From Microsoft:

Today we have made available the Microsoft ASP.NET v1.1 Member Management Component Prototype on the ASP.NET site.
You can download it at http://www.asp.net/Default.aspx?tabindex=6&tabid=41
Comments, questions, bugs should get posted on the forum at http://www.asp.net/Forums/ShowForum.aspx?tabindex=1&ForumID=186

The Microsoft ASP.NET v1.1 Membership Management Component Prototype contains classes that allow a developer to more easily authenticate users, authorize users, and store per-user property data in a user profile. The authentication feature validates and stores user credentials which a developer can use to manage user authentication on a web site. The authorization feature lets you treat groups of users as a unit by assigning users to roles such as manager, sales, member, and so on. Combined with ASP.NET's built-in authorization functionality, Windows Shared Hosting developers have end-to-end support for maintaining user-to-role mappings and authorizing users based on this information. The profile feature enables you to provide users of your Web site with a custom experience. By defining and using profile properties, you can track any custom information your application requires, including user information and user preferences.

There already two applications in beta using this component; DotNetNuke by Perpetual Motion and Community Server by Telligent Systems.

Important: The functionality provided by this component is a preliminary version of the Membership, Roles, and Profile functionality coming in ASP.NET 2.0 and will change in the final release of ASP.NET 2.0. This means that any ASP.NET v1.1 applications you develop using this component will need to be updated when you migrate to the final release of ASP.NET 2.0. This is also a non Microsoft supported component.

In my previous Microsoft.ScalableHosting post I described with some excitement the .NET 1.x Membership API found hidden inside of DotNetNuke 3.0.  My excitement is mostly about using the API outside of DNN.  There is also excitement about the possibility of DNN supporting alternate authentication stores through the provider model and the improved API.  Windows authentication is something missing from previous DNN that may work well now.  I have not yet tried it.

 

2 days ago a document describing Membership usage inside of DNN was posted.  The reading of that document prompted several thoughts which I will share here.

 

Why use Microsoft’s Membership API? 

One of the important things the API does for us is standardize how authentication is handled in ASP.NET.  With everyone cooking up their own solutions we constantly are learning a different authentication methodology and system with every application.  With standardization of the API we can now use front end tools like the Login controls in ASP.NET 2.0.  As long as developers stick with the base API’s, controls can be written against them and have high levels of assurance that they will work consistently.

 

Second, an equally important feature of Membership is the underlying provider model for implementation.  With a provider back-end developers are able to completely customize their data storage and data access as it related to Membership.  This design pattern also allows every application that uses the Membership API to share user accounts and roles when so desired.  How many times have we heard the complaints that ASP.NET Forums doesn’t use the same authentication system as DNN, Rainbow and IBS.  As these systems are updated to support the Membership API the only thing required to share authentication will be a configuration line in the web.config to point them all at the same provider.

 

DNN 3.0 Membership description falls short!

The reason for this whole post is to share my belief that DNN 3.0 falls short in its implementation of Membership or at least the description of such.  Throughout the DotNetNuke Membership document I was disturbed by the logic I discovered.  In the section DotNetNuke & Whidbey (Page 1) Shaun Walker says that DNN must avoid creating its own provider to simplify future migration.  This is absolutely backward and representative of other architecture decisions that continue to pain DNN.  DNN already has a robust solution for membership data.  Apparently there are business rule dependencies at the data level in some places (Page 7, UserRoles).  DNN is classic textbook example of an application that should create its own membership providers for use with the API.  By doing so other applications could share DNN’s user base easily and DNN would not be forced to make as many core changes.

 

On one hand I am glad to see that Satellite tables have been created in DNN to separate Membership data for DNN specific user/roles data.  On the other hand, the integration issues should have nothing to do with the underlying data storage and instead be addressed in the DNN API’s.  With a custom DNN Membership system both the Microsoft Membership API and the DNN specifics could easily be combined.  This would allow DNN to use any Membership provider while still supporting all of the DNN specifics and managing synchronization issues.  Page 9 CBO (Custom Business Objects) is exactly the right approach.  I believe the issues are being addressed, but the failure to see things from a Domain (objects, services) perspective really bothers me.  DNN thinking still tightly couples Data structures and the API’s and the 2 should be considered separately. 

