AltairisWebSecurity Wiki & Documentation Rss Feed

Updated Wiki: Home

altair — Sun, 08 Jul 2012 14:18:52 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above. The relevant classes are still present in the assembly, but are now marked as obsolete.

Altairis Web Security toolkit is in the NuGet Gallery

You may install Altairis Web Security Toolkit using the NuGet package manager (former NuPack). The package name is Altairis.Web.Security,

For more info about NuGet visit http://www.nuget.org.

Database agnostic providers

Since release 2.2.0 are the TableMembershipProvider and TableRoleProvider classes database agnostic. They should be working with any SQL database, for which an ADO.NET provider is available. Currently, SQL Server and SQL Compact 4.0 are tested to work. See the following links for setup instructions:

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Using Entity Framework Code First

The Table*Providers work well with Entity Framework Code first. Read more in the following articles on Culbertson Exchange:

Further information

Author and contact

Updated Wiki: SQL Table Providers

altair — Sun, 08 Jul 2012 14:12:24 GMT

SQL Table Providers

The provider object model, as present in ASP.NET 2.0, is a great step forward from hand-coded behavior in ASP.NET 1.x. But the provider model is only as useful as are available providers. Microsoft .NET itself contains set of providers which can store their data in Microsoft SQL Server database: SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider. However, database structure used by these providers is pretty complicated and almost impossible to interconnect with your own tables etc.

So I created set of my own providers, using very simple table structure. Some functionality of the original providers was lost, especially the ability to store data for several applications in single database. But the simple and straightforward database allows you to easily plug it into your existing infrastructure.

Features

Simplicity, ability to connect to rest of database infrastructure

The main goal of these providers is to use simple table structure, which can be easily connected to other database architecture using foreign keys etc. The tables used are also extendable, additional columns may be created, as long as they are nullable or have default values.

Database independence

The providers are written to be database agnostic, as long as the database has ADO.NET provider and understands SQL and named parameters. Microsoft SQL Server and SQL Compact are the main target databases and the providers are tested to work with them. See the following links for setup instructions:

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Account lockdown not supported

The ASP.NET Membership infrastructure supports the account lockdown feature. After several failed login attempts, the account is disabled. In my eyes this feature offers great opportunity for denial of service attack directed to certain users - I can write a program which will repeatedly login with random passwords and deny access to legitimate users. Therefore the functionality is intentionally not implemented in the providers. use other way to protect your application from dictionary attacks.

Differences from Simple SQL Providers

The first generation of providers was quite successful, so I retained the good bits, but the providers are basically rewritten from scratch, in new .NET 4.0.

The new SQL Table providers have several additional features:

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

The downside of the new password hashing and storage is that there is no upgrade path from the Simple SQL Providers. You can upgrade easily, but the passwords are lost. So in case of upgrading, you need to notify your users and issue new passwords or use some kind of password reset mechanisms.

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.
- useEmailAddressAsUserName - when set to true, user name is forced to be the same as e-mail address. The requiresUniqueEmail attribute must be set to true as well. By changing e-mail address, user name is changed too, which may cause interoperability problems, so use with caution.
- useDateTimeOffset* - when set to true, the datetimeoffset data type is used internally instead of datetime. Use when working with database structure using it.
- userKeyType - allows specify Custom Provider User Keys; may have following values:
  - UserName (default) - user name is used as provider user key
  - IntIdentity - integer generated by database backend (by means of IDENTITY clause or similar mechanism) is used as provider user key
  - Guid - GUID is generated by membership prpvoder and used as key

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

New Comment on "SQL Table Providers"

IslandTalker — Mon, 21 Feb 2011 07:58:58 GMT

Nice work, and thanks.

New Comment on "Microsoft SQL Server Support"

IslandTalker — Mon, 21 Feb 2011 07:55:31 GMT

Hi, Does the email have to be nvarchar(max)? Seem rather large for an email.

Updated Wiki: Custom Provider User Keys

altair — Thu, 27 Jan 2011 01:06:29 GMT

Custom Provider User Keys

Since release 2.3.0 you have three ways of using provider user keys (main identifiers): user names, integer identities and GUIDs.

