ASP.NET 2.0 & IIS 6.0 Folder Security. Directory Security

January 31, 2010 18:33 by XeroOne

ASP.NET 2.0 (and later) provides excellent built-in functionality for managing users, membership, and roles, which we've used in many of our projects to secure site administration portals, intranets, and more.  However, there is one major problem.

The Problem

ASP.NET does not handle folder-based security properly. By default, IIS only hands certain file types to ASP.NET's HTTP handler (aspnet_isapi.dll); a list of the file types and descriptions can be found here.  The web.config file allows you to specify which users and roles can access the files within a specific directory; however, because unsupported file types never reach the ASP.NET handler, those files are not protected by the rules at all.  For example, we used forms authentication to deny unauthenticated users access to our /Secure directory.  Thus http://www.XeroOne.com/secure/default.aspx is protected, but http://www.XeroOne.com/secure/not-secure.html is still accessible by anyone.

On Linux and Apache servers, the .htaccess file is a good solution for protecting entire directories, and it can be used in a Windows environment, but it is not a good solution in our case because it takes user authentication control away from ASP.NET Membership.  What we needed was a solution that allowed us to continue to use ASP.NET Membership to manage and authenticate our users, while also protecting non-ASP.NET files across an entire directory.

The Solution

There is no catch-all solution that will work in every scenario.  What we've developed is a GOOD system that handles the most common cases, and even a few of the more uncommon ones.  Our solution does require that you have access to IIS 6.0 administration in order to implement it.  If you're using a shared hosting environment, then our solution simply isn't for you.

In short, all we're doing is creating additional application extension mappings in IIS so that those file types are handed to ASP.NET, where the web.config authorization rules apply.  You'll need to determine ahead of time which file types you need to protect; for simplicity, this example shows how to add protection for .html, .pdf, and .doc.

Step 1: Add the IIS entries

  1. Open IIS 6.0, choose your virtual directory, and open the configuration properties window (right-click, choose Properties).
  2. Click on the "Home Directory" tab and click on "Configuration".
  3. Select the ".aspx" extension in the list, and click on the "Edit" button. Copy the path found in the "Executable" textbox (the path to aspnet_isapi.dll).
  4. Click on the "Cancel" button to close the "Add/Edit Application Extension Mapping" window.
  5. Click on the "Add" button in the "Application Configuration" window.
  6. Paste the copied path to aspnet_isapi.dll into the "Executable" text area.
  7. Type the extension you are adding into the "Extension" text area. This can be any extension you want, e.g. .html, .pdf, .doc, etc.
  8. Choose the "Limit to" radio button and type "GET,HEAD,POST,DEBUG" in the textbox.
  9. Ensure the "Script engine" checkbox is selected, and the "Check that file exists" checkbox is deselected.
  10. Click on the "OK" button to finalize the process and close the window.
  11. Repeat steps 5 - 10 for each file extension you will be adding.

Step 2: Update the application's web.config

  1. Open the web.config file for your application for editing.
  2. Find the <httpHandlers> section of the XML.
  3. Within this section, add the following entry for each file extension you added to IIS:
            <add verb="GET,HEAD,POST,DEBUG" path="*.html"
                     type="System.Web.UI.PageHandlerFactory"/>
  4. Note: replace "*.html" with whatever extension you are adding.
  5. Find the <compilation> section of the XML and ensure the definition appears as below:
            <compilation debug="false" strict="false" explicit="true">
  6. Within the <buildProviders> section, add the following entry for each file extension you added in IIS (without it, the page handler has no build provider for the extension and the request fails instead of serving the file):
            <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />


When you are complete, your web.config sections should appear as follows:

<httpHandlers>
        <add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.pdf" type="System.Web.UI.PageHandlerFactory"/>
        <add verb="GET, HEAD, POST, DEBUG" path="*.doc" type="System.Web.UI.PageHandlerFactory"/>
</httpHandlers>

and

<compilation debug="false" strict="false" explicit="true">
        <buildProviders>
                <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".pdf" type="System.Web.Compilation.PageBuildProvider" />
                <add extension=".doc" type="System.Web.Compilation.PageBuildProvider" />    
        </buildProviders>
</compilation>

That's it.  You're done!
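As an added example that is not part of the original post, the following Python script audits the web.config half of this setup against a listing of the protected folder and reports which files a forms-authentication deny rule on that folder actually covers. It applies the rule of thumb the post is built on: a file is protected only when IIS hands it to aspnet_isapi.dll and ASP.NET has both a handler mapping and a build provider for its extension. The built-in extension set is a constructed subset, the web.config and file names are constructed samples, and the IIS application-extension mappings from Step 1 still have to be confirmed in the IIS console, which the script cannot see.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Extensions IIS maps to aspnet_isapi.dll out of the box. A subset, constructed
# for this example; the authoritative list is the application-extension mapping
# in IIS (Home Directory -> Configuration).
BUILTIN_ASPNET_EXTENSIONS = {
    ".aspx", ".asmx", ".ashx", ".axd", ".ascx", ".asax", ".master", ".skin",
    ".config", ".cs", ".vb", ".resx", ".sitemap", ".browser",
}

# Constructed web.config: /Secure denies anonymous users, .html and .pdf were
# mapped to the page handler, but only .html received a build provider.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms" />
    <httpHandlers>
      <add verb="GET, HEAD, POST, DEBUG" path="*.html" type="System.Web.UI.PageHandlerFactory"/>
      <add verb="GET, HEAD, POST, DEBUG" path="*.pdf" type="System.Web.UI.PageHandlerFactory"/>
    </httpHandlers>
    <compilation debug="false" strict="false" explicit="true">
      <buildProviders>
        <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
      </buildProviders>
    </compilation>
  </system.web>
</configuration>
"""

# Constructed listing of the site (paths relative to the site root).
SAMPLE_FILES = [
    "Secure/default.aspx", "Secure/report.html", "Secure/contract.pdf",
    "Secure/notes.doc", "Secure/Archive/OLD.HTML", "Public/index.html",
]


def folder_denies_anonymous(config_xml, folder):
    """True if a <location path=folder> block denies anonymous ("?") or all ("*") users."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        if loc.get("path", "").strip("/").lower() != folder.strip("/").lower():
            continue
        for deny in loc.iter("deny"):
            if deny.get("users", "").strip() in ("?", "*"):
                return True
    return False


def handler_patterns(config_xml):
    """Path patterns that <httpHandlers> routes to ASP.NET's PageHandlerFactory."""
    root = ET.fromstring(config_xml)
    return [add.get("path") for section in root.iter("httpHandlers")
            for add in section.findall("add")
            if add.get("type", "").startswith("System.Web.UI.PageHandlerFactory")]


def build_provider_extensions(config_xml):
    """Extensions that have a PageBuildProvider registered."""
    root = ET.fromstring(config_xml)
    return {add.get("extension", "").lower() for section in root.iter("buildProviders")
            for add in section.findall("add")
            if add.get("type", "").startswith("System.Web.Compilation.PageBuildProvider")}


def classify(filename, patterns, providers):
    """'protected', 'mapped-no-build-provider', or 'unprotected' for one file."""
    name = PurePosixPath(filename).name.lower()   # IIS matching is case-insensitive
    ext = PurePosixPath(name).suffix
    if ext in BUILTIN_ASPNET_EXTENSIONS:
        return "protected"
    if any(fnmatchcase(name, p.lower()) for p in patterns):
        # ASP.NET authorization runs, but without a build provider the handler
        # raises an error instead of serving the file.
        return "protected" if ext in providers else "mapped-no-build-provider"
    return "unprotected"   # served straight from disk by IIS, no ASP.NET rules apply


def audit_folder(config_xml, folder, files):
    """Return {filename: status} for every file under folder; other files are ignored."""
    if not folder_denies_anonymous(config_xml, folder):
        raise ValueError(f"no <location path='{folder}'> deny rule for anonymous users")
    patterns = handler_patterns(config_xml)
    providers = build_provider_extensions(config_xml)
    prefix = folder.strip("/").lower() + "/"
    return {f: classify(f, patterns, providers) for f in files if f.lower().startswith(prefix)}


if __name__ == "__main__":
    for path, status in audit_folder(SAMPLE_WEB_CONFIG, "Secure", SAMPLE_FILES).items():
        print(f"{status:26} {path}")
```

Run against a real site, feed it the deployed web.config and a recursive listing of the secure folder; every "unprotected" line is a file that anonymous users can still fetch by URL, and every "mapped-no-build-provider" line is an extension where step 6 of the web.config changes was missed.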

Categories:       ASP.NET Membership | Security

Customizing the ASP.NET CreateUserWizard Control

May 29, 2009 16:54 by XeroOne

This is part two in a two part series on customizing the ASP.NET CreateUserWizard control.  To read part one, click here.

So far we've gotten the control built and we're able to create a user.  That's great, but for practical uses, we need to get a little bit more information about the user.

We're going to customize the <asp:CreateUserWizard/> control, using ASP.NET Profile provider and gather the users' name and address.  Let's look at the code:

[REMAINDER OF THIS POST WILL BE PUBLISHED SOON] 

UPDATE (6/22/2009): We apologize for the delay in updating this post.

After re-evaluating the customizations we needed to perform in order to get the <asp:CreateUserWizard/> control to behave as we required, we have decided to abandon the use of this control for this project altogether.

We recognize the extreme usefulness of this control in most scenarios; however, our requirements are not currently supported by it.  In the future we may choose to post an additional tutorial on customizing the wizard steps of this control, and we will link that tutorial with part one.  For now this tutorial is closed.

Sorry for the inconvenience.

Categories:       ASP.NET Membership

Customizing the ASP.NET CreateUserWizard Control

May 29, 2009 12:10 by XeroOne
ASP.NET CreateUserWizard

The <asp:CreateUserWizard /> control is another ASP.NET 2.0 feature that allows a web developer to quickly build a user registration form.

There are several ways to customize this control.  The default settings are shown here.  This article will cover how to customize both the operation and the style of this control.

First, let's look at the code used to build this, and the web.config settings:

ASPX page
<asp:CreateUserWizard id="CreateUserWizard1" runat="server">
    <wizardSteps>
        <asp:CreateUserWizardStep id="CreateUserWizardStep1" runat="server">
        </asp:CreateUserWizardStep>
        <asp:CompleteWizardStep id="CompleteWizardStep1" runat="server">
        </asp:CompleteWizardStep>
    </wizardSteps>
</asp:CreateUserWizard> 

Web.Config
<membership defaultProvider="AspNetSqlMembershipProvider">
    <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
       connectionStringName="connectionString"
       enablePasswordRetrieval="true"
       enablePasswordReset="true"
       requiresQuestionAndAnswer="true"
       applicationName="XeroOne"
       requiresUniqueEmail="true"
       passwordFormat="Hashed"
       maxInvalidPasswordAttempts="5"
       minRequiredPasswordLength="6"
       minRequiredNonalphanumericCharacters="0"
       passwordAttemptWindow="10"
       passwordStrengthRegularExpression=""
       type="System.Web.Security.SqlMembershipProvider"/>
  </providers>
</membership>

If you're not planning on allowing users to reset their own passwords, or to use an "I forgot" function, then you won't need to ask for a security question and answer.  These fields are easily removed by changing the web.config settings.

Web.Config
enablePasswordRetrieval="false"
enablePasswordReset="false"
requiresQuestionAndAnswer="false"

You can also force users to create a strong password by requiring a specific number of symbols in the password (minRequiredNonalphanumericCharacters), or optionally use a regular expression (passwordStrengthRegularExpression) to require, for example, at least one uppercase letter, one number, and one symbol.
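To show how those settings combine, here is an added Python example (not code from the post or from ASP.NET) that models the password checks SqlMembershipProvider makes when a user is created: minimum length, then the count of non-alphanumeric characters, then the optional strength regular expression. The provider entry and the candidate passwords are constructed for the example, and the regular expression is one possible pattern for "at least one uppercase letter, one number, and one symbol" using only lookaheads and character classes that .NET and Python regexes share.

```python
import re
import xml.etree.ElementTree as ET

# Constructed provider entry: tightened from the post's settings by requiring
# eight characters, one symbol, and a regex that also demands an uppercase
# letter and a digit.
SAMPLE_PROVIDER_XML = """
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         connectionStringName="connectionString"
         passwordFormat="Hashed"
         minRequiredPasswordLength="8"
         minRequiredNonalphanumericCharacters="1"
         passwordStrengthRegularExpression="^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$"
         type="System.Web.Security.SqlMembershipProvider"/>
  </providers>
</membership>
"""

# Constructed candidates, one per rule plus one that passes everything.
SAMPLE_PASSWORDS = ["short1!", "longpassword", "longpassword1!", "Longpassword1!"]


def load_policy(membership_xml):
    """Return (min_length, min_nonalnum, regex_or_None) for the default provider.

    The fallbacks are the SqlMembershipProvider defaults (7 characters, 1 symbol).
    """
    root = ET.fromstring(membership_xml.strip())
    name = root.get("defaultProvider")
    for add in root.iter("add"):
        if add.get("name") == name:
            pattern = add.get("passwordStrengthRegularExpression", "")
            return (int(add.get("minRequiredPasswordLength", "7")),
                    int(add.get("minRequiredNonalphanumericCharacters", "1")),
                    pattern or None)
    raise ValueError(f"provider {name!r} not found")


def check_password(password, min_length, min_nonalnum, pattern=None):
    """Return None if the password passes, otherwise the first rule it fails.

    Rules are applied in the order the provider applies them; a regex only adds
    requirements on top of the length and symbol-count settings, never relaxes them.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    symbols = sum(1 for c in password if not c.isalnum())
    if symbols < min_nonalnum:
        return f"fewer than {min_nonalnum} non-alphanumeric characters"
    if pattern and not re.match(pattern, password):
        return "does not match passwordStrengthRegularExpression"
    return None


def evaluate(membership_xml, candidates):
    """Map each candidate password to its failing rule (or None if accepted)."""
    policy = load_policy(membership_xml)
    return {pw: check_password(pw, *policy) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in evaluate(SAMPLE_PROVIDER_XML, SAMPLE_PASSWORDS).items():
        print(f"{pw!r:18} -> {verdict or 'accepted'}")
```

The useful thing to see is the third candidate: it satisfies the length and symbol-count settings but is still rejected by the regular expression, which is why a regex is the right place to add requirements (such as an uppercase letter) that the two numeric settings cannot express.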

Next, let's make this control blend in a little better with our site's theme, and change some of the messages.

ASPX page
<asp:CreateUserWizard id="CreateUserWizard1" runat="server"
         invalidPasswordErrorMessage="Password must be at least 6 characters.">
     <titleTextStyle CssClass="wizardTitle" />
     <labelStyle CssClass="wizardLabel" />
     <continueButtonStyle CssClass="wizardButton" />
     <createUserButtonStyle CssClass="wizardButton" />
     <wizardSteps>
         <asp:CreateUserWizardStep id="CreateUserWizardStep1" runat="server" 
              title="Create a new user account"> 
         </asp:CreateUserWizardStep>
         <asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server">
         </asp:CompleteWizardStep>
    </wizardSteps>
</asp:CreateUserWizard> 

I'm not forcing my users to register a strong password, so telling them they have to enter 0 non-alphanumeric characters seemed pointless. Use the InvalidPasswordErrorMessage property to change the message displayed to the user when their password doesn't meet your criteria. I also changed the title that tells the user what they are doing, using the CreateUserWizardStep's Title property.

Customizing ASP.NET CreateUserWizard

I'm also using my style sheet to define how to display the title, the label that is next to each textbox, and the create user and continue buttons.  You haven't seen the continue button yet because it is the second step in the create user process.  The options are limitless with CSS, but in this example, I changed the text color, made the title bold, left aligned the label text, and added a background image to my button.

There are plenty of other options that allow you to change the text, messages, and styles of the rest of the control, but these are the ones I find myself changing most often.

Part 2 of this tutorial will go over creating additional fields and using the ASP.NET Profile provider.  

Read Part 2: Customizing the ASP.NET CreateUserWizard Control >

Categories:       ASP.NET Membership | HTML & CSS

Creating ASP.NET Membership Tables

May 21, 2009 12:33 by XeroOne

The ASP.NET Membership provider makes it a piece of cake to add multi-user security to your web application.  There are a few steps involved in setting it up that aren't exactly obvious.  This article explains how to create the database tables and stored procedures in Microsoft SQL Server.

Open up a command prompt

Navigate to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\   

(the final directory may vary depending on your installation version of the .NET framework) 

The next step can be done in one of two ways.  You will be running the  AspNet_RegSql.exe utility.

To run in wizard mode, simply run aspnet_regsql.exe and then follow the prompts to create your database.

I prefer to automate this process.  To do so, all you need to do is provide the parameters to create the tables.  They are as follows:
  • -E = Authenticates using the Windows credentials of the currently logged-in user. 

  • -S localhost = runs against the local installation of SQL Server.

  • -d database = specify the database name to run against

  • -A all = the A option stands for "add", and the all parameter means install all features (Membership, Role management, Profile, Web Parts personalization, Web events)

So the final command should come out looking like:

aspnet_regsql.exe -E -S localhost -d database -A all


That's it.  Refresh your database and you should see all the new tables and stored procedures that were automatically created.  

To read the documentation on using the aspnet_regsql.exe utility visit: http://msdn2.microsoft.com/library/x28wfk74(en-us,vs.80).aspx

The next step is using these features.  I'll cover that in our next article.


Categories:       SQL Server | ASP.NET Membership

About the Author

XeroOne Systems
This blog is dedicated to the various topics surrounding web development, specifically using ASP.NET, C#, MS SQL, HTML & CSS, XML, and the many JavaScript frameworks currently available (MooTools, JQuery, Scriptaculous, Prototype, Ext.Js, etc..)
Periodically we will share our knowledge and experience through this blog. We may post code samples, tips and tricks, shortcuts and workarounds, our reviews of new web technologies, and (from time to time) unrelated anecdotes.
Please contact us if you have an idea or suggestion you'd like us to write about. If you like what you've read, be sure to subscribe to our blog using your favorite RSS reader.
