Transcript Slide 1
Security
IT533 Lectures
Security
Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration
file Authentication and Authorization
Security Authentication
Who are you?
Server must authenticate client Client should authenticate server Kerberos does Need a directory to store user accounts Windows: Active Directory Good for intranet and Internet usage
Security IIS Authentication
Anonymous A single Windows account is used for all visitors Basic authentication Standard, commonly supported Password sent in clear text Integrated Windows Authentication NTLM Kerberos Client certificates Mapped to Windows account
Security ASP.NET Authentication
Custom, forms-based authentication Easy to use, with cookie token tracking Enables custom login screen (no popup dialogs) Supports custom credential checks against database, exchange, etc.
Passport module provided Exposes passport profile API
Security Authorization
Now that I know who you are, here’s what you are allowed to do Grant and deny read/write/execute/etc. permission to users or groups of users IIS also provides coarse-grained control Read, write, run script, run executable, directory browsing, script access for virtual directories, directories and files
Security ASP.NET Authorization
ASP.NET supports authorization using either users or roles Roles map users into logical groups Example: “User”, “Manager”, “VP”, etc.
Provides nice developer/admin separation Developers can perform runtime role checks in code if (User.IsInRole(“Admin”) { }
Secure Books Application
This example uses a technique known as
forms authentication
to protect a page so that only users known to the website can access it.
Website visitors must log in before they are allowed to view the publications in the Books database.
The first page that a user would typically request is Login.aspx
.
Secure Books Database Application
Fig.
| Login.aspx
page of the secure books database application.
Secure Books Database Application
A first-time visitor must click the link below the Log In button to create a new user before logging in, which redirects the visitor to CreateNewUser.aspx
.
Secure Books Database Application
After creating the account, the user is automatically logged in and shown a success message.
Fig.
| Message displayed to indicate that a user account was created successfully
Secure Books Database Application
Clicking the Continue button on the confirmation page sends the user to Books.aspx
, which provides a drop-down list of authors and a table containing the book titles in the books database.
Fig.
| Books.aspx
displaying books (default is all books).
Secure Books Database Application
When the user chooses an author, a postback occurs, and the page is updated to display information about books written by the selected author.
Fig.
| Books.aspx
displaying books by Dan.
Secure Books Database Application
Clicking the
Click here to log out
sends the user back to Login.aspx
. link logs the user out, then
Fig.
| Logging in using the Login control.
Secure Books Database Application
If the user’s login attempt fails, an appropriate error message is displayed.
Fig.
| Error message displayed for an unsuccessful login attempt.
Secure Books Database Application
We use a
master page
to achieve the common header. A master page defines common GUI elements that are inherited by each page in a set of
content pages
.
Content pages inherit visual elements from master pages—this is known as
visual inheritance
.
Secure Books Database Application
Creating the Secure Books Database Application
Step 1: Creating the Website
Create a new
ASP.NET Web Site
Bug2Bug .
with a folder named Delete the IDE-generated Default.aspx
(and its corresponding code-behind file).
file
Secure Books Database Application
Step 2: Setting Up the Website’s Folders
Before building any of the pages in the website, we create folders to organize its contents.
First, create an Images folder Add the bug2bug.png
file to it.
Secure Books Database Application
Step 3.1: Configuring the Application’s Security Settings
Before we start we need to setup security DB on our SQL server by running the
aspnet_regsql
tool Make sure
LocalSqlServer
is pointing to your database server by modifying
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Conf ig\machine.config:
Secure Books Database Application
Step 3.2: Configuring the Application’s Security Settings
In this application, we want to ensure that only authenticated users are allowed to access Books.aspx
to view the information in the database.
By default, any visitor can view pages in the root directory.
ASP.NET allows you to restrict access to particular folders of a website.
Create a folder named Secure . Later, we create Books.aspx
in this folder.
Secure Books Database Application
Select
Website > ASP.NET Configuration Web Site Administration Tool
to open the in a web browser.