Using user names

Primary key in database (or "provider user key" in membership terminology) is the user name string. This is default value. No special configuration and changes in database are needed.

Using integer identities

To use integer identities, set the userKeyType configuration attribute to IntIdentity. In this case, integer identifier is used as primary key. The key is to be generated on database side, by means of the IDENTITY clause or similar mechanism on column named UserId. Is recommended (although not technically required) to specify additional unique index over the UserName table.

The following SQL command can be used to create required table in MS SQL Server:

CREATE TABLE Users (
    UserId                  int identity        NOT NULL,
    UserName                nvarchar(100)       NOT NULL,
    PasswordHash            binary(64)          NOT NULL,
    PasswordSalt            binary(128)         NOT NULL,
    Email                   nvarchar(max)       NOT NULL,
    Comment                 nvarchar(max)       NULL,
    IsApproved              bit                 NOT NULL,
    DateCreated             datetime            NOT NULL,
    DateLastLogin           datetime            NULL,
    DateLastActivity        datetime            NULL,
    DateLastPasswordChange  datetime            NOT NULL,
    CONSTRAINT PK_UsersByIntIdentity PRIMARY KEY CLUSTERED (UserId)
)
CREATE UNIQUE NONCLUSTERED INDEX IX_Users_UserName ON Users (UserName)

Using GUIDs

To use GUID identities, set the userKeyType configuration attribute to Guid. In this case, uniqueidentifier is used as primary key. The key is generated on provideer side, you only need to add uniqueidentifier column named UserId. Is recommended (although not technically required) to specify additional unique index over the UserName table.

In this setting, you can explicitly specify providerUserKey argument in the CreateUser method, as long as it's unique GUID. If you don't specify it, the key would be generated automatically.

The following SQL command can be used to create required table in MS SQL Server:

CREATE TABLE Users (
    UserId                  uniqueidentifier    NOT NULL,
    UserName                nvarchar(100)       NOT NULL,
    PasswordHash            binary(64)          NOT NULL,
    PasswordSalt            binary(128)         NOT NULL,
    Email                   nvarchar(max)       NOT NULL,
    Comment                 nvarchar(max)       NULL,
    IsApproved              bit                 NOT NULL,
    DateCreated             datetime            NOT NULL,
    DateLastLogin           datetime            NULL,
    DateLastActivity        datetime            NULL,
    DateLastPasswordChange  datetime            NOT NULL,
    CONSTRAINT PK_UsersByGuid PRIMARY KEY CLUSTERED (UserId)
)
CREATE UNIQUE NONCLUSTERED INDEX IX_Users_UserName ON Users (UserName)

Sample

See the TableProviderSampleUserKeys sample for info how to use and configure this feature.

Updated Wiki: Custom Provider User Keys

altair — Tue, 25 Jan 2011 02:25:51 GMT

Custom Provider User Keys

Since release 2.3.0 you have three ways of using provider user keys (main identifiers): user names, integer identities and GUIDs.

Using user names

Primary key in database (or "provider user key" in membership terminology) is the user name string. This is default value. No special configuration and changes in database are needed.

Using integer identities

CREATE TABLE Users (
    UserId                  int identity        NOT NULL,
    UserName                nvarchar(100)       NOT NULL,
    PasswordHash            binary(64)          NOT NULL,
    PasswordSalt            binary(128)         NOT NULL,
    Email                   nvarchar(max)       NOT NULL,
    Comment                 nvarchar(max)       NULL,
    IsApproved              bit                 NOT NULL,
    DateCreated             datetime            NOT NULL,
    DateLastLogin           datetime            NULL,
    DateLastActivity        datetime            NULL,
    DateLastPasswordChange  datetime            NOT NULL,
    CONSTRAINT PK_UsersByIntIdentity PRIMARY KEY CLUSTERED (UserId)
)
CREATE UNIQUE NONCLUSTERED INDEX IX_UsersByIntIdentity_UserName ON UsersByIntIdentity (UserName)

