set permissions for individual files in your project, so you'll either need to place
all admin-related functionality into a separate folder (which would allow you to
continue using the tool to configure security options), or modify Web.config by
hand.
You can set individual access rules for files using the location element, which
can contain a system.web sub-element, which, in turn, can contain settings
customized for the location. Add this code to your Web.config file:
File: Web.config (excerpt)
  <!-- Allow access to Images directory -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <!-- Only administrators may access AdminTools.aspx -->
  <location path="AdminTools.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Now, administrators are allowed to access AdminTools.aspx, as this rule comes
first under the authorization element. If you switched the order of the allow
and deny elements, no one would be allowed to access AdminTools.aspx.
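The first-match ordering described above can be checked with a small model of how the rules are read. This is an added example, not code from the book or from ASP.NET itself; `check_access`, `rule_matches`, the user names and the `Users` role are hypothetical, and the model ignores the `verbs` attribute and any rules inherited from parent configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AdminTools.aspx block from the excerpt, built once
# in the book's order and once with <allow> and <deny> swapped.
TEMPLATE = """<configuration>
  <location path="AdminTools.aspx">
    <system.web>
      <authorization>
        {rules}
      </authorization>
    </system.web>
  </location>
</configuration>"""
ALLOW_ADMINS = '<allow roles="Administrators" />'
DENY_ALL = '<deny users="*" />'
CORRECT = TEMPLATE.format(rules=ALLOW_ADMINS + DENY_ALL)
SWAPPED = TEMPLATE.format(rules=DENY_ALL + ALLOW_ADMINS)


def rule_matches(rule, user, roles):
    """True if an <allow>/<deny> element applies to this user (None = anonymous)."""
    users = [u.strip().lower() for u in rule.get("users", "").split(",") if u.strip()]
    wanted = [r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()]
    if "*" in users:                 # "*" matches everyone, anonymous included
        return True
    if user is None:                 # "?" matches anonymous users only
        return "?" in users
    if user.lower() in users:
        return True
    return any(r.lower() in wanted for r in roles)


def check_access(config_xml, path, user=None, roles=()):
    """Return 'allow' or 'deny', or 'inherit' when no rule for this path matches."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):
        if loc.get("path", "").lower() != path.lower():
            continue
        for auth in loc.iter("authorization"):
            for rule in auth:
                if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                    return rule.tag  # the first matching rule decides
    return "inherit"


if __name__ == "__main__":
    for name, cfg in (("correct", CORRECT), ("swapped", SWAPPED)):
        print(name,
              check_access(cfg, "AdminTools.aspx", "admin", ["Administrators"]),
              check_access(cfg, "AdminTools.aspx", "alice", ["Users"]))
```

With the swapped configuration the administrator is denied as well, because `<deny users="*" />` matches before the role rule is ever read.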
Now your site is accessible only to authenticated users, with the exception of the
administration page, which is accessible only to users in the Administrators role.
Now we just need to let users log in to the system.
Using the ASP.NET Login Controls
As we mentioned earlier in this chapter, ASP.NET 2.0 delivers a range of very
useful controls related to managing users on your site:
Login
This control displays a login form that contains a User Name text box, a
Password text box, a Remember me next time checkbox, and a Log In button.
It's integrated with the membership API, and performs the login functionality
without requiring you to write any code. The layout is customizable through
templates and multiple properties.
LoginStatus
This is a simple yet useful control that displays a Login link if the user isn't
logged in; otherwise, it displays a Logout link. Again, this control requires no
additional coding in order to work with your application's membership data.
LoginView
This control contains templates that display different data depending on
whether or not the user is logged in. It can also display different templates
for authenticated users depending on their roles.
LoginName
This control displays the name of the logged-in user.
PasswordRecovery
If the user has provided an email address and a secret question and answer
during registration, this control will use them to recover the user's password.
ChangePassword
This control displays a form that requests the user's existing password and a
new password, and includes the functionality to change the user's password
automatically, without requiring you to write additional code.
CreateUserWizard
This control displays a wizard for creating a new user account.
Let's see a few of these controls in action in our own application. In the following
pages, we'll undertake these tasks:
1. Use a Login control in the Login.aspx page to give users a means of logging
in to our application.
2. Use LoginStatus and LoginView controls to display Login and Logout links,
and ensure that the Admin Tools link is displayed only to site administrators.
Chapter 13: Security and User Authentication
Authenticating Users
Earlier in this chapter, we created a web form based on the Dorknozzle.master
master page, called Login.aspx. Remove the existing controls from the
ContentPlaceHolder, and also remove the LoginUser method from the
code-behind file.
Using the new ASP.NET 2.0 login controls, we can easily make the authentication
work. If you're using Visual Web Developer, simply drag a Login control from
the Login section of the Toolbox to just below the Login header in Login.aspx.
If you'd prefer to add the control manually, here's the code:
File: Login.aspx (excerpt)
<asp:Content ID="Content1"
    ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
  <h1>Login</h1>
  <asp:Login ID="Login1" runat="server">
  </asp:Login>
</asp:Content>
If you switch to Design View, you should see a display like the one depicted in
Figure 13.15.
Figure 13.15. Using the Login control
Yes, that's all you have to do! Start your project, and you'll be sent to the Login
page. First, log in with the regular user that you created earlier (not with the admin
account), then browse through the links to see that they can indeed be accessed,

Get Build Your Own ASP.NET 2.0 Web Site Using C# & VB, Second Edition now with the O’Reilly learning platform.
