32.7. ASP.NET Web Site Administration

Although running your web application with default behavior will work in most situations, sometimes you'll need to manage the application settings beyond simply setting the properties of components and page items. The Web Site Administration Tool provides you with a web-based configuration application that enables you to define various security-related settings, such as users and roles, as well as application-wide settings that can come in handy, such as a default error page, and global SMTP mail settings that are used by various components, such as the PasswordRecovery control.

To start the Administration Tool, use the Project ASP.NET Configuration menu command for Web Application projects, or Website ASP.NET Configuration for Web Site projects. When the tool is launched, Visual Studio 2008 will instantiate a temporary web server on a unique port and open a web browser to the Administration Tool home page for the application you're currently administering.

You can determine whether the web server is active by looking in the notification area of your taskbar and finding the development server icon connected to the port that Visual Studio 2008 allocated when it was started up. You can stop an active web server by right-clicking its icon in the notification area and selecting Show Details. When the server information is displayed (see Figure 32-41), click the "Stop" button to stop the specific instance of the development web server.

Figure 32.41. Figure 32-41

Note that stopping an active web server won't affect any other development servers that are currently running.

When the Administration Tool is displayed in your web browser, it will show the application name, accompanied by the name of the current Windows-based authenticated user. There are three main sections to the tool: security for the creation and maintenance of users, roles, and authentication; application configuration to control application-specific key-value pairs, SMTP settings, and debug configurations; and provider configuration to control the way the user administration data is stored for the site.

32.7.1. Security

The security section of the tool provides you with a summary of the users and roles defined in the site, and the authentication mode. You can change individual settings from this summary page by clicking their associated links, or use the Security Setup Wizard to step through each section of the security settings in turn.

The authentication mode is controlled by the access method page (shown in the wizard in Figure 32-42). If you choose "From the internet," the tool sets the authentication mode to Forms, while the "From a local area network" option results in an authentication mode of Windows.

The most useful part of this tool is the ability it gives you to add and edit roles. In the wizard you'll first need to enable role management by checking the Enable Roles for this Web Site option. Once roles are active you can define them either through the wizard or from the summary page. Each role is defined by a single string value, and it's up to you to control how that role will be used in your web application (with the exception of access rules, which we'll discuss in a moment).

The next step in the wizard is to create user accounts. The information on this page is a replication of the CreateUserAccount component, and enables you to create an initial user who can serve as administrator for your web site.

Figure 32.42. Figure 32-42

The access rules page (shown in Figure 32-43) enables you to restrict access to certain parts of your site to a specific role or user, or to grant access only when any user is logged in. As Figure 32-43 shows, by default there is a single rule (which is actually implicitly defined and inherited from the server) that defines full access to the entire site for all users.

Web site processing will look at the rules in the order in which they are defined, stopping at the first rule that applies to the particular context. For example, if you define first a rule that allows access to the Admin folder for anyone belonging to the Administrator's role, and then define a subsequent rule that denies access to the same folder for all users, it will effectively block access to the Admin folder for all users who do not belong to the Administrator's role.

Once you've got users, roles, and rules defined in your site, you can then start applying the access by clicking the Manage Users link from the summary security page. This will present you with a list of all users defined in the system. Click the Edit User or Edit Roles link to specify the roles to which each user belongs.

This information can be used to customize the content in your web pages with the LoginView component discussed earlier in this chapter.

Figure 32.43. Figure 32-43

32.7.2. Application Settings

The application section of the Web Site Administration Tool enables you to define and edit application-specific settings in the form of key-value pairs, as well as to configure SMTP e-mail settings, including the default SMTP mail server and senders e-mail address.

You can also specify what level of debugging you want to perform on the application, and customize the tracing information being kept as you run the application.

32.7.3. ASP.NET Configuration in IIS

If you have already deployed an ASP.NET application to a production server, you can edit the configuration settings directly within Internet Information Services (IIS), located in the Administrative Tools section of the Control Panel. When ASP.NET is installed on a machine, you'll find that each web site (including virtual directories) will have a set of configuration tools in IIS under the property pages, as shown in Figure 32-44.

Figure 32.44. Figure 32-44

The tools included in IIS enable you to manage all the settings you saw earlier, including the creation and management of users, roles, application settings, and SMTP settings. You are also given access to more powerful administration tools that enable you to configure advanced settings such as the .NET compilation behavior, .NET trust level, and session state configuration. These tools enable you to maintain a web application running on any IIS server without needing to resort to editing the web.config configuration file.