
ASP.NET 4 Unleashed - p 127 pdf


WARNING

Make sure that you change the value of the decryptionKey attribute before using the web configuration file in Listing 27.19. You can generate a new decryptionKey with the GenerateKeys.aspx page described in the "Using Forms Authentication Across Applications" section, earlier in this chapter.

Modifying User Password Requirements

By default, passwords are required to contain at least 7 characters and 1 nonalphanumeric character (a character that is not a letter or a number, such as *, _, or !). You can set three Membership provider attributes that determine password policy:

minRequiredPasswordLength—The minimum required password length. (The default value is 7.)

minRequiredNonalphanumericCharacters—The minimum number of nonalphanumeric characters. (The default value is 1.)

passwordStrengthRegularExpression—The regular expression pattern that a valid password must match. (The default value is an empty string.)

The minRequiredNonalphanumericCharacters attribute confuses everyone. Website users are not familiar with the requirement that they must enter a nonalphanumeric character. The web configuration file in Listing 27.20 illustrates how you can disable this requirement when using the SqlMembershipProvider.

LISTING 27.20 Web.Config

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyProvider">
      <providers>
        <add
          name="MyProvider"
          type="System.Web.Security.SqlMembershipProvider"
          minRequiredNonalphanumericCharacters="0"
          connectionStringName="LocalSqlServer"/>
      </providers>
    </membership>
  </system.web>
</configuration>


Locking Out Bad Users

By default, if you enter a bad password more than five times within 10 minutes, your account is automatically locked out. In other words, it is disabled.

Also, if you enter the wrong answer for the password answer more than five times in a 10-minute interval, your account is locked out. You get five attempts at your password and five attempts at your password answer. (These two things are tracked independently.)

Two configuration settings control when an account gets locked out:

maxInvalidPasswordAttempts—The maximum number of bad passwords or bad password answers that you are allowed to enter. (The default value is 5.)

passwordAttemptWindow—The time interval in minutes in which entering bad passwords or bad password answers results in being locked out.

For example, the web configuration file in Listing 27.21 modifies the default settings to enable you to enter a maximum of three bad passwords or bad password answers in 1 hour.

LISTING 27.21 Web.Config

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyProvider">
      <providers>
        <add
          name="MyProvider"
          type="System.Web.Security.SqlMembershipProvider"
          maxInvalidPasswordAttempts="3"
          passwordAttemptWindow="60"
          connectionStringName="LocalSqlServer"/>
      </providers>
    </membership>
  </system.web>
</configuration>
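
The password-policy attributes from "Modifying User Password Requirements" and the lockout attributes from this section can be set on the same provider entry. The following configuration is an added example, not a listing from the book; the length of 12 and the regular expression are illustrative values chosen here.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyProvider">
      <providers>
        <!--
          Added example with constructed values.
          minRequiredNonalphanumericCharacters="0" drops the symbol
          requirement, as in Listing 27.20. To compensate, the minimum
          length is raised from the default of 7 to 12, and the regular
          expression requires at least one lowercase letter, one
          uppercase letter and one digit in a password of 12 or more
          characters.
          maxInvalidPasswordAttempts and passwordAttemptWindow repeat
          the lockout settings of Listing 27.21: three bad passwords
          (or three bad password answers) within 60 minutes.
        -->
        <add
          name="MyProvider"
          type="System.Web.Security.SqlMembershipProvider"
          minRequiredPasswordLength="12"
          minRequiredNonalphanumericCharacters="0"
          passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$"
          maxInvalidPasswordAttempts="3"
          passwordAttemptWindow="60"
          connectionStringName="LocalSqlServer" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

A new password has to satisfy the length, the nonalphanumeric count and the regular expression together, so keep the three settings consistent with one another.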

After a user has been locked out, you must call the MembershipUser.UnlockUser() method to reenable the user account. The page in Listing 27.22 enables you to enter a username and remove a lock (see Figure 27.6).


FIGURE 27.6 Removing a user lock

LISTING 27.22 RemoveLock.aspx

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

    // This page unlocks any account by name, so access to it should be
    // restricted to administrators.
    protected void btnRemove_Click(object sender, EventArgs e)
    {
        // Look up the account by the user name entered in the form
        MembershipUser userToUnlock = Membership.GetUser(txtUserName.Text);
        if (userToUnlock == null)
        {
            lblMessage.Text = "User not found!";
        }
        else
        {
            // Clear the lockout so that the user can log in again
            userToUnlock.UnlockUser();
            lblMessage.Text = "Lock removed!";
        }
    }

</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Remove Lock</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>

    <asp:Label
        id="lblUserName"
        Text="User Name:"
        AssociatedControlID="txtUserName"
        Runat="server" />
    <asp:TextBox
        id="txtUserName"
        Runat="server" />
    <asp:Button
        id="btnRemove"
        Text="Remove Lock"
        Runat="server" OnClick="btnRemove_Click" />
    <br />
    <asp:Label
        id="lblMessage"
        EnableViewState="false"
        Runat="server" />

    </div>
    </form>
</body>
</html>

Configuring the SqlMembershipProvider

The SqlMembershipProvider is the default Membership provider. Unless otherwise configured, it stores membership information in the local ASPNETDB.mdf Microsoft SQL Server Express database located in your application's App_Data folder. This database is created for you automatically the first time that you use Membership.

If you want to store membership information in some other Microsoft SQL Server database, you need to perform the following two tasks:

Add the necessary database objects to the Microsoft SQL Server database.

Configure your application to use the new database.

To complete the first task, you can use the aspnet_regsql command-line tool. This tool is located in the following folder:

\Windows\Microsoft.NET\Framework\v4.0.30319


FIGURE 27.7 Using the ASP.NET SQL Setup Wizard

NOTE

If you open the Visual Studio Command Prompt, you don't need to navigate to the Microsoft.NET folder before using the aspnet_regsql tool because that tool is already in the path.

If you execute the aspnet_regsql tool without supplying any parameters, the ASP.NET SQL Server Setup Wizard appears (see Figure 27.7). You can use this wizard to select a database and install the Membership objects automatically.

If you prefer, rather than use the aspnet_regsql tool, you can execute the following two SQL batch files to install Membership:

\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallCommon.sql

\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql

If you don't want to install .NET Framework on your database server, you can execute these SQL batch files.

After you have configured your database to support ASP.NET Membership, you must configure your application to connect to your database when using Membership. The web configuration file in Listing 27.23 connects to a database named MyDatabase located on a server named MyServer.


LISTING 27.23 Web.Config

<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MyConnection" connectionString="Data Source=MyServer;Integrated Security=True;Initial Catalog=MyDatabase"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider" >
      <providers>
        <add
          name="MyMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="MyConnection" />
      </providers>
    </membership>
  </system.web>
</configuration>

In Listing 27.23, a new default Membership provider named MyMembershipProvider is configured. The new Membership provider uses a connection string name that has the value MyConnection. The MyConnection connection string is defined in the connectionStrings element near the top of the configuration file. This connection string represents a connection to a database named MyDatabase located on a server named MyServer.

Configuring the ActiveDirectoryMembershipProvider

The other Membership provider included in ASP.NET Framework is the ActiveDirectoryMembershipProvider. You can use this provider to store user information in Active Directory or AD LDS (Active Directory Lightweight Directory Services).

AD LDS is a lightweight version of Active Directory. You can download AD LDS from the Microsoft website (www.microsoft.com/adam). AD LDS is compatible with both Windows Vista and Windows 7.

If you want to use ASP.NET Membership with AD LDS, you need to complete the following two steps:

1. Create an AD LDS instance and create the required classes.
2. Configure your application to use the ActiveDirectoryMembershipProvider and connect to the ADAM instance.


FIGURE 27.8 Creating a new AD LDS instance

The following sections examine each of these steps in turn.

Configuring AD LDS

First, you need to set up a new instance of AD LDS. After downloading and installing AD LDS, follow these steps:

1. Launch the Active Directory Lightweight Directory Services Setup Wizard by selecting Active Directory Lightweight Directory Services Setup Wizard from Control Panel, Administrative Tools (see Figure 27.8).
2. In the Setup Options step, select the option to create a unique instance.
3. In the Instance Name step, enter the name WebUsersInstance.
4. In the Ports step, use the default LDAP and SSL port numbers (389 and 636).
5. In the Application Directory Partition step, create a new directory application partition named O=WebUsersDirectory.
6. In the File Locations step, use the default data file locations.
7. In the Service Account Selection step, select Network Service Account.
8. In the AD LDS Administrators step, select Currently Logged on User for the administrator account.
9. In the Importing LDIF Files step, select MS-AZMan.ldf, MS-InetOrgPerson.ldf, MS-User.ldf, MS-UserProxy.ldf.

After you complete the preceding steps, a new AD LDS instance named WebUsersInstance is created. The next step is to configure an AD LDS administrator account. Follow these steps:


FIGURE 27.9 Using ADLDS ADSI Edit

WARNING

If you are using Windows XP, and you don't have an SSL certificate installed, you need to perform an additional configuration step. Otherwise, you receive an error when you attempt to reset a user password.

By default, you are not allowed to perform password operations over a non-secured connection to an AD LDS instance. You can disable this requirement by using the dsmgmt.exe tool included with AD LDS. Open the AD LDS Tools Command Prompt and type the following series of commands:

1. Type dsmgmt
2. Type ds behavior
3. Type connections
4. Type connect to server localhost:389
5. Type quit
6. Type allow passwd op on unsecured connection
7. Type quit

If you don't use an SSL connection, passwords are transmitted in plain text. Don't do this in the case of a production application.

1. Open the AD LDS ADSI Edit application from the Control Panel, Administrative Tools (see Figure 27.9).
2. Open the Connection Settings dialog box by selecting Action, Connect To.
3. In the Connection Settings dialog box, select the option to connect to a node by using a distinguished name, and enter the name O=WebUsersDirectory. In the Computer group, choose Select or Type a Domain or Server and enter localhost in the field. Click OK.
4. Expand the new connection and select the O=WebUsersDirectory node.
5. Select Action, New, Object.
6. In the Create Object dialog box, select the organizationalUnit class and name the new class WebUsers.
7. Select the OU=WebUsers node and select Action, New, Object.
8. In the Create Object dialog box, select the user class and name the new class ADLDSAdministrator.
9. Select CN=ADLDSAdministrator and select Action, Reset Password and enter the password secret.
10. Select the CN=Roles node and double-click the CN=Administrators node.
11. Double-click the Member attribute and add the distinguished name for the ADLDSAdministrator ADAM account (CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory).

After you complete this series of steps, an ADLDSAdministrator account is configured. You need to use this account when connecting to the ADLDS instance from the ActiveDirectoryMembershipProvider.

Configuring the ActiveDirectoryMembershipProvider

The next step is to configure your application to use the ActiveDirectoryMembershipProvider. You can use the web configuration file in Listing 27.24.

LISTING 27.24 Web.Config

<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add
      name="ADLDSConnection"
      connectionString="LDAP://localhost:389/OU=WebUsers,O=WebUsersDirectory"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <add
          name="MyMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider"
          connectionStringName="ADLDSConnection"
          connectionProtection="None"
          connectionUsername="CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory"
          connectionPassword="secret_"
          enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>

The web configuration file in Listing 27.24 configures a new default Membership provider named MyMembershipProvider. This provider is an instance of the ActiveDirectoryMembershipProvider.

Several of the attributes used with the ActiveDirectoryMembershipProvider require additional explanation. The connectionStringName attribute points to the connection string defined in the connectionStrings section. This connection string connects to a local ADAM instance that listens on port 389.

The connectionProtection attribute is set to the value None. If you don't modify this attribute, you are required to use an SSL connection. If you do use an SSL connection, you need to change the port used in the connection string (typically port 636).
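
The SSL variant that the paragraph above describes, shown as an added example (not a listing from the book). It assumes that a server certificate is installed for the AD LDS instance and that the host name in the LDAP URL matches that certificate; the password value is a placeholder.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!--
      Listing 27.24 uses port 389 together with connectionProtection="None",
      which sends passwords in plain text. Here the URL points at 636, the
      SSL port selected in the Ports step of the AD LDS Setup Wizard.
    -->
    <add
      name="ADLDSConnection"
      connectionString="LDAP://localhost:636/OU=WebUsers,O=WebUsersDirectory"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms" />
    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <!--
          connectionProtection="Secure" replaces "None". With an SSL
          connection in place, the dsmgmt step that allows password
          operations on an unsecured connection is not needed.
          REPLACE_WITH_ACCOUNT_PASSWORD is a placeholder for the password
          given to the ADLDSAdministrator account.
        -->
        <add
          name="MyMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider"
          connectionStringName="ADLDSConnection"
          connectionProtection="Secure"
          connectionUsername="CN=ADLDSAdministrator,OU=WebUsers,O=WebUsersDirectory"
          connectionPassword="REPLACE_WITH_ACCOUNT_PASSWORD"
          enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```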

The connectionUsername and connectionPassword attributes use the ADLDSAdministrator account that you configured in the previous section. When you don't use an SSL connection, you must provide both a connectionUsername and connectionPassword attribute.

Finally, notice that the provider declaration includes an enableSearchMethods attribute. If you want to configure users by using the Web Site Administration Tool, you must include this attribute.

The ActiveDirectoryMembershipProvider class supports several attributes specific to working with Active Directory:

connectionStringName—Enables you to specify the name of the connection to the Active Directory Server in the connectionStrings section.

connectionUsername—Enables you to specify the Active Directory account used to connect to Active Directory.

connectionPassword—Enables you to specify the Active Directory password used to connect to Active Directory.

connectionProtection—Enables you to specify whether or not the connection is encrypted. Possible values are None and Secure.

Date posted: 06/07/2014, 18:20
