How does form-based authentication work
Form-based authentication follows a simple exchange. A client requests access to a protected resource. If the client is unauthenticated, the server redirects the client to a login page. The client submits the login form to the server. The server then attempts to authenticate the user.

To deploy and test the example using deploytool, follow the steps described below. When you request the protected resource, the login form displays in the browser, as shown in the figure. Enter a user name and password combination that corresponds to the role of loginUser, and then click the Submit button.

Form-based authentication is case-sensitive for both the user name and password. If you entered Debbie as the name, and a user named Debbie is defined for the Application Server with a matching password and is assigned to the group loginUser that we mapped to the role loginUser, the display appears as in the figure. Note: for repetitive testing of this example, you may need to close and reopen your browser, because the browser keeps the authenticated session (its session cookie) until it is closed.

Passwords are not protected for confidentiality with HTTP basic or form-based authentication: passwords sent between a client and a server on an unprotected session can be viewed and intercepted by third parties. To overcome this limitation, run these authentication mechanisms over a TLS (SSL) protected session so that all message content is protected for confidentiality. The same applies after login: the session cookie or authentication ticket the server issues is as valuable to an eavesdropper as the password itself, so it too must travel only over the protected connection.

Read the section Specifying a Secure Connection for more information.

HTTP basic authentication works differently. A client requests access to a protected resource. The web server returns a dialog box that requests the user name and password. The server validates the credentials and, if successful, returns the requested resource. There is no login page and no redirect; the browser re-sends the credentials with every subsequent request to that realm.

In form-based authentication, by contrast, if the login succeeds the server redirects the client to the resource; if the login fails, the client is redirected to an error page.

Two forms of mutual authentication are also available. In certificate-based mutual authentication (see the figure), the client requests a protected resource, the server presents its certificate, and the client verifies it; if successful, the client sends its own certificate, and the server verifies it. If successful, the server grants access to the protected resource requested by the client. In user name- and password-based mutual authentication (see the figure), the client requests a protected resource, the server presents its certificate, and the client verifies it. If successful, the client sends its user name and password to the server, which verifies the client's credentials.

If the verification is successful, the server grants access to the protected resource requested by the client.

To configure the example in deploytool, select one of the user authentication methods described earlier. Specify a security realm; if omitted, the file realm is assumed. Select the Settings button beside the User Authentication Mechanism field to specify the realm.

If the authentication method is form-based, specify a form login page and a form error page. Select the Settings button beside the User Authentication Mechanism field to specify the login page and the error page to be used for form-based authentication. Map the role name to the appropriate users and groups defined for the Application Server; see Adding Authorized Users for the needed modifications. Edit the build file; see Building the Examples for information on which properties need to be set.

Create the web client. For this example, the web client, a very simple JSP page, is already created. Create the login form and login error form pages. For this example, these files are already created.

Add the appropriate security elements using deploytool. You will use the asant tool to compile the example application and to run the client, and deploytool to package and deploy the application to the server. The security elements are the following.

A security constraint, which defines the access privileges to a collection of resources using their URL mapping.

A web resource collection, which identifies the subset of the resources within a web application to which a security constraint applies.

An authorized roles list, which indicates the user roles permitted to access this resource collection. In this example, it is users assigned the role of loginUser. If the authorization constraint is present but lists no role name, no user is allowed to access the portion of the web application described by the security constraint; omitting the authorization constraint altogether, on the other hand, leaves that portion accessible to everyone.

A user authentication method, which configures the authentication method used and the attributes needed by the form login mechanism (the login page and the error page).
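The elements just listed, written out as an added example web.xml deployment descriptor. This is not the tutorial's own file: the /protected/* URL pattern and the /login.jsp and /loginError.jsp page names are assumptions, while the loginUser role and the file realm come from the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml, not the tutorial's own descriptor. URL pattern and page
     names (/protected/*, /login.jsp, /loginError.jsp) are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Security constraint: which resources are protected and who may reach them -->
  <security-constraint>

    <!-- Web resource collection: the subset of the application the constraint covers.
         No http-method elements are listed on purpose: naming only GET and POST
         would leave HEAD, PUT, DELETE, OPTIONS, TRACE and any other method
         unconstrained. Omitting them protects every method. -->
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>

    <!-- Authorized roles list: only users mapped to loginUser get in.
         An <auth-constraint/> with no <role-name> would deny everyone;
         no <auth-constraint> at all would allow everyone. -->
    <auth-constraint>
      <role-name>loginUser</role-name>
    </auth-constraint>

    <!-- Require TLS for these resources so the credentials and the session
         cookie never cross the wire in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- User authentication method: FORM, with the login and error pages.
       The realm is the Application Server's file realm. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the role so deploytool can map it to users and groups -->
  <security-role>
    <role-name>loginUser</role-name>
  </security-role>
</web-app>
```

The form on /login.jsp must POST to the container-supplied action j_security_check with fields named j_username and j_password; the container validates them against the realm and, on success, redirects to the originally requested resource, or to the error page on failure. Mapping the loginUser role to concrete users and groups is done in deploytool, as described above. The CONFIDENTIAL transport guarantee is what makes the server redirect a plain HTTP request to HTTPS before the login form is ever shown, which is the protection the password caveat above calls for.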

The login page parameter provides the URI, relative to the document root, of the web resource used to authenticate the user. The error page parameter provides the URI, relative to the document root, of the web resource that sends the response when authentication has failed. To build and run the example, follow the instructions in Building the Examples and then in Adding Authorized Users.

The remainder of this page covers the same form-based pattern as implemented by ASP.NET forms authentication. There, the FormsIdentity class always returns the string "Forms" for its AuthenticationType property and true for its IsAuthenticated property.

The Name property returns the user name specified when the forms authentication ticket was created. In addition to these three properties, FormsIdentity exposes the underlying authentication ticket via its Ticket property. The important point is that the user name passed to the FormsAuthentication class's login methods is what comes back as User.Identity.Name, and the authentication ticket those methods create is available by casting User.Identity to a FormsIdentity object and then accessing its Ticket property.

Let's provide a more personalized message in the Default page. Displaying different content to authenticated and anonymous users is a common requirement, as is displaying the name of the currently logged-on user. For that reason, ASP.NET includes two Web controls that provide the same functionality shown in Figure 13 without the need to write a single line of code. The LoginView control is a template-based Web control that makes it easy to display different content to authenticated and anonymous users.

The LoginView includes two predefined templates: the AnonymousTemplate, rendered for anonymous users, and the LoggedInTemplate, rendered for authenticated users. Let's add the LoginView control to our site's master page rather than to an individual page; the rationale for this decision will become apparent shortly. Role-specific templates show markup only to those users who belong to a specified role; we will examine the role-based features of the LoginView control in a future tutorial. Content placed into the master page's ContentPlaceHolder controls is considered default content for that ContentPlaceHolder.

That is, ASP.NET pages that use this master page can specify their own content for each ContentPlaceHolder or use the master page's default content. The LoginView's templates can be defined from the Designer or in the declarative markup. From Visual Studio's Designer, expand the LoginView's smart tag, which lists the configured templates in a drop-down list.

The LoginName control, as its name implies, displays the name of the currently logged-in user. Internally, the LoginName control simply outputs the User.Identity.Name property. After making these additions, the LoginView's LoggedInTemplate greets the user by name through a LoginName control, and its AnonymousTemplate shows a generic greeting instead.

With this addition to the Site master page, Figure 15 shows the Default page with the "Welcome back, Jisun" message repeated twice: once in the master page's navigation section on the left, via the LoginView control we just added, and once in the Default page's own content.

Because we added the LoginView to the master page, it can appear in every page on our site. However, there may be web pages where we don't want to show this message. One such page is the login page, since a link to the login page seems out of place there.

Since we placed the LoginView control in a ContentPlaceHolder in the master page, we can override this default markup in a content page. Open the Login page.

Since we have not explicitly defined a Content control for this ContentPlaceHolder in the Login page, the master page's default content, the LoginView, is displayed there. To override the default markup for the LoginContent ContentPlaceHolder, right-click on the region in the Designer and choose the Create Custom Content option from the context menu. In Visual Studio the ContentPlaceHolder also includes a smart tag that, when selected, offers the same option.

This adds a new Content control to the page's markup and thereby allows us to define custom content for this page. You could add a custom message here, such as "Please log in…", but let's just leave it blank. Depending on the Visual Studio version, creating custom content either leaves the new Content control empty or copies the master page's default content into it. In the latter case, make sure to clear out the content copied over from the master page; otherwise the LoginView still appears on the login page.

Figure 17 shows the Login page after this change. In Step 3 we looked at building a login page to log a user in to the site, but we have yet to see how to log a user out. In addition to methods for logging a user in, the FormsAuthentication class also provides a SignOut method. SignOut destroys the forms authentication ticket by expiring its cookie, thereby logging the user out of the site.

Offering a log out link is such a common feature that ASP.NET includes a control specifically designed to log a user out: the LoginStatus control.

The LoginStatus control renders a "Login" LinkButton for anonymous users and a "Logout" LinkButton for authenticated users. Clicking the "Login" LinkButton causes a postback, from which a redirect is issued to the login page. Clicking the "Logout" LinkButton causes a postback, calls the FormsAuthentication.SignOut method, and then redirects the user to a page. The page the logged-off user is redirected to depends on the LogoutAction property, which can be assigned one of three values: Refresh, which redirects back to the current page; Redirect, which sends the user to the URL given in the LogoutPageUrl property; and RedirectToLoginPage, which sends the user to the login page.

You may be curious as to why a redirect is performed here. If the user is to remain on the same page, why the need for the explicit redirect? The reason is that when the "Logout" LinkButton is clicked, the browser still sends the forms authentication ticket in its cookies collection with the postback, so the postback request is an authenticated request; SignOut only instructs the browser, via the response, to discard the cookie. The explicit redirect therefore causes the browser to re-request the page.

By the time the browser re-requests the page, the forms authentication ticket has been removed, and the incoming request is therefore anonymous.

Let's add a LoginStatus control to the master page and configure it to use the Redirect option to send the user to a page that displays a message confirming that they have been signed out. Start by creating a Logout page in the root directory, and don't forget to associate this page with the Site master page. Next, enter a message in the page's markup explaining to the user that they have been logged out.

Next, return to the Site master page and add the LoginStatus control to both of the LoginView's templates. Figure 18 shows the Default page after this change. Note that the left column displays the message "Welcome back, Jisun" along with a link to log out.
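Pulling the pieces described above together, here is an added example of a single-file master page. It is not the tutorial's own Site master page: it shows the LoginView with its AnonymousTemplate and LoggedInTemplate, a LoginName inside the latter, LoginStatus controls with the Redirect action, a Page_Load that casts User.Identity to FormsIdentity and reads the ticket as described earlier, and a hand-written logout handler that shows why the redirect after SignOut is needed. The Logout.aspx path, the TicketInfo label and the ManualLogout button are assumptions; LoginContent is the ContentPlaceHolder the text names.

```aspx
<%@ Master Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<%-- Added example, not the tutorial's own Site master page. Logout.aspx, the
     TicketInfo label and the ManualLogout button are assumptions; LoginContent
     is the ContentPlaceHolder named in the text. --%>
<script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.IsAuthenticated is true only if FormsAuthenticationModule found
        // and validated a ticket on this request.
        if (!Request.IsAuthenticated)
        {
            TicketInfo.Text = "Anonymous request: no forms authentication ticket.";
            return;
        }

        // The module installs a FormsIdentity; the cast exposes the ticket.
        FormsIdentity identity = Page.User.Identity as FormsIdentity;
        if (identity == null)
        {
            // Authenticated by another module (e.g. Windows); no ticket to inspect.
            TicketInfo.Text = "Authenticated via " + Page.User.Identity.AuthenticationType;
            return;
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        TicketInfo.Text = String.Format(
            "{0} authenticated by {1}; ticket issued {2:u}, expires {3:u}, persistent={4}",
            ticket.Name,                    // same value as identity.Name
            identity.AuthenticationType,    // always "Forms"
            ticket.IssueDate, ticket.Expiration, ticket.IsPersistent);
    }

    // Hand-rolled equivalent of what LoginStatus does when "Logout" is clicked.
    protected void ManualLogout_Click(object sender, EventArgs e)
    {
        // SignOut only expires the ticket cookie in the *response*. The cookie that
        // arrived with this postback is still in Request.Cookies, so for the rest of
        // this request Request.IsAuthenticated remains true.
        FormsAuthentication.SignOut();

        // Hence the redirect: the browser re-requests the page without the ticket,
        // and that new request is processed as anonymous.
        Response.Redirect("~/Logout.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
</script>
<html>
<body>
<form id="form1" runat="server">
  <div class="navigation">
    <asp:ContentPlaceHolder ID="LoginContent" runat="server">
      <%-- Default content. A content page (e.g. the login page) overrides it by
           declaring its own, possibly empty, Content control for LoginContent. --%>
      <asp:LoginView ID="LoginView1" runat="server">
        <AnonymousTemplate>
          Hello, stranger.
          <%-- Renders a "Login" link to the login page with ReturnUrl set to the current URL --%>
          <asp:LoginStatus ID="LoginStatusAnon" runat="server" />
        </AnonymousTemplate>
        <LoggedInTemplate>
          Welcome back, <asp:LoginName ID="LoginName1" runat="server" />.
          <%-- Renders "Logout"; on click calls FormsAuthentication.SignOut() then redirects --%>
          <asp:LoginStatus ID="LoginStatusAuth" runat="server"
                           LogoutAction="Redirect" LogoutPageUrl="~/Logout.aspx" />
          <asp:LinkButton ID="ManualLogout" runat="server"
                          Text="Logout (manual)" OnClick="ManualLogout_Click" />
        </LoggedInTemplate>
      </asp:LoginView>
    </asp:ContentPlaceHolder>
    <asp:Label ID="TicketInfo" runat="server" />
  </div>
  <asp:ContentPlaceHolder ID="MainContent" runat="server" />
</form>
</body>
</html>
```

Use it as the site's master page; the login page then overrides LoginContent with an empty Content control as described above. The null check after the cast matters: User.Identity is only a FormsIdentity when the request was authenticated by the forms module, and a blind cast would throw for any other authentication type.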

Clicking the log out LinkButton causes a postback, signs Jisun out of the system, and then redirects her to the Logout page. As Figure 19 shows, by the time Jisun reaches the Logout page she is anonymous again; consequently, the left column shows the text "Hello, stranger" and a link to the login page. Figure 18: the Default page. Figure 19: the Logout page. I encourage you to customize the Logout page. The reason is that the "Login" LinkButton rendered by the LoginStatus control (the one beneath "Hello, stranger") sends the user to the login page, passing the current URL in the ReturnUrl querystring parameter.

In short, if a user who has logged out clicks this "Login" LinkButton and then logs in, they will be redirected back to the Logout page.

In this tutorial we started with an examination of the forms authentication workflow and then turned to implementing forms authentication in an ASP.NET application. Forms authentication is powered by the FormsAuthenticationModule, which has two responsibilities: identifying users based on their forms authentication ticket, and redirecting unauthorized users to the login page.

The .NET Framework's FormsAuthentication class includes methods for creating, inspecting, and removing forms authentication tickets. The Request.IsAuthenticated property and User object provide additional programmatic support for determining whether a request is authenticated and for information about the user's identity. There are also the LoginView, LoginStatus, and LoginName Web controls, which give developers a quick, code-free way to perform many common login-related tasks.

We will examine these and other login-related Web controls in greater detail in future tutorials. This tutorial provided a cursory overview of forms authentication. We did not examine the assorted configuration options, look at how cookieless forms authentication tickets work, or explore how ASP.NET protects the contents of the forms authentication ticket.

Scott works as an independent consultant, trainer, and writer. He can be reached at mitchell@4GuysFromRolla.com. This tutorial series was reviewed by many helpful reviewers. Lead reviewer for this tutorial was

Interested in reviewing my upcoming MSDN articles? If so, drop me a line at mitchell@4GuysFromRolla.com.