 

Sharing users between portals is now a simple matter of sharing the ApplicationName that the Membership provider uses.  To make users unique all that is needed is to use unique ApplicationName’s.  The scenarios presented in Deployment Scenarios on Pages 1-2, Data on Page 3 and Multiple Portals on Page 10 do not make much sense.  By standardizing on the API, any deployment should be supported as long as a provider is used that supports the desired scenario.  The provider is the implementation and it is the key to supporting different scenarios.  Thankfully MembershipProvider.ApplicationName can be changed on each request enabling support for multiple portals with or without shared authentication systems.  By using multiple providers it is even possible to use different authentication stores for each portal in a DNN multiple portal scenario.

 

In Development Tasks (Page 2) it is apparent to me that there is a significant misunderstanding of Membership that must be clarified.  It is true that the UI controls built on top of Membership have not been back ported.  But there is a clear separation of the API and the SQL DB & Provider.  The API and the Provider should not be confused.  They must be considered as independent components.  Sure they work together, but the API does not in any way dictate underlying provider or storage that is used.  See the sidebar on the Membership API architecture at the end of this post.

 

When I hit the Data section at the end of page 2 and beginning of page 3 hope was returned to me.  Separation of responsibility is acknowledged between DNN data and the Membership data.  This is absolutely critical in order to use providers that only give DNN access to the data through the API and not in the database.  This separation creates a new paradigm for some developers.  It requires business rules to be placed in code and not in stored procedures.  The code has full access to the data through the API, but the database has no access to it or knowledge of it unless developers violate the intended usage.  If you are used to putting rules in your database it’s time to quit it!  You are asking for trouble with Membership data if you do this.  Thankfully DNN has fully acknowledged this in the Membership area.  Now we all need to be building software with the principles of separation of responsibility from the foundation.

 

Custom Attributes on Page 4 shows more confusion about the API and Provider.  It leads me again to believe futher that a DNN provider and custom DNN system would be best.  The custom attributes of course would still have to be treated as DNN specific data, but that is acceptable and exists no matter how Membership is implemented.  (DNN developers, I am not suggesting you replace Micrsoft's Membership, merely that you wrap it to support your additonal features.)

 

As a final note I want to publicly state that even though I have been critical of DNN here I am mostly seeing a reflection of my own failures in software development.  Now I desire to improve my own practices and help others see the benefits of good architecture and patterns as well.  With DNN’s prolific exposure it deserves a careful critique so that its best practices are adopted and its worst avoided.  This critique in no way reflects my opinions of Shaun Walker or any DNN developers.  Shaun and I have met personally and I enjoyed my meeting with him.  I also have great respect for him and his work in the ASP.NET community through the DNN portal.  Some readers may also know that I work with Rainbow Portal.  I choose not to be a fanatic about software and this post is neither for nor against DNN.  Each person must choose the solution that is best for them.

 

Sidebar: UserName and RoleName are not updatable through the Membership API as indicated in the DNN document.  The SQL database that goes with the default SQLMembershipProvider does not prevent you from updating UserName or RoleName through your own tools.  All relationships within the database are done by unique id’s so changing names will not break anything.  If you desire to change these names you must simply take care to update your own systems that may reference them and also to ensure that you keep them unique per application.  (Application referring to the definition of application inside of the SQL Membership database.)  Perhaps Microsoft should expose UserId and RoleId through the API so that we can store those in our applications instead of storing username and rolename as the unique ID’s provided through the API currently. 

 

Let me suggest a Membership best practice here.  Windows authentication uniquely identifies users as DOMAIN\USERNAME.  When using the Membership API with forms authentication I suggest always using APPLICATIONNAME\USERNAME.  By doing that you will be able to uniquely reference Membership users throughout your systems and not have to worry as much about username conflicts that could occur otherwise.

 

Sidebar: A look at the Membership API architecture reveals a nice model that may fit many other areas well.  MembershipUser is a simple entity to work with.  Its functionality is limited a single are of responsibility.  It knows nothing about the data store it is persisted in or even if it is persisted.  It also knows nothing about the collections it may be contained in (Roles).  To interact with an underlying storage system the Membership API acts as a service layer between the MembershipUser entity and a persistence Provider.  The Provider layer allows for complete control of the Membership implementation as it interacts with a persistence store.  The store may be a database, flat files, memory stream, or anything a developer chooses to be the implementation of the fields and methods required by the Membership system.  Developers are given a standard API to program against without concern for the underlying database.  The database designers do not have to be concerned with the API or the Domain entities that may represent the data.

