How to use my own database with SimpleMembership and WebSecurity? What is MVC4 security?

I read everything in this thread that I could find, including MSDN articles and SO posts, but I'm still very lost and confused.

Questions

Please answer the following (briefly, if possible):

  • What is SimpleMembership / SimpleMembershipProvider (WebMatrix.WebData) and what is it / are they responsible for?

  • What is WebSecurity (WebMatrix.WebData)?

  • What is the Membership class (System.Web.Security)?

  • Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

  • What is the UsersContext class?

  • How do they all work together to authenticate the user?

My position

These questions then lead to the following problem:

Suppose I have an existing database with users (identifiers, usernames, passwords). I am creating a new MVC4 application and using forms authentication. User passwords are stored in the database in encrypted form (not bcrypt).

What do I need to do to make it work with MVC4?

Do I need to create a custom MembershipProvider?

My knowledge so far

As I understand it, WebSecurity is a static class (Module) that interacts with MembershipProvider. MembershipProvider is a class that explains how certain functions work, such as ValidateUser, CreateUser, ChangePassword.

To solve my problem, I assume that I need to create my own MembershipProvider and tell WebSecurity to use my new MembershipProvider.

The bounty?

I put a bounty on this question and intend to award it to Andy Brown for an outstanding answer.

+58
asp.net-mvc-4 forms-authentication asp.net-membership simplemembership membership-provider
May 23 '13 at 1:08
1 answer

See the brief summary under each quoted question for a quick answer, and the paragraphs under "Detail" for more. Also see the "References" section at the end for authoritative sources.

Summary

1. What is SimpleMembership / SimpleMembershipProvider (WebMatrix.WebData) and what is it / are they responsible for?

SimpleMembership (a term that encompasses both SimpleMembershipProvider and SimpleRoleProvider ) is responsible for providing a clean and fast way to implement an 80% plug and play authentication and authorization scheme with secure storage of passwords that anyone can use.

2. What is WebSecurity (WebMatrix.WebData)?

WebSecurity is a helper class for common membership tasks that works with Membership and OAuthWebSecurity . Roles are still available separately through Roles .

3. What is the Membership class (System.Web.Security)?

Membership is a static class from the original ASP.NET membership implementation that manages user settings and operations. Many user operations are still performed here, rather than being repeated in WebSecurity . They both use the same provider of your choice.

4. Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

The two tables perform different functions. The webpages_Membership schema is managed by the framework and is used for credentials; the UserProfile schema is controlled by us and is used for any properties that we want to store against the user.

5. What is the UsersContext class?

This is a DbContext (part of the DbContext API), which is provided as a starting point by the MVC Internet application template. Its only job is to contain the UserProfile class so that we can work with it (for example, through InitializeSimpleMembershipAttribute).

6. How do they all work together to authenticate the user?

This should be obvious from the summaries above and the detail below. Use: WebSecurity for common tasks; UserProfile for properties you want to store against the user, accessed through UsersContext (in the Visual Studio "MVC Internet Application" template); Membership when WebSecurity or OAuthWebSecurity does not have a method; and Roles for roles. Use the VS template controller to see usage examples.

Edit: in case anyone got this far

Suppose I have an existing database ...

If you have an existing database and your only reason to write a custom membership provider is to deal with your well-established way of storing passwords, you can use a workaround. This will only work if you can move away from the old password store to the SimpleMembership algorithm (which uses the Rfc2898DeriveBytes class). See the footnote for more details.

If you cannot move away from it, then yes, you will need to create your own provider in order to use your special password algorithm, which you can do by deriving from SimpleMembershipProvider.

NOTE: SimpleMembershipProvider will HASH your passwords, not ENCRYPT them. If you don't know the difference and why it is important, think twice before creating your own user-security provider.




Detail

1. What is SimpleMembership / SimpleMembershipProvider

To understand how it all fits together, it helps to understand the history.

  • ASP.NET introduced ASP.NET Membership System in 2005
  • This system used providers to abstract implementation details from common interfaces used to manage accounts and roles, etc.
  • It also gave us the basic "user profile" feature (stored in a single column of an xml field, which people generally avoided)
  • SimpleMembership was released worldwide in 2010 as a provider that connects to the ASP.NET membership system, but also allows the use of OAuth authentication and a user profile store for each column (instead of using a single column store in the original implementation).
  • SimpleMembershipProvider implements ExtendedMembershipProvider to extend the original provider implementation

It is open source on CodePlex (mirrored on GitHub). As for security, you can evaluate the code yourself, clone it, modify it, etc. You must take your own view of the advantages and disadvantages of open source security, and season it with a pinch of NIH. (Personal view: sometimes I use it, sometimes I don't.)

ExtendedMembershipProvider itself adds commands like GeneratePasswordResetToken to the old membership provider APIs.

2. What is WebSecurity (WebMatrix.WebData)?

WebSecurity is just a facade or helper class to provide easy access to SimpleMembershipProvider and make simple tasks easy and accessible in one place. This also helps because extending the original framework through ExtendedMembershipProvider means that some of the original classes, such as Membership, are not enough. Examples:

  • WebSecurity.CurrentUserName - gets the name of the currently logged-in user
  • WebSecurity.CreateUserAndAccount - creates a user and sets the user profile properties at the same time (for example, WebSecurity.CreateUserAndAccount(userName, pw, new { Email = model.Email }))
  • WebSecurity.InitializeDatabaseConnection - quickly configures a new / existing database for use with membership, lets you choose the user ID column and the user natural key column, etc.
  • ResetPassword - resets the user password, GeneratePasswordResetToken and much more

These methods generally defer to the provider you use; they do not depend only on SimpleMembership, but also bring together objects such as your provider and Membership to provide a common point for performing membership functions.

Note that there is also OAuthWebSecurity , which is equivalent to WebSecurity for OAuth authentication.

3. What is the Membership class (System.Web.Security)?

Membership is from the original implementation; it manages user settings and performs user-related operations using the basic implementation of MembershipProvider, which ExtendedMembershipProvider now extends. This is a static class, so it is available wherever you declare the namespace, and is therefore a simple way, for example, to retrieve the current user: Membership.GetUser

There is confusion caused by WebSecurity doing some things, not others, and Membership doing some things, not others. If you look at WebSecurity as a toolkit for higher-level operations and Membership as a toolkit for doing something for the user, you'll be fine; they work together with your provider.

4. Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

  • webpages_Membership is a table with a fixed schema that we leave alone and allows the provider to perform basic operations with the account, mainly storing credentials.
  • UserProfile is a table that we configure to store information against a user account, and provide it in a strongly typed format through the UserProfile class.
  • There is an extra table called webpages_OAuthMembership , which does the same work as webpages_Membership , but for the OAuth login providers you want to integrate with.

The magic of this setup is that one user can have a membership login on your own site, and any number of OAuth logins with different providers, such as Google and Facebook, and they all share a common profile stored in UserProfile.

Usually, if the table name starts with webpages_, it means that there is an API to access it. The UserProfile table is represented by the UserProfile class in your UsersContext (if you are using the default MVC Internet application template). Therefore, we access it using the usual methods that we would use with any class contained in a DbContext.

UserProfile is very convenient for code-first work: you can add columns (for example, the email address of the user), and then configure a migration to include this column in your database in the next version (if you like to use migrations). In fact, the UserProfile table does not have to be called that: you can change it using the call to WebSecurity.InitializeDatabaseConnection, [Table("UserProfile")] public class UserProfile and your own migrations.

5. What is the UsersContext class?

This is from the MVC Internet application template provided by Visual Studio's New Project. The first thing I do is make sure that it shares a common connection string with my own database context (provided that the membership tables are in the same database). You can change this and separate them later if you want.

You do not need to keep it separate from your own context - this is only necessary if you want to store membership information in another database now or in the future. If you get rid of it, you can simply change the references to UsersContext to your own context, adjusting Database.SetInitializer.

References:

Using SimpleMembership with ASP.NET Web Pages - Matthew Osbourne - This is the original link to SimpleMembership, and what it is, why it is and what it does:

MSDN - Introduction to Membership - Membership is still the foundation of SimpleMembership, so it helps to understand a little about it.




EDIT Footnote: Details on how to do the password upgrade

  • Add a property to UserProfile which stores which password version the account is on (for example, 1 for legacy, 2 for SimpleMembership).
  • In the "Login" action, write the code so that:
    • If they are on your SimpleMembership password version, you log them in normally.
    • If they are on the old password version, you:
      • check it using the old method
      • if it is correct, you reset using ResetPassword, then ChangePassword to use the SimpleMembership version; this will update the field to the new password version
      • and finally update the password version on UserProfile
  • Update any other AccountsController methods that use the password in the same way.
  • Live with a hacked workaround and a link to the webpages_Membership table, which we should not touch, since you did not need to write a new custom provider.

All of this can be made transactional using TransactionScope. The only unpleasant thing is the extra code in the controller and the link to webpages_Membership.

+178
May 24 '13 at 12:10
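
A sketch of the upgrade-on-login flow from the footnote, added here as an example and not code from the answer or from the SimpleMembership project. `PasswordVersion`, `ILegacyPasswordCheck` and `MigratingLogin` are hypothetical names, `UsersContext` / `UserProfile` are the MVC4 template classes with an `int PasswordVersion` property added, and it uses `WebSecurity.GeneratePasswordResetToken` plus `WebSecurity.ResetPassword(token, newPassword)` instead of a separate `ChangePassword` call.

```csharp
using System.Linq;
using System.Transactions;
using WebMatrix.WebData;

// Hypothetical wrapper around the old scheme's password check.
public interface ILegacyPasswordCheck
{
    bool Verify(string userName, string password);
}

public class MigratingLogin
{
    // Hypothetical version numbers, as in the footnote: 1 = legacy, 2 = SimpleMembership.
    private const int Legacy = 1, SimpleMembership = 2;
    private readonly ILegacyPasswordCheck _legacy;

    public MigratingLogin(ILegacyPasswordCheck legacy) { _legacy = legacy; }

    public bool Login(string userName, string password, bool persistCookie)
    {
        using (var db = new UsersContext())
        {
            var profile = db.UserProfiles.SingleOrDefault(u => u.UserName == userName);
            if (profile == null) return false;

            if (profile.PasswordVersion == Legacy)
            {
                // Only a password that passes the old check may be re-hashed.
                if (!_legacy.Verify(userName, password)) return false;

                using (var scope = new TransactionScope())
                {
                    // Assumes a webpages_Membership row already exists for this user.
                    string token = WebSecurity.GeneratePasswordResetToken(userName, 5);
                    if (!WebSecurity.ResetPassword(token, password)) return false;

                    profile.PasswordVersion = SimpleMembership;
                    db.SaveChanges();
                    scope.Complete(); // new hash and version flag commit together
                }
            }

            // Migrated or not, every account ends on the normal SimpleMembership path.
            return WebSecurity.Login(userName, password, persistCookie);
        }
    }
}
```

If the provider and `UsersContext` open separate connections, the `TransactionScope` may be promoted to a distributed transaction. Once an account is on version 2, the stored legacy password value is no longer needed and can be cleared.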