbox></td>
                    <td valign="middle" align="center" rowspan="2">
                        <asp:button id="btnLogin" runat="server" text="Login"
                            cssclass="button"></asp:button></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><asp:textbox id="txtPassword" runat="server" columns="12"
                        textmode="Password"></asp:textbox></td>
                </tr>
                <tr>
                    <td> </td>
                    <td colspan="2"><asp:label id="lblError" runat="server"
                        forecolor="Red" visible="False">Not a valid username or password.</asp:label>
                    </td>
                </tr>
            </table>
        </td>
    </tr>
</table>
In the CodeBehind for login.aspx, put this code:
[c#]
using System.Web.Security;

private void btnLogin_Click(object sender, System.EventArgs e)
{
    if (ValidateUser(txtUsername.Text, txtPassword.Text))
    {
        FormsAuthentication.Initialize();
        String strRole = AssignRoles(txtUsername.Text);
        // The AddMinutes determines how long the user will be logged in after leaving
        // the site if he doesn't log off.
        FormsAuthenticationTicket fat = new FormsAuthenticationTicket(1, txtUsername.Text,
            DateTime.Now, DateTime.Now.AddMinutes(30), false, strRole,
            FormsAuthentication.FormsCookiePath);
        // Encrypt() also signs the ticket, so the roles carried in UserData can be
        // trusted when global.asax reads them back
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(fat)));
        // Send the user back to the page that originally triggered the login
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));
    }
    else
        lblError.Visible = true;
}

private Boolean ValidateUser(String strUsername, String strPassword)
{
    // Return true if the username and password are valid, false if they aren't
    return ((strUsername == "admin") && (strPassword == "password"));
}

private String AssignRoles(String strUsername)
{
    // Return a | separated list of roles this user is a member of
    if (strUsername == "admin")
        return "bigboss|wimpyuser";
    else
        return String.Empty;
}
Change ValidateUser and AssignRoles to look the user up in a database or other data store instead of using the hardcoded validation and role assignment shown.
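As an added example (not part of the original article), a replacement for the two hardcoded methods that keeps salted password hashes rather than clear-text passwords and still returns the '|' separated role list the ticket's UserData expects. The UserStore class and its in-memory rows are hypothetical stand-ins for whatever database the site uses; the row added in Main is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical stand-in for the data store that ValidateUser and AssignRoles should
// query; the rows are constructed sample data, not a real user table.
public class UserStore
{
    private class Row { public byte[] Salt; public byte[] Hash; public string[] Roles; }
    private readonly Dictionary<string, Row> rows = new Dictionary<string, Row>();
    public void AddUser(string username, string password, params string[] roles)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        rows[username] = new Row { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }
    // As the article's ValidateUser: hash with the user's salt and compare to the stored hash.
    public bool ValidateUser(string username, string password)
    {
        Row row;
        if (!rows.TryGetValue(username, out row)) return false;
        return FixedTimeEquals(Derive(password, row.Salt), row.Hash);
    }
    // As the article's AssignRoles: the '|' separated list that global.asax splits from UserData.
    public string AssignRoles(string username)
    {
        Row row;
        return rows.TryGetValue(username, out row) ? string.Join("|", row.Roles) : string.Empty;
    }
    // PBKDF2 with a per-user salt, so the store never holds a clear-text password.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    // Compare every byte so the time taken does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        var store = new UserStore();
        store.AddUser("admin", "password", "bigboss", "wimpyuser"); // constructed sample row
        Console.WriteLine(store.ValidateUser("admin", "password") + " " + store.AssignRoles("admin"));
        Console.WriteLine(store.ValidateUser("admin", "wrong") + " " + store.AssignRoles("nobody"));
    }
}
```

In the page's CodeBehind the two public methods slot in where the hardcoded ValidateUser and AssignRoles were, with the rows coming from your own user table instead of AddUser.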
On each page on the site, you will need a way to log out. Simply put a hyperlink to the logout page:
<asp:HyperLink id="hlLogout" runat="server" NavigateUrl="logout.aspx">Logout</asp:HyperLink>
The logout.aspx page should have this on it:
<table width="100%">
    <tr>
        <td align="center">
            You have been logged out.
            <asp:hyperlink id="hlLogin" runat="server"
                navigateurl="default.aspx">Log back in.</asp:hyperlink>
        </td>
    </tr>
</table>
The CodeBehind for the logout page should include this:
[c#]
using System.Web.Security;

private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here
    Session.Abandon();
    // Removes the forms authentication cookie, so the next request is sent to login.aspx
    FormsAuthentication.SignOut();
}
You can show controls only to users who are in a particular role with code like this:
[c#]
hlAdmin.Visible = Page.User.IsInRole("bigboss");