Secure Books Database Application
Click either the
Security
link or the
Security
in which you can set security options.
tab to open a web page
Fig.
|
Security
page of the
Web Site Administration Tool.
• In the
Users
column, click
Select authentication type.
Secure Books Database Application
On the resulting page, select the radio button next to
From the internet
to indicate that the application will use forms authentication.
Fig.
| Choosing the type of authentication used by an ASP.NET web application • Click the
Done
button to save this change.
Secure Books Database Application
The
Users Tool
column on the main page of the
Web Site Administration
now provides links to create and manage users.
Fig.
| Main page of the
Web Site Administration Tool
after enabling forms • While it is possible to create users through the
Web Site
Administration Tool, we do not do so here.
Secure Books Database Application
Click the
Create access rules
of the
Web Site Administration Tool Access Rule
page.
link in the
Access Rules
to view the column
Add New Fig.
|
Add New Access Rule
page used to configure directory access.
Secure Books Database Application
This page is used to create an
access rule
—a rule that grants or denies access to a particular directory for a specific user or group of users.
Click the Secure directory in the left column. Select
Anonymous users
in the middle column and
Deny
in the right column, and click
OK
.
This rule indicates that
anonymous users
should be denied access to any pages in the Secure directory.
By default, anonymous users who attempt to load a page in the Secure directory are redirected to the Login.aspx
page.
Secure Books Database Application
Step 4: Examining the Autogenerated
web.config
Files
In an ASP.NET application, a page’s configuration settings are determined by the current directory’s web.config
file.
The web.config
file in the root directory contains an authentication element specifying that the site uses forms authentication.
The second web.config
an authorization file, in the Secure folder, contains element that indicates who is authorized to access this folder over the web.
Secure Books Database Application
The deny element inside the authorization element specifies the users to whom we wish to deny access.
When the users attribute’s value is set to "?" , all anonymous users are denied access to the folder.
Secure Books Database Application
Step 5: Creating a Master Page
The master page defines the elements we want to appear on each page. A master page is like a base class in a visual inheritance hierarchy.
The master page contains placeholders for custom content created in each content page.
To create a master page, right click the location of the website in the
Solution Explorer
and select
Add New Item
… .
Secure Books Database Application
Select
Master Page
and specify Bug2Bug.master
as the file name.
Master pages have the file-name extension .master
and, like Web Forms, can optionally use a code-behind file to define additional functionality.
Leave the box labeled
Place code in a separate file
unchecked and click
Add
to create the page.
Secure Books Database Application The IDE opens the master page in
Source
first created.
mode when the file is
Fig. |
Master page in
Source
mode.
• The markup for a master page is almost identical to that of a Web Form.
Secure Books Database Application
A master page contains a Master directive, which specifies that this file defines a master page using the indicated Language for any code.
Code that would usually be placed in a code-behind file can be placed in a script element.
Next, set the title of the page to Bug2Bug .
The master page contains two ContentPlaceHolder controls for content that will be defined by a content page.
Secure Books Database Application
At this point, you can edit the master page in
Design
were an ASPX file. mode as if it
Fig. |
Master page in
Design
mode. • The ContentPlaceHolder control appears as a rectangle with a purple outline indicating the control ’ s type and ID .
• Using the
Properties
window, change the ID of this control to bodyContent .
Secure Books Database Application
Place the cursor to the left of ContentPlaceHolder select
Table > Insert Table
.
In the
Insert Table Columns padding
to 1 . In the
Layout
of 0 dialog, set
Rows
section, specify a
Cell
and a
Cell spacing
of to 2 0 .
and and Set both the width and height of the table to 100 Make sure that the
Size
value in the
Borders
percent. section is 0 .
Secure Books Database Application
Click
OK
two rows.
to create a table that fills the page and contains Change the valign top and drag the property of the bottom table cell to ContentPlaceHolder into this cell.
Set the Height Image of the top table cell to control named headerImage 130 . Add an with its ImageUrl property set to the bug2bug.png
file.
