Advanced Personalization Services in ASP.NET 2.0 Part1
Khaled Hussein.
E-Business Solution Developer
February 2005
Applies to:
Microsoft ASP.NET 2.0
Microsoft Access 2003
Microsoft Visual Studio 2005 Beta 1 Codename "Whidbey"
Summery: Learn about personalization, how to implement the first aspect of personalization features in your web applications using membership object provided by ASP.NET 2.0.
Introduction
People have different personalities. Each one of them in the real life likes to customize and tailor his surrounding environment to fit his personality in order to be more productive and more comfortable with the environment during the long hours.
For example "Your Room", the first thing you notice about it that you already customized it for your needs and your personality. You started placing your books in some where that makes it easy for you to get them, you placed your notes some where else, and you placed your CDs probably near your computer. If you check your brother's room you will find something different, but both of you are happy with this customization of his room.
Web based applications offer variety of solutions for business activities that can serve different types of users. These users have different personalities and access the internet for different reasons eliminating the design of one user 'Anonymous' architecture for your web application.
Implementing such personalization features in your web applications wasn't an easy task to do. You have to keep thinking of session management, integrating your solution with the profiles data source, and even with this entire headache still you don't provide a real customizable web application.
ASP.NET 2.0 has provided us with 'Personalization Services', which is exactly all what you need to provide tailored, user-based web applications that are more flexible and customizable for each user.
ASP.NET 2.0 framework integrates seamlessly with SQL Server 2005, manages all session activities for you and provides a number of new server controls that allow users to customize the layout and appearance of a website.
Personalization
When I first started to write this article I thought about having a suitable definition for personalization, so I started searching the internet and I got lots of definitions but the most appropriate one was that, Personalization is determining the user's interests based on his preferences or behavior, constructing business rules to decide how to deal with such a person and dealing with that person according to this preferences.
This simple definition drives us to examine personalization process. In order for a web application to provide personalization process it must perform the following tasks:
· Recognizing the user: the web application has to be able to identify the user by a means of authentication, and managing the user's session through requests.
· Provided personalized features: the web site has to offer the personalization itself for example, the permissions to do some tasks, or the layout of the page, or maybe the contents of a page.
· Storing the information: after the user has changed 'customized' the website to fit his personality, the web application should have a means of storing and analyzing this data to be able to provide the user with the same customizations he made before. And to offer him suitable services for his needs.
Web application developers shouldn't only provide these functionalities in a web application to provide personalization but they have to provide these functionalities in a very integrated way to get the business advantage of personalization.
ASP.NET 2.0 provides us with a lot of new server controls that make life much easier for developers to implement personalization features rapidly in their web applications using the default values. But as this article's topic is 'Advanced Personalization Services in ASP.NET 2.0' then we will examine how to use the provider framework to provide custom solutions to go on with other aspects of the system.
ASP.NET 2.0 framework is composed of 3 main areas which are membership, profiles, and web parts.
In this article we will start talking about membership and we will continue talking about profiles, and web parts in part2 and part3 of the series.
Membership
If you remember as we mentioned above that any web application that needs to implement personalization in its logic, then it must follow some processes and implement some functionalities, one of these functionalities was authentication and authorization.
ASP.NET 1.1 provided authentication and authorization through simple configurations in web.config and authenticating the users to a backend data source. But developers need to implement their own set of controls to validate user input, and checks these authentication credentials to the back end data source, and keeps in mind the user authentication session management, as well as authorization implementation.
ASP.NET 2.0 has evolved over ASP.NET 1.1 and followed its new concept which is 'Reduce writing code by 70%' and provided developers with a whole set of new server controls which include a login control that is configurable with just simple clicks to validate the user input and handle the session, and even to retrieve passwords in case that the user forgot it, also some other server controls like CreateUserWizard and develop can even enable the user to change his password without writing a single line of code.
ASP.NET 2.0 memberships' architecture provides us with a provider model which enables developers to customize such login and CreateUserWizard controls to other application aspects and to change the data source and how to enable these controls to integrate with other data providers.
