BOOK: Beginning ASP.NET 4 : in C# and VB
This is the forum to discuss the Wrox book Beginning ASP.NET 4: in C# and VB by Imar Spaanjaars; ISBN: 9780470502211
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning ASP.NET 4 : in C# and VB section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

August 27th, 2013, 01:01 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
Login not working
I successfully deployed the Planet Wrox website as described in the book Beginning ASP.NET 3.5 in C# and VB. Now I am trying to create my own website. I am unable to get the Login control to work. I am using WSAT to manage user roles and access. I have three roles: User, Admin and SuperUser. I would like to allow users in all three roles access to the UserPages folder. I have users that have been assigned each of the three roles. But what is happening is that when I deny access to anonymous users, no one can get in, and when I do not deny access to anonymous users, anyone can get in. By that, I mean that I can type any text in the name and password textboxes and get access to the application. I think I am missing some basic understanding of how web.config files are utilized. I have put basic information about membership, etc. in the root level web.config file whereas WSAT put access info into the folder level web.config file. Is that where I am going wrong?
This is the web.config file for the UserPages folder:
Code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="User" />
      <allow roles="SuperUser" />
      <allow roles="Admin" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Here is the root level web.config file:
Code:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<configSections>
<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
<appSettings>
<add key="ChartImageHandler" value="storage=file;timeout=20;dir=c:\TempImageFiles\;" />
</appSettings>
<connectionStrings>
<add name="iMASSQLConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\iMASSQL.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
<add name="iMASSQLConnectionString1" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\iMASSQL.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
Visual Basic options:
Set strict="true" to disallow all data type conversions
where data loss can occur.
Set explicit="true" to force declaration of all variables.
-->
<roleManager enabled="true" defaultProvider="AspNetRoleProvider">
<providers>
<add connectionStringName="iMASSQLConnectionString" applicationName="/iMAS" name="AspNetRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>
<compilation debug="true" strict="false" explicit="true">
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Data.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/></assemblies>
</compilation>
<pages>
<namespaces>
<clear />
<add namespace="System" />
<add namespace="System.Collections" />
<add namespace="System.Collections.Generic" />
<add namespace="System.Collections.Specialized" />
<add namespace="System.Configuration" />
<add namespace="System.Text" />
<add namespace="System.Text.RegularExpressions" />
<add namespace="System.Linq" />
<add namespace="System.Xml.Linq" />
<add namespace="System.Web" />
<add namespace="System.Web.Caching" />
<add namespace="System.Web.SessionState" />
<add namespace="System.Web.Security" />
<add namespace="System.Web.Profile" />
<add namespace="System.Web.UI" />
<add namespace="System.Web.UI.WebControls" />
<add namespace="System.Web.UI.WebControls.WebParts" />
<add namespace="System.Web.UI.HtmlControls" />
</namespaces>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add tagPrefix="asp" namespace="System.Web.UI.DataVisualization.Charting"
assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</controls>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<membership defaultProvider="AspNetMembershipProvider">
<providers>
<add connectionStringName="iMASSQLConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/iMAS" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" name="AspNetMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, 
 Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider"
connectionStringName="iMASSQLConnectionString"
applicationName="/iMAS"
type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</profile>
<authentication mode="Forms"/>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
<httpHandlers>
<remove path="*.asmx" verb="*" />
<add path="*.asmx" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
validate="false" />
<add path="*_AppService.axd" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
validate="false" />
<add path="ScriptResource.axd" verb="GET,HEAD" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
validate="false" />
<add path="ChartImg.axd" verb="GET,HEAD" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
validate="false" />
</httpHandlers>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</httpModules>
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="OptionInfer" value="true"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
</compilers>
</system.codedom>
<!--
The system.webServer section is required for running ASP.NET AJAX under Internet
Information Services 7.0. It is not necessary for previous version of IIS.
-->
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="ScriptModule" />
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated" />
<remove name="ScriptHandlerFactory" />
<remove name="ScriptHandlerFactoryAppServices" />
<remove name="ScriptResource" />
<remove name="ChartImageHandler" />
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode"
type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd"
preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD"
path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add name="ChartImageHandler" preCondition="integratedMode" verb="GET,HEAD"
path="ChartImg.axd" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</handlers>
</system.webServer>
<system.net>
<mailSettings>
<smtp deliveryMethod="Network" from="Monaco <[email protected]>">
<network host="mail.cjnetworks.com"/>
</smtp>
</mailSettings>
</system.net>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
<location path ="UserPages"></location>
</configuration>

August 28th, 2013, 03:27 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
Making progress, I guess. I again used WSAT to remove the denial of anonymous user access and now the Login control is at least functioning. The login control loggingIn and authenticate events are firing. The problem is that it rejects valid username and password combinations as well as invalid ones. The other problem is that I am no closer to understanding what is going on. 

August 28th, 2013, 04:02 PM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Quote: "The problem is that it rejects valid username and password combinations as well as invalid ones."
This usually happens when the resource you're trying to access is not accessible to the user logging in. So even though the account details are valid, the user is not in one of the groups to which the file or folder is accessible.
You may want to take a look at the Planet Wrox sample site. The Management folder is blocked for users that are not in the Managers role. You find the configuration for it in the main web.config (where authentication is set up) and in the <location> elements at the bottom of that same file to configure access to the Management folder.
Imar

August 28th, 2013, 05:12 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
Thanks, Imar. It is good of you to keep track of your lost sheep.
When you talk of the file or folder being accessible, are you referring to the folder properties? I checked the security settings on the UserPages folder and I should be able to get in. In fact I made it fully accessible to all Users.
Then I copied the system.web authorization info from the folder level web.config file to the root level web.config file so that it looks just like what we did in the Planet Wrox website:
Code:
<location path ="UserPages">
  <system.web>
    <authorization>
      <allow roles="User" />
      <allow roles="SuperUser" />
      <allow roles="Admin" />
    </authorization>
  </system.web>
</location>
I'm still not getting in. I am trying two logins that have been assigned "User" status and one with "SuperUser" status in WSAT. But it is rejecting me in the authenticate event, so I would not think it is getting far enough to check roles.
I have the aspnet tables installed inside my database (which is iMASSQL) and it was quite a struggle to get things set up so the program would use those tables, rather than creating a separate ASPNETDB database outside my database. I would assume that since the program is finding the tables to create the user account, it should also be able to find them to authenticate the user, or at least if it couldn't find the tables I would get an error message.
I don't at present know what to consider next. Any help or hints would be much appreciated. Thanks.

September 2nd, 2013, 03:25 PM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Hi there,
Quote: "When you talk of the file or folder being accessible, are you referring to the folder properties?"
Nope; I was talking about being accessible in the browser by browsing to them.
Quote: "so that it looks just like what we did in the Planet Wrox website:"
Did you also copy the configuration part in <system.web> in the core configuration? E.g. before the <location /> elements?
Quote: "I would assume that since the program is finding the tables to create the user account"
Do you see new roles and users show up in the database? And are you 100% sure the database you're checking is the one that is in use for the site you're testing?
Imar

September 3rd, 2013, 12:23 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
OK, yes, I am able to browse to the file location of the database through my browser. (I am testing this application locally and using my own user account to test.)
I do see the new users and user roles showing up in the database as I create them. Everything looks right in the database.
I did copy the <membership> element from machine.config to my web.config file.
As to being 100% sure that the Login control is using the same database as the CreateUserWizard, it is certainly acting like it isn't. Since the method these two controls use to find the database is not transparent, I don't know how to be sure they are looking at the same database. Am I correct in assuming that they both refer to the same membership element to find the database?
Again, thanks for your help in thinking through this problem.

September 3rd, 2013, 01:53 PM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Could it be as simple as this:
Code:
<allow roles="User" />
<allow roles="SuperUser" />
<allow roles="Admin" />
<deny users="?" />
Allow and deny are processed top to bottom. At the first match (whether it's a deny or an allow), the appropriate access rule is applied. In this case when a user is in one of the three roles, access is granted. If the user is not in one of these roles, access is still granted, regardless of the role the user is in, as long as that user is currently logged in.
What you really want is this:
Code:
<allow roles="User" />
<allow roles="SuperUser" />
<allow roles="Admin" />
<deny users="*" />
This blocks access to all users, except for those in one of the three roles.
Hope this helps,
Imar
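
The first-match evaluation described above, modelled in Python as an added example (not code from the thread or from ASP.NET). The `Rule` and `Visitor` types and the sample visitors are constructed for illustration, HTTP verbs are ignored, and the inherited default `<allow users="*" />` is assumed as the final fallback; the third rule list is the allow-only `<location>` block posted earlier in the thread.

```python
# Added example: simplified model of ASP.NET URL authorization, not framework code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    users: tuple = ()    # user names, "?" = anonymous, "*" = everyone
    roles: tuple = ()    # role names


@dataclass(frozen=True)
class Visitor:
    name: str = ""                   # empty name means not logged in
    roles: frozenset = frozenset()


# Assumption: the inherited machine-level default rule, <allow users="*" />,
# is what a request reaches when no rule in the site's own config matches.
INHERITED_DEFAULT = (Rule("allow", users=("*",)),)


def rule_matches(rule, visitor):
    logged_in = bool(visitor.name)
    for user in rule.users:
        if user == "*" or (user == "?" and not logged_in):
            return True
        if logged_in and user == visitor.name:
            return True
    return any(role in visitor.roles for role in rule.roles)


def is_allowed(rules, visitor):
    """Walk the rules top to bottom; the first rule that matches decides."""
    for rule in tuple(rules) + INHERITED_DEFAULT:
        if rule_matches(rule, visitor):
            return rule.action == "allow"
    return False


ROLE_RULES = tuple(Rule("allow", roles=(r,)) for r in ("User", "SuperUser", "Admin"))
CONFIGS = {
    'deny users="?"': ROLE_RULES + (Rule("deny", users=("?",)),),   # as posted
    'deny users="*"': ROLE_RULES + (Rule("deny", users=("*",)),),   # corrected
    "no deny rule": ROLE_RULES,                                     # allow-only <location>
}
# Constructed sample visitors.
VISITORS = {
    "anonymous": Visitor(),
    "logged in, no role": Visitor("guest1"),
    "logged in, role User": Visitor("user1", frozenset({"User"})),
}


def access_matrix():
    """Return {config: {visitor: allowed?}} for every rule list above."""
    return {cfg: {who: is_allowed(rules, v) for who, v in VISITORS.items()}
            for cfg, rules in CONFIGS.items()}


if __name__ == "__main__":
    for cfg, row in access_matrix().items():
        print(f"{cfg:16}", {who: ("allow" if ok else "deny") for who, ok in row.items()})
```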

September 3rd, 2013, 04:35 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
Thanks, Imar. What I have neglected to say in my previous posts is that when I try to log in I get rejected in the login_authenticate event. I know this because I have stepped through the code and because I get the "Your login attempt was not successful..." message. I have taken steps to be absolutely sure I am using correct username/password combinations. It really is as if the Login control is looking at a different database than the CreateUserAccount control or the PasswordRecovery control, both of which work fine.

September 3rd, 2013, 04:43 PM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Do you have any custom code in that page? Can you show the markup and code behind?
Imar

September 3rd, 2013, 04:52 PM
Authorized User
Join Date: Jan 2013
Posts: 12
Thanks: 1
Thanked 0 Times in 0 Posts
No custom code. Here's the markup:
Code:
<%@ Page Language="VB" MasterPageFile="~/MasterPages/LoginMaster.master" AutoEventWireup="false" CodeFile="login.aspx.vb" Inherits="login" title="iMAS2 Login" %>
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
<table style="width:100%;" cellpadding="5px">
<tr>
<td align="center">
<asp:Login ID="Login1" runat="server" BackColor="#FFFBD6" BorderColor="#FFDFAD"
BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
Font-Size="0.8em" ForeColor="#333333" TextLayout="TextOnTop"
DestinationPageUrl="~/UserPages/Default.aspx">
<TextBoxStyle Font-Size="0.8em" />
<LoginButtonStyle BackColor="White" BorderColor="#CC9966" BorderStyle="Solid"
BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#990000" />
<InstructionTextStyle Font-Italic="True" ForeColor="Black" />
<TitleTextStyle BackColor="#990000" Font-Bold="True" Font-Size="0.9em"
ForeColor="White" />
</asp:Login>
</td>
</tr>
<tr>
<td align="center">
<asp:Button ID="btnForgotPsw" runat="server" Text="I forgot my password." />
</td>
</tr>
<tr>
<td align="center">
<asp:PasswordRecovery ID="PasswordRecovery1" runat="server" BackColor="#FFFBD6"
BorderColor="#FFDFAD" BorderPadding="4" BorderStyle="Solid" BorderWidth="1px"
Font-Names="Verdana" Font-Size="0.8em" Visible="False">
<MailDefinition From="[email protected]" Subject="Your new password for iMAS2">
</MailDefinition>
<InstructionTextStyle Font-Italic="True" ForeColor="Black" />
<SuccessTextStyle Font-Bold="True" ForeColor="#990000" />
<TextBoxStyle Font-Size="0.8em" />
<TitleTextStyle BackColor="#990000" Font-Bold="True" Font-Size="0.9em"
ForeColor="White" />
<SubmitButtonStyle BackColor="White" BorderColor="#CC9966" BorderStyle="Solid"
BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#990000" />
</asp:PasswordRecovery>
</td>
</tr>
<tr>
<td align="center">
<asp:LinkButton ID="LinkButton1" runat="server"
PostBackUrl="~/CreateAccount.aspx">Create a new User Account</asp:LinkButton>
</td>
</tr>
<tr>
<td align="center">
<asp:LoginStatus ID="LoginStatus1" runat="server" />
</td>
</tr>
</table>
</asp:Content>
and the code behind:
Code:
Partial Class login
    Inherits System.Web.UI.Page

    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnForgotPsw.Click
        PasswordRecovery1.Visible = True
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    End Sub

    Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate
    End Sub

    Protected Sub Login1_LoggedIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.LoggedIn
        Session("MyUserName") = Login1.UserName
        Session("MyUserID") = Membership.GetUser
    End Sub

    Protected Sub Login1_LoggingIn(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.LoginCancelEventArgs) Handles Login1.LoggingIn
    End Sub
End Class