June 24 2012

ASP.NET MVC3 + Altairis Web Security Toolkit

In this post I'll show you how to install and configure the Altairis Web Security Toolkit in an MVC3 application. The Altairis Web Security Toolkit is a simple, easy-to-use ASP.NET Membership Provider with a clean table structure. It's much nicer to work with than the default ASP.NET Membership Provider.

To follow this tutorial you'll need Visual Studio 2010, SQL Server 2008 Express and ASP.NET MVC3 installed.

Create an MVC3 Application using the Internet Application template

The Internet Application project template includes login and registration functionality out of the box.

  • Open Visual Studio 2010
  • Select File -> New Project
  • Select ASP.NET MVC 3 Web Application
  • Enter a Name and Location for the project and click OK
  • Select the Internet Application project template and click OK

Install Altairis Web Security Toolkit

  • Right click your project and select Manage NuGet Packages
  • In the left column select Online and enter Altairis in the search field
  • Select Altairis Web Security Toolkit and click Install
  • After it's installed, click Close on the package manager window

Create Database and Membership Tables

  • Open SQL Server Management Studio and connect to your local server instance
  • Right click Databases and select New Database
  • Enter a Database name and click OK
  • Right click your database and select New Query
  • Execute the following SQL:
CREATE TABLE [RoleMemberships]
  (
     [UserName] NVARCHAR(100) NOT NULL,
     [RoleName] NVARCHAR(100) NOT NULL
  );

GO

CREATE TABLE [Roles]
  (
     [RoleName] NVARCHAR(100) NOT NULL
  );

GO

CREATE TABLE [Users]
  (
     [UserName]               NVARCHAR(100) NOT NULL,
     [PasswordHash]           BINARY(64) NOT NULL,
     [PasswordSalt]           BINARY(128) NOT NULL,
     [Email]                  NVARCHAR(100) NOT NULL,
     [Comment]                NVARCHAR(4000) NULL,
     [IsApproved]             BIT NOT NULL,
     [DateCreated]            DATETIME NOT NULL,
     [DateLastLogin]          DATETIME NULL,
     [DateLastActivity]       DATETIME NULL,
     [DateLastPasswordChange] DATETIME NOT NULL
  );

GO

ALTER TABLE [RoleMemberships]
  ADD CONSTRAINT [PK_RoleMemberships] PRIMARY KEY ([UserName], [RoleName]);

GO

ALTER TABLE [Roles]
  ADD CONSTRAINT [PK_Roles] PRIMARY KEY ([RoleName]);

GO

ALTER TABLE [Users]
  ADD CONSTRAINT [PK_Users] PRIMARY KEY ([UserName]);

GO

ALTER TABLE [RoleMemberships]
  ADD CONSTRAINT [FK_RoleMemberships_Roles] FOREIGN KEY ([RoleName]) REFERENCES
  [Roles]([RoleName]) ON DELETE CASCADE ON UPDATE CASCADE;

GO

ALTER TABLE [RoleMemberships]
  ADD CONSTRAINT [FK_RoleMemberships_Users] FOREIGN KEY ([UserName]) REFERENCES
  [Users]([UserName]) ON DELETE CASCADE ON UPDATE CASCADE;

GO

Create Login for Database

  • Expand the root Security folder (not the one under the database), right click the Logins folder and select New Login
  • Select SQL Server Authentication, enter a Login name and Password
  • Un-check the Enforce password policy checkbox
  • In the left column under Select a page, select User Mapping
  • Under Users mapped to this login, check the box next to your database
  • Under Database role membership for:, check the box next to db_owner
  • Click OK
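
The GUI steps above turn off password policy and map the login to db_owner. The script below is an added example, not part of the original post or the Altairis project: it creates the same kind of SQL login with policy enforcement left on and grants only data access on the three membership tables. The names MvcAppLogin, MvcAppUser, MembershipApp and YourDatabase and the password are placeholders, and it assumes the tables live in the dbo schema and that the providers only read and write rows in them.

```sql
-- Added example: least-privilege login for the membership database.
-- All names and the password are placeholders; replace before running.
USE [master];
GO

CREATE LOGIN [MvcAppLogin]
  WITH PASSWORD = N'<STRONG PASSWORD>',   -- placeholder
       CHECK_POLICY = ON,                 -- keep password policy enforced
       CHECK_EXPIRATION = OFF,            -- service account: no forced expiry
       DEFAULT_DATABASE = [YourDatabase];
GO

USE [YourDatabase];
GO

-- Database user mapped to the login, with no fixed database roles.
CREATE USER [MvcAppUser] FOR LOGIN [MvcAppLogin];
GO

-- Custom role carrying only row-level access to the membership tables.
CREATE ROLE [MembershipApp];
GO

GRANT SELECT, INSERT, UPDATE, DELETE ON [dbo].[Users]           TO [MembershipApp];
GRANT SELECT, INSERT, UPDATE, DELETE ON [dbo].[Roles]           TO [MembershipApp];
GRANT SELECT, INSERT, UPDATE, DELETE ON [dbo].[RoleMemberships] TO [MembershipApp];
GO

-- sp_addrolemember is used because it works on SQL Server 2008.
EXEC sp_addrolemember N'MembershipApp', N'MvcAppUser';
GO

-- Check the result from the application user's point of view.
EXECUTE AS USER = N'MvcAppUser';

SELECT entity_name, permission_name
FROM   fn_my_permissions(N'dbo.Users', N'OBJECT')
WHERE  subentity_name = N'';              -- object-level rows only

SELECT IS_MEMBER(N'db_owner') AS IsDbOwner; -- membership in db_owner

REVERT;
GO
```

With this login, the user id and password in the TableAuthDB connection string are the login name and password chosen here. The account cannot alter the schema, so the CREATE TABLE script has to be run under an administrative login.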

Update Connection String in Web.config

  • Go back to Visual Studio and open Web.config
  • Find the connection string TableAuthDB and update it to point to the database created in the previous step. It should look something like this:
<add name="TableAuthDB" providerName="System.Data.SqlClient" connectionString="server=.\SQLExpress;database=[DATABASE NAME];user id=[USERNAME];password=[PASSWORD]" />

Remove duplicate <roleManager>...</roleManager> from Web.config

  • Find the following section in the Web.config file and delete it:
<roleManager enabled="false">
    <providers>
    <clear />
    <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
    </providers>
</roleManager>


Press F5 and Test Your Website!