 

using Microsoft.ScalableHosting;  // What is this namespace all about?  Read on!

With the release of DotNetNuke 3.04 in public beta comes a very interesting and powerful assembly.  A close look in the MemberRole.dll reveals that it is a fully functional port of the ASP.NET 2.0 Membership API.  So far it also looks to be a complete port.  The API includes features not even found in ASP.NET 2.0 Beta 1 such as account lockout.  This assembly contains several classes in the Microsoft.ScalableHosting namespace.  Classes inside this assembly include:

ProviderBase
Profile, Membership and Roles specific configuration classes
Profile + SqlProfileProvider
AnonymousIdentificationModule (httpModule)
Membership + SqlMembershipProvider
MembershipUser
Roles + SqlRoleProvider
RoleManagerModule (httpModule)

There are many additional classes as well.  I extracted the necessary configuration in web.config and put together a simple application to test the API.  I had no problem creating users and adding them to roles.  The API and SQL Providers worked perfectly with both Forms and Windows authentication.

Note: when using Windows authentication and adding a user to a Role a MembershipUser record is added to the database.  I am now wondering how the aspnet_Users and aspnet_UsersInRoles tables will get cleaned up when a Windows account is deleted.  This is currently necessary to create the GUID for the Windows account that is added to the aspnet_UsersInRoles table.  ASP.NET team comment please!

The license information for this assembly can be found at: DNN3\controls\MemberRole\Member Roles (Conf) (1101204) FINAL.doc.  Looks like this is some kind of Beta release of the API.

The SQL database installation script is found at: DNN3\Providers\DataProviders\SqlDataProvider\InstallRolesProfileMembership.sql  You will need to do a global replace of {databaseOwner} in the file with dbo. or other appropriate ownership for your scenario.

To use the API's in your own application you will need to do a few simple things.

1. Reference MemberRole.dll
2. Create the SQL database (or write your own custom providers)
3. Put the appropriate settings in web.config.  (sample web.config)

To create your own providers start a new class project, reference memberrole.dll, inherit the appropriate provider base class and override the abstract methods and properties (Microsoft.SecureHosting.ProfileProvider, Microsoft.SecureHosting.MembershipProvider, or Microsoft.SecureHosting.RoleProvider).  Then reference your new provider in the configuration.

You can of course leave out any configuration and providers details that you are not interested in using.  The RoleManagerModule must be added to the httpModules collection if you want to have the roles for a user added to the authentication cookie as is common practice in 1.x applications.

If you are interested in more details about the Provider Design Pattern I plan to post addtional information and providers at www.aspnetproviders.com.

Now that I have the MembershipUser and Roles I am planning to port PermissionManager to .NET 1.x as well.  Together with Membership the PermissionManager completes authentication and authorization package allowing us to abstract all aspects of security management out of applications.

How will you make use of Membership, Roles, and Profile for your current applications?

My friend Fredrik Normen is at it again.  Permission Manager continues to improve.  Perhaps we should take it even further?

The latest enhancements give us the ability to specify permissions in the config file as well as other provider defined locations. 

 What does everyone think about putting this kind of configuration in an PermissionManager.config file or something like that as an option?  I imagine the web.config might like this: 

<permissionManager enabled="true" path="PermissionManager.config" />

As you can see all the remaining details might be found in an external config.  It seems with all the provider stuff the web.config is growing to be a very large file.  Of course we would want to still be able to use the Configuration API's as much as possible.

Thoughts on configuration and web.config usage?

For Permission Manager what about defining permissions in a custom attribute class and then having a reflection provider that harvests them from the assemblies during initialization.  My thinking is that we have a synchronization issue between the permissions defined in application and those defined in the provider store.  By using attributes and reflection the definitions in the code would always be in sync.  It would not be necessary to define the permissions in any external location.

---

Today we might define a Permission to secure a method like this:

public void foo () {
// Check Permission
if (!(PermissionManager.HasPermission(“Group“, "Permission", user))) {return false};
// Permission granted
// do stuff
} 

For this to work we also must make sure that the “Group“ and “Permission“ exist in the permission definition store.  This requires us to create the definition prior to executing a .HasPermission().

