Security
IT533 Lectures

• Reasons for Security
  • Prevent access to areas of your Web server
  • Record and store security-relevant user data
• Security Configuration
  • <security> tag in web.config file
  • Authentication and Authorization
Authentication
• Who are you?
• Server must authenticate client
• Client should authenticate server
  • Kerberos does this (mutual authentication)
• Need a directory to store user accounts
  • Windows: Active Directory
  • Good for intranet and Internet usage
IIS Authentication
• Anonymous
  • A single Windows account is used for all visitors
• Basic authentication
  • Standard, commonly supported
  • Password sent in clear text
• Integrated Windows Authentication
  • NTLM
  • Kerberos
• Client certificates
  • Mapped to Windows account
ASP.NET Authentication
• Custom, forms-based authentication
  • Easy to use, with cookie token tracking
  • Enables custom login screen (no popup dialogs)
  • Supports custom credential checks against database, Exchange, etc.
• Passport module provided
  • Exposes Passport profile API
Authorization
• Now that I know who you are, here’s what you are allowed to do
• Grant and deny read/write/execute/etc. permission to users or groups of users
• IIS also provides coarse-grained control
  • Read, write, run script, run executable, directory browsing, script access for virtual directories, directories and files
ASP.NET Authorization
• ASP.NET supports authorization using either users or roles
• Roles map users into logical groups
  • Example: “User”, “Manager”, “VP”, etc.
  • Provides nice developer/admin separation
• Developers can perform runtime role checks in code
  • if (User.IsInRole("Admin")) { }
Secure Books Application
• This example uses a technique known as forms authentication to protect a page so that only users known to the website can access it.
• Website visitors must log in before they are allowed to view the publications in the Books database.
• The first page that a user would typically request is Login.aspx.
Secure Books Database Application
Fig. | Login.aspx page of the secure books database application.
• A first-time visitor must click the link below the Log In button to create a new user before logging in, which redirects the visitor to CreateNewUser.aspx.
• After creating the account, the user is automatically logged in and shown a success message.
Fig. | Message displayed to indicate that a user account was created successfully.
• Clicking the Continue button on the confirmation page sends the user to Books.aspx, which provides a drop-down list of authors and a table containing the book titles in the books database.
Fig. | Books.aspx displaying books (default is all books).
• When the user chooses an author, a postback occurs, and the page is updated to display information about books written by the selected author.
Fig. | Books.aspx displaying books by Dan.
• Clicking the Click here to log out link logs the user out, then sends the user back to Login.aspx.
Fig. | Logging in using the Login control.
• If the user’s login attempt fails, an appropriate error message is displayed.
Fig. | Error message displayed for an unsuccessful login attempt.
• We use a master page to achieve the common header. A master page defines common GUI elements that are inherited by each page in a set of content pages.
• Content pages inherit visual elements from master pages—this is known as visual inheritance.
Creating the Secure Books Database Application
Step 1: Creating the Website
• Create a new ASP.NET Web Site with a folder named Bug2Bug.
• Delete the IDE-generated Default.aspx file (and its corresponding code-behind file).
Step 2: Setting Up the Website’s Folders
• Before building any of the pages in the website, we create folders to organize its contents.
• First, create an Images folder.
  • Add the bug2bug.png file to it.
Step 3.1: Configuring the Application’s Security Settings
• Before we start, we need to set up the security DB on our SQL server by running the aspnet_regsql tool.
• Make sure LocalSqlServer is pointing to your database server by modifying C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config:

<!-- inside the <connectionStrings> element of machine.config -->
<add name="LocalSqlServer" connectionString=
  "data source=.;Integrated Security=SSPI;
  AttachDBFilename=|DataDirectory|aspnetdb.mdf;
  User Instance=true"
  providerName="System.Data.SqlClient"/>
Step 3.2: Configuring the Application’s Security Settings
• In this application, we want to ensure that only authenticated users are allowed to access Books.aspx to view the information in the database.
• By default, any visitor can view pages in the root directory.
• ASP.NET allows you to restrict access to particular folders of a website.
• Create a folder named Secure. Later, we create Books.aspx in this folder.
• Select Website > ASP.NET Configuration to open the Web Site Administration Tool in a web browser.
• Click either the Security link or the Security tab to open a web page in which you can set security options.
Fig. | Security page of the Web Site Administration Tool.
• In the Users column, click Select authentication type.
• On the resulting page, select the radio button next to From the internet to indicate that the application will use forms authentication.
Fig. | Choosing the type of authentication used by an ASP.NET web application.
• Click the Done button to save this change.
• The Users column on the main page of the Web Site Administration Tool now provides links to create and manage users.
Fig. | Main page of the Web Site Administration Tool after enabling forms
• While it is possible to create users through the Web Site Administration Tool, we do not do so here.
• Click the Create access rules link in the Access Rules column of the Web Site Administration Tool to view the Add New Access Rule page.
Fig. | Add New Access Rule page used to configure directory access.
• This page is used to create an access rule—a rule that grants or denies access to a particular directory for a specific user or group of users.
• Click the Secure directory in the left column. Select Anonymous users in the middle column and Deny in the right column, and click OK.
• This rule indicates that anonymous users should be denied access to any pages in the Secure directory.
• By default, anonymous users who attempt to load a page in the Secure directory are redirected to the Login.aspx page.
Step 4: Examining the Autogenerated web.config Files
• In an ASP.NET application, a page’s configuration settings are determined by the current directory’s web.config file.
• The web.config file in the root directory contains an authentication element specifying that the site uses forms authentication.
• The second web.config file, in the Secure folder, contains an authorization element that indicates who is authorized to access this folder over the web.
• The deny element inside the authorization element specifies the users to whom we wish to deny access.
• When the users attribute’s value is set to "?", all anonymous users are denied access to the folder.
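The two web.config files of Steps 3 and 4, written out as an added example rather than the IDE-generated files from the slides; beyond mode="Forms", loginUrl and the deny rule, the forms attributes, the httpCookies element and the membership provider settings are hardening choices assumed here:

```xml
<!-- ===== Root web.config (added example; the IDE generates a minimal one) ===== -->
<configuration>
  <system.web>
    <!-- Site-wide: unauthenticated requests for protected folders are
         redirected to loginUrl (Login.aspx is also the default). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />   <!-- assumes the site is served over HTTPS -->
    </authentication>
    <!-- Every cookie the application issues is marked HttpOnly (the forms ticket
         cookie already is) and, with requireSSL, is only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Provider used by CreateUserWizard and Login, backed by the LocalSqlServer
         connection (the aspnetdb.mdf created with aspnet_regsql in Step 3.1). -->
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             passwordFormat="Hashed"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             requiresUniqueEmail="true" />
      </providers>
    </membership>
  </system.web>
</configuration>

<!-- ===== Secure/web.config ===== -->
<configuration>
  <system.web>
    <authorization>
      <!-- "?" is the anonymous user; "*" would be everyone. The rule in the
           folder's own web.config is checked before the inherited allow-all.
           ASP.NET applies it to requests it handles; in the classic IIS
           pipeline, static files in Secure/ are served without this check. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```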
Step 5: Creating a Master Page
• The master page defines the elements we want to appear on each page. A master page is like a base class in a visual inheritance hierarchy.
• The master page contains placeholders for custom content created in each content page.
• To create a master page, right click the location of the website in the Solution Explorer and select Add New Item….
• Select Master Page and specify Bug2Bug.master as the file name.
• Master pages have the file-name extension .master and, like Web Forms, can optionally use a code-behind file to define additional functionality.
• Leave the box labeled Place code in a separate file unchecked and click Add to create the page.
• The IDE opens the master page in Source mode when the file is first created.
Fig. | Master page in Source mode.
• The markup for a master page is almost identical to that of a Web Form.
• A master page contains a Master directive, which specifies that this file defines a master page using the indicated Language for any code.
• Code that would usually be placed in a code-behind file can be placed in a script element.
• Next, set the title of the page to Bug2Bug.
• The master page contains two ContentPlaceHolder controls for content that will be defined by a content page.
• At this point, you can edit the master page in Design mode as if it were an ASPX file.
Fig. | Master page in Design mode.
• The ContentPlaceHolder control appears as a rectangle with a purple outline indicating the control’s type and ID.
• Using the Properties window, change the ID of this control to bodyContent.
• Place the cursor to the left of ContentPlaceHolder and select Table > Insert Table.
• In the Insert Table dialog, set Rows to 2 and Columns to 1. In the Layout section, specify a Cell padding of 0 and a Cell spacing of 0.
• Set both the width and height of the table to 100 percent. Make sure that the Size value in the Borders section is 0.
• Click OK to create a table that fills the page and contains two rows.
• Change the valign property of the bottom table cell to top and drag the ContentPlaceHolder into this cell.
• Set the Height of the top table cell to 130. Add an Image control named headerImage with its ImageUrl property set to the bug2bug.png file.
Step 6: Creating a Content Page
• Right click the master page in the Solution Explorer and select Add Content Page. Rename the Default.aspx to CreateNewUser.aspx, then open it in Source mode.
Fig. | Content page CreateNewUser.aspx in Source mode.
• The Page directive indicates the MasterPageFile that is used as a starting point for this new page’s design.
• The Title property specifies the title that will be displayed in the web browser’s title bar when the content page is loaded.
• This value, which we set to Create a New User, replaces the value (i.e., Bug2Bug) set in the title element of the master page.
• Because CreateNewUser.aspx specifies Bug2Bug.master as the page’s MasterPageFile, it implicitly contains the contents of the master page.
• The content page contains Content controls, in which we will place page-specific content that will replace the master page’s ContentPlaceHolders.
• The ContentPlaceHolderID property of the Content control identifies which ContentPlaceHolder the control should replace.
• The relationship between a content page and its master page is more evident in Design mode.
Fig. | Content page CreateNewUser.aspx in Design mode.
• The gray-shaded region contains the contents of the master page Bug2Bug.master as they will appear in CreateNewUser.aspx.
Step 7: Adding a CreateUserWizard Control to a Content Page
• CreateNewUser.aspx is the page in our website that allows first-time visitors to create user accounts.
• To provide this functionality, we use a CreateUserWizard control.
• Place the cursor inside the Content control in Design mode and double click CreateUserWizard in the Toolbox to add it to the page.
• Open the CreateUserWizard Tasks smart-tag menu and click Auto Format. Select the Professional color scheme.
• When the user clicks the Create User button, ASP.NET verifies that all the form’s requirements were fulfilled and attempts to create the user account.
• If an error occurs, the CreateUserWizard displays a message below the form.
• If the account is created successfully, the form is replaced by a confirmation message and a button that allows the user to continue.
Fig. | CreateNewUser.aspx page that provides a user registration form. (Part 3 of 3.)
Step 8: Creating a Login Page
• Add another content page named Login.aspx and set its title to Login.
• In Design mode, drag a Login control to the page’s Content control.
• Open the Auto Format dialog from the Login Tasks smart-tag menu and set the control’s color scheme to Professional.
• Set the Login control’s CreateUserUrl property to CreateNewUser.aspx by clicking the ellipsis to the right of this property in the Properties window.
• Then set the CreateUserText property to Click here to create a new user.
• Finally, change the value of the Login control’s DisplayRememberMe property to False to ensure that users log in each time they visit the site.
• The Login control encapsulates the details of logging a user into a web application.
• If the user successfully authenticates, the browser is redirected to the page specified by the Login control’s DestinationPageUrl property.
• If the user’s identity cannot be confirmed, the Login control displays an error message, and the user can attempt to log in again.
• The figure presents the completed Login.aspx page. It creates a Login control with a number of properties, including the ones we set using the Properties window.

<%-- Figure 22.59: Login.aspx --%>
<%-- Content page using a Login control that authenticates users. --%>
<%@ Page Language="C#" MasterPageFile="~/Bug2Bug.master" Title="Login" %>

<script runat="server">
</script>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="bodyContent"
   Runat="Server">
   <asp:Login ID="Login1" runat="server" BackColor="#F7F6F3"
      BorderColor="#E6E2D8" BorderPadding="4" BorderStyle="Solid"
      BorderWidth="1px" CreateUserText="Click here to create a new user"
      CreateUserUrl="~/CreateNewUser.aspx" DisplayRememberMe="False"
      Font-Names="Verdana" Font-Size="0.8em" ForeColor="#333333"
      DestinationPageUrl="~/Secure/Books.aspx">
      <TextBoxStyle Font-Size="0.8em" />
      <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC"
         BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
         Font-Size="0.8em" ForeColor="#284775" />
      <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
      <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True"
         Font-Size="0.9em" ForeColor="White" />
   </asp:Login>
</asp:Content>

Fig. | Login.aspx content page using a Login control.
• As in CreateNewUser.aspx, the Page directive indicates that this content page inherits content from Bug2Bug.master.
• All of the functionality related to actually logging the user in or displaying error messages is completely hidden from you.
• When a user enters login information, ASP.NET authenticates the user and sends an encrypted cookie with information about the authenticated user.
• Encrypted data is data translated into a code that only the sender and receiver can understand—thereby keeping it private.
• The encrypted cookie contains a string username and a bool value that specifies whether this cookie should persist beyond the current session.
Step 9: Creating a Content Page That Only Authenticated Users Can Access
• To create Books.aspx, right click the Secure folder in the Solution Explorer and select Add New Item.... Select Web Form and specify the file name Books.aspx.
• Change the Page directive’s Title property to Book Information.
Step 10: Customizing the Secure Page
• Open Books.aspx in Design mode. In the Content control, type Welcome followed by a comma and a space.
• Drag a LoginName control from the Toolbox onto the page. When this page executes on the server, the control will be replaced by the current username.
• In Source mode, type an exclamation point (!) directly after the LoginName control (with no spaces in between).
• A LoginStatus control renders on a web page in one of two ways:
  • If the user is not authenticated, the control displays a hyperlink with the text Login.
  • If the user is authenticated, the control displays a hyperlink with the text Logout.
• Add a LoginStatus control to the page by dragging it from the Toolbox onto the page.
• The LoginStatus Tasks smart-tag menu allows you to switch between the control’s Views.
• Select the Logged In view to see the Logout link.
• Modify the control’s LogoutText property to Click here to log out.
• Set the LogoutAction property to RedirectToLoginPage.
Step 11: Connecting the CreateUserWizard and Login Controls to the Secure Page
• Open CreateNewUser.aspx in Design mode and set the CreateUserWizard control’s ContinueDestinationPageUrl property to Books.aspx.
• Open Login.aspx and select Books.aspx as the DestinationPageUrl of the Login control.
• Run the web application.

Step 12: Creating a SQL DataSource on the Books Database
Step 13: Adding a DropDownList Containing
Authors’ First and Last Names
Open Books.aspx in Design mode, then add the text
Author: and a DropDownList named
authorsDropDownList in the page’s Content
control.
 Add a SqlDataSource object below the
DropDownList named authorsSqlDataSource.
 In the DropDownList Tasks smart-tag menu, click
Choose Data Source... to start the Data
Source Configuration Wizard.

• Select authorsSqlDataSource from the Select a data source drop-down list in the first screen of the wizard.
• Set Name as the data field to display and AuthorID as the data field to use as the value.
• Click OK to bind the DropDownList to the specified data.
• The last step in configuring the DropDownList on Books.aspx is to set the control’s AutoPostBack property to True.
• This property indicates that a postback occurs each time the user selects an item. This causes the page’s GridView to display new data.
Step 14: Creating a GridView to Display the Selected Author’s Books
• Add a GridView named booksGridView below the other controls in the page’s Content control.
• To bind the GridView to data from the Books database, create a SqlDataSource named booksSqlDataSource beneath the GridView.
• Select booksSqlDataSource from the Choose Data Source drop-down list in the GridView Tasks smart-tag menu.
• To add more Columns to the GridView, select Edit Columns... from the GridView Tasks smart-tag menu to initiate the Fields dialog.
• Uncheck the Auto-generate fields box to indicate that you’ll manually define the fields to display.
• Create BoundFields with HeaderTexts ISBN, Title, Edition Number, and Copyright.
• For each BoundField except for Edition Number, the SortExpression and DataField properties should match the HeaderText.
• For Edition Number, the SortExpression and DataField should be EditionNumber—the name of the field in the database.
• The SortExpression specifies the data field to sort by when the user chooses to sort by the column.
• Now that the GridView is tied to a data source, we modify several of the control’s properties to adjust its appearance and behavior.
• Set the GridView’s CellPadding property to 5, set the BackColor of the AlternatingRowStyle to LightYellow, and set the BackColor of the HeaderStyle to LightGreen.
• Change the Width of the control to 600px to ensure that long data values don’t wrap to multiple lines.
• In the GridView Tasks smart-tag menu, check Enable Sorting.
• This changes the column headings in the GridView into links that allow users to sort the GridView using the sort expressions specified by each column.
• Finally, in the GridView Tasks smart-tag menu, check Enable Paging. This causes the GridView to split across multiple pages.
• The user can click the numbered links at the bottom of the GridView control to display a different page of data.
• GridView’s PageSize property determines the number of entries per page. Set the PageSize property to 4 using the Properties window.
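The markup that Steps 12 to 14 build through the designer, as an added example that is not from the original slides; the table and column names (Authors, Titles, AuthorISBN, FirstName, LastName), the BooksConnectionString name and the All authors item that reproduces the all-books default are assumptions, since the slides only name the bound fields:

```xml
<!-- Books.aspx, inside the bodyContent Content control (added example) -->
Author:
<asp:DropDownList ID="authorsDropDownList" runat="server"
    DataSourceID="authorsSqlDataSource"
    DataTextField="Name" DataValueField="AuthorID"
    AppendDataBoundItems="True" AutoPostBack="True">
  <!-- Assumed extra item so the first view shows all books -->
  <asp:ListItem Value="0">All authors</asp:ListItem>
</asp:DropDownList>

<asp:SqlDataSource ID="authorsSqlDataSource" runat="server"
    ConnectionString="<%$ ConnectionStrings:BooksConnectionString %>"
    SelectCommand="SELECT AuthorID, FirstName + ' ' + LastName AS Name
                   FROM Authors ORDER BY LastName, FirstName" />

<!-- The chosen AuthorID reaches SQL Server as the parameter @AuthorID.
     The value arrives from the client on postback, but because it is
     bound as a typed parameter and never concatenated into the command
     text, a tampered value can only change the parameter, not the query. -->
<asp:SqlDataSource ID="booksSqlDataSource" runat="server"
    ConnectionString="<%$ ConnectionStrings:BooksConnectionString %>"
    SelectCommand="SELECT DISTINCT Titles.ISBN, Title, EditionNumber, Copyright
                   FROM Titles INNER JOIN AuthorISBN
                     ON Titles.ISBN = AuthorISBN.ISBN
                   WHERE @AuthorID = 0 OR AuthorISBN.AuthorID = @AuthorID">
  <SelectParameters>
    <asp:ControlParameter Name="AuthorID" Type="Int32" DefaultValue="0"
        ControlID="authorsDropDownList" PropertyName="SelectedValue" />
  </SelectParameters>
</asp:SqlDataSource>

<asp:GridView ID="booksGridView" runat="server"
    DataSourceID="booksSqlDataSource" AutoGenerateColumns="False"
    AllowSorting="True" AllowPaging="True" PageSize="4"
    CellPadding="5" Width="600px">
  <AlternatingRowStyle BackColor="LightYellow" />
  <HeaderStyle BackColor="LightGreen" />
  <Columns>
    <asp:BoundField DataField="ISBN" HeaderText="ISBN" SortExpression="ISBN" />
    <asp:BoundField DataField="Title" HeaderText="Title" SortExpression="Title" />
    <!-- Only this column's header text differs from the database field name -->
    <asp:BoundField DataField="EditionNumber" HeaderText="Edition Number"
        SortExpression="EditionNumber" />
    <asp:BoundField DataField="Copyright" HeaderText="Copyright"
        SortExpression="Copyright" />
  </Columns>
</asp:GridView>
```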
• The figure displays the completed Books.aspx file in Design mode.
Fig. | Completed Books.aspx in Design mode.