Secure Books Database Application
Step 6: Creating a Content Page
Right click the master page in the
Solution Explorer
and select
Add Content Page
. Rename the Default.aspx
to CreateNewUser.aspx
, then open it in
Source
mode.
Fig. |
Content page CreateNewUser.aspx
in
Source
mode.
Secure Books Database Application
The Page directive indicates the MasterPageFile that is used as a starting point for this new page ’ s design.
The Title property specifies the title that will be displayed in the web browser ’ s title bar when the content page is loaded.
This value, which we set to Create a New User , replaces the value (i.e., Bug2Bug ) set in the title element of the master page.
Because CreateNewUser.aspx
Bug2Bug.master
specifies as the page ’ s MasterPageFile , it implicitly contains the contents of the master page.
Secure Books Database Application
The content page contains Content controls, in which we will place page-specific content that will replace the master page ’ s ContentPlaceHolder s.
The ContentPlaceHolderID property of the Content control identifies which ContentPlaceHolder the control should replace.
Secure Books Database Application
The relationship between a content page and its master page is more evident in
Design
mode.
Fig. |
Content page CreateNewUser.aspx
in
Design
mode. • The gray-shaded region contains the contents of the master page Bug2Bug.master
as they will appear in CreateNewUser.aspx
.
Secure Books Database Application
Step 7: Adding a
CreateUserWizard
Content Page Control to a
CreateNewUser.aspx
is the page in our website that allows first-time visitors to create user accounts.
To provide this functionality, we use a CreateUserWizard control.
Place the cursor inside the Content control in
Design
mode and double click CreateUserWizard
Toolbox
to add it to the page. in the
Secure Books Database Application
Open the
CreateUserWizard Tasks
menu and click
Auto Format
. Select the smart-tag
Professional
color scheme.
When the user clicks the
Create User
button, ASP.NET verifies that all the form ’ s requirements were fulfilled and attempts to create the user account.
If an error occurs, the CreateUserWizard displays a message below the form. If the account is created successfully, the form is replaced by a confirmation message and a button that allows the user to continue.
a) b) c)
Fig.
| CreateNewUser.aspx
page that provides a user registration form. (Part 3 of 3.) Outline CreateNewUser .aspx (3 of 3)
Secure Books Database Application
Step 8: Creating a Login Page
Add another content page named Login.aspx
title to Login .
In
Design
Content mode, drag a control.
Login and set its control to the page ’ s Open the
Auto Format
dialog from the
Login Tasks
smart-tag menu and set the control ’ s color scheme to
Professional
.
Set the Login control ’ s CreateUserUrl property to CreateNewUser.aspx
by clicking the ellipsis to the right of this property in the
Properties
window.
Secure Books Database Application
Then set the CreateUserText here to create a new user .
property to Click Finally, change the value of the Login DisplayRememberMe property to control False ’ s to require sure that users log in each time they visit the site.
Secure Books Database Application
The Login control encapsulates the details of logging a user into a web application.
If the user successfully authenticates, the browser is redirected to the page specified by the Login control ’ s DestinationPageUrl property.
If the user ’ s identity cannot be confirmed, the Login control displays an error message, and the user can attempt to log in again.
Outline • Figure presents the completed Login.aspx
page.
1 2 3
<%-- Figure 22.59: Login.aspx --%> <%-- Content page using a Login control that authenticates users. --%> <%@ Page Language = "C#" MasterPageFile
4 5 6
= "~/Bug2Bug.master" Title = "Login" %> Create a Login
11
Runat = "Server" >
12
13 BorderColor = "#E6E2D8" BorderPadding = "4" BorderStyle = "Solid" 14 BorderWidth = "1px" CreateUserText = "Click here to create a new user" 15 CreateUserUrl = "~/CreateNewUser.aspx" DisplayRememberMe = "False" 16 Font-Names = "Verdana" Font-Size = "0.8em" ForeColor = "#333333" 17 DestinationPageUrl = "~/Secure/Books.aspx" > 18 19 Fig. | Login.aspx content page using a Login control. (Part 1 of 2.) Outline 20 BorderStyle = "Solid" BorderWidth = "1px" Font-Names = "Verdana" 21 Font-Size = "0.8em" ForeColor = "#284775" /> 22 23 24 Font-Size = "0.9em" ForeColor = "White" /> 25
26
a) b) Login.aspx (2 of 2) Create a Login control with a number of properties, including the ones we set using the
Properties
window.
