Next, we need to enable the preset sa account for access via SQL Server Authentication since it's disabled in the default setting. From the same tool, expand Security > Logins > sa. Right-click and select Properties. Switch to Status page and set Login to Enabled. This sample assumes that you have a blank password for 'sa'. If not, update the password in the JavaDayConnectionString property in the Web.Config file.

Grasshopper's JDBC driver for SQL Server (which is the same as the one provided by Microsoft) supports connections via TCP/IP only, and not Named Pipes, so we'll enable TCP/IP connectivity from the SQL Server Configuration Manager.

Using Master Pages Templates
We'll use ASP.NET 2.0 Master Pages to provide a consistent template for each page. First, create a new application from the File > New > Project > Visual C# for Java EE project template. Make sure to launch the Tomcat Application Server that comes with Grasshopper 2.0.

Add a new Master Page and modify the graphic template using all the necessary ContentPlaceHolder elements; then add them to any page of the project using the MasterPageFile attribute in the @Page directive.

Role-Based Access Control
We can GUI-configure role-based authentication features provided by Membership and the Role API using Grasshopper's Web Site Administration Tool (WSAT), which resides on a pure Java Apache Derby implementation rather than a Microsoft SQL Express database. Grasshopper 2.0 uses the same AttachFileDB mechanism and an analogous AspNetDerbyMembershipProvider defined in the Mainsoft.Web.Security namespace.

Our JDExpenses application will use two components, corresponding to two sub-folders, relevant to authentication features: ExpensesManagement, which enables speakers to input their expenses, and BalancesReport, which will be used by the accounting team to retrieve the account data. The first component will be accessible by the speaker and admin roles; the second by admin only. Compile the application and launch the Grasshopper 2.0 version of the WSAT from the Visual Studio IDE or from within the application runtime via the URL http://localhost:8090/JDExpenses/aspnetconfig/Default.aspx. Then you'll create roles and users, and associate users to roles, using the usual wizard.

In the web.config file, define appropriate allow and deny rules as follows:

   <location path="ExpensesManagement">
     <system.web>
       <authorization>
         <allow roles="admin, speaker"/>
         <deny users="*"/>
       </authorization>
     </system.web>
   </location>
   <location path="BalancesReport">
     <system.web>
       <authorization>
         <allow roles="admin"/>
         <deny users="*"/>
       </authorization>
     </system.web>
   </location>

To change the default App_Data folder used to store authentication data, the system administrator responsible for application deployment will be able to change a new context parameter in the web.xml deployment file:

<context-param>
    <param-name>DataDirectory</param-name>
    <param-value>App_Data</param-value>
</context-param>

At runtime, the application developer will be able to retrieve the value of this parameter in the program itself:

(string)AppDomain.CurrentDomain.GetData("DataDirectory")
AppDomain.CurrentDomain.SetData("DataDirectory","/usr/tmp");

Controls for Accessing JDExpenses
We take advantage of the authentication tools offered by ASP.NET 2.0 using the Login controls group of the Visual Studio 2005 Toolbox. In Default.aspx, add two HyperLink controls and connect them to the ExpensesManagement.aspx and BalancesReport.aspx pages through the NavigateUrl property. Since both pages require authentication, the user will be redirected to a page that contains the login form, which by default is Login.aspx. It's possible to change the default page from web.config, but it's unnecessary and would complicate this example.

Let's create a Login.aspx page in which we'll drag the Login control from the Toolbox and personalize its aspect using the associated Smart Tag. We normally assign a value to DestinationPageUrl and MembershipProvider, but in this case it's unnecessary. The destination page will be handled by the HyperLink that calls up Login.aspx handled by Grasshopper.

After logon, we add the classic welcome message and logout links personalized with the username, using LoginView, LoginName, and LoginStatus controls. We can achieve the same results working in the Code view of the page and inputting the simple code below:

   <asp:LoginView ID="LoginView1" runat="server">
     <LoggedInTemplate>
       Authenticated! Welcome,
     </LoggedInTemplate>
     <AnonymousTemplate>
       You're not logged. Click over "Login"
     </AnonymousTemplate>
   </asp:LoginView>