Using GUIDs

CREATE TABLE Users (
    UserId                  uniqueidentifier    NOT NULL,
    UserName                nvarchar(100)       NOT NULL,
    PasswordHash            binary(64)          NOT NULL,
    PasswordSalt            binary(128)         NOT NULL,
    Email                   nvarchar(max)       NOT NULL,
    Comment                 nvarchar(max)       NULL,
    IsApproved              bit                 NOT NULL,
    DateCreated             datetime            NOT NULL,
    DateLastLogin           datetime            NULL,
    DateLastActivity        datetime            NULL,
    DateLastPasswordChange   datetime           NOT NULL,
    CONSTRAINT PK_UsersByGuid PRIMARY KEY CLUSTERED (UserId)
)
CREATE UNIQUE NONCLUSTERED INDEX IX_UsersByGuid_UserName ON UsersByGuid (UserName)

Sample

See the TableProviderSampleUserKeys sample for info how to use and configure this feature.

Updated Wiki: SQL Table Providers

altair — Tue, 25 Jan 2011 02:13:25 GMT

SQL Table Providers

Features

Simplicity, ability to connect to rest of database infrastructure

Database independence

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Account lockdown not supported

Differences from Simple SQL Providers

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.
- useEmailAddressAsUserName - when set to true, user name is forced to be the same as e-mail address. The requiresUniqueEmail attribute must be set to true as well. By changing e-mail address, user name is changed too, which may cause interoperability problems, so use with caution.
- userKeyType - allows specify Custom Provider User Keys; may have following values:
  - UserName (default) - user name is used as provider user key
  - IntIdentity - integer generated by database backend (by means of IDENTITY clause or similar mechanism) is used as provider user key
  - Guid - GUID is generated by membership prpvoder and used as key

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

Updated Wiki: Home

altair — Sun, 23 Jan 2011 23:01:32 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

Altairis Web Security toolkit is in the NuGet Gallery

You may install Altairis Web Security Toolkit using the NuGet package manager (former NuPack). The package name is Altairis.Web.Security,

For more info about NuGet visit http://www.nuget.org.

Database agnostic providers

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Further information

Author and contact

Updated Wiki: SQL Table Providers

altair — Sun, 23 Jan 2011 22:43:56 GMT

SQL Table Providers

Features

Simplicity, ability to connect to rest of database infrastructure

Database independence

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Account lockdown not supported

Differences from Simple SQL Providers

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

Updated Wiki: SQL Table Providers

altair — Sun, 23 Jan 2011 22:31:48 GMT

SQL Table Providers

The provider object model, as present in ASP.NET 2.0, is a great step forward from hand-coded behavior in ASP.NET 1.x. But the provider model is only as useful as are available providers. Microsoft .NET itself contains set of profiles which can store their data in Microsoft SQL Server database: SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider. However, database structure used by these providers is pretty complicated and almost impossible to interconnect with your own tables etc.

So I created set of my own providers, using very simple table structure. Some functionality of the original providers was lost, especially the ability to store data for several applications in single database. But the simple and straightforward database allows you to easily plug it into your existing infrastructure.

Features

Database independence

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Account lockdown not supported

Differences from Simple SQL Providers

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

Updated Wiki: Microsoft SQL Server Support

altair — Sun, 23 Jan 2011 22:28:58 GMT

Microsoft SQL Server Support

You may use Microsoft SQL Server as database for TableMembershipProvider and TableRoleProvider. Any version and edition of Microsoft SQL Server should work, tested versions are 2005, 2008 and 2008 R2.

Database setup

You need to create tables, based on what providers you want to use

Membership provider

Single table (by default named Users) is required by membership provider. Use the following SQL code to create it:

CREATE TABLE dbo.Users (
    UserName                nvarchar(100)  NOT NULL,
    PasswordHash            binary(64)     NOT NULL,
    PasswordSalt            binary(128)    NOT NULL,
    Email                   nvarchar(max)  NOT NULL,
    Comment                 nvarchar(max)  NULL,
    IsApproved              bit            NOT NULL,
    DateCreated             datetime       NOT NULL,
    DateLastLogin           datetime       NULL,
    DateLastActivity        datetime       NULL,
    DateLastPasswordChange  datetime       NOT NULL,
    CONSTRAINT PK_Users PRIMARY KEY CLUSTERED (UserName)
)

You may add other columns needed by your application, as long as they are either nullable or have defaults assigned. The membership provider would not touch them.

