Securing Applications in ASP.NET 2.0
by Uday Denduluri


Securing an ASP.NET application is one of the toughest challenges programmers face. The reason for this is simple: all applications evolve over time. It would be bliss for programmers if websites never changed and remained static.

Let us take a scenario where we are developing a simple shopping cart application for company X. Here, security is not the key concern; rather, identifying the user and displaying the items in that user's cart is the most important factor. Keeping the requirements in view, we developed the application accordingly. The application was moved to production and is doing fine. Now, this simple shopping cart application has done really well and has brought a lot of revenue to company X. Suddenly the strategy is to build a bidding site on top of the shopping cart site. This change in strategy has made security a key component of the application. A bidding site needs to uniquely identify the user and also let him place his bids. Before, the application never kept a user profile. Now it needs to maintain the user profile with all the mandatory fields. This change can be addressed well with the provider model. In the next few sections we will discuss this.

A Brief on the Provider Model

Before we understand the provider model we need to know about the Factory Method design pattern. As the Factory Method pattern is out of scope for this article, we will cover it only briefly.

We have an abstract creator class that is responsible for creating a product. A concrete implementation of this class creates a concrete product. The creator class has a method, the "factory method," which decides (based on some parameters) which product the creator creates.

The provider model extends/implements the Factory Method pattern. The ProviderBase class is the base class for all the providers; it implements the basic methods and properties that are common to all providers. In ASP.NET applications we simply give the type of the class that needs to be loaded. Since the contract for that type is the ProviderBase class, we specify the type name of the class in the web.config file. Let us see how we configure an application with different security providers.

Different Security Providers

Let us discuss all the security providers in detail.

·         Authentication providers for ASP.NET – Authentication is the process of identifying a user before deciding whether he can be given the requested resource. ASP.NET implements authentication using authentication providers. Three authentication providers ship with the .NET Framework.

1.    Windows Authentication Provider – This provider uses the WindowsAuthenticationModule class. The "Authenticate" event of WindowsAuthenticationModule is fired when the application authenticates a request.

2.    Forms Authentication Provider – Similarly, the FormsAuthenticationModule class is responsible for authentication when forms authentication is configured. On successful authentication, the FormsAuthentication class takes the lead by redirecting from the login page. It is to be noted that for both Forms Authentication and Windows Authentication the module is based on IHttpModule.

3.    Passport Authentication Provider

·         Authorization providers – Once a user is successfully authenticated and requests a resource, the application needs to authorize whether he/she can be given access to the requested resource. Only then should he/she be granted the requested resource. We have an interface known as "IAuthorizationProvider." This interface has a method Authorize. All the concrete authorization providers implement the Authorize method.

·         ProfileProvider class in ASP.NET 2.0 – A user profile corresponds to the user information pertaining to the application. It mostly records things such as when the user last logged in, when the user details were last updated, etc. ProfileInfo is the class that encapsulates all this information. The ProfileProvider class has all the methods and properties that are used to manage the profile for a user.

·         In most cases we need to create custom profile providers using the ProfileProvider base class. The reason is that in most cases the data source we deal with may not be one supported by the .NET Framework, so we need to write some extra code for it. Also, if our application database schema is not exactly the same as the schema required by the built-in ProfileProvider, we need to implement our own ProfileProvider. The SqlProfileProvider class is used by ASP.NET to store and retrieve profile settings for an ASP.NET application that is using a SQL Server database. This class extends and implements the ProfileProvider class.

·         MembershipProvider – The MembershipProvider class forms the basis for managing membership services for applications. This class provides all the basic methods needed for creating, updating, and managing users' information. Apart from the methods related to the user, it also has methods for password management, including methods that provide password encryption and decryption. The MembershipProvider class is derived from the ProviderBase class; hence, it supports the provider model architecture.

·         The concrete class that implements MembershipProvider is SqlMembershipProvider. This class has all the methods implemented for SQL Server. To use this provider we specify the type information in the configuration file: type="System.Web.Security.SqlMembershipProvider". When the type of the class is specified, the .NET runtime searches for the type in the "System.Web.Security" namespace across all the referenced assemblies. Then, using the CreateInstance method of the Activator class, it creates an instance of the class.

·         RoleProvider – The MembershipProvider class mainly takes care of user-management services, whereas RoleProvider is designed to provide role-management services for all ASP.NET applications. The RoleProvider class is the abstract base class for all custom RoleProvider classes. It has methods for creating a role, deleting a role, mapping a role to a user, retrieving the roles for a user, etc.
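The configuration the sections above describe, as an added example that is not from the original article: a web.config that wires forms authentication, SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider together, with the hardening attributes a reviewer would look for. The provider names, the application name "/Shop", the login page path and the connection string name "ShopConnection" are assumed.

```xml
<configuration>
  <system.web>
    <!-- FormsAuthenticationModule handles the Authenticate event and redirects
         unauthenticated requests to loginUrl; requireSSL keeps the ticket off plain HTTP -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <!-- Deny anonymous users ("?") by default; open specific paths with <location> -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- type names the class the runtime resolves and creates via Activator.CreateInstance;
         "ShopConnection" is an assumed <connectionStrings> entry for the aspnet_regsql.exe database -->
    <membership defaultProvider="ShopMembership">
      <providers>
        <clear />
        <add name="ShopMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ShopConnection"
             applicationName="/Shop"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="ShopRoles">
      <providers>
        <clear />
        <add name="ShopRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="ShopConnection" applicationName="/Shop" />
      </providers>
    </roleManager>
    <profile defaultProvider="ShopProfile">
      <providers>
        <clear />
        <add name="ShopProfile" type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="ShopConnection" applicationName="/Shop" />
      </providers>
      <properties>
        <add name="LastLogin" type="System.DateTime" />
      </properties>
    </profile>
  </system.web>
</configuration>
```

Note that SqlProfileProvider lives in the System.Web.Profile namespace, so its type attribute differs from the two System.Web.Security providers. passwordFormat="Hashed" with enablePasswordRetrieval="false" means the provider never stores or returns a recoverable password.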


Securing applications is always one of the toughest challenges programmers face. This is because of the changes an application undergoes: security policies change, and thus the security code needs to be rewritten. For such scenarios Microsoft has come up with the provider model. The built-in classes such as MembershipProvider, RoleProvider, and ProfileProvider help us create our own custom classes. In case of any change in the security policy we just need to write a new custom class that deals with the change. Also, since the assembly names are specified in the configuration, we can maintain different versions of the custom classes.