---

With attributes we could perhaps do this instead:

 // Check Permission automatically for current user? and define permission declaratively
[Permission(Group="Name", Permission="Name", Description="Description")]
public void foo () {
// do stuff
} 

Now with reflection we can harvest the necessary permission definitions right out of the assembly.  Any assembly that has a dependency on Permission Manager self describes the permissions it uses and checks attributes.  I still need to understand the details and possibilities around this, but it seems there must be a way to use attributes to define the permission and secure fields, methods, and classes.  The Conditional(”DEBUG”) attribute seems similar in concept.  Permission Manager defines a condition based on runtime security instead of compile time.  Those who have worked with attributes more please comment as to the feasibility here for both definition of permissions and runtime authorization checks.

Recently Microsoft announced a security vulnerability in ASP.NET and offered a couple of ways to protect against it.  The first solution is to modify code in your applications global.asax.xx code file.  No problem if you don't mind updating every ASP.NET application already in production.  The second option is to install the ValidatePath httpModule that covers all ASP.NET applications on a server.  Obviously option 2 is going to be best for situations where you have server access and multiple applications running, but there are cases where this will cause a problem.  Reporting Services is one application that does not play well with the ValidatePath module.  If you read my post about Reporting Services and Custom Assemblies you would not be surprised.  The good news is that now Microsoft has a KB article describing the problem and the steps to correct it.  So, until we get the next ASPNET_ISAPI.dll with the patch imbedded you might want to become familiar with KB887787

Here is the error message you get with Reporting Services and the ValidatePath module until you apply the fix to reporting services.

Server Error in '/ReportServer' Application.

A few months back I was talking with some other developers on the v.Next project about how we could abstract security out of our code.  The desire was to have methods and code blocks that could be wrapped with security checks, but without hard coding user or role names.  The current IBuySpy and Rainbow Portal for example have code in them like this if (User.IsInRole("Editor")) {do stuff}.  That works fine for a simple application, but what happens when you want to allow Admins and Editors?  In today's model you end up modifying the code and re-compiling and deploying.  I have seen a lot of code that strings together a bunch of OR statements when additional Roles need to be supported for a given security check.  It can get very ugly.

The solution is to have the authorization and permissions abstracted from the application so that when Users and Roles change you can easily change the security inside the application without changing code.  Enter Permission Manager (PM).  PM is the coolest piece of code I have seen for Whidbey so far.  I really can't believe something this good is already available and Whidbey just hit Beta 1.  It could be that I was already talking about building something like this that makes it cool, but for me it is how nicely it fits the ASP.NET 2.0 experience.  The code looks like it is native to ASP.NET.  It seems to follow the style of Microsoft's built-in classes very nicely.  It plugs in beautifully to the provider model allowing you to use it with your own custom provider for managing the permission sets for an application.

PM works by allowing the developer to create an abstracted permission object that implements IAccessObject.  This is simple to implement with basic name and ID properties.  The object then is used with the PermissionManager to create named permissions.  The sample has a news object that is used to create various permissions.  These permissions are completely separate from Users and Roles until you map them together.  For example, within the news permission set we may want a print and copy permission.  Using the PermissionManager static methods we make simple calls like: PermissionManager.CreatePermission(news.SourceGroup, "Copy", "Copy a document"); to create the Copy Permission.  When we want to map a real Role to the Copy permission of the news object we simply execute a method like this: PermissionManager.SetPermissionForRole("Copypeople", news, "Copy");.  This maps the Role of Copypeople to the permission of Copy on the news object.  news really is just an object for grouping of permissions.  Each application could have its own set or several sets.  Through the provider model permission sets could also be shared across applications by pointing them at the same data source.  This abstraction model allows us as developers to have as many application permissions as we want without needing matching security roles for each one of them.

This abstraction of Permissions is something that applications like Rainbow portal did with a lot of database mapping.  The problem has been that some Roles are hard coded and there is not a consistent provider based system for managing permissions.  I plan to give this concept a thorough workout as I start working with Whidbey.  It could also be ported to ASP.NET 1.x if you had a Users and Roles store that you could tie it in with.

One of the features of .NET 2.0 that I am excited about is the provider design pattern (This site is active but empty.  I plan to document as much as I can about providers on it as a way to help the community).  I decided that today I would begin looking at what it will take to use this in the applications we build at Idaho Commerce and Labor.  We plan to take advantage of this model as a way to share users, sessions, navigation and more across applications.  We need to investigate the security issues related to this of course.

