Monday, February 1, 2010

Using Oracle Providers for ASP.NET






Purpose

This tutorial demonstrates Oracle Providers for ASP.NET usage and how tightly the providers integrate with existing ASP.NET management tools, controls, and services.

This tutorial covers the following topics:
Overview
Prerequisites
Enabling a Web Site for Authentication
Enabling Oracle Providers for ASP.NET and Creating a Web User
Testing Web Site Authentication
Summary

Overview

Oracle Providers for ASP.NET integrates directly with Microsoft ASP.NET controls and services to provide state management capabilities for web sites. State management is critical for managing persistent data, such as user information, user roles, and session information.

This tutorial builds upon the "Building ASP.NET Web Applications with Oracle Developer Tools for Visual Studio" tutorial. In that tutorial, you created a data grid retrieving employee information. In this tutorial, you now want to secure this employee data to ensure only authorized users can view the data. To accomplish this task, you will create an ASP.NET web user using the Oracle Membership Provider and test the web site's authentication with the provider with valid and invalid credentials.

Prerequisites

Before you perform this tutorial, you should:
1. Install Microsoft Visual Studio 2005 or 2008
2. Install Oracle Database 10g or later or Database XE. You may want to configure an Oracle NET connection alias if you do not have one already.
3. Install Oracle 11g Oracle Data Access Components (ODAC) with Oracle Developer Tools for Visual Studio version 11.1.0.6.20 or later from OTN
4. Set up an Oracle database schema for storing data from the Oracle Providers for ASP.NET, if you have not yet created and configured a schema for this purpose.
5. (Optional) Complete the Building ASP.NET Web Applications with Oracle Developer Tools for Visual Studio OBE.


Enabling a Web Site for Authentication

This section shows you how to add web site authentication to limit the users that can access the employee data. You will authenticate using an ASP.NET login control, verifying against users created and stored with the Oracle Providers for ASP.NET. Perform the following steps:

1. Reopen the web site you created in the Building ASP.NET Web Applications with Oracle Developer Tools for Visual Studio tutorial.

2. Select View > Solution Explorer.


3. Right-click on the web site and Add New Item.

4. Select Web Form, enter the name login.aspx and click Add.

5. When the login.aspx page appears, switch to the Design tab.

6. From the View menu, open the Toolbox, expand the Login section, and drag and drop the login control onto the form, into the dotted rectangle labeled div.

7. The Login control is displayed. This is a standard ASP.NET login control, which can retrieve and verify user login credentials stored in the Oracle database.

8. Right-click the login control and select Properties.
9. Under the Behavior section, for DestinationPageUrl, click the "..." button.

10. Select Default.aspx and click OK.
When a user successfully logs in, that user will be directed to the Default.aspx page, which contains the employee data. If a user does not successfully log in, they will be redirected back to the login page.

11. The value now appears for DestinationPageUrl in the properties window.
12. Select File > Save Login.aspx.


Enabling Oracle Providers for ASP.NET and Creating a Web User

In this section, you will use the ASP.NET Web Site Administration Tool to direct the web site to use the Oracle ASP.NET providers and create a new web user specific to this web site to demonstrate the authentication features for the login page you created in the previous section. Perform the following steps:
1. Select Website > ASP.NET Configuration.

2. The ASP.NET Web Site Administration Tool appears in a browser window. Select the Provider tab.

3. On the Provider page, select the second link: Select a different provider for each feature (advanced).

4. When the Provider page reappears, change the Membership Provider to OracleMembershipProvider and Role Provider to OracleRoleProvider and select the Security tab.

5. Under Users, click Select authentication type.
By default, the ASP.NET site uses Windows authentication to identify users. You are building a web site that will identify users by their site-specific logins and passwords. Therefore, the site must be configured to expect to use logins and passwords.

6. Select From the internet and click Done.

7. Select Create user.

8. In the Create User section, enter your name and a password that contains at least 7 characters, including one non-alphanumeric character. Enter your email, and a security question and answer, then click Create User.

9. The user account has been created. Click the Security tab.

Note: If you click Continue, you will be allowed to enter another user.

10. Note that there is now one existing user. Under Access Rules, select Manage access rules.

11. Select Add new access rule.

12. Select Anonymous users and Deny, then click OK.
By default, anonymous access to the web site is enabled. The above settings secure the web site by disabling anonymous access. Now, only authenticated users can view the employee data.

13. The access rule was created successfully. The web site will now deny anonymous users access to the site. Click Done.
14. Close the browser.
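
As an added illustration (not part of the original tutorial), the choices made in the Web Site Administration Tool above end up as settings like the following in the web site's web.config. The provider names are the ones selected in step 4; the explicit loginUrl, and the assumption that the ODAC installation registered both providers in machine.config, are this example's own.

```xml
<?xml version="1.0"?>
<!-- Added example: the web.config state that corresponds to steps 4, 6 and 12. -->
<configuration>
  <system.web>

    <!-- Step 6, "From the internet": replace the default Windows
         authentication with forms authentication. loginUrl is spelled out
         for clarity; "login.aspx" is also the ASP.NET default. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <!-- Step 12: deny anonymous users ("?"). Any authenticated user is still
         allowed by the default rule inherited from machine.config. The login
         page itself stays reachable so that users can sign in. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Step 4: make the Oracle providers the defaults for membership and
         roles. Assumes both are already registered under <providers> in
         machine.config. -->
    <membership defaultProvider="OracleMembershipProvider" />
    <roleManager defaultProvider="OracleRoleProvider" />

  </system.web>
</configuration>
```

Reviewing this file after using the tool is a quick way to confirm that the deny rule for anonymous users is present at the site root and has not been shadowed by an allow rule placed above it, since ASP.NET applies the first matching rule.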


Testing Web Site Authentication

Now that you have created a web user specific to this web site, the web site will allow this user access to the employee data and deny access to all other users, including anonymous users. In this section, you will attempt to access the employee data as an anonymous user, as an unauthorized user, as an authorized user with an incorrect password, and finally as an authorized user with the correct password. Only in the last scenario will the web site grant access to the employee data. Perform the following steps:

Note: Five or more consecutive invalid passwords entered for an ASP.NET provider user within a ten-minute period will lock the account to prevent unauthorized users from gaining access through password guessing. Oracle Membership Provider sets these security measures through the following properties, which you can modify in the machine.config or web.config files: MaxInvalidPasswordAttempts (default: 5 attempts) and PasswordAttemptWindow (default: 10 minutes). If the account is locked, you can unlock the user by calling the UnlockUser method.

1. Switch to Microsoft Visual Studio. Select Debug > Start Without Debugging.

2. The login web page appears.
3. Change the URL to end with Default.aspx rather than login.aspx and press the Enter key. You are denied access and redirected back to the login page. This shows that anonymous users cannot browse the web site; only users with credentials have access.
If you are experimenting with the authentication mechanism, you will likely repeat this step or try variations. For each variation, either start a new browser instance or clear the browser cache. Because browsers cache web pages, accessing Default.aspx again may show you the cached version of the page instead of sending the request through the ASP.NET provider authentication process. Using a new browser instance or clearing the cache ensures that the request is authenticated.

4. Remove the text of the URL after login.aspx. This returns the URL to its original state when you first accessed the site. Enter a username and password that are different from those of the user you created earlier in the ASP.NET Web Site Administration Tool. Then click Log In.
5. Notice that you receive an error indicating that the user you entered is not valid. The web site correctly denies access to the user.
6. Enter the user name you entered in the ASP.NET Web Site Administration Tool but with an incorrect password for that web site user. Click Log In. As the screen shot indicates, the user is denied access, demonstrating that the control could not verify this user's credentials with those stored by the Oracle Membership Provider.

7. Enter the correct username and password for the web site user. Click Log In. The employee data appears. This demonstrates that only authorized users can access the data. Thus, Oracle Providers for ASP.NET provided web site security in a very simple manner.

You have now built a data-driven ASP.NET web application. It performs authentication and retrieves employee data from the database.

Summary

In this tutorial, you learned how to:
Enable a web site for authentication
Enable Oracle Providers for ASP.NET and create a web user
Test web site authentication