Role provider

Role provider requires two tables. First (called Roles by default) contains the role definitions. Second (called RoleMemberships by default) contains which users are members of which roles. Use the following SQL code to create the two tables:

CREATE TABLE dbo.Roles (
    RoleName                nvarchar(100)  NOT NULL,
    CONSTRAINT PK_Roles PRIMARY KEY CLUSTERED (RoleName)
)
CREATE TABLE dbo.RoleMemberships (
    UserName                nvarchar(100)  NOT NULL,
    RoleName                nvarchar(100)  NOT NULL,
    CONSTRAINT PK_RoleMemberships PRIMARY KEY CLUSTERED (UserName, RoleName),
    CONSTRAINT FK_RoleMemberships_Roles 
        FOREIGN KEY (RoleName) REFERENCES dbo.Roles (RoleName) 
        ON UPDATE CASCADE ON DELETE CASCADE,
)

Using membership and role providers together

The membership and role providers are totally independent and can be combined with any other providers. However, if you use both the TableMembershipProvider and TableRoleProvider, you might want to add foreign key constraint between their tables, so when you delete the user, its role mappings are deleted as well:

ALTER TABLE dbo.RoleMemberships 
    ADD CONSTRAINT FK_RoleMemberships_Users 
    FOREIGN KEY (UserName) REFERENCES dbo.Users (UserName) 
    ON UPDATE CASCADE ON DELETE CASCADE

Updated Wiki: Home

altair — Sun, 23 Jan 2011 22:11:09 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above.

Altairis Web Security toolkit is in the NuGet Gallery

You may install Altairis Web Security Toolkit using the NuGet package manager (former NuPack). The package name is Altairis.Web.Security,

For more info about NuGet visit http://www.nuget.org.

Database agnostic providers

Microsoft SQL Server Support (version 2005, 2008, 2008 R2, including Express editions)
SQL Server Compact Support (version 4.0)

Further information

Author and contact

New Comment on "SQL Table Providers"

selarom — Tue, 11 Jan 2011 18:05:04 GMT

never mind I see it is in the "SimpleSqlSample" of the download, thanks

New Comment on "SQL Table Providers"

selarom — Tue, 11 Jan 2011 18:02:41 GMT

What about setting up profile providers? how is this done?

Updated Wiki: Home

altair — Thu, 30 Dec 2010 15:06:35 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above.

Altairis Web Security toolkit is in the official NuGet feed

You may install Altairis Web Security Toolkit using the NuGet package manager (former NuPack). The package name is Altairis.Web.Security,

For more info about NuGet visit http://nuget.codeplex.com.

Beta support for Microsoft SQL Server Compact Edition

The latest beta release (2.1.0.0) adds experimental support for the Microsoft SQL Server Compact Edition (SQL CE 4.0) to be used for storage. See wiki page SQL Server Compact Support for more information about using SQL CE for membership.

Further information

Author and contact

Updated Wiki: Home

altair — Sat, 25 Dec 2010 23:29:22 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, working with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above.

Beta support for Microsoft SQL Server Compact Edition

Further information

Author and contact

Updated Wiki: Home

altair — Sat, 25 Dec 2010 22:40:10 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, woring with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above.

Beta support for Microsoft SQL Server Compact Edition

Further information

Author and contact

Updated Wiki: SQL Server Compact Support

altair — Sat, 25 Dec 2010 22:18:34 GMT

SQL Server Compact Support

The Compact Edition of Microsoft SQL Server is embedded database, which can serve as lightweight database server for smaller applications. The new version 4.0 (in CTP stage at time of writing) supports the ASP.NET web applications (unlike the previous versions).

The TableMembershipProvider and TableRoleProvider classes in this release support SQL CE as their data store.

