How to: Use the ASP.NET Membership Provider
The ASP.NET membership provider is a feature that enables ASP.NET developers to create Web sites that allow users to create unique user name and password combinations. With this facility, any user can establish an account with the site, and sign in for exclusive access to the site and its services. This is in contrast to Windows security, which requires users to have accounts in a Windows domain. Instead, any user that supplies his or her credentials (the user name/password combination) can use the site and its services.
For a sample application, see Membership and Role Provider. For information about using the ASP.NET role provider feature, see How to: Use the ASP.NET Role Provider with a Service.
The membership feature requires using a SQL Server database to store the user information. The feature also includes methods for prompting with a question any users who have forgotten their password.
Windows Communication Foundation (WCF) developers can take advantage of these features for security purposes. When integrated into an WCF application, users must supply a user name/password combination to the WCF client application. To transfer the data to the WCF service, use a binding that supports user name/password credentials, such as the WSHttpBinding (in configuration, the <wsHttpBinding>) and set the client credential type to UserName. On the service, WCF security authenticates the user based on the user name and password, and also assigns the role specified by the ASP.NET role.
WCF does not provide methods to populate the database with user name/password combinations or other user information.
To configure the membership provider
In the Web.config file, under the <system.web> element, create a <membership> element.
Under the <membership> element, create a <providers> element.
As a child to the <providers> element, add a <clear /> element to flush the collection of providers.
Under the <clear /> element, create an <add> element with the following attributes set to appropriate values: name, type, connectionStringName, applicationName, enablePasswordRetrieval, enablePasswordReset, requiresQuestionAndAnswer, requiresUniqueEmail, and passwordFormat. The name attribute is used later as a value in the configuration file. The following example sets it to SqlMembershipProvider.
The following example shows the configuration section.
<!-- Configure the Sql Membership Provider --> <membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15"> <providers> <clear /> <add name="SqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="SqlConn" applicationName="MembershipAndRoleProviderSample" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" /> </providers> </membership>
To configure service security to accept the user name/password combination
Add a <wsHttpBinding> to the bindings section. For more information about creating an WCF binding element, see How to: Specify a Service Binding in Configuration.
Set the mode attribute of the <security> element to Message.
Set the clientCredentialType attribute of the <message> element to UserName. This specifies that a user name/password pair will be used as the client's credential.
The following example shows the configuration code for the binding.
<system.serviceModel> <bindings> <wsHttpBinding> <!-- Set up a binding that uses UserName as the client credential type --> <binding name="MembershipBinding"> <security mode ="Message"> <message clientCredentialType ="UserName"/> </security> </binding> </wsHttpBinding> </bindings> </system.serviceModel>
To configure a service to use the membership provider
As a child to the <system.serviceModel> element, add a <behaviors> element
Add a <serviceBehaviors> to the <behaviors> element.
Add a <behavior> of <endpointBehaviors> and set the name attribute to an appropriate value.
Add a <serviceCredentials> to the <behavior> element.
Add a <userNameAuthentication> to the <serviceCredentials> element.
Set the userNamePasswordValidationMode attribute to MembershipProvider.
If the userNamePasswordValidationMode value is not set, WCF uses Windows authentication instead of the ASP.NET membership provider.
Set the membershipProviderName attribute to the name of the provider (specified when adding the provider in the first procedure in this topic). The following example shows the <serviceCredentials> fragment to this point.
The following code shows the configuration for a service that uses the ASP membership feature.
<?xml version="1.0" encoding="utf-8" ?> <configuration> <system.serviceModel> <services> <service behaviorConfiguration="MyServiceBehavior" name="Microsoft.Samples.GettingStarted.CalculatorService"> <endpoint address="http://microsoft.com/WCFservices/Calculator" binding="wsHttpBinding" bindingConfiguration="MembershipBinding" name="ASPmemberUserName" contract="Microsoft.Samples.GettingStarted.ICalculator" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="MyServiceBehavior"> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> <bindings> <wsHttpBinding> <binding name="MembershipBinding"> <security mode="Message"> <message clientCredentialType="UserName" /> </security> </binding> </wsHttpBinding> </bindings> </system.serviceModel> </configuration>