So far I have discovered that the SQL providers can be installed with a utility called aspnet_regsql.exe in the %windir%\Microsoft.NET\Framework\v2.0.40607 folder.  I called my database Credentials since I was planning on working with Membership.  Now that is is created I see that it installs all of the SQL providers.

The tables I understand: Membership, Personalization, Profile, Roles, Site Counters, Users, UsersInRoles

There are other tables in the database as well that I assume are for some management and other purposes.  These include Applications, Paths, and WebEvent_Events.

What I do not see here is Sessions and Navigation.  I imagine that like .NET 1.x SQL Session state is a separate script to run.  More on that when I get to exploring the Session State provider.  As far as providers for navigation, I imagine that will be something custom I get to build.

I am now curious to see how this default SQL provider and its database will work when I point multiple applications at at.  What can and can't be shared.  Then I have to ask what should and should not be shared?

First of all, I must say that sitting on the end of a 3MB cable Internet connection is fabulous.  I was able to download all of the VS 2005 Beta Cd's, 2005 MSDN library and the Express product betas in a few hours.  I wanted to start playing with them before the DVD's are mailed out (could be 2 weeks) so I went ahead and grabbed them from MSDN.

The Express products can be downloaded by anyone and I initially downloaded them from the public site.  I was disappointed during the installations when I had only a setup and it had to go retrieve the full product with another download.  I must have missed that note somewhere.  With VB.NET and C# the download was not bad since they are under 30 meg, but with VWD (Visual Web Developer) the download was something like 186 meg.  If you have MSDN you might want to skip this by just grabbing the full ISO images.  Again, very nice to have a fast connection to the net!

I decided to put the 3 Express products I might use (VB, C#, VWD) as well as SQL Express all on a single VPC image.  That will allow me to play with them but not have to manage too many extra playgrounds.  The installation for all 4 products was smooth and I am looking forward to giving them each a test drive soon.

VS 2005 Beta 1 surprised me with its install.  I first tried it using the Windows XP Virtual CD-ROM tool, but I got an error on the first CD ISO image.  I am not sure why, but after making real CD's to install from everything went great.  I do not remember how long the install of VS 2003 took on my laptop, but I do believe 2005 Beta 1 was significantly faster.  I am installing on a VPC using a firewire drive for the image, but I would think that to be slower than the native OS and built-in IDE drive.  I will be curious to see what others think of the install time.  I am at about 2.5 hours right now and just got the reboot message.  This still isn't a coffee break install, but none of the VS.NET products have been.  The best part with VPC is that I can use the Undo feature and also share this image with co-workers saving them the install and setup time.  I wonder how long it will be before VPC images become the norm for beta products and all software testing?

For beta 1 so far I am very pleased!  Now it's time to start coding and see where the dev teams are still working on the feature set ........

 

Reflections on the truths found in film

Today is the official start of Tech Ed and its already my third day in San Diego.  Steve Ballmer just finished pumping everyone up.  Well, at least I assume as much.  I decided to catch a little breakfast and relax a little.  Looking forward to Don Box for my first session of the day. 

So last night was an enjoyable dinner at Sallys with with friends.  We skipped the busy party scene and instead started the evening off with Scott Hanselman and a BOF on Code Generation.  I thought it might get ugly in there with all the different ideas flying around.  Scott did a fabulous job of playing host.  From there it was off the drop the bags and catch some dinner.  I had the pleasure of enjoying the evening with a new friend from London, a couple new Microsoft faces I have not met before, and Bill Vaughn.  Richard, Kelly and Bliz were there as well.

What will the excitement be about today?  I guess I will just have to wait and see.  So far the best part has been meeting new people and having some good conversation.

An awesome Cassini enhancement is now available.

Hey C# team, its your turn to up the ante!

Caught the MCT party last night

Learning more about what ineta can do for user groups

Tomorrow I leave for a week of high velocity geekin'

I must be suffering burnout to have created this list.

Finally I have found a stupidly simple certificate process for digitally signing my email.

Exposing more secrets of the reporting services installation in an enterprise environment.

How I got my global exception logging code to run alongside SQL reporting services.

E-Mail is Broken. Innovate, or Take a Walk. Recent articles in InfoWorld are a breath of fresh air in a time of too much, too fast.