Using Oracle Providers for ASP.NET

Overview

Purpose

This tutorial demonstrates Oracle Providers for ASP.NET usage and how tightly the providers integrate with existing ASP.NET management tools, controls, and services.

Time to Complete

Approximately 30 minutes.

Introduction

Oracle Providers for ASP.NET integrate directly with Microsoft ASP.NET controls and services to provide state management capabilities for web sites. State management is critical for managing persistent data, such as user information, user roles, and session information.

This tutorial builds upon the "Building ASP.NET Web Applications with Oracle Developer Tools for Visual Studio" tutorial. In that tutorial, you created a data grid retrieving employee information. In this tutorial, you now want to secure this employee data to ensure only authorized users can view the data. To accomplish this task, you will create an ASP.NET web user using the Oracle Membership Provider and test the web site's authentication with the provider with valid and invalid credentials.

Prerequisites

Before starting this tutorial, you should:

  1. Install Microsoft Visual Studio 2013 or later.

  2. Install Oracle Database 12c or later.

  3. Install Oracle Data Access Components (ODAC) with Oracle Developer Tools for Visual Studio version 12.1.0.1.2 or later from OTN.

  4. Complete the "Building ASP.NET Web Applications With Oracle Developer Tools for Visual Studio" OBE.

  5. Perform Database Server Setup to establish a schema where the ASP.NET provider data is stored. Click here for instructions on how to set it up.

Creating a Login Page

In this section, you will create a login page which will be used for user authentication.

  1. Reopen the website you created in "Building ASP.NET Web Applications With Oracle Developer Tools for Visual Studio".

  2. Right-click on the solution (e.g. WebSite4) and select Add > New Folder.

    Rename the folder to Data.

  3. Move the Default.aspx file to the Data folder that you created.

    The file was successfully moved.

  4. Expand Account in the Solution Explorer and open Login.aspx.

  5. In the Login.aspx tabbed page, click the Design tab.

    Highlight the text in the MainContent subsection in the lower half of the design form.

    Delete all the text by pressing the Delete key.

    Note: The default login page created with the project does not use the standard login control. The steps below will show how to use the standard login control.

  6. From the View menu, select Toolbox.

  7. Scroll down. In the toolbox, expand Login. Drag the Login control to the Design area.

    The Login control now appears in the design area.

  8. Right-click on the Login control in the Design mode of the Login.aspx page and select Properties.

    In the Properties tab, select DestinationPageUrl under the Behavior section. Click the button that appears when DestinationPageUrl is selected.

    Select Data in the Project folders section and then select Default.aspx in the Contents of folder section. Click OK.

    Notice that DestinationPageUrl now has the path to the Default.aspx file.

  9. Open the Solution Explorer and select the Login.aspx.cs file.

    In the Login.aspx.cs file, select from the start of the method protected void Page_Load(object sender, EventArgs e) to the end of protected void LogIn(object sender, EventArgs e) and press the Delete key. This step deletes the original template code. Save the project.

Enabling Oracle Providers for ASP.NET and Creating a Web User

In this section, you will use the ASP.NET Web Site Administration Tool to direct the web site to use the Oracle ASP.NET providers and create a new web user specific to this web site to demonstrate authentication features. Perform the following steps:

  1. Select View > Solution Explorer.

    Under the root website node, double click on Web.config.

  2. In the Web.config file, select all the tags from the <membership> tag to the </roleManager> closing tag and press the Delete key. Save the project.

    Note: These default web.config entries have disabled ASP.NET providers. By deleting these entries, we can now enable and configure Oracle's ASP.NET providers.

  3. Microsoft has removed the ASP.NET Web Configuration Manager from Visual Studio 2013. The following instructions will show you how to run the manager using the Command Prompt.

    Note: These instructions only work for sites running on the .NET Framework 4.0 and above.

    Open the Command Prompt (not as Administrator).

    Navigate to the folder where IISExpress is installed on your machine. You may use this command to navigate to the default folder:

    cd "C:\Program Files\IIS Express"

    At the command line, launch the IIS Express site with the following command:

    iisexpress.exe /path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles /vpath:"/ASP.NETWebAdminFiles" /port:8082 /clr:4.0 /ntlm

    Note: The port being used here is 8082. You could use another free port. The path specified here is the default ASP.NET Website Admin Tool path.

    After you have entered the above command, IIS Express should launch. Do not stop IIS Express until you complete the lab.

    Now, open any browser and type this URL:

    http://localhost:8082/asp.netwebadminfiles/default.aspx?applicationPhysicalPath=C:\Users\oracle\Documents\Visual%20Studio%202013\WebSites\WebSite4&applicationUrl=/

    Note: Your URL will differ slightly if you chose a port other than 8082 or saved the "Building ASP.NET Web Applications With Oracle Developer Tools for Visual Studio" OBE project to a physical path other than the one shown (e.g. C:\Users\oracle\Documents\Visual%20Studio%202013\WebSites\WebSite4).

    Note: If you are prompted for a username and password, enter your Microsoft Windows login credentials and click OK.

  4. The ASP.NET Web Site Administration Tool appears in a browser window. Select the Provider tab.

  5. On the Provider page, select the second link: Select a different provider for each feature (advanced).

  6. When the Provider page reappears, change the Membership Provider to OracleMembershipProvider and Role Provider to OracleRoleProvider and select the Security tab.

  7. Under the Users section in the Security tab, click Select authentication type.

    By default, the ASP.NET site uses Windows authentication to identify users. You are building a web site that will identify users by their site-specific logins and passwords. Therefore, the site must be configured to expect to use logins and passwords.

  8. Select From the internet and click Done.

  9. Select Create user.

  10. In the Create User section, enter your name and a password that contains at least 7 characters, including one non-alphanumeric character. Enter your email, and a security question and answer, then click Create User.

  11. The user account was created. Click the Security tab.

    Note: If you click Continue, you will be allowed to enter another user.

  12. Now there is one existing user. Under Access Rules, select Manage access rules.

  13. Select Add new access rule.

  14. Select the Data directory as the Default.aspx file is stored in the Data directory. That page's information is what we wish to secure. Select Anonymous users and Deny, then click OK.

    By default, anonymous access to the web site is enabled. The above settings secure the web site by disabling anonymous access to the Default.aspx page. Now, only authenticated users can view the employee data.

    The access rule was created successfully. The web site will now deny anonymous users access to the site.

  15. Now the user that was created needs to be granted access to the web site directory. Click Add new access rule.

  16. Click Search for users.

  17. Select the user you created (e.g. ashwin) and click OK.

  18. Make sure that the Data directory is selected and click Allow. Click OK.

  19. The user you created (e.g. ashwin) was granted access. Click Done.

  20. Close the browser.
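
The access rules from steps 14 to 19 expressed as configuration, as an added example that is not part of the original tutorial; it assumes the tool stores the rules in a web.config file inside the Data folder and uses the tutorial's sample user name ashwin. ASP.NET URL authorization stops at the first matching rule and otherwise falls back to the inherited default that allows all users, so a closing deny for all users is what keeps other authenticated accounts out of the folder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Data\web.config for the Data folder of this site.
     The user name "ashwin" is the tutorial's sample user. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are read top to bottom and the first match wins.
           Steps 14 to 19 produce rules equivalent to:
             deny  users="?"       (anonymous requests)
             allow users="ashwin"
           A different signed-in user matches neither rule, so the
           request falls through to the inherited default,
           allow users="*". -->

      <!-- Explicit allow for the one authorized account. -->
      <allow users="ashwin" />

      <!-- Catch-all deny: covers anonymous requests ("?") and every
           other authenticated user, so nothing reaches the inherited
           allow-all rule. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```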

Testing Web Site Authentication

Now that you have created a web user specific to this web site, the web site will allow this user access to the employee data and deny access to all other users, including anonymous users. In this section, you will attempt to access the employee data as an unauthorized user, as an authorized user with an incorrect password, and finally as an authorized user with the correct password. Only in the last scenario will the web site grant access to the employee data. Perform the following steps:

Note: Five or more consecutive invalid passwords entered for an ASP.NET provider user within a ten-minute period will lock the account to prevent unauthorized users from gaining access through password guessing. Oracle Membership Provider sets these security measures through the following properties, which you can modify in the machine.config file or web.config files: MaxInvalidPasswordAttempts (default: 5 attempts) and PasswordAttemptWindow (default: 10 minutes). If the account is locked, then you can unlock the user by calling the UnlockUser method.
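
A per-site override of the lockout and password settings named in the note above, as an added example that is not part of the original tutorial. The REPLACE_ME values are placeholders: copy type, connectionStringName and applicationName unchanged from the OracleMembershipProvider entry that the ODAC installation placed in machine.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-level web.config that redefines the membership
     provider registered in machine.config. -->
<configuration>
  <system.web>
    <membership defaultProvider="OracleMembershipProvider">
      <providers>
        <!-- Drop the inherited entry so the same name can be redefined. -->
        <remove name="OracleMembershipProvider" />

        <!-- Attributes left out here fall back to the provider defaults,
             not to the machine.config values, so state each one that
             matters. REPLACE_ME marks installation-specific values. -->
        <add name="OracleMembershipProvider"
             type="Oracle.Web.Security.OracleMembershipProvider, Oracle.Web, Version=REPLACE_ME, Culture=neutral, PublicKeyToken=REPLACE_ME"
             connectionStringName="REPLACE_ME"
             applicationName="REPLACE_ME"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
        <!-- maxInvalidPasswordAttempts: failures that trigger lockout.
             passwordAttemptWindow: minutes in which they are counted.
             Lowering the first or raising the second tightens the policy. -->
      </providers>
    </membership>
  </system.web>
</configuration>
```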

  1. Switch to Visual Studio. A message box will pop up stating that web.config has changed. Select "Yes" to accept the changes.

  2. Examine the Web.config in the editor. Note that several entries for Oracle providers have been added.

    Note: If you want to configure the Oracle providers differently for each web site (for example, changing password length requirements for the membership provider), you could do so by modifying the machine.config.

  3. Select Debug > Start Without Debugging.

  4. The Login web page appears.

  5. Enter a username and password different from those of the user you created earlier in the ASP.NET Web Site Administration Tool. Then click Log In.

  6. Notice that you receive an error indicating that the user you entered is not valid. The web site correctly denies access to the user.

  7. Enter the user name you entered in the ASP.NET Web Site Administration Tool but with an incorrect password for that web site user. Click Log In.

    As the screen shot indicates, the user is denied access, demonstrating that the control could not verify this user's credentials with those stored by the Oracle Membership Provider.

  8. Enter the correct username and password for the web site user. Click Log In. The employee data appears. This demonstrates that only authorized users can access the data. Thus, Oracle Providers for ASP.NET provided web site security in a very simple manner.

    You have now built a data-driven ASP.NET web application. It performs authentication and retrieves employee data from the database.

  9. Stop IIS Express by pressing Q.

Summary

In this tutorial, you have learned how to:

  • Create a login page using the standard login control
  • Enable Oracle Providers for ASP.NET and create a web user
  • Test web site authentication

Credits

  • Lead Curriculum Developer: Ashwin Agarwal
  • Other Contributors: Alex Keh, Christian Shay
