Membership, Roles and Tasks - Why don't people use membership provider - Manu Cohen-Yashar's Blog

Membership, Roles and Tasks

It is common knowledge that passwords should not be kept in a database in clear text. Too many databases have been stolen, and with them many usernames and passwords. In some countries it is against the law to save passwords in a database.

Still, a huge percentage of identity systems store passwords. Why?
Well, some people simply do not know that passwords should not be kept in persistent storage.
Some are just lazy: they do not take the time to implement a system that generates a good random number (a salt), hashes the salt concatenated with the password, and stores that result so it can later verify that the user knows the password.
For more details look at:
http://msdn.microsoft.com/msdnmag/issues/03/08/SecurityBriefs/
http://www.aspheute.com/english/20040105.asp

Once upon a time, a long time ago, when ASP.NET 2.0 was released, the ASP.NET team decided to give us a present: a full identity management system, and for free !!! It is called the membership system. It is amazing !!!

Membership is actually a static class that does nothing by itself; it is a facade. It has many static methods for managing identities, such as Membership.CreateUser or Membership.ValidateUser.
Membership delegates to another entity, the membership provider, to actually do the work. The provider does all the hashing and much more. You can have many providers, you can write your own provider, and any provider is highly customizable.
ASP.NET comes with a default provider called "AspNetSqlMembershipProvider".

The provider implements an identity management system and, for that, uses a database, or more precisely some tables in a database. A tool called aspnet_regsql.exe is supplied to create this database or to add the tables to an existing one.
The provider must then be told where the database is. To do this we supply the name of the connection string that holds the necessary information. (The default connection string is called "LocalSqlServer"; you are more than welcome to override its value and thus redirect the provider to work with your own database.)

The membership system does not end here. If we want, we can also use a roles system.
Now every user can have some roles attached (Admin, Users, Student, etc.).
Another table is created, and the RoleProvider does the rest.

This beautiful membership system was introduced by the ASP.NET team, but that does not mean it can be used only in web scenarios.
THE MEMBERSHIP SYSTEM CAN BE USED ANYWHERE !!!
(I attach a simple WinForms example that demonstrates this.)
WCF uses membership as a username/password token validator. They do it for a reason: membership is GREAT !!!

Still, many companies refuse to use it. Why?
I have been told many times that the company demands not just identity and roles but also "task information". This means that the database should hold not only the identity of the user and the roles he belongs to, but also the tasks that each role is authorized to perform.

The tasks are not in the membership system for a reason.
The database is external to the application; it is autonomous. The tasks are intimate information of each application and thus should be kept there.

I will give an example from real life:
My name is Manu and my identity is kept in the national identity system (I have an identity card). I went to study at Tel Aviv University and got the role of a student (I have a student card). Now, when I am in the university, being a member of the students group means I can borrow a book from the library, use the labs and park my car. In the theater, being a member of the same students group means something completely different (cheap tickets, bad seats), and on the train again something completely different (a very small reduction).

All these systems use the same identity and role system, but every system gives the role information a different value.

The membership system is designed to be external and to hold identity and role information only. The tasks any role can perform are the result of an authorization process that every application should perform itself.

If you want to create your own membership provider, I would like to recommend a great book: Professional ASP.NET 2.0 Security, Membership, and Role Management (Wrox, 2006).

To summarize:
Use the membership system, it is great. The tasks any role is authorized to perform are your intimate information and should not leave the scope of your application.
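To make the two points above concrete (salted password hashing instead of stored passwords, and identity/roles kept in an external store while each application decides its own tasks), here is an added example that is not part of the original post and not the ASP.NET provider itself. MembershipStore, Application and the users, roles and tasks are constructed names; the "library" and "theater" mappings mirror the student-card story.

```python
import hashlib
import hmac
import os


class MembershipStore:
    """Stand-in for the external identity store (constructed example, not the
    ASP.NET provider): it holds salted password hashes and roles, never tasks."""

    def __init__(self):
        self._users = {}  # name -> (salt, sha256(salt || password), roles)

    def create_user(self, name, password, roles=()):
        salt = os.urandom(16)  # fresh random salt per user
        digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
        self._users[name] = (salt, digest, frozenset(roles))  # password never stored

    def validate_user(self, name, password):
        """Recompute the salted hash and compare in constant time."""
        if name not in self._users:
            return False
        salt, digest, _ = self._users[name]
        candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, digest)

    def get_roles(self, name):
        return set(self._users[name][2]) if name in self._users else set()


class Application:
    """Each application owns its role -> tasks mapping; the same role can mean
    different tasks in different applications (library vs. theater)."""

    def __init__(self, name, store, role_tasks):
        self.name = name
        self.store = store            # shared identity/role source
        self.role_tasks = role_tasks  # app-local, e.g. {"Student": {"borrow_book"}}

    def tasks_for(self, user):
        tasks = set()
        for role in self.store.get_roles(user):  # only roles cross the boundary
            tasks |= self.role_tasks.get(role, set())
        return tasks

    def is_authorized(self, user, task):
        return task in self.tasks_for(user)
```

Two users with the same password get different stored digests because each has its own salt, and the theater never learns that "Student" means "use_lab" in the library.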


Manu Cohen-Yashar


Comments

alex.kom said:

The Membership Model is really great.

I learned a lot from here http://aspnet.4guysfromrolla.com/articles/120705-1.aspx, and from your lectures.

# January 9, 2007 6:05 PM

montos said:

I want to see the winforms example, it states I am not an administrator, can you please repost it.

Many Thanks.

Montos

# April 10, 2008 5:46 PM

Eric said:

BUT, in the membership and role providers, we can't manage permissions like in Windows authorization..... for example, we can't allow/deny permissions on roles and users.

# November 17, 2008 4:05 PM