Creating the SDF file

The SQL Compact database lives in .sdf file. Right now it's quite tricky to create SQL CE 4.0 sdf files, because of limited tooling support. There are third-party tools (like SQL CE Toolbox. Service Pack 1 for Visual Studio 2010 will add supprt to VS 2010 and you can also manage SDF files with WebMatrix.

The source includes SDF file with empty tables in /trunk/Altairis.Web.Security/Resources/TableProvidersCE.sdf. You can also use the following SQL commands to create the required tables (please note that you must run only one command at a time, as SQL CE does not understand batches):

-- Table for TableMembershipProvider
CREATE TABLE Users (
    UserName                nvarchar(100)   NOT NULL,
    PasswordHash            binary(64)      NOT NULL,
    PasswordSalt            binary(128)     NOT NULL,
    Email                   nvarchar(100)   NOT NULL,
    Comment                 nvarchar(4000)  NULL,
    IsApproved              bit             NOT NULL,
    DateCreated             datetime        NOT NULL,
    DateLastLogin           datetime        NULL,
    DateLastActivity        datetime        NULL,
    DateLastPasswordChange  datetime        NOT NULL,
    CONSTRAINT PK_Users PRIMARY KEY (UserName)
)

-- Tables for TableRoleProvider
CREATE TABLE Roles (
    RoleName                nvarchar(100)    NOT NULL,
    CONSTRAINT PK_Roles PRIMARY KEY (RoleName)
)
CREATE TABLE RoleMemberships (
    UserName                nvarchar(100)    NOT NULL,
    RoleName                nvarchar(100)    NOT NULL,
    CONSTRAINT PK_RoleMemberships PRIMARY KEY (UserName, RoleName),
    CONSTRAINT FK_RoleMemberships_Roles FOREIGN KEY (RoleName) 
        REFERENCES Roles (RoleName) ON UPDATE CASCADE ON DELETE CASCADE
)

-- When using both these providers together, you may want to add the foreign key
ALTER TABLE RoleMemberships 
    ADD CONSTRAINT FK_RoleMemberships_Users FOREIGN KEY (UserName)
    REFERENCES Users (UserName) ON UPDATE CASCADE ON DELETE CASCADE

Configuring providers to use database

No special configuration is needed. The only requirement is to set providerName attribute of connection string to System.Data.SqlServerCe.4.0. The library will use the right provider based on this. You must also reference the

See sample web.config file for using SQL CE database:

<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" 
             providerName="System.Data.SqlServerCe.4.0" 
             connectionString="Data Source=|DataDirectory|TableAuthDB.sdf"/>
    </connectionStrings>
    <!-- No furhter changes required, common provider configuration included for reference  -->
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security" 
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security" 
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Sample

The download includes example TableProviderSampleCE, which is similar to TableProviderSample, just uses the SQL CE instead of SQL Server.

Updated Wiki: SQL Table Providers

altair — Sat, 25 Dec 2010 20:33:25 GMT

SQL Table Providers

The provider object model, as present in ASP.NET 2.0, is a great step forward from hand-coded behavior in ASP.NET 1.x. But the provider model is only as useful as are available providers. Microsoft .NET itself contains set of profiles which can store their data in Microsoft SQL Server database: SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider. However, database structure used by these providers is pretty complicated and almost impossible to interconnect with your own tables etc.

So I created set of my own providers, using very simple table structure. Some functionality of the original providers was lost, especially the ability to store data for several applications in single database. But the simple and straightforward database allows you to easily plug it into your existing infrastructure.

Features

Database independence

At this time, the providers are written for Microsoft SQL Server 2005 and above. But the way code is written allows easy support for other databases, as long as they understand SQL and named parameters.

Version 2.1 will support SQL Server Compact 4.0 (currently in CTP). If you wish to add support for other databases, feel free to do so and drop me a line, so I can merge it to main branch.

Account lockdown not supported

Differences from Simple SQL Providers

For hashing, the standard HMACSHA512 class and algo are supported, instead of homebrew salting.
Password hash and salt (or key, in HMAC terminology) are stored as binary database fields, not Base64-encoded strings.
The int UserId column was dropped and UserName is now used as primary key instead.
Implemented better tracking of user activity and now supporting the GetNumberOfUsersOnline method.
Names of all tables are now configurable.