Profiles
A profile is simple a set of user related data and information that gets stored in a data source. ASP.NET 2.0 provided us with Personalization Service Stack which is responsible for handling personalization issues, this stack contains a profile, this profile contains user related data and data can vary from basic data types (int, string, … etc.) to complex objects, Not only this, but it also provides a
In ASP.NET 1.x developer had to handle the entire process of creating, storing and retrieving user related data to session. But in ASP.NET 2.0 everything is taken care of automatically, and just in case you want to customize the features to your specific needs, you should go to the heart of the profiling feature which is the profile provider framework.
Profile provider framework is like Membership framework, gives developer the ability to customize their own data sources and how provide the functionality of profiles session management for the customized data sources.
We will go in more details about profiles in this article.
Web parts
Web part is the new key factor that enables users to truly customize layout, and contents of the web page. This enables developers to develop their web pages as components of web parts which are categorized to give the user enough flexibility to choose the contents or the layout that he mostly interested in.
Web parts are integrated with Profile Providers, once the user is authenticated and he finishes customizing the web pages it is automatically preserved through sessions using the profile provider.
Figure 1 shows the components of Personalization Services Stack and the relation among these components and each others.
The data providers provides a means to customize the way you store your users data, and then we notice the profile API is the API that developers user to interact with data providers which in turn interacts with Web Parts to retrieve the new customization arguments for each user and then this process of personalization is controlled and stored in the data source through the data providers.
Membership
The first functionality that web developers have to implement is to provide a means for users to identify themselves so that web applications recognize them. Once the user is recognized to the application the personalization starts automatically to retrieve the user's profile and show up the customizations for this specific user and keeps track of other customizations during the session throughout page requests.
ASP.NET 1.x enables developers to make authentication and login pages where developer connects to a data base and calls a stored procedure to verify the username and password and then uses the FormsAuthentication API to recognize and log the user in to start dealing with him, or you will tell him that the log in credentials weren't correct.
One of the things you may have noticed about ASP.NET Team is that they are concerned about making the easy things even easier.
FormsAuthentication class is simply used to encrypt the credential information and store them securely in a HTTP cookie and handles encrypted data through page requests.
FormsAuthentication class is definitely a great feature but what makes it even better if we can reduce the code that developers write to do the authentication process and at this point ASP.NET 2.0 membership features comes in handy for developers.
ASP.NET 2.0 memberships is just to provide a secure user credential storage with simple and easy to use API. So Forms Authentication and membership complement one another however you can use them independently, that is you don't have to use them together.
The Membership class contains only static methods, which means you don't have to create an instance in order to use its functionality. But what happens behind the scenes?
Membership class forwards the calls through a configured membership provider. The provider in turn knows which data source to use and how to verify the user credentials. So what's the provider mode? Look at figure 2.
Before going on we need to mention that provider models are a new design pattern introduced with ASP.NET 2.0 as providers are pluggable abstraction layer used within ASP.NET. And therefore all of the ASP.NET features that rely on data storage expose a provider layer.
The beauty of a provider model is that it enables developers to have full control over data and their storage location. Developers can implement their own providers and plug it in the framework.
The membership has a lot to do more than that so let's dig deeper.
Setting up Membership
Here is good news, setting up membership is an easy task to do; it just works. By default visual studio .net 2005 creates a new folder called \data\ in your project and it creates AspNetDb.mdb which is the default access data base that is used by Microsoft Access Provider, which is in turn the default provider that is used with ASP.NET 2.0 features.
Before we can go deeper and use the membership to its main purpose which is validating user credentials we need to learn how to create users to validate them.
Creating a New User
The membership API exposes two methods for creating a new user these methods are:
· CreateUser(string userName, string password)
· CreateUser(string userName, string password, string email)
Both of the methods create a user using his username, and password, while the second one takes also the e-mail.
So let's see how we can create a user in code. Don't forget to compare the number of code lines you used to write to accomplish such a task with ASP.NET 1.x.
The CreateUser method adds the user in the data base.
