Using Forms Authentication for All Types of Content
One of my all-time favorite IIS7 demos is using Forms authentication for all types of content.
Forms authentication is not new. Back when I built web apps, we used to hand-craft login forms, user databases, and all of the script and SQL code in between to custom authenticate users to the web application. Forms authentication has come a long way with IIS7 and ASP.NET.
One of the reasons it is so fun to use is that it demonstrates several of the overarching goals we set out to deliver with IIS7, including:
- Integrated pipeline. With this demo you are using the existing ASP.NET Forms authentication module for non-ASP.NET content. Cool, dude.
- Unified config system. In this demo you are storing IIS and ASP.NET configuration settings in the same web.config file.
- Unified administration tool. In this demo you are using a single admin tool (IIS Manager) to configure Forms authentication and manage users and roles. No more Windows user accounts required (unless you want them) and no more file system ACLs, thanks to URLAuthorization!
- An overall simplified security management experience.
I was hoping to write up the demo steps myself and beat everyone to the punch (I've done the demo so many times I could do it in my sleep), but Thomas and Mike beat me to it. They published a fantastic article on how to do this, including sample XML Membership provider code, so you don't have to worry about installing SQL. Read the article today!
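A minimal web.config for the setup the list above describes, as an added example that comes neither from this post nor from the article it points to. It assumes an application pool in integrated pipeline mode and an HTTPS site; `Login.aspx` and the `public` folder are hypothetical names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the post or the linked article.
     Assumes an application pool in IIS7 integrated pipeline mode. -->
<configuration>
  <system.web>
    <!-- ASP.NET settings. Login.aspx is a hypothetical login page;
         requireSSL keeps the auth cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="true" timeout="30" />
    </authentication>
    <authorization>
      <deny users="?" />  <!-- reject anonymous users -->
    </authorization>
  </system.web>

  <!-- Hypothetical folder holding the CSS and images the login page needs;
       without this, those requests are redirected to the login page too. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- IIS settings in the same file. Re-adding each managed module with an
         empty preCondition drops the default "managedHandler" restriction,
         so the module runs for every request: .html, .jpg, .php, ... -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="" />
    </modules>
  </system.webServer>
</configuration>
```

To check that the protection really covers non-ASP.NET content, request a static file while signed out: the response should be a redirect to the login page, not the file.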