Create Custom Membership Provider for ASP.NET Website Security
by David Hayden ( Florida .NET C# SQL Server Developer ), Filed: ASP.NET 2.0
More often than not you need to use an existing database / datasource that already contains usernames and passwords to secure an ASP.NET website. I have noticed that numerous examples and tutorials on the Internet accidentally make it seem like a fairly involved scenario, mainly because they allude that you need to implement every single abstract property and method on a custom membership provider. The fact is you don't unless you explicitly need the functionality.
To show how simple it really is from a programming standpoint, I created a couple of ASP.NET Web Pages where Page1.aspx can only been seen by an authenticated user who logs on via Default.aspx.
I have enabled forms authentication and disallowed access to Page1.aspx as follows:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Default.aspx" />
</authentication>
<location path="Page1.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
I want to go ahead and use a custom membership provider for use with the ASP.NET Login Control and ASP.NET LoginStatus Control as used in the pages shown above. Let's register it in the Web.config as well:
<membership defaultProvider="SimpleMembershipProvider">
<providers>
<clear/>
<add
name="SimpleMembershipProvider"
type="Hayden.Providers.SimpleMembershipProvider,
Hayden.Providers"/>
</providers>
</membership>
The class to be created, SimpleMembershipProvider, will now be providing all the membership related functionality needed by the website. It will derive from the abstract base class, System.Web.MembershipProvider, like all new membership providers. And, if you look at MembershipProvider, it looks like we have our work cut out for us as it requires us to override a whole lot of members. Here are a few:
- ChangePassword
- ChangePasswordQuestionAndAnswer
- CreateUser
- DeleteUser
- FindUsersByEmail
- FindUsersByName
- GetAllUsers
- GetNumberOfUsersOnline
- GetPassword
- GetUser
- GetUserNameByEmail
- ResetPassword
- UnlockUser
- UpdateUser
- ValidateUser
We certainly can implement all of those features, but unless you specifically need them you can just have them throw a NotSupportedException or NotImplementedException depending on your intentions.
To just authenticate users and have the ASP.NET Login Control and ASP.NET LoginStatus Control working as desired in the application, you really ownly need to implement one method: ValidateUser.
Let's go ahead and hardcode a username and password in the custom membership provider ( do not do this in production apps ):
public override bool ValidateUser(string username,
string password)
{
return (username.Equals("Dave")
&& password.Equals("pass"));
}
The membership provider will now provide all the needs for our application for a username of Dave and a password of pass. You would never do this in a production application, but you can see how easy creating a custom membership provider can be. From there, you can go ahead and add functionality as needed or required.
The point being don't be initimidated by creating a custom membership provider because there are a lot of abstract methods and properties suggesting to be overridden. You don't need to provide functionality that won't be used and you can certainly tackle the functionality as needed during the development of the application.
by David Hayden ( Florida .NET C# SQL Server Developer ), Filed: ASP.NET 2.0