Hint: you may ask, hey where do I store first name, last name … etc. The answer is very simple Membership is not used to store this type of data. But personalization is the feature responsible for storing user's data. Membership is only responsible for storing user credentials used in authentication.
Validating User Credentials
Now as we created some users we can examine the primary function of membership which is validating user credentials. This is accomplished by the Membership static method ValidateUser.
· bool ValidateUser(string userName, string password)
This function validates the username and password credentials and return true if the user exists other wise returns false.
Then simply to validate user credentials and to authenticate him you have to do as follows.
Getting a User
Membership has lots of cool features that we can use. Here is another one which is getting a user. There are different ways to get a user.
· MembershipUser GetUser()
· MembershipUser GetUser(bool userIsOnline)
· MembershipUser GetUser(string userName)
· MembershipUser GetUser(string userName, bool userIsOnline)
Here is how we can use it.
If you want to get a user and you don't know his username, or a user forgot his username for example you can use GetUserNameByEmail() method. Once we get the username we can get the user by using one of the methods mentioned above to retrieve the other credential information about this user.
Membership User Class
This class represents a user stored in the membership system. And it provides us with some very beneficial methods including the follows:
· String GetPassword()
· String GetPassword(string answer)
· bool ChangePassword(string oldPassword, string newPassword)
· bool ResetPassword()
Not only these methods but you will find also some other new methods that makes handling user operations more easy task to do.
With the same mechanism you can update the user's data and delete a user using static methods in Membership class like UpdateUser(), DeleteUser().
ASP.NET 2.0 Web Application Administration Tool
ASP.NET Web Application Administration tool, which is a new tool shipped with Visual Studio .NET 2005 and enables developers and web administrators to change configuration values in web.config through an easy GUI tool and following simple wizards.
Now we are going to examine ASP.NET Web Application Administration tool to see how we can provide authentication and role authorization in ASP.NET 2.0.
Open a new ASP.NET Web Site in Visual Studio .NET 2005; File Menu >> New >> Web Site
To open the Web Application Administration tool go to Website menu >> ASP.NET Configuration.
A new web page will open and it will look similar to figure 4.
You can notice that we have 4 tabs Security which is the Security, Profile, Application, and Provider.
Security enables you to set up and edit users, roles, and access permissions for your site.
Site is using windows authentication for user management.
Profile enables you to manage a set of profile properties, whose values are stored separately for each visitor to your site.
Application enables you to manage your application's configuration settings.
Provider enables you to specify where and how to store administration data used by your Web site.
And now we click on profile to select the suitable data provider for our membership implementation.
When we choose provider tab we notice two options the first one is to select a single data provider for all the site features including membership, roles, profiling … etc. While the second one is to select a different data provider for each feature, so we click on the second option to have a detailed idea.
Now select your membership provider, role provider, and profile provider. We will go on through the rest of the article using AspNetAccessProvider.
If you want to add your own data provider you just click on Add New Data Provider link for each feature.
Now after selecting the AspNetAccessProvider we go to security tab to manage our users and roles security. See Figure 5.
We will find three panels, one for users, while the second one for the roles and the third one for Access Rules.
We first change the user authentication type to forms authentication, and this is done simply by clicking on "Select authentication type" link and you will get two options, go ahead and select the first one which is 'From the Internet', and don't forget to click 'Done' button.
Now you will notice that the user panel is changed and it tells you that the existing users count is 0 and it gives you the option to add users or manage their information.
Let's start adding two users to continue working with the article, user1 and user2.
Now we can move on to the roles panel to enable roles. Once we enable roles a new link will be seen that enables us to create user roles, so let's create two roles, Administrator, and Customer.
Then we should go and manage users. Clicking on a user will redirect you to a page where you can select which roles this user belongs to. And finally we can move on to Access Rules panel where we can create access rules.
Access rules are simply identifying which roles are allowed to access which website resources. So here you can assign permissions to web site resources to control access security and this is a part of the personalization process.
