So you drop in the control, select "View in Browser" and BAM! A message tells you
that "The control is configured for viewing by members of the Administrator Role
but Roles have not been enabled for this site."
Secure by default
The Membership Manager control is an administrative tool for which access should be carefully controlled.
Whether you are running a family web site or a large-scale commercial application, it goes without saying that
you must never allow anonymous Internet access to your membership control panel.
While access to the membership control panel can be controlled in a number of ways, the control itself includes
a property, MembershipRole, that may be used to ensure that users of the control are in a particular membership role.
As a strong reminder for you to do something about security, the MembershipRole
property is set to Administrator by default.
For testing purposes (and to quickly get the control up and going), you may wish
to clear this property and bypass the security feature. You may also wish to clear
this property if you are not using the control on a public site or do not plan to use role management.
Knowing that the MembershipRole property works with your own membership roles,
you can select the security strategy that best fits your particular needs.
- You can enable roles for your web site, create an Administrator Role and place yourself
into that role.
- You can clear the MembershipRole property and use the control on an intranet
page or other page that is inaccessible without proper authentication.
Enabling Membership Roles
Roles may be enabled using the Asp.Net Web Site Administration Tool (available in
the Visual Studio 2005 IDE) or by making certain updates in your application's web.config
file:
In case you've never worked with roles before, we've created a video to demonstrate
the entire process.
Watch a video on setting up role management
The video demonstrates how to work around an interesting dilemma that occurs when
you use the Asp.Net Web Site Administration Tool to create your Administrator Role
on an already-established web site. The Asp.Net Web Site Administration Tool is
normally used with the development version of your web site rather than the one
that may already be living on your web server. You'll have no problem copying the
modified web.config files to your web server, but when the tool creates new roles,
it (normally) does so in your local SQL Server (.mdf) file, and your live database
will have no knowledge of the new roles or role members. Of course, you will not
want to overwrite your live database with the one on your development machine.
So how do you add an Administrator Role to the live database?
The methods for creating membership roles and for assigning users to roles are built
right into the roleManager and membership providers, and can easily be called with
a small amount of code. To make it a bit easier for you, the Membership Manager
control includes options for creating roles in the database and also for assigning
users to roles.
The following process may be used to set up roles and secure the page on which the
Membership Manager Control resides.
- Create a folder that will be secured and name it something like "admin"
- Create a web form in that folder and then drop the Membership Manager Control onto
that form. For this discussion, let's say you call it "Admin.aspx"
- Clear the MembershipRole property of the Membership Manager Control
- Copy the new admin folder (and its web form) to your server
- Navigate to "Admin.aspx" using your web browser and use the Role Management feature
on the Tools menu to create an Administrator Role.
- Use the control to create or locate your own membership record then add yourself
to the Administrator Role
- Back on your development machine, set the MembershipRole property back to Administrator
and use the Asp.Net Web Site Administration Tool to require Administrator rights
on your admin folder.
- Copy your local admin folder back up to the web server along with its updated "Admin.aspx"
and new web.config files.
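The end state of the steps above, written as web.config by hand rather than through the Asp.Net Web Site Administration Tool. This is an added example, not part of the product documentation; it assumes the folder is named "admin" as in the steps and that the default role provider is in use.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config. Assumes the folder is named "admin" (as in
     the steps above) and the default AspNetSqlRoleProvider is used. -->
<configuration>
  <system.web>
    <!-- Turns on role management; without it the control reports that roles
         have not been enabled for this site. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Applies only to requests under ~/admin, including Admin.aspx. -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins, so the
             allow must come before the deny. -->
        <allow roles="Administrator" />
        <!-- "*" denies everyone else, signed-in members included. Using
             users="?" here would block only anonymous visitors and let any
             authenticated member reach the control panel. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the folder rule and the control's MembershipRole property both check the Administrator role, so clearing one of them by mistake does not expose the page.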
If you have already implemented role management on your web site and have already
created access-controlled folders then you can skip most of the above steps and
simply set the MembershipRole property to a role of which you are a member
(and place your membership manager web form into the protected folder).
This video shows you how to enable role management, create an Administrator role
and add a user into the role of a new or established web site.
Watch a video on setting up role management
Using the control on an access-controlled page
As an alternative to using membership roles, you can use the Membership Manager
Control on a web page that belongs to a completely separate web site. There are
many ways to do this so we'll keep this discussion at a fairly high level.
One possible method is to use a web site for which Internet Information Server (IIS)
has Anonymous access disabled and instead requires authentication through Active
Directory. This is a typical intranet scenario and is quite common for many organizations.
You could clear the MembershipRole property on the control since access
to its page is guarded by IIS. The only thing left to do would be to point the membership
provider's connection string over to the database that actually contains the members.
By default, the AspNetSqlMembershipProvider is configured to use a connection string
called LocalSqlServer which, if not specified in web.config, will basically
point to a SQL Server Express database called AspNetDB.Mdf (in the local Bin folder).
By simply creating a connection string called "LocalSqlServer" and pointing it over
to the active database, your protected site's Membership Manager Control can be
used remotely.
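A sketch of the intranet site's web.config for the setup described above. This is an added example, not part of the product documentation; the server name DBSERVER and database name LiveMembers are placeholders, and it assumes the default AspNetSqlMembershipProvider.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for the separate intranet site.
     DBSERVER and LiveMembers are placeholders for the live membership database. -->
<configuration>
  <connectionStrings>
    <!-- LocalSqlServer is already defined at machine level, so remove the
         inherited entry before adding one with the same name. -->
    <remove name="LocalSqlServer" />
    <add name="LocalSqlServer"
         connectionString="Data Source=DBSERVER;Initial Catalog=LiveMembers;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Identity comes from IIS (Windows and Active Directory), not from the
         membership database being administered. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Refuse anonymous requests in ASP.NET as well, so the page stays closed
           if Anonymous access is ever re-enabled in IIS. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The membership provider scopes users by its applicationName setting, so if the live site overrides that value the intranet site must use the same one or it will show no members. With Integrated Security the site's worker process account is what connects to the database, so grant that account only the rights the membership tables need.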