Authorization and Authentication

Uploaded by

manthanb

ASP.NET authentication mechanisms:

1) Windows Authentication.
2) Passport Authentication
3) Forms-Based authentication.

Membership Service model Architecture

ASP.NET membership gives you a built-in way to validate and store user credentials.
ASP.NET membership therefore helps you manage user authentication in your Web sites.
You can use ASP.NET membership with ASP.NET forms authentication, together with the
ASP.NET login controls, to create a complete system for authenticating users.

ASP.NET membership supports facilities for:

• Creating new users and passwords.
• Storing membership information (user names, passwords, and supporting data) in
  Microsoft SQL Server, Active Directory, or an alternative data store.
• Managing passwords, which includes creating, changing, and resetting them.
  Depending on membership options you choose, the membership system can also
  provide an automated password-reset system that takes a user-supplied question
  and response.

Membership Providers

ASP.NET membership provider is a feature that enables ASP.NET developers to
create Web sites that allow users to create unique user name and password
combinations. With this facility, any user can establish an account with the site, and
sign in for exclusive access to the site and its services.

The membership feature requires using a SQL Server database to store the user
information. The feature also includes methods for prompting with a question any
users who have forgotten their password.

or

The purpose of the MembershipProvider is to provide a layer of indirection between
membership controls, like the LoginControl, and the data store containing
membership information. The indirection means we can use any data store (SQL
Server, Oracle, XML, Web Service, Active Directory), as long as we have a provider
to hide the details behind the public methods and properties of a concrete class.

Membership Controls

ASP.NET provides robust login (authentication) functionality for ASP.NET Web
applications without requiring programming. Login controls integrate with ASP.NET
membership and ASP.NET forms authentication to help automate user
authentication for a Web site.

• The Login Control
• The LoginView Control
• The LoginStatus Control
• The LoginName Control
• The PasswordRecovery Control
• The CreateUserWizard Control
• The ChangePassword Control

Membership APIs

ASP.NET membership consists of a set of classes and interfaces that create and
manage users and authenticate users based on the credentials that they supply.

Membership Classes

• Creates a new user.
• Deletes a user.
• Updates a user with new information.
• Returns a list of users.
• Finds a user by name or e-mail.
• Validates (authenticates) a user.
• Gets the number of users online.
• Searches for users by username or e-mail address.

MembershipUser Class

Represents a single user stored in a membership API credential store.

Includes properties for getting and setting user information.

Includes methods for retrieving, changing and resetting.

Properties:

• Comment: Gets or sets application-specific information for the membership user.
• CreationDate: Gets the date and time when the user was added to the membership
  data store.
• Email: Gets or sets the e-mail address for the membership user.
• IsApproved: Gets or sets whether the membership user can be authenticated.
• LastLoginDate: Gets or sets the date and time when the user was last authenticated.
• PasswordQuestion: Gets the password question for the membership user.
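
The following login handler is an added example, not code from the original document. It combines the Membership class (validating a user) with the MembershipUser properties listed above. The page name Login.aspx and the controls txtUserName, txtPassword, lblMessage and btnLogin are assumptions.

```csharp
// Added example: code-behind for a hypothetical Login.aspx page.
// txtUserName, txtPassword, lblMessage and btnLogin are assumed controls.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();

        // ValidateUser checks the password through the configured provider.
        // It also returns false for locked-out or unapproved accounts.
        if (Membership.ValidateUser(userName, txtPassword.Text))
        {
            // Issue the forms-authentication ticket as a non-persistent
            // cookie and return to the page that was originally requested.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
            return;
        }

        // Work out the reason from MembershipUser, for the server log only.
        MembershipUser user = null;
        try { user = Membership.GetUser(userName); }
        catch (ArgumentException) { /* malformed name, e.g. contains a comma */ }

        string reason;
        if (user == null) reason = "unknown or malformed user name";
        else if (user.IsLockedOut) reason = "account locked out";
        else if (!user.IsApproved) reason = "account not approved";
        else reason = "wrong password";

        // Fully qualified: inside a Page, "Trace" is the page's TraceContext.
        System.Diagnostics.Trace.TraceWarning(
            "Login failed for '{0}': {1}", userName, reason);

        // One message for every failure, so the response does not reveal
        // whether the account exists or what state it is in.
        lblMessage.Text = "Login failed. Check your user name and password.";
    }
}
```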

Role Management Services.

Role management helps you manage authorization, which enables you to specify
the resources that users in your application are allowed to access. Role
management lets you treat groups of users as a unit by assigning users to roles
such as manager, sales, member, and so on. (In Windows, you create roles by
assigning users to groups such as Administrators, Power Users, and so on.) After
you have established roles, you can create access rules in your application. For
example, your site might include a set of pages that you want to display only to
members. Similarly, you might want to show or hide a part of a page based on
whether the current user is a manager. By using roles, you can establish these
types of rules independent from individual application users. For example, you do
not have to grant individual members of your site access to member-only pages.

Role management API

Role management is not limited to restricting rights to pages or folders. Role
management provides an API that you can use to determine programmatically
whether a user is in a role. This enables you to write code to take advantage of
roles and perform any application tasks based not only on who the user is but also
on what roles the user is in.

If you establish user identity in your application, you can use the role-management
API methods for creating roles, adding users to roles, and obtaining information
about which users are in which roles. These methods enable you to create your own
interface for managing roles.

Role Classes

Role management consists of a set of classes and interfaces that establish roles for
the current user and that manage role information. The following table shows the
role management classes and functions that they provide.

• Creates roles.
• Adds users to roles.
• Determines whether specific user is in role.
• Gets roles for users.
• Removes users from role.
• Manages the cookie containing role information.
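
The following page code is an added example, not code from the original document. It uses the role-management API for the "manager" case described above: showing part of a page only to managers and enforcing the same role on the action itself. It assumes role management is enabled in Web.config; Reports.aspx, pnlManager, btnApprove, lblStatus, ApproveReport and GrantManager are hypothetical names.

```csharp
// Added example: code-behind for a hypothetical Reports.aspx page.
// pnlManager, btnApprove and lblStatus are assumed controls.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Reports : Page
{
    private const string ManagerRole = "manager";

    private bool CurrentUserIsManager()
    {
        // Roles.IsUserInRole(role) checks the currently logged-on user.
        return User.Identity.IsAuthenticated && Roles.IsUserInRole(ManagerRole);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Show the manager section only to managers. Hiding the panel is a
        // display decision; the handler below enforces the role again.
        pnlManager.Visible = CurrentUserIsManager();
    }

    protected void btnApprove_Click(object sender, EventArgs e)
    {
        // Authorization check on the action itself, not only on the UI.
        if (!CurrentUserIsManager())
        {
            Response.StatusCode = 403;
            lblStatus.Text = "You are not allowed to approve reports.";
            return;
        }
        ApproveReport();
    }

    // Administrative helper: create the role on first use, then add the user.
    public static void GrantManager(string userName)
    {
        if (!Roles.RoleExists(ManagerRole))
            Roles.CreateRole(ManagerRole);
        if (!Roles.IsUserInRole(userName, ManagerRole))
            Roles.AddUserToRole(userName, ManagerRole);
    }

    private void ApproveReport()
    {
        // Encode the name before writing it into the page.
        lblStatus.Text = "Report approved by " + Server.HtmlEncode(User.Identity.Name);
    }
}
```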

Role Management Providers

Role management services use the provider model to separate the functionality of
role management (the API) from the data store that contains role information.
The .NET Framework includes the following providers that maintain role information
in different data stores:

• SQL Server. Role information is stored in a SQL Server database. The SQL
  provider is suitable for medium to large Internet applications. This is the
  default provider.
• Windows (WindowsToken). Role information is based on Windows accounts
  (users and groups). The Windows provider is useful only if your application
  runs on a network where all users have domain accounts.
• Authorization Manager (AzMan). Role information is managed using an
  Authorization Manager XML file or a directory-based policy store.

You specify a provider by setting the defaultProvider attribute when you configure
role management in your application's Web.config file.

ASP.NET Profile Properties

Many applications need to store and use information that is unique to a user. When a
user visits your site, you can use the information you have stored to present the user
with a personalized version of your Web application. Personalizing an application requires
a number of elements: you must store the information using a unique user
identifier, be able to recognize users when they visit again, and then fetch the user
information as needed. To simplify your applications, you can use the ASP.NET
profile feature, which can perform all of these tasks for you.

The ASP.NET profile feature associates information with an individual user and
stores the information in a persistent format. Profiles allow you to manage user
information without requiring you to create and maintain your own database. In
addition, the ASP.NET profile feature makes the user information available using a
strongly typed API that you can access from anywhere in your application.

ASP.NET Profile Services

Features

• Provides a transparent way to manage user information.
• No need to design database tables.
• Data access components can be written to work with the database.
• Stores per-user data persistently using SQL Server.
• Strongly typed access (unlike session).
• Long lived (unlike session).
• Supports authenticated and anonymous users.
• Provider based for flexible data storage.

How ASP.NET Profiles Work

To start using profiles, we first need to create a profile database in SQL Server
using aspnet_regsql.exe, so that profile data can be stored persistently.

Installing the database using aspnet_regsql.exe

ASP.NET includes a tool for installing the SQL Server database used by the SQL
Server providers, named Aspnet_regsql.exe. The Aspnet_regsql.exe tool is located
in the drive:\WINDOWS\Microsoft.NET\Framework\versionNumber folder on your
Web server. Aspnet_regsql.exe is used to both create the SQL Server database and
add or remove options from an existing database.

The database elements that are installed in the feature database will always be
owned by the SQL Server database owner account (dbo). In order to install the
feature database, a SQL Server login must be permitted to
the db_ddladmin and db_securityadmin roles for the SQL Server database.

To run the Aspnet_regsql.exe wizard, run Aspnet_regsql.exe without any command-line
arguments, as shown in the following example:

    C:\WINDOWS\Microsoft.NET\Framework\<versionNumber>\aspnet_regsql.exe

You can also run the Aspnet_regsql.exe tool as a command-line utility. For example,
the following command installs the database elements for membership and role
management on the local computer running SQL Server:

    aspnet_regsql.exe -E -S localhost -A mr

Once the SQL Server configuration is done, we need to add the profile section to the
Web.config file.

You configure the profile feature by defining a list of properties whose values you
want to maintain. For example, you might want to store the user's postal code so
that your application can offer region-specific information, such as weather reports.
In the configuration file, you would define a profile property named PostalCode.
The profile section of the configuration file might look like the following:

    <profile>
      <properties>
        <add name="PostalCode" />
      </properties>
    </profile>

When your application runs, ASP.NET creates a ProfileCommon class, which is a
dynamically generated class that inherits the ProfileBase class. The
dynamic ProfileCommon class includes properties created from the profile
property definitions you specify in your application configuration. An instance of this
dynamic ProfileCommon class is then set as the value of the Profile property of
the current HttpContext and is available to pages in your application.

In your application, you collect the value or values you want to store and assign
them to the profile properties you have defined. For example, your application's
home page might contain a text box that prompts the user to enter a postal code.
When the user enters a postal code, you set a Profile property to store the value for
the current user, as in the following example:

Profile.PostalCode = txtPostalCode.Text;

Profile Property Attributes

When you define a property in the profile, you specify a name that you will use to
refer to the property. For example, if you want to store a postal code, you can name
the property PostalCode and you can then get and set the property value
as Profile.PostalCode.

A property definition can also carry the following attributes:

• type: Specifies the type for the property. The default is String. You can
  specify any .NET class as the type (Int32, DateTime, StringCollection, and so
  on). If the type is not defined in the .NET Framework, you must ensure that
  your Web application has access to the type. You can include the type's
  compiled assembly in the Web site's Bin directory or in the global assembly
  cache (GAC), or you can put the source code for the type in the Web site's
  App_Code directory.
• serializeAs: Specifies the serialization formatter (string, binary, XML, or
  provider-specific serialization). For details, see Serialization in the .NET
  Framework. The default serialization is string.
• allowAnonymous: Specifies a Boolean value that indicates whether the
  property is managed for anonymous users. By default, this is false. If you
  want the property to be available for unauthenticated users, you can set the
  property to true.
• defaultValue: Specifies a value that the property is initialized with.
• readOnly: Specifies a Boolean value that indicates whether the property
  can be modified.
• provider: Specifies a provider specific to the property. By default, all
  properties are managed using the default provider specified for profile
  properties, but individual properties can also use different providers.

Anonymous Personalization

Profiles can also work with anonymous users. Support for anonymous profiles is not enabled
by default, so you must explicitly enable it. In addition, when you define profile properties in
the Web.config file, you must explicitly make them available individually for anonymous
users. Profile properties do not support anonymous access by default because profiles may
be designed to work with authenticated users, and many properties are likely to pertain to
personal information that is not available for anonymous users.

<anonymousIdentification enabled="true" />
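
When anonymous profiles are enabled, values collected before login have to be carried over once the visitor authenticates. The handler below is an added example, not code from the original document. It assumes a Web Site project whose Global.asax contains this method, and that the PostalCode property from the text is declared with allowAnonymous="true"; the postal-code pattern is illustrative only.

```csharp
// Added example: place inside <script runat="server"> in Global.asax.
// Types are fully qualified so no Import directives are needed.
public void Profile_OnMigrateAnonymous(
    object sender, System.Web.Profile.ProfileMigrateEventArgs args)
{
    // Profile that was stored under the anonymous identifier before login.
    ProfileCommon anonymous = Profile.GetProfile(args.AnonymousID);

    // The anonymous value came from an unauthenticated visitor, so check
    // its shape before copying it into the authenticated user's profile,
    // and keep any value the authenticated user has already saved.
    string postalCode = anonymous.PostalCode;
    bool wellFormed = !string.IsNullOrEmpty(postalCode)
        && System.Text.RegularExpressions.Regex.IsMatch(
               postalCode, @"^[A-Za-z0-9 \-]{3,10}$");

    if (wellFormed && string.IsNullOrEmpty(Profile.PostalCode))
    {
        Profile.PostalCode = postalCode;
    }

    // Delete the anonymous profile and clear the anonymous identifier so
    // stale data is not kept and this event is not raised again.
    System.Web.Profile.ProfileManager.DeleteProfile(args.AnonymousID);
    System.Web.Security.AnonymousIdentificationModule.ClearAnonymousIdentifier();
}
```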


Globalization is defined as the process of developing a program or an application so
that it is usable across multiple cultures and regions, irrespective of the language
and regional differences. For example, you have made a small inventory
management program and you live in a region where English is the main language,
assume England. Now, if you want to sell your program in a different country, let’s
say Germany, then you need to make sure that your program displays and takes
input in the German language.

Localization is the process of creating content, input, and output data, in a region
specific culture and language. Culture will decide date display settings (like,
mm/dd/yyyy or dd/mm/yyyy), currency display formats etc. Now, the process by
which we can make sure that our program will be localized is known as
Internationalization or Globalization. In simpler terms, Globalization can be defined
as the set of activities which will ensure that our program will run in regions with
different languages and cultures.

Globalization is related to intrinsic code changes to support such changes, like using
resource files. Localization, by contrast, is the process of using a particular culture and
regional info so that the program uses the local languages and culture. This means
translating strings into a particular local language. This covers putting language-specific
strings in the resource files. Globalization starts in the main construction phase along
with the code development. Localization generally comes later.

Difference

'Globalization' is the process of designing and developing a software product that functions
in multiple cultures/locales.

'Localizability' is an intermediate process for verifying that a globalized application is ready
for localization.
