1. Chapter 13: Security, Membership, and Role Management
"If thou be’st not immortal, look about you: security gives way to conspiracy. The mighty gods defend thee!"
William Shakespeare, Julius Caesar, Act II, Scene 3
17. Trust Levels
Trust Name | Description
Full | The application is fully trusted. All .NET code is allowed to run and thus any .NET classes can be used (however, still subject to operating system and Windows ACL limitations). This is the default.
High | Code can use most of the .NET Framework. The limitations are no unmanaged code, no enterprise services, and limited use of reflection.
Medium | Permissions are limited to what the application can access in its own folder structure. Thus, although a medium trust application can access a SQL Server database, it cannot access files or folders outside its own virtual directory hierarchy. As well, it has no reflection permissions, so those applications that require reflection (such as the typical object/relational mapper) may not work. Intended to be used for hosting environments that contain multiple customers’ sites.
Low | Models a read-only application because no network access to other servers is allowed.
Minimal | No capability to interact with resources. Intended for sites with little dynamic content.
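How a shared-hosting server moves from the Full default to Medium trust, as an added configuration example that is not taken from the slides. It assumes the machine-level web.config of an ASP.NET (.NET Framework) server; the choice of Medium follows the hosting scenario in the table above.

```xml
<!-- Added example, not from the original slides.
     Assumed location: the machine-level web.config that every site on the server inherits. -->
<configuration>

  <!-- Weak setting for a multi-customer host (this is the default):
       every application runs fully trusted, limited only by the
       operating system and Windows ACLs.

  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
  -->

  <!-- Corrected setting: all applications run at Medium trust.
       allowOverride="false" locks the section, so a site's own web.config
       that declares a trust element of its own is rejected with a
       configuration error instead of raising its trust level. -->
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>

</configuration>
```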
31. Provider-based Services
Service | Description
Encryption | Handles encryption and decryption of sections of the ASP.NET configuration files.
Membership | Manages user accounts.
Profile | Manages user preferences and user information across visits.
Role management | Handles role-based security.
Session state | Maintains user state between requests.
Site map | Provides a description of a site’s structure.
Web events | Used by ASP.NET health monitoring subsystem that allows the monitoring of a Web application.
Web Parts | Manages the special set of controls for creating Web sites that enable end users to modify the content, appearance, and behavior of Web pages directly within the browser.
37. Membership Class
Name | Description
CreateUser | Adds a new user to the membership data store.
DeleteUser | Deletes an existing user from the membership data store.
FindUsersByEmail | Returns a MembershipUserCollection of users whose email matches the passed email.
FindUsersByName | Returns a MembershipUserCollection of users whose user name matches the passed user name.
GeneratePassword | Generates a random password of the specified length.
GetAllUsers | Returns a MembershipUserCollection of all users.
GetNumberOfUsersOnline | Gets the number of users who are currently accessing the application.
GetUser | Returns a MembershipUser object for the currently logged-on user.
GetUserNameByEmail | Returns the user name for the specified email.
UpdateUser | Updates the data source with the information contained in the specified MembershipUser object.
ValidateUser | Returns true if the specified user name and password are valid (i.e., exist in the data store).
40. Login Controls
Name | Description
ChangePassword | Lets users change their password.
CreateUserWizard | Based on the Wizard control covered in Chapter 4. A multistep process for gathering the user name, password, email address, and password question and answer.
Login | Displays a customizable user interface for gathering user credentials.
LoginName | Displays the name of the authenticated user.
LoginStatus | Displays a login link for nonauthenticated users and a logout link for authenticated users.
LoginView | Displays one of two possible interfaces: one for authenticated users and one for anonymous users.
PasswordRecovery | Allows user passwords to be retrieved and sent to the email for that account.