This blog has, IMO, some great resources. Unfortunately, some of those resources are becoming less relevant. I'm still blogging, learning tech and helping others...please find me at my new home on http://www.jameschambers.com/.

Wednesday, January 19, 2011

Built-In Authentication and Authorization Providers in ASP.NET with the MVC Framework

If you’re not already doing so, you should seriously be using the built-in Auth & Auth in ASP.NET. While the subject is fairly well covered, I continue to get several questions and comments related to creating accounts, logging in and permissions when talking with other developers. I am shocked at how many still roll their own authentication and authorization bits – often for no better reason than not knowing how great (and FREE!) the default providers are.

The Basics of Authentication and Authorization

There are two things you will need to do on most web sites with “account” functionality: identify existing users based on provided user names and passwords (authentication) and then express privileges to control access to protected resources (authorization).

These two facilities allow us to do some creative things, like showing different content to users when they are logged in, or to restrict and redirect requests based on the logged in user’s set of privileges.

In ASP.NET, Auth & Auth are Free

The first official, for-a-customer e-commerce web site that I notched on my belt was back in 1997. I spent days creating a system to log users in, store cookies (that I do not care to discuss security about!), store user information, track log-ins and the like.  Each page that I wanted to protect with security meant checking cookies for certain keys, looking those keys up, then checking against a static set of rules for permissions.  I spent weeks fixing the broken parts.  Because most of it was wrapped up in per-page scripts, I had to essentially recreate the whole mess when the customer decided they wanted to self-administer the storefront.

Today, so much of that mess is cleaned up for us.  I want to give you the steps to set up Authentication and Authorization in your next MVC web site.

  1. Open Visual Studio 2010 and create a new ASP.NET MVC 2 Web Application.

Yeup.  We’re done.

Walking Through What’s There


If you are familiar with the MVC pattern the default project is quite straightforward, but not entirely trivial.  There is no magic here, just convention and after working with the project for a few minutes you should be able to orient yourself.

The three basic concepts of MVC – Model, View and Controller – are expressed as classes and .aspx pages (as well as .ascx for partial pages and templates).  As part of the convention, each part has its own directory, and in the Views folder we have subfolders for each controller.

The Project Components

What is relevant to us today are the items related to user accounts. You can see that there is an AccountController for us as well as the classes we need to log a user on in AccountModels.  The Account subfolder in Views gives us four pages dealing with account creation, maintenance and sign on.  Finally, the Shared subfolder in Views has a LogOnUserControl that displays different content based on the authentication status of the user.

At this point, we’re actually still missing a couple of pieces.  If you drill into your App_Data directory you would find that there is no database to hold your account data.  Thankfully, we don’t need to do much to create one; namely, we just use the site.

The Registration Process

Press F5 to start debugging the application.  When the site opens up you’ll see the default master page and index in action.

Follow the Log On link up in the top right corner of the page.  This will take you to a page with a form to log on, but also a link to the registration page. Follow that, and create an admin account.

Once you’ve created your account you can return to the App_Data directory and see that the database has been created (you may need to click the show all button in the Solution Explorer).


Authorization In An Attribute

This is where the easy kicks in.

To add authorization to your application you can make use of the attributes available to us in the ASP.NET MVC Framework.  It is as simple as adding one line of code to your controller.

Let’s turn our about page into something that only authenticated users can view.


Perfect! The [Authorize] attribute describes the controller action as something that only users who have been authenticated can access.  And now, when we load up our site, if we try to navigate to the About page prior to logging in, we will be redirected to the login page.  To prove this, start debugging the site and add /home/about to your URL.  You’ll land on the log on page.

After logging in, you can see the About page in all its empty glory.  In fact, because your request was originally for the About page, the default AccountController pushes you through to that page once you’ve authenticated.


Some MVC Sweetness

Views in ASP.NET MVC inherit from the System.Web.Mvc.ViewPage object and therefore expose some interesting objects for us that we don’t have to work for to use.  Taking advantage of this fact allows us to shortcut to some features right in our views.

For example, the User object on our ViewPage allows us to test for authenticated users.

Or, we can test to see if they belong to roles in the ASP.NET membership/role provider.

While this can be super handy, it’s important to consider coding practices and whether or not your logic for such elements should be in your controller or your view.  This post will not enter that conversation, but it’s important to note that a similar roles-based approach is just as easy inside your controller.
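The attribute and User checks described in this section, as an added example rather than the code from the post's screenshots (which did not survive on this page). It assumes the HomeController of the default MVC 2 project; the "Administrators" role, the ManageUsers and Dashboard actions and the view names are hypothetical.

```csharp
// Added example, not the original post's code. The role name, the
// ManageUsers/Dashboard actions and the view names are hypothetical.
using System.Web.Mvc;

namespace MvcApplication1.Controllers
{
    [HandleError]
    public class HomeController : Controller
    {
        // No attribute: anonymous visitors may request this action.
        public ActionResult Index()
        {
            return View();
        }

        // Any authenticated user. An anonymous request is answered with
        // a 401, which forms authentication turns into a redirect to the
        // log on page, carrying the originally requested URL along.
        [Authorize]
        public ActionResult About()
        {
            return View();
        }

        // Declarative role check: the action body never runs unless the
        // caller is authenticated AND in the named role. Roles must be
        // enabled in the role provider for this to ever succeed.
        [Authorize(Roles = "Administrators")]
        public ActionResult ManageUsers()
        {
            return View();
        }

        // Imperative role check inside an action: every logged-in user
        // may call Dashboard, but the controller decides which view to
        // return based on role membership.
        [Authorize]
        public ActionResult Dashboard()
        {
            if (User.IsInRole("Administrators"))
            {
                return View("AdminDashboard");
            }

            return View("Dashboard");
        }
    }
}

// The same User object is available in a view (.aspx). These checks
// only decide what is rendered; they do not protect the target action.
// ManageUsers stays protected because it carries its own
// [Authorize(Roles = ...)] attribute above.
//
//   <% if (User.Identity.IsAuthenticated) { %>
//       Welcome back, <%: User.Identity.Name %>!
//   <% } %>
//
//   <% if (User.IsInRole("Administrators")) { %>
//       <%: Html.ActionLink("Manage users", "ManageUsers", "Home") %>
//   <% } %>
```

Hiding the link in the view keeps the page tidy for non-administrators, but a request typed straight into the address bar is stopped only by the attribute on the action.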

Oh Yeah, About Those Roles

The easiest way to get roles going would be to navigate to the ASP.NET Configuration site.  You can enable and define roles from there.

This built-in administration tool simplifies the process of enabling roles on your site, adding existing users to roles and/or creating roles and bringing in existing users.  It also allows you to add a role to a user as you create them.  It’s tidy and functional, but doesn’t have many bells and whistles.

This isn’t the best for a production environment as the ASP.NET Configuration site is not deployed when you publish your app.  One solution would be to use a community-based console to help administer the site post-launch such as this one.

Some Reading Homework

I recently had the privilege of working with one of the authors of this book (Stephen Walther) and I can attest to the fact that these guys know this stuff inside and out.

ASP.NET 4 Unleashed contains a ton of great information on using and abusing the .NET Framework when working on web applications, including a section devoted to the membership framework.

Conclusion

We’ve come a long way in web development.  Tasks that used to require “rolling your own” and a day or a week of dedicated time can now be reduced to simply clicking on “New –> Project”.

The beauty in that is the way that we can fully customize those bits, integrate them with our existing auth/auth stores and more.  We can choose our view engine (classic ASP.NET, MVC or now Razor).  We can integrate jazzy Ajax features through the fully supported jQuery libraries and its good-looking sister, jQuery UI.

It’s a good time to be a web developer.

Tuesday, January 18, 2011

Windows Phone 7 Wishlist

I have the Samsung Focus and am quite happy with the phone.  I’ve been using it for just about a week.  The device is the device and can’t change; it’ll be what I use for the next two years or so unless WP8 comes out and I can get a hardware upgrade.

However, this is still a first-generation iteration and there is room for improvement. Here are some things that I would like to see as far as changes to the platform go:

  • Give Canadians Zune Music in the Marketplace, as well as Zune Pass.
  • Build a way to keep the elegance of differentiation with email account notifications (on the lock screen) but unify the inbox. I am going to prototype what I would like to see here.  I want just one email tile on my home screen.
  • Copy and paste, as well as better cursor placement.
  • Let Canadian customers buy music in the Zune Marketplace, and let us purchase a Zune Pass.
  • I want a first-party app for Live Messenger that runs in the background and runs as quickly as email and text messaging.
  • Enable uploads for video to my Live account, Facebook and YouTube.  Give me an easy way to share (like, “Post to YouTube and Share on Facebook”).  Give me the option to only do this when I’m on WiFi (but to queue it when I’m not).
  • Finally, make music from Zune available for purchase to Canadian customers (and enable Zune Passes in Canada, while you’re at it!).

The first update to WP7 is rumored to be coming in the next few weeks.  I am looking forward to seeing what on my list makes the cut.

Monday, January 17, 2011

Got My Phone–Samsung Focus

It took a bit of wheeling and dealing – I had three cell phone contracts for my wife and I – but I was able to lock down this little beast of a phone this weekend.

I had a WinMo 6.5 phone with another carrier, and two flip phones with Rogers here in Canada.  I had to dump my other contract, which cost me $150, and then pay $99 to upgrade my flip phone to the snazzy little Windows Phone 7 number from Samsung.

Though I am a software developer, I am writing this review as a user and trying not to pay attention to the elements I would normally focus on as someone in the development camp.

First Impressions

I have to admit: I’ve long been a WinMo user, so I had really low expectations going into this phone.  When I picked it up and tried it at the booth in the mall I was looking for something not to like.

I got locked into my last smart phone contract before the iPhone had any decent corporate email and calendaring support (and those who follow know my history with Apple anyways) so my choices back then were quite limited.

But I was refreshingly surprised.  The interface was speedy, swipey, flippy, crisp, and that really lured me in.  I entered into Operation Crapdump: getting rid of my old WinMo 6.5 device and jumping into the new now.

The Device Itself

This is a lightweight phone, easy to hold.  I have big man-hands, and it is on the upper-end of wide when you’re holding it to talk, but it’s no wider than an iPhone.  I’ve only had it for a couple of days, but it has not been awkward to hold, use or store in my pockets.

The battery judgement will have to come later, as I’ve only had the phone for a few days, but it’s lasted now almost 90 hours without much charging (I charged it when I got it, then had it plugged in a couple of hours while I was pooting around in Zune).

The screen is great – big, sharp, contrasty, good colors.  My wife thinks her iPod Touch looks like a relic next to this.  When we pulled up the same photos on Facebook and held the devices side-by-each, the difference was startling.  Black is black, white is white and the colors POP off the screen.  I absolutely love how good this phone looks.

The touch experience is different than iPhone/iPod.  I haven’t used it enough to say I have a preference either way, but I don’t mind it.  It’s less ‘pressy’ than iPhone and more ‘tappy’.  You also get a little vibration from the device to confirm button presses taps.

The camera on the device takes reasonably good pics and I love having the video handy as well.  My HTC Touch Diamond took “okay” pictures, but the video the device captured wasn’t worth the boot time of the video camera on the device.  I already have a Grammy-winning prize video of my daughter off the Focus, and I’m about as un-biased as they come. ;o) 

I’ve heard that on some other brands running WP7 the camera and screen aren’t that great, but the Focus really shines well here for a 1st generation phone.

My only complaint is more related to my previous phone, which trained me that the manufacturer logo is at the bottom of the screen.  Every time I pull the thing out of my pocket it’s upside down and I’m looking for the power button before I realize what I’m doing.

The Windows Phone 7 Platform

I have to say that I am really impressed with what I’ve seen, with a few caveats.  The minimum specs and the way the framerate is locked at 60fps will make any phone on the OS nice and snappy.  The very quick boot (though nearly irrelevant in my always-on world) is such a difference from the 1m30s + boot times I’m used to.

Back to the camera quickly…I think it was a really good choice to make some vendor-level requirements and have the device respond quickly to a held-in camera button.  If you’re not familiar with this feature, basically, whatever state your device is in (locked, phone call, playing a game) if you press and hold the camera button for about 2 seconds the camera flips on.  Again, less than 4 days in, but I’ve used this feature half a dozen times already. 

The look-and-feel of the phone is driven by the Metro UI and a custom font that is reportedly inspired by Verdana.  Everything is flippy and slick.  Things peel away in 3D and slide around nicely.  There are some great design elements here.

Pinning is great and can’t really be explained without some video.  This is the feature that lets you put important people, apps or deep links onto the home screen.

The home screen itself I’m a little mixed on.  At first it was great…there was enough there to be functional and show off push-enabled tiles and the likes, but as I pin more and more things, it’s getting a little long.  You can leave apps off the home screen and just in the apps page (a right-to-left swipe of the home screen) but with only the two options I think there is definitely room for some organizational improvements.  My hope in this regard is that they are able to maintain the truly awesome Metro interface.

Finally, the apps.  They’re coming, but there’s not a lot there yet.  I’ve picked up a few and will post on those later.  The Marketplace is easy to navigate and uses the integrated search button on the phone, but I think it’ll also need some improvements when the volume of apps goes up.

The Ecosystem

I get it now.  Xbox changed.  Messenger changed.  Zune changed.  And now, they all look the same as Windows Phone 7.  Though I hadn’t really used Zune too much prior to getting the Focus, I knew exactly what to do just by loading it up. 

It is very natural to move between these devices and applications and I think that Microsoft has done a better job at this than any other vendor.  Apple, for example, has their Apple TV, their iOS stuff and the Mac platform, and it doesn’t feel the same at all. iTunes feels nothing like the iPod touch or iPhone.  This is where the unified UI really works for Microsoft…Zune looks like it could run on the WP7 phones.  Apparently the other vendors have noticed, too, as Apple preps to overhaul Mac OS to look more like iOS.

The Zune software is slick and easy to use.  In a few minutes I had podcasts and playlists set up.  I burned several CDs and set up wireless syncing.  I also browsed through some movie rentals, was able to view my points balance and check out apps in the Marketplace.

Using Windows Live ID for me worked really well as I’m an Xboxer and I use Live Messenger and Hotmail.  With Xbox live and Zune and the phone and everything synced to the cloud, I’m really liking the experience so far but have yet to push it to its edges.

Things I don’t Like

“Hello?  Microsoft?  Yeah, this is Canada calling.  Please give us the Zune Music Marketplace.  And Zune Pass. Please.”  And I’m very serious about this.

That’s right, fellow Canucks, no music store. Lamers to the max extreme. 

Again, one thing I’m kind of torn on is messaging all in one place.  I would also like to see a unified inbox, though I do like the way I am able to differentiate between email accounts on the home screen.

Conclusion

This phone and platform is a different experience.  It doesn’t behave like an Android or an iPhone.  If you go into something expecting it to work like something else you know – as though the other one was better simply by definition of its creation – you will never be impressed with other items in the same commercial space.  You will also be labeled a fan boy.

I am pleasantly surprised by this device.  I am happy to be a (relatively) early-adopter but I am looking forward to the updates and some of the features down the road.  My hope is that Microsoft rolls out features and updates early and often and continues to accept consumer feedback.

I suspect that any non-smartphone user would be excited about this phone, as well as any of the early iPhone users.  My iPhone friends and non-smartphone users are all really impressed with the phone (especially the screen).

If it is time to upgrade, you may wish to wait until later in the year, but if you pick up the Focus right now I don’t think you’d be disappointed.  If you use Hotmail, Live and have an Xbox, you’ll be geekin’ out.

Thursday, October 28, 2010

Visual Studio 2010 Wishlist – Better Collapsing Region Support

Here it all is, in one picture: everything that could be better with Visual Studio 2010’s collapsing helpers.


1) XML Comment Block Collapsing

Visual Studio has had great support for XML commenting for some time, specifically with the triple slash to quickly document existing functions.  Which is why this sucks so bad.

Summary?  Seriously?  I don’t need to know what the first tag is in my comment block.  The IDE already knows to treat these blocks differently (it allows you to collapse them), so why not show me something useful?  Even the first 40 chars followed by a … would be great.  Keep it on a line, that’s why I collapsed it, but let me see what it’s about.

End of rant.

2) and 4) Contiguous Comment Lines

Here I have a series of comments one after each.  I’d like to be able to collapse them.

3) and 5) Language Constructs

This should be a no-brainer.  Ifs, for eaches, trys, fors…they should all be collapsible.

Further, how about supporting SHIFT + CTRL + ‘+’ and ‘-’ to handle this one.  What’s that? You’re in a for each?  No worries, let me collapse that for you quickly while you figure out context, then you can easily expand back out!

That would be sweet.

6) Arbitrary Selection

When I margin-select, or multi-line select any block of code, I would like to see a collapse marker appear in the margin.

But it’s all good…

The truth is that I am so completely fortunate to have the means to work on a big fat 24” monitor and I am not challenged with space. 

Just about, but not quite.

I can still use CTRL+Mouse Wheel to zoom in/out and I do have 3 screens in front of me (one 1900x1200 and two 1280x1024) for real estate.  When things get really tight, vertically, I can always resort to using auto-hide on my error list.  Pshshh!  I don’t have any errors anyways!

I can work through the lack of support for these collapsing features, but I don’t envy the fellah who’s got to work on a smaller screen.  In spite of the level of awesomeness in Visual Studio 2010, I love how many good things must be coming down the road.

Friday, October 8, 2010

Unravelling the Data – Ill-Formatted Data

 

Read the background to this post.

When Bad Data Is Required

Fixing the data in the legacy system was not something that could be done in place.  What I would refer to as ‘bad’ data was in some cases the glue that held reports together and made things like billing work.

This was one of the first things I had to resolve.  My original approach was that I was going to try to “self-heal” the data through a combination of regular expressions, string replacements and templated hints and helpers.  With the sheer number of discrepancies, this approach was DOA, and manual intervention was required.

A Side Order of Data Fixin’

I took a snapshot of the database and added additional columns to the tables where combined data was present.  To understand ‘combined data’ a little background will help.

At various points in the application lifecycle the management had decided that they weren’t going to use the fields for their original purpose and started using them for a new one.  In other scenarios, they decided to use the fields in one context for some customers and in a different context for other customers.

Depending on the customer and how long it took employees to shake old habits, these fields were used in differing ways over extended periods of time.  Furthermore, even if there was a clear drawing point, none of the records in the database have a last modified date or any kind of audit log that reveals when a customer record is modified (in a meaningful way).

Thus, my side order approach faced another problem: there was no clear cut of the data and the existing applications needed to keep running.  A snapshot of data today wouldn’t help in the transition 6 months down the road.

The Birth of the Transition Platform

The solution was to create an ASP.NET MVC application, hosted only on the intranet, that used much of my original approaches to identifying bad data, but left the “healing” to an end user.

Where possible, I used jQuery to look up context-based fixes through controller actions and mashed-up some save functionality by POSTing to the legacy ASP pages of the original application.  Where it wasn’t possible (where functionality would be affected by changes to data) I created proxy tables to house the ‘corrected’ version of the data and wrote some monitors to periodically check to make sure that data was up-to-date.

I grouped functionality of the fixes into distinct controllers.  For instance, anything related to a billing address was in the BillingAddressController with actions to support the corrections required for errors related to that piece. The models focused on model-view versions of the “bad data” and I used repositories to not only connect to the legacy system, but also to maintain a worklog of outstanding and completed tasks.

This worked great, as I was also able to say, at any given point, where we were at percentage-wise for correcting any set of data.

This process continues on today, and time is devoted to cleaning data each week.  All three of the legacy systems continue to get (mis)used, though accuracy has been greatly improved.  As users became aware of expected formats they also became more conscious of how they were entering the data into the older software.

This first win made the next steps more plausible.

Next up: Data that Could be Auto-Corrected

Thursday, October 7, 2010

Where are we Taking this Thing?

In a way, I have been a linguist and advocate of literacy for most of my life, but perhaps not as you would expect. 

I started copying programs from books and magazines when I was 4 years old.  I started writing my own code when I was about 7.  As I gained a greater knowledge of computer programming my concern also grew about how others would learn.  As technology has advanced and the topics in computer science become "solved", the underlying complexities have also grown and I worry that we are raising a generation that will not be equipped to deal with the emerging languages.

In fifth grade I wrote a text-based choose your own adventure game on the Commodore 64 and brought my creation to school.  My classmates could put their own names in and play along, choosing their way through my somewhat limited and unoriginal stories. I stood back in the computer lab and watched as they played; they were fascinated!  I remember my teacher, Mr. Pugh, came over and said, "You know, James, most of them won't understand what you've done."

When we wanted to see graphics on the screen as a kid, I set array values mapped to registers in the video memory that would turn a pixel on and off on the screen.  We programmed the hardware. We “mapped bits” and created “bit maps”.

Today, with a single line of code, we can bring a myriad of pixels to life with vibrant color and movement and full-screen HD video streaming across a network we don't even own.  What you tell the computer to do is no longer what the computer is doing: it's doing much, much more and it doesn't require of you a greater understanding.

Here's an excerpt from Douglas Rushkoff's new book, Program or be Programmed:

When human beings acquired language, we learned not just how to listen but how to speak. When we gained literacy, we learned not just how to read but how to write. And as we move into an increasingly digital reality, we must learn not just how to use programs but how to make them.

In the emerging, highly programmed landscape ahead, you will either create the software or you will be the software. It’s really that simple: Program, or be programmed. Choose the former, and you gain access to the control panel of civilization. Choose the latter, and it could be the last real choice you get to make.

I don't necessarily buy into the doomsday duality scenario of zombies and computer programmers, but there is some truth in there and I wonder what it holds as outcomes for humanity and culture.

Wednesday, October 6, 2010

Unravelling the Data – Understanding the Starting Point

So, we’re now into October and the year is passing quickly.  The major function of my employment – helping the organization flip to a new operations platform – is nearing completion.  As well, I have just wrapped up an 11 week series of articles with a publisher that I am very excited to share (but have to wait a little still!).  The articles explain my rarity here on my blog, but I am glad to have some time to invest in this again…especially with the release of the MVC 3 framework!

What I Actually Do

My current work – at its core – is a data conversion project, but don’t let the simplicity of that synopsis fool you.

The reality is, when it comes to inventory, billing, service and customer management, that when you flip the company’s software the data conversion is the easy part. 

Often, it’s the process changes that can cripple the adoption of a new platform, especially when you’re moving from custom developed software and moving to an off-the-shelf product.  Change can be very hard for some users.

I have the good (ha!) fortune here of working through both data and process transformations.

The Transition Platform

Being the only developer on the project – and in the organization – I do have the pleasure of being able to pick whatever tools I want to work and the backing of a company that pays for those tools for me.

If you’ve ever hit my blog you know that I am a huge fan of the .NET Framework and the ecosystem that you get to be a part of when you develop software within it.  The tools have come so far in the last decade that you would not even believe that the same company made them.

Great progress has been made – albeit at times slower than other vendors in certain areas.  But with Visual Studio 2010 (which I switched to halfway through the project) and the MVC Framework I was literally laughing at how trivial some of the tasks were rendered.

The vertical nature of a development environment and a deployment environment that are designed to work together make things even that much more straightforward.

It is important to note that my development over the last year was not the end to the means.  What I produced was simply a staging platform that would facilitate a nearly-live transition to the target billing and customer management system.  My job, done right, would leave no end-user software in use.

Onto The Problem with the Data

Not all data is a nightmare.  A well-normalized database with referential integrity, proper field-level validation and the like will go a long way to helping you establish a plan of action when trying to make the conversion happen.  Distinct stored procedures coupled with single-purpose, highly-reusable code make for easily comprehended intention.

Sadly, I was not working with any of these.  The reality is that I was faced with the following problems opportunities that I had to develop for:

  • There are over 650,000 records in 400 tables. This is not a problem in and of itself, and it’s not even a large amount of data compared to projects I’ve worked on with 10’s of millions of rows.  It likely wouldn’t be a problem for anyone, unless they had to go through it line by line…
  • I had to go through it line by line.  Sort of.  There were several key problems with the data that required careful analysis to get through like dual-purpose fields, fields that were re-purposed after 4 years of use, null values where keys are expected, orphaned records. 
  • The data conversion couldn’t happen – or begin to happen – until some of the critical issues were resolved.  This meant developing solutions that could identify potentially bad data and providing a way for a user to resolve it.  It also meant waiting for human resources that had the time to do so.
  • The legacy software drove the business processes, then the software was shaped around the business processes that were derived from the software.  This feedback loop led to non-standard practices and processes that don’t match up with software in the industry (but have otherwise served the company well).
  • Key constraints weren’t enforced, and there were no indexes.  Key names were not consistent.  There were no relationships defined.  Some “relationships” were inferred by breaking apart data and building “keys” on the fly by combining text from different parts of different records (inventory was tied to a customer only by combining data from the customer, the installation work order and properties of the installer, for example).
  • The application was developed in classic ASP and the logic for dealing with the data was stored across hundreds of individual files.  Understanding a seemingly simple procedure was undoubtedly wrapped up in hundreds of lines of script, sometimes in as many as a dozen different files.

Mashing Up Data

The items listed above were all significant challenges in-and-of themselves, but the reality is that these are just a sample of the problems opportunities, from just one system.  I had three to work with, and all were joined by a single, ASP script-generated key.  If you just threw up in your mouth a little bit, I forgive you.  I did the same when I saw that, too.

Worse, the key was stored as editable text in all three systems.  Because of a lack of role- and row-level security, someone working their second day at the company could change the key or switch keys between users.  It was a little scary.

And I can’t imagine a manager in the world who likes to hear, “Hey, I’m going to just take three unrelated sets of data, mash them up and let you run your business on it, mmmkay?”  Obviously a better approach was needed.

Now, Here’s How I Got Through

It took over a year, but I am now close enough to the finish line that I could throw a chicken over it.  In post-mortem fashion, I’ll talk about each of the challenges I had to work through, and how I tackled them over the next few posts.

Stay tuned for: Ill-Formatted Data