One of my disappointments with Ruby on Rails is that it provides no support whatsoever for site logins/membership, which I consider to be a fundamental part of many database-driven websites. Of course, the Rails community has responded — and responded, and responded, and responded — to this need. The Rails wiki notes that there are about a "gazillion" different systems for solving this problem in Rails. I’ve tried acts_as_authenticated, which does work, but, at least at the time I tried it, required quite a bit of manual tweaking and patching to get it going.
ASP.NET 2.0 and higher, on the other hand, includes a standard membership framework which is sufficiently extensible that I’ve never seen an application which it couldn’t be adapted to fit, and, for most applications, it will work right out of the box.
The usual way to configure page access rights for the ASP.NET membership (in web.config), however, isn’t really applicable to the new MVC framework. Scott Guthrie had promised to cover this subject, but it was Rob Conery who finally delivered the goods. In short, you decorate your controller actions with attributes specifying whether the current user must be logged in, or be within a certain role, and a controller filter handles the work of validating those security assertions at runtime. Troy Goode built upon Rob’s original code, producing the ASP.Net MVC Membership Starter Kit.
The Starter Kit includes a lot of really valuable code, but very little documentation, so I’m going to write out instructions for "getting started with the Starter Kit." I’m presuming that you’re going to use the SQL membership provider in this example, although the membership framework does include support for OpenID and Windows Live authentication as well. You can, of course, use any authentication framework you care to.
- Download the full installer from the Releases tab at CodePlex. I’d also strongly recommend getting the source code download, which is available on the same page.
- Run the installer.
- If you’re using Visual Studio, you want to install the templates into VS. There’s an item on your Start menu (in the "Starter Kits") folder which will do that.
- If you are creating a brand-new site, you can start by just copying the sample project included with the download. Skip ahead to step 10.
- If you are adding membership support to an existing project, there’s a few things you need to do. First, you need to reference the assembly you’ve just installed. One way to do this is to simply reference the StarterKits.Mvc assembly in your project. But I chose to add the source code for the StarterKits.Mvc project to my solution instead, which helps with debugging.
- If you haven’t done so already, edit your web.config to include Forms authentication and set the Login URL, and specify a ConnectionString if you’re not using the default. I’ll include an example of this below. Note that you need to include a membership provider and a role provider. Also, if you’re not using the default database, run aspnet_regsql.exe to add the required metadata to your database.
- You are not required to use the controllers or views supplied with the Starter Kit. The filters in the Starter Kit will work fine with any controller you care to write. However, it’s probably easiest, especially at the beginning, to use the supplied code. If you’re using Visual Studio, you can do this with the templates you installed in step 3. Right click the Controllers folder in Solution Explorer, choose Add New Item, then choose MvcMembership Controllers FormsAuthenticationController. Do the same for FormsAuthenticationAdministrationController. Right click the Views folder, and add both View templates.
- The current release of the Starter Kit has a bug where the codebehind and codegen files are not added along with the aspx files to the FormsAuthenticationAdministration views. This will be fixed in the next release (see Troy Goode’s comment below for details), but if you encounter this bug, I’ve included a workaround in my defect report.
- You need to add a couple of lines to Global.asax in order to register the routes for the new controllers. You can copy those from the sample project.
- Your site should now work, but there are a few things you need to do in order to configure e-mail and the like. These are indicated with TODO comments. You can find these in the Task List.
As promised, here is what you need to add to web.config to use a custom database. I’ve omitted the connection string definition, which is specified like any other connection string.
<authentication mode="Forms"> <forms loginUrl="/Login"/> </authentication> <roleManager enabled="true"> <providers> <clear/> <add name="AspNetSqlRoleProvider" connectionStringName="MyConnectionString" applicationName="MyApp" type="System.Web.Security.SqlRoleProvider, System.Web, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> <membership defaultProvider="MySqlMembershipProvider"> <providers> <add name="MySqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="MyConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="MyApp" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/> </providers> </membership>