Now we have finished configuring the web application to identify users and added two users with two different security roles, and we managed access rules for the user roles, and guess what without writing a single line of code.
We passed the Web Application Administration tool fast because I want to go deep in more details for developers that like to customize every feature for their needs.
Security Server Controls
Now we will have an overview about the new offered server controls that are designed to help developers manage security and membership features throughout their applications.
These controls include login control, password recovery control; create user wizard control … and so on.
Login Control
As you noticed through out the article that ASP.NET team tends to make developers write the minimum number of code lines, Now I am going to show you how to make a whole login page without even writing a single line of code using the new login server control.
OK, let's start creating a new login page, and go to the toolbox and drag a new login control. Ops I am sorry guys it didn't take long to finish the login page. It is already finished now, start running your page.
When the user enters his username and password and clicks on login button, the control automatically calls ValidateUser() method from the Membership class and if the credentials are correct it calls FormsAuthentication.RedirectFromLogIn() to redirect the user to the page that he intended to see before logging in. other wise it refreshes the page asking for the username and password again.
Login control is fully customizable control through a punch of properties that we can set. We can change the text of the login button, and the username text, with its alignment; similarly the password text … and we can also change the style of the control. ASP.NET 2.0 provides us with some pre-designed styles that can change the look of the controls. See figure 6.
Login Status Control
We all need to inform the visitor of his status whether he is logged in or logged out, and giving him the ability to login if he is logged out and vice verse. This is exactly what login status control does. It checks the user and tells him if he is logged in and it shows him a logout link, otherwise it shows a long link.
Again let's try to use the login status in the same page. Start adding a new control by dragging it from the tool box. Well, again all required implementation of the functionality is just done for us.
It will automatically check the status of the user if he is anonymous user or not, and it will choose its proper status.
Login status control also is a very customizable control, you can change the text of the login, and logout links using properties like LoginText, and LogoutText, and of course you can change the URLs that these links direct to.
Similarly you will find other very simple to use controls and without writing any code to your application.
Setting up Role Manager
Role manager is similar to Membership that it replies on data providers to store data. The Role manager's primary responsibility is to enable developers to create roles and links between users and their roles.
There are two different way to enable Role Manager. First method is using the Website Application Administration tool, and we already showed out how to enable roles, and add roles using the tool.
The second method is doing this manually without this tool. Does this mean that we are going to write lots of code? The answer is no ASP.NET team promised us we won't need to write lots of code lines to do traditional functionalities any more.
In order to enable Role Manager we need to configure this in web.config file, figure 7 is showing a sample of a web.config file that enables Role Manager.
Now that we knew how to configure a Role Manager in our web applications let's move on and creates some roles programmatically without the use of any tools or wizards.
Similarly to static methods in Membership class there is a method called CreateRole() which is defined as static method in Roles class.
All we have to do to create a role is just pass its name as a parameter to CreateRole() method.
Roles.CreateRule("Role Name");
Notice that if the role already exists, an exception will be thrown.
Now that we created roles, we need to assign users to roles. So we can assign one user to one role, or many users to one role, or one user to many roles, or many users to many roles.
Unsurprisingly there are 4 methods in Roles class that exactly do this.
· AddUserToRole(string userName, string roleName)
· AddUsersToRole(string[] userNames, string roleName)
· AddUserToRoles(string userName, string[] roleNames)
· AddUsersToRoles(string[] userNames, string[] roleNames)
OK this is cool, but how about checking if the user is in specific role? In ASP.NET 1.1 User.IsInRole(string userName) method was used to do this functionality now with the infrastructure of Roles features we find a method called Roles.IsUserInRole(string userName), which returns true if the user in this role.
This function has an overloaded version to check the user for specific role.
Roles.IsUserInRole(string userName, string roleName)
Similarly you can remove users from roles, and even delete roles and updates its information with similar static functions in Roles class.
Conclusion
ASP.NET 2.0 provides a number of new technologies that make it a snap to implement customizable Web applications, while requiring little or no code to implement it. One of these features is Membership framework and its automatic integration with other features and classes in the framework.