08 asp.net session11
Slide 1 of 26, Ver. 1.0

Developing Web Applications Using ASP.NET

In this session, you will learn to:

Describe the authentication methods for Web applications

Describe the authorization methods for Web applications

Describe the main components of a membership system

Describe how to build a security administration interface

Configure authentication and authorization for a Web application

Implement a membership registration page

Implement a login page

Create a membership management administrative user interface

Objectives

Slide 2 of 26

Authentication is the process by which users prove their identity.

This usually involves entering a user name and a password.

ASP.NET 2.0 provides three authentication mechanisms, selected with the mode attribute of the <authentication> element in Web.config (the attribute also accepts None, which disables ASP.NET authentication altogether):

Windows authentication

Forms authentication

Passport authentication

Authentication for Web Applications

Slide 3 of 26

Windows Authentication:

The application can be configured to use Microsoft Windows authentication.

IIS identifies the user by validating the credentials the user supplies against the user's Windows (local or domain) account; ASP.NET then receives a WindowsIdentity for that account.

IIS provides three login methods:

Basic authentication (the user name and password travel Base64-encoded, which is effectively cleartext, so Basic must only be used over HTTPS)

Digest authentication

Windows Integrated authentication (NTLM challenge-response or Kerberos tickets; the password itself is not transmitted)

Authentication for Web Applications (Contd.)

Slide 4 of 26

Forms Authentication:

Authentication is done on the basis of credentials entered by the user in a login page that the application itself provides.

Credentials can be stored in a database (recommended) or in the Web.config file (only practical for a small number of users).

By default, a successful login issues an encrypted and signed authentication ticket in a cookie, which the browser sends with subsequent requests.

The ticket can also be carried in the URL (cookieless mode) when the client browser does not support cookies; this exposes the ticket in browser history, proxy and server logs and Referer headers, so it should be avoided unless there is no alternative.

The following example shows how to configure Forms authentication in the Web.config file:

<authentication mode="Forms">
  <forms name="FormName" loginUrl="/LogonPage.aspx" />
</authentication>

Authentication for Web Applications (Contd.)
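The slide's two-attribute <forms> element accepts every default. The fragment below, added here as an example and not part of the original slides, shows the same configuration with the settings a security review would ask for. It assumes the login page is ~/LogonPage.aspx and that the site is served over HTTPS; requireSSL="true" makes ASP.NET refuse to issue the ticket cookie over plain HTTP.

```xml
<!-- Added example, not from the original slides. Assumes ~/LogonPage.aspx
     exists and the site is reachable only over HTTPS. -->
<system.web>
  <authentication mode="Forms">
    <forms name=".ADVWORKSAUTH"
           loginUrl="~/LogonPage.aspx"
           defaultUrl="~/Default.aspx"
           protection="All"
           requireSSL="true"
           cookieless="UseCookies"
           slidingExpiration="false"
           timeout="20"
           enableCrossAppRedirects="false" />
  </authentication>

  <!-- Applies to every ASP.NET cookie, including the session cookie. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

protection="All" (encrypt and sign the ticket) is already the default but is worth stating explicitly; cookieless="UseCookies" stops the fallback to a URL-borne ticket for browsers that claim not to support cookies; slidingExpiration="false" gives a stolen ticket a hard lifetime of twenty minutes instead of letting each request renew it; enableCrossAppRedirects="false" keeps a ReturnUrl from sending the user, and the ticket, to another application.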

Slide 5 of 26

User accounts are typically stored in a database.

It is possible to keep a list of users in the Web.config file. The passwordFormat attribute may be Clear, MD5 or SHA1; the stored values are unsalted hex digests of the password, so Clear must never be used and even the SHA1 form gives little protection against a dictionary attack if the Web.config file is disclosed:

<authentication mode="Forms">
  <forms name="LogonPage" loginUrl="/LogonPage.aspx">
    <credentials passwordFormat="SHA1">
      <user name="Kim" password="07B7F3EE06F278DB966BE960E7CBBD103DF30CA6"/>
      <user name="John" password="BA56E5E0366D003E98EA1C7F04ABF8FCB3753889"/>
    </credentials>
  </forms>
</authentication>

Accounts stored this way are checked with FormsAuthentication.Authenticate(name, password); the hash values are produced with FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1").

Authentication for Web Applications (Contd.)
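The following console program, added here as an example and not taken from the slides, shows why the <credentials passwordFormat="SHA1"> store is weak. It computes the same value that HashPasswordForStoringInConfigFile produces (uppercase hex SHA-1 of the UTF-8 password bytes) without referencing System.Web, runs a wordlist against a constructed set of accounts in one pass, and contrasts that with a salted, iterated hash of the kind the membership database uses. The user names, passwords and wordlist are constructed for the demonstration.

```csharp
// Added example, not from the original slides. Demonstrates the weakness of
// unsalted passwordFormat="SHA1" credentials in Web.config. Accounts,
// passwords and wordlist below are constructed for the demonstration.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class ConfigCredentialDemo
{
    // Same format as <user password="..."/> with passwordFormat="SHA1":
    // uppercase hex SHA-1 over the UTF-8 bytes of the password, no salt.
    public static string ConfigSha1(string password)
    {
        using (SHA1 sha = SHA1.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) hex.Append(b.ToString("X2"));
            return hex.ToString();
        }
    }

    // Offline dictionary attack against a disclosed Web.config. Because there
    // is no salt, each candidate is hashed once and compared with every user.
    public static Dictionary<string, string> CrackAll(
        IDictionary<string, string> storedByUser, IEnumerable<string> wordlist)
    {
        var usersByHash = new Dictionary<string, List<string>>();
        foreach (var kv in storedByUser)
        {
            if (!usersByHash.ContainsKey(kv.Value)) usersByHash[kv.Value] = new List<string>();
            usersByHash[kv.Value].Add(kv.Key);
        }

        var recovered = new Dictionary<string, string>();
        foreach (string candidate in wordlist)
        {
            List<string> hit;
            if (usersByHash.TryGetValue(ConfigSha1(candidate), out hit))
                foreach (string user in hit) recovered[user] = candidate;
        }
        return recovered;
    }

    // What the membership database does instead: a random per-user salt and
    // an iterated derivation (PBKDF2 via Rfc2898DeriveBytes), so equal
    // passwords produce different values and every guess costs work per user.
    public static string SaltedHash(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    static void Main()
    {
        var store = new Dictionary<string, string>
        {
            { "Kim",  ConfigSha1("summer2006") },
            { "John", ConfigSha1("Welcome1") },
            { "Joe",  ConfigSha1("summer2006") }   // same password as Kim gives the same stored value
        };
        string[] wordlist = { "password", "Welcome1", "letmein", "summer2006" };

        foreach (var kv in CrackAll(store, wordlist))
            Console.WriteLine("{0} -> {1}", kv.Key, kv.Value);   // all three accounts recovered

        byte[] salt1 = new byte[16], salt2 = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt1);
            rng.GetBytes(salt2);
        }
        // Same password, different salts: the stored values differ.
        Console.WriteLine(SaltedHash("summer2006", salt1, 10000) != SaltedHash("summer2006", salt2, 10000));
    }
}
```

The point of the inverted dictionary in CrackAll is that the cost of the attack is independent of the number of accounts: one SHA-1 per candidate tests the whole <credentials> list. Moving the accounts to the membership provider's database, as the slide recommends, is what fixes this, not a different unsalted algorithm.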

Slide 6 of 26

Passport Authentication:

This is a centralized authentication service provided by Microsoft.

Microsoft .NET Passport can be used to access services such as Microsoft Hotmail and MSN Messenger.

Any site can be registered with the Passport service so that the same Passport can be used to access that site.

To use Passport authentication, the following steps must be completed:

1. Obtain the .NET Passport software development kit (SDK).

2. Configure Passport authentication by adding the following element to the Web.config file:

<authentication mode="Passport" />

3. Implement authentication and authorization by using the functionality in the .NET Passport SDK.

The .NET Passport network was later retired and ASP.NET's Passport support (mode="Passport" and the PassportIdentity class) is marked obsolete, so new applications should not depend on it.

Authentication for Web Applications (Contd.)

Slide 7 of 26

Authorization is the process of determining the pages and resources that the user has access to after authentication.

Authorization can be implemented using any of the following methods:

File authorization

URL authorization

Authorization for Web Applications

Slide 8 of 26

File Authorization:

This is performed by the ASP.NET FileAuthorizationModule using the Windows file permissions.

Permissions can be set on any file or folder stored on a disk formatted with the NTFS file system.

These permissions are stored in the Access Control List (ACL) that is kept with the file.

The module checks the ACL of the requested file (.aspx, .asmx and other ASP.NET-handled resources) against the Windows identity of the authenticated user; it therefore works only with Windows authentication, the one mode that yields a WindowsIdentity.

To use File authorization:

1. Configure your application to use Windows authentication.

2. Assign NTFS permissions to the files and folders in the Web site.

Authorization for Web Applications (Contd.)

Slide 9 of 26

URL Authorization:

Can be used to control access to each virtual directory (and, through the <location> element, to individual files) within a Web site hierarchy.

Can be used with any of the authentication modules, because it works on the name and roles of the current principal rather than on Windows ACLs.

To establish permissions for a particular directory:

Create a Web.config file within that directory.

Add an <authorization> section to the file that contains <allow> and <deny> tags for each user or role.

Rules are evaluated from top to bottom and the first rule that matches the request decides; a request that matches no rule falls through to the parent configuration, whose machine-level default is <allow users="*"/>. A restrictive list should therefore end with <deny users="*"/>.

Two special values can be used as wildcard identities in the <authorization> section:

"*" : applies to everyone who visits the directory, authenticated or not.

"?" : applies to anonymous (unauthenticated) users only.

URL authorization is enforced only for requests that ASP.NET handles. On IIS 6, static content such as .pdf or .jpg files is served directly by IIS without consulting Web.config unless those extensions are mapped to ASP.NET; on IIS 7 in integrated mode the module can be applied to all requests by removing its managedHandler precondition.

Authorization for Web Applications (Contd.)

Slide 10 of 26

The following examples show how to configure URL authorization in an ASP.NET application:

For a directory:

<authorization>
  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="?"/>
</authorization>

Because the first matching rule wins, this list admits Kim and every member of Admins (including John, if he is in that role, since the role rule precedes his deny), rejects John otherwise, rejects anonymous users, and admits any other authenticated user through the inherited <allow users="*"/>. To admit only Kim and Admins, the last rule would have to be <deny users="*"/>.

For a single file:

<location path="SecuredFile.aspx">
  <system.web>
    <authorization>
      <allow users="Joe"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Authorization for Web Applications (Contd.)
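The rule ordering described above is easy to get wrong, and the only feedback from a misordered list is that the wrong people get in. The program below, added here as an example and not part of the slides, is a small model of how UrlAuthorizationModule evaluates a rule list (top to bottom, first match wins, inherited <allow users="*"/> if nothing matches) so that a rule set can be checked against sample users before it is deployed. The rule and user objects are this example's own; the users and roles are constructed.

```csharp
// Added example, not from the original slides: a model of <authorization>
// rule evaluation for checking rule lists. Users and roles are constructed.
using System;
using System.Collections.Generic;

enum Verb { Allow, Deny }

sealed class Rule
{
    public Verb Action;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];

    // Comma-separated lists, as in <allow users="Kim,Joe" roles="Admins"/>.
    public static Rule Allow(string users = null, string roles = null) { return Make(Verb.Allow, users, roles); }
    public static Rule Deny(string users = null, string roles = null) { return Make(Verb.Deny, users, roles); }

    static Rule Make(Verb action, string users, string roles)
    {
        Rule r = new Rule();
        r.Action = action;
        if (users != null) r.Users = users.Split(',');
        if (roles != null) r.Roles = roles.Split(',');
        return r;
    }
}

sealed class Principal
{
    public string Name;   // null for an anonymous request
    public HashSet<string> Roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public bool IsAuthenticated { get { return !string.IsNullOrEmpty(Name); } }

    public Principal(string name, params string[] roles)
    {
        Name = name;
        foreach (string role in roles) Roles.Add(role);
    }
}

static class UrlAuthz
{
    static bool Matches(Rule rule, Principal p)
    {
        foreach (string entry in rule.Users)
        {
            string user = entry.Trim();
            if (user == "*") return true;                               // everyone
            if (user == "?") { if (!p.IsAuthenticated) return true; continue; }   // anonymous only
            if (p.IsAuthenticated && string.Equals(user, p.Name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        foreach (string role in rule.Roles)
            if (p.IsAuthenticated && p.Roles.Contains(role.Trim())) return true;
        return false;
    }

    // First matching rule decides. No match means the request falls through to
    // the parent configuration, whose machine-level default is <allow users="*"/>.
    public static bool IsAllowed(IList<Rule> rules, Principal p)
    {
        foreach (Rule rule in rules)
            if (Matches(rule, p)) return rule.Action == Verb.Allow;
        return true;
    }
}

static class Program
{
    static void Main()
    {
        // The directory rules from the slide, in order.
        List<Rule> dir = new List<Rule> {
            Rule.Allow(users: "Kim"),
            Rule.Allow(roles: "Admins"),
            Rule.Deny(users: "John"),
            Rule.Deny(users: "?")
        };
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal("Kim")));             // True
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal("John")));            // False
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal("John", "Admins")));  // True: role allow precedes the user deny
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal(null)));              // False: anonymous
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal("Sam")));             // True: falls through to the root default

        // Closing the list denies everyone the earlier rules did not admit.
        dir.Add(Rule.Deny(users: "*"));
        Console.WriteLine(UrlAuthz.IsAllowed(dir, new Principal("Sam")));             // False

        // The single-file rules from the slide already end with deny "*".
        List<Rule> file = new List<Rule> { Rule.Allow(users: "Joe"), Rule.Deny(users: "*") };
        Console.WriteLine(UrlAuthz.IsAllowed(file, new Principal("Joe")));            // True
        Console.WriteLine(UrlAuthz.IsAllowed(file, new Principal("Kim")));            // False
    }
}
```

The surprising results are the ones to look for in a review: "Sam", who appears in no rule, is admitted by the original directory list, and John is admitted as soon as he is in Admins because the role allow sits above his deny. Both are consequences of ordering, not of the individual rules.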

Slide 11 of 26

Microsoft ASP.NET membership gives a built-in way to validate and store user credentials.

It can be used with ASP.NET Forms authentication or with the ASP.NET login controls to create a complete system for authenticating users.

It supports facilities for:

Creating new users and passwords

Storing membership information in a data store

Authenticating users

Managing passwords

Exposing a unique identification for authenticated users

Specifying a custom membership provider

Introduction to Membership

Slide 12 of 26

ASP.NET 2.0 includes a set of classes that enable you to implement a membership system.

Membership is configured in Web.config (the <membership> element and its providers); the static Membership class is the API through which your code uses the configured provider.

The Membership class provides a range of methods for managing the members of a Web site:

CreateUser

DeleteUser

UpdateUser

ValidateUser

FindUserByEmail

FindUserByName

Introduction to Membership (Contd.)

Slide 13 of 26

To use membership, the site must be configured for it by performing the following steps:

1. Specify membership options as part of your Web site configuration.

2. Configure the application to use Forms authentication.

3. Define user accounts for membership.

After configuring membership for your site, you must create a login form.

The login form can be created by hand using TextBox controls or by using the Login controls.

How Membership Works

Slide 14 of 26

Login controls are a set of Web server controls that provide the common user interface elements of a membership system.

Login controls automatically use the membership system to validate a user.

The following controls are available in the Login group of the Toolbox:

CreateUserWizard

Login

LoginStatus

LoginView

PasswordRecovery

ChangePassword

How Membership Works (Contd.)

Slide 15 of 26

If the login form is created by hand:

You need to prompt the user for a user name and password and then call Membership.ValidateUser to perform the validation. ValidateUser also returns false for a locked-out or unapproved account, and the page should report every failure with the same generic message so that it does not reveal which user names exist.

After successful validation, you call a method of the FormsAuthentication class (SetAuthCookie, or RedirectFromLoginPage) to issue the authentication ticket cookie to the user's browser.

Once the user is authenticated, Membership.GetUser() returns a MembershipUser object describing the current user.

This object can be used to retrieve information about the user, such as the user's name, e-mail address, and the date and time of the last login.

How Membership Works (Contd.)
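The code-behind below, added here as an example and not taken from the slides, is the hand-built login described above for an ASP.NET Web Forms page. It assumes controls named txtUserName, txtPassword, chkRemember and lblError on a page class LogonPage; the SafeReturnUrl helper is this example's own. It validates with Membership.ValidateUser, issues the ticket with FormsAuthentication.SetAuthCookie, and honours a ReturnUrl only when it points back into this application, which keeps the login page from being used as an open redirect.

```csharp
// Added example, not from the original slides. Code-behind for a hand-built
// login page; control names and the SafeReturnUrl helper are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LogonPage : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // One generic message for unknown user, wrong password and locked-out
        // account: the form must not tell an attacker which names exist.
        if (!Membership.ValidateUser(user, password))
        {
            lblError.Text = "The user name or password is incorrect.";
            return;
        }

        // Issue the encrypted, signed Forms ticket (persistent only if asked),
        // then redirect to a destination we have checked ourselves.
        FormsAuthentication.SetAuthCookie(user, chkRemember.Checked);
        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), true);
    }

    // Accept only a path inside this application. Absolute URLs, protocol-
    // relative "//host" forms and backslash variants all fall back to the
    // configured defaultUrl, so a crafted login link cannot send the user
    // (and the fresh ticket) to another site.
    internal static string SafeReturnUrl(string returnUrl)
    {
        string fallback = FormsAuthentication.DefaultUrl;
        if (string.IsNullOrEmpty(returnUrl)) return fallback;

        Uri probe;
        if (!Uri.TryCreate(returnUrl, UriKind.Relative, out probe)) return fallback; // "http://..." is rejected here
        if (returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\") || returnUrl.StartsWith("\\")) return fallback;
        if (!returnUrl.StartsWith("/") && !returnUrl.StartsWith("~/")) return fallback;
        return returnUrl;
    }
}
```

Using SetAuthCookie plus an explicit redirect, rather than RedirectFromLoginPage, keeps the ReturnUrl check visible in the page's own code; the check is deliberately a whitelist of shapes ("/..." or "~/...") rather than a blacklist of hosts.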

Slide 16 of 26

The membership system allows your application to accept and work with anonymous users.

Before using anonymous identification, it must be enabled with <anonymousIdentification enabled="true" /> in Web.config.

A temporary ID (a GUID) is assigned to unauthenticated users so that per-user data such as a profile or shopping cart can be tracked across requests.

The ID is stored in a cookie or embedded in the URL of requested pages.

The anonymous ID only identifies a browser; it is not authentication, must never be used as the basis for an authorization decision, and users carrying one still match the "?" wildcard in URL authorization.

If an anonymous user logs in, the anonymous identification information is discarded and the user is treated thereafter as an authenticated user.

Anonymous Users in the Membership System

Slide 17 of 26

Membership system can be configured in the application’s Web.config file.

The easiest way to configure and manage memberships is with the Web Site Administration tool.

Specifications of membership configuration include:

Membership provider to use

Password options

Users and passwords

Membership Configuration and Management

Slide 18 of 26

Membership can be integrated with ASP.NET role management to provide authorization services for your site.

Roles can be used to manage the permissions for large numbers of users.

By grouping users into roles, permissions can be assigned once for many users.

Roles and Authorization:

In URL authorization mode, access to a directory can be configured by using the Web.config file in each directory.

Roles can be added to the <authorization> section:

<authorization>
  <allow roles="Admin"/>
  <allow roles="PowerUsers" />
  <deny users="?"/>
</authorization>

As written, this denies anonymous users but still admits every authenticated user who is in neither role, because a request that matches no rule inherits the root <allow users="*"/>. To admit only the two roles, the last rule must be <deny users="*"/>.

Web Site Security Administration Using the Roles Class

Slide 19 of 26

Role Management Configuration:

Role management must be configured in the Web.config file in the root folder of the Web application, inside <system.web>.

To enable role management, the following item can be included in the Web.config file:

<roleManager enabled="true" cacheRolesInCookie="true">
</roleManager>

With cacheRolesInCookie="true" the user's roles are carried in an encrypted and signed cookie, which saves a provider lookup on every request, but a role removed from a user is not seen until that cookie expires (cookieTimeout, 30 minutes by default), and the cookie should be marked cookieRequireSSL="true" so that it is never sent over plain HTTP.

Web Site Security Administration Using the Roles Class (Contd.)
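The fragment below, added here as an example and not part of the slides, shows the role manager configured the way the demo's Adventure Works site would need it: the SQL role provider backed by the membership database, a role cookie that is encrypted, signed, HTTPS-only and short-lived, and the Admin.aspx page from the demo restricted to the Admin role by URL authorization. The connection string name MembershipDb, the cookie name and the role name Admin are assumptions.

```xml
<!-- Added example, not from the original slides. Assumes a connection string
     named "MembershipDb" pointing at the aspnetdb database and an "Admin"
     role that the demo's Admin.aspx page is reserved for. -->
<configuration>
  <system.web>
    <roleManager enabled="true"
                 defaultProvider="SqlRoles"
                 cacheRolesInCookie="true"
                 cookieName=".ADVWORKSROLES"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 cookieTimeout="10"
                 cookieSlidingExpiration="false"
                 maxCachedResults="25">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/AdventureWorks" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Only members of Admin reach the role-management page; everyone else,
       authenticated or not, is denied by the closing rule. -->
  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The short, non-sliding cookieTimeout bounds how long a revoked role keeps working; if revocation must take effect immediately, set cacheRolesInCookie="false" and accept the provider lookup per request. applicationName is set explicitly because the SQL providers scope users and roles by it, and a mismatch between the membership and role providers makes role assignments silently apply to a different application.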

Slide 20 of 26

You can create and populate roles by:

Using the ASP.NET Web Site Administration Tool

Writing code by using the Roles class

Example of creating and populating roles by using the Roles class (Roles.AddUsersToRole takes an array of user names; the single-user form is Roles.AddUserToRole, and CreateRole throws if the role already exists):

if (!Roles.RoleExists("Subscribers"))
    Roles.CreateRole("Subscribers");
Roles.AddUsersToRole(new string[] { "Anatoly Sabantsev", "Bobby Moore" }, "Subscribers");

You can use the User object to check whether the current user is a member of a particular role:

if (!User.IsInRole("Subscribers"))
    btnDownloadFile.Visible = false;

Hiding a control only changes the user interface. The download itself must still be protected on the server, with a URL authorization rule or an explicit role check in the handler, because the request can be sent without the button.

Web Site Security Administration Using the Roles Class (Contd.)

Slide 21 of 26

Problem Statement:You are a developer in the Adventure Works organization, a fictitious bicycle manufacturer. You have been asked to assist in the development of the Business-to-Consumer (B2C) Web application and a related Business-to-Employee (B2E) extranet portal.

Decisions on the design of the application have already been made. You have been asked to carry out a number of specific tasks in order to implement various elements of this design.

Demo: Controlling Access to a Web Application

Slide 22 of 26

As part of the first phase of the B2C development, you have been asked to complete the prototypes for the following pages:

• MembersLogin.aspx. This page collects and checks credentials to identify the user.

• Register.aspx. This page enables users to become members of the site.

• Employees.aspx. This page shows sales figures for the Adventure Works staff, and it should be viewable only by employees.

• MemberUpdate.aspx. This page enables users to change the e-mail address and password stored for their account.

• Admin.aspx. This page enables site administrators to change the role membership on the site.

You will also ensure that several pages are secured properly.

Demo: Controlling Access to a Web Application (Contd.)

Slide 23 of 26

Solution:

You need to perform the following tasks:

1. Configuring Authentication and Authorization for a Web Application

a. Open the Adventure Works Web site for editing in Visual Studio.

b. Implement Forms authentication for the Web application.

c. Configure authorization for anonymous users and members.

d. Configure IIS.

e. Implement Windows authentication for the Employees page.

2. Implementing a Membership Registration Page

a. Install the SQL Server provider database.

b. Configure the ASP.NET SQL Server membership provider.

c. Create the membership registration page.

d. Create the membership update page.

Demo: Controlling Access to a Web Application (Contd.)

Slide 24 of 26

3. Implementing a Login Page and Adding Login Controls

a. Create the login page and add the Login control.

b. Add a PasswordRecovery Web server control to the login page.

c. Add login controls to other pages.

d. Test the login and membership features.

4. Creating a Membership Management Administrative User Interface

a. Configure the Web application to use the SQL Roles provider.

b. Complete the Admin.aspx page.

c. Secure the Administration page.

Demo: Controlling Access to a Web Application (Contd.)

Slide 25 of 26

Summary

In this session, you learned that:

Authentication is the process by which users prove their identity.

In Microsoft Windows authentication, IIS identifies the user by validating the credentials entered by the user against the user's Windows account.

In Forms authentication, the credentials entered by the user in the login page are checked against credentials stored in a database or in the Web.config file.

Passport authentication is a centralized authentication service provided by Microsoft.

Authorization is the process in which, after authentication, the application determines the pages and resources that the user can access.

Slide 26 of 26

Summary (Contd.)

In File Authorization, access permissions can be set on any file or folder stored on a disk formatted with the NTFS file system.

In URL authorization, access to each virtual directory can be controlled within the website hierarchy.

The Membership class provides methods for creating, deleting, and updating user accounts, authenticating users, and managing passwords.

Roles can be created to reduce the administrative overhead of managing permissions for large numbers of users.