
Forms authentication credentials fail

 
 
Chris
Guest
Posts: n/a
 
      04-20-2006
Hi,

I have a site with an admin folder that is protected with forms
authentication. I just want 1 admin user to be able to access it but to
use my own user authentication for the rest of the site.

I did have it working using an asp.net 2.0 login control and the
credential specified in the web.config but after going back to working
on the admin parts, it has suddenly started refusing the login.

I set the admin user's password to the result of
FormsAuthentication.HashPasswordForStoringInConfigFile("password","sha1")
and this did work before.

I haven't done anything special with the login control.

I'm sure it's something simple but I can't see why the login fails or
what I did to break it.

Is there a 'proper' way to do this that's just as simple? (Without going
into memberships etc.)

Here's my web.config:
<configuration
xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings>
<add key="MainDomain" value="http://www.crackthelottery.com"/>
</appSettings>

<snip connection strings.../>

<system.web>

<snip assembly stuff.../>

<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Forms">
<forms loginUrl="Admin/Login.aspx" protection="All" timeout="30">
<credentials passwordFormat="SHA1">
<user name="admin"
password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
</credentials>
</forms>
</authentication>
<anonymousIdentification enabled="true"/>
<profile defaultProvider="SqlProvider">
<providers>
<clear/>
<add name="SqlProvider"
type="System.Web.Profile.SqlProfileProvider"
connectionStringName="LocalSqlServer" applicationName="CrackTheLottery"
description="SqlProfileProvider for CrackTheLottery"/>
</providers>
<properties>
<add name="UserID" allowAnonymous="true" type="System.Int32"/>
</properties>
</profile>
<httpHandlers>
<add verb="*" path="*.zip" type="FileHandler"/>
<add verb="*" path="*.exe" type="FileHandler"/>
<add verb="*" path="*.xml" type="FileHandler"/>
<add verb="*" path="*.pdf" type="FileHandler"/>
</httpHandlers>
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>

I can't find anything that explains this simply and can't remember
where I originally looked all this up so thanks for the help.

 
 
 
 
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      04-21-2006
the login control does not work against the <credential> section in web.config

you can

a) handle the authenticate event of the login control and call FormsAuthentication.Authenticate
b) use the provider i wrote: http://www.leastprivilege.com/ASPNET...fig2ndTry.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
 
 
 
Some Bloke
Guest
Posts: n/a
 
      04-22-2006
Strange. I'm sure it was working at one point. Must have just been the
setup I had that got it through.

Thanks for the provider though, it should so be included in the
framework for basic setups like mine.
However, I am getting errors about 'WebConfigMembershipProvider' does
not implement inherited abstract member
'System.Web.Security.MembershipProvider.GetNumberOfUsersOnline()' etc.

Were these MembershipProvider methods not abstract in the Beta or
something? Why are there no stubs now?
Surely I don't need to override them all if I'm not going to use the
functionality?

I haven't quite got my head around forms authentication vs membership
and all the providers yet, and how much you need to change.
Like where does the AuthenticationSuccessEvent get handled?

 
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      04-22-2006
Hi,

yeah - i omitted all the other methods - for the login control you only need
to implement ValidateUser.

it is not formsauth vs membership - membership is just an abstraction layer
to check credentials/manage user. The normal formsauth infrastructure is
still in use.

the authentication success/failure events are something i used in my code,
you don't have to do that. just remove those lines.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com




 
Reply With Quote
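The point made in the reply above, that only ValidateUser needs real logic while every other abstract member of MembershipProvider must still be overridden for the class to compile, as an added C# example. It is not the provider linked in this thread; the class name ConfigCredentialsProvider is hypothetical, and it assumes the <credentials> section shown in the first post.

```csharp
using System;
using System.Web.Security;

// Hypothetical class name; added example, not the provider linked in the thread.
public class ConfigCredentialsProvider : MembershipProvider
{
    // The only member the Login control calls: check the submitted password
    // against the <credentials> section under <forms> in web.config.
    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;
        return FormsAuthentication.Authenticate(username, password);
    }

    // Unused operations fail loudly instead of silently returning a default.
    private static Exception No() { return new NotSupportedException(); }

    // Abstract properties: fixed values, since nothing here is configurable.
    public override string ApplicationName { get { return "/"; } set { } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }
    public override int MaxInvalidPasswordAttempts { get { return 0; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override int MinRequiredPasswordLength { get { return 0; } }
    public override int PasswordAttemptWindow { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return ""; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }

    // Abstract methods the compiler insists on (the errors quoted in the thread).
    public override bool ChangePassword(string u, string oldPwd, string newPwd) { throw No(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw No(); }
    public override MembershipUser CreateUser(string u, string p, string email, string q, string a,
        bool approved, object key, out MembershipCreateStatus status) { throw No(); }
    public override bool DeleteUser(string u, bool deleteAllRelatedData) { throw No(); }
    public override MembershipUserCollection FindUsersByEmail(string e, int i, int n, out int total) { throw No(); }
    public override MembershipUserCollection FindUsersByName(string u, int i, int n, out int total) { throw No(); }
    public override MembershipUserCollection GetAllUsers(int i, int n, out int total) { throw No(); }
    public override int GetNumberOfUsersOnline() { throw No(); }
    public override string GetPassword(string u, string answer) { throw No(); }
    public override MembershipUser GetUser(object key, bool online) { throw No(); }
    public override MembershipUser GetUser(string u, bool online) { throw No(); }
    public override string GetUserNameByEmail(string email) { throw No(); }
    public override string ResetPassword(string u, string answer) { throw No(); }
    public override bool UnlockUser(string u) { throw No(); }
    public override void UpdateUser(MembershipUser user) { throw No(); }
}
```

The Login control only calls the membership provider when no handler is attached to its Authenticate event, so leave that event unwired when using a provider like this.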
 
Chris
Guest
Posts: n/a
 
      04-22-2006
Hi again,

Me again with my new groups account, not my old one like last time, if
that confused anyone.

I didn't think membership was necessarily mutually exclusive to forms
authentication; it was just how they work together (ValidateUser vs
FormsAuthentication.Authenticate) that had me confused, as I haven't
really used the built-in forms authentication before either.

It's all working now though, thanks, but I did get stuck while I had
anything set in the Authenticate event of the login control, even if
there's nothing in the handler. Just something to check if anyone else
gets stuck.

I also notice some web.config samples in examples have a comma with
System.Web or App_Code after it in the type attribute, (???? in the
sample below) but none of them explain the significance of this as it
seems to work without it. Just a little loose thought I'd like to clean
up.

<membership defaultProvider="WebConfigMembershipProvider">
<providers>
<add name="WebConfigMembershipProvider"
type="WebConfigMembershipProvider, ????"/>
</providers>
</membership>

 
 
Chris
Guest
Posts: n/a
 
      04-22-2006
Actually, now I've read it properly, the article at
http://www.theserverside.net/article...rofileProvider
does explain that the bit after the comma is the assembly containing
the provider.

 