Database setup

Membership provider

Single table (by default named Users) is required by membership provider. Use the following SQL code to create it:

CREATE TABLE dbo.Users (
    UserName                nvarchar(100)  NOT NULL,
    PasswordHash            binary(64)     NOT NULL,
    PasswordSalt            binary(128)    NOT NULL,
    Email                   nvarchar(max)  NOT NULL,
    Comment                 nvarchar(max)  NULL,
    IsApproved              bit            NOT NULL,
    DateCreated             datetime       NOT NULL,
    DateLastLogin           datetime       NULL,
    DateLastActivity        datetime       NULL,
    DateLastPasswordChange  datetime       NOT NULL,
    CONSTRAINT PK_Users PRIMARY KEY CLUSTERED (UserName)
)

You may add other columns needed by your application, as long as they are either nullable or have defaults assigned. The membership provider would not touch them.

Role provider

CREATE TABLE dbo.Roles (
    RoleName                nvarchar(100)  NOT NULL,
    CONSTRAINT PK_Roles PRIMARY KEY CLUSTERED (RoleName)
)
CREATE TABLE dbo.RoleMemberships (
    UserName                nvarchar(100)  NOT NULL,
    RoleName                nvarchar(100)  NOT NULL,
    CONSTRAINT PK_RoleMemberships PRIMARY KEY CLUSTERED (UserName, RoleName),
    CONSTRAINT FK_RoleMemberships_Roles 
        FOREIGN KEY (RoleName) REFERENCES dbo.Roles (RoleName) 
        ON UPDATE CASCADE ON DELETE CASCADE,
)

Using membership and role providers together

ALTER TABLE dbo.RoleMemberships 
    ADD CONSTRAINT FK_RoleMemberships_Users 
    FOREIGN KEY (UserName) REFERENCES dbo.Users (UserName) 
    ON UPDATE CASCADE ON DELETE CASCADE

Configuring the providers in web.config

To use the SQL Table providers, include the following settings in your web.config file:

<configuration>
    <appSettings/>
    <connectionStrings>
        <add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="..."/>
    </connectionStrings>
    <system.web>
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear/>
                <add name="MyMembershipProvider"
                     type="Altairis.Web.Security.TableMembershipProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB" />
            </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="MyRoleProvider">
            <providers>
                <clear/>
                <add name="MyRoleProvider" 
                     type="Altairis.Web.Security.TableRoleProvider, Altairis.Web.Security"
                     connectionStringName="TableAuthDB"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

Configuring membership provider

The following configuration attributes are supported:

Common for all membership providers:
- applicationName (can be set, but is ignored)
- minRequiredNonAlphanumericCharacters
- minRequiredPasswordLength
- passwordStrengthRegularExpression
- requiresUniqueEmail
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- tableName - name of database table to store user information. Default is Users.

Configuring role provider

The following configuration attributes are supported:

Common for all role providers:
- applicationName (can be set, but is ignored)
Specific for this provider:
- connectionStringName - name of connection string defined in the connectionStrings section to use for database connectivity.
- rolesTableName - name of database table to store roles. Default is Roles.
- roleMembershipsTableName - name of database table to store information about role members. Default is RoleMemberships.

Updated Wiki: Home

altair — Sat, 25 Dec 2010 19:32:48 GMT

The Altairis Web Security Toolkit consists of several parts:

SQL Table Providers are re-implementation of standard ASP.NET membership, profile and role providers, but using simple database structure.
PlainTextMembershipProvider is basic low-security membership provider using plain text file as its user database.
BasicAuthenticationModule is authentication module for ASP.NET/IIS7, implementing standard HTTP Basic Authentication, woring with any membership provider (including, but not limited to the two contained in this library)

The original release (older than 2.0) contained also Simple SQL Providers, which are no longer developed and were replaced by SQL Table Providers mentioned above.

Further information

Author and contact