Fig.
| Login.aspx
content page using a Login control. (Part 2 of 2.)
Secure Books Database Application
As in CreateNewUser.aspx
, the Page that this content page inherits content from Bug2Bug.master
.
directive indicates All of the functionality related to actually logging the user in or displaying error messages is completely hidden from you.
When a user enters login information, ASP.NET authenticates the user and sends an
encrypted
cookie with information about the authenticated user.
Encrypted data is data translated into a code that only the sender and receiver can understand — thereby keeping it private.
The encrypted cookie contains a string bool username and a value that specifies whether this cookie should persist beyond the current session.
Secure Books Database Application
Step 9: Creating a Content Page That Only Authenticated Users Can Access
To create Books.aspx
, right click the Secure
Solution Explorer
folder in the and select
Add New Item....
Select
Web Form
and specify the file name Books.aspx
.
Change the Page Information .
directive ’ s Title property to Book
Secure Books Database Application
Step 10: Customizing the Secure Page
Open Books.aspx
in
Design
control, type Welcome mode. In the Content followed by a comma and a space.
Drag a LoginName control from the
Toolbox
onto the page. When this page executes on the server, the control will be replaced by the current username.
In
Source
mode, type an exclamation point ( !
) directly after the LoginName control (with no spaces in between).
Secure Books Database Application
A LoginStatus of two ways control renders on a web page in one If the user is not authenticated, the control displays a hyperlink with the text Login .
If the user is authenticated, the control displays a hyperlink with the text Logout .
Secure Books Database Application
Add a LoginStatus from the
Toolbox
control to the page by dragging it onto the page.
The
LoginStatus Tasks
smart-tag menu allows you switch between the control ’ s
Views
.
Select the
Logged In
view to see the Logout link.
Modify the control ’ s LogoutText Click here to log out .
property to Set the LogoutAction property to RedirectToLoginPage .
Secure Books Database Application
Step 11: Connecting the
CreateUserWizard Login
Controls to the Secure Page
and
Open CreateNewUser.aspx
set the CreateUserWizard in
Design
control ’ s ContinueDestinationPageUrl mode and property to Books.aspx
.
Open Login.aspx
and select Books.aspx
DestinationPageUrl of the Login as the control.
Run the web application.
Secure Books Database Application
Step 12: Creating a SQL DataSource on the
Books
Database
Secure Books Database Application
Step 13: Adding a
DropDownList
Authors ’ First and Last Names
Containing
Open Books.aspx
in
Design
mode, then add the text Author: and a DropDownList authorsDropDownList named in the page ’ s Content control.
Add a Sql DataSource DropDownList object below the named authorsSqlDataSource .
In the
DropDownList Tasks Choose Data Source...
smart-tag menu, click to start the
Source Configuration Wizard
.
Data
Secure Books Database Application
Select authorssqlDataSource
data source
from the
Select a
drop-down list in the first screen of the wizard.
Set Name as the data field to display and AuthorID data field to use as the value.
Click
OK
to bind the DropDownList as the to the specified data.
The last step in configuring the DropDownList Books.aspx
is to set the control ’ s on AutoPostBack property to True .
This property indicates that a postback occurs each time the user selects an item. This causes the page ’ s GridView to display new data.
Secure Books Database Application
Step 14: Creating a
GridView
Author ’ s Books to Display the Selected
Add a GridView named booksGridView controls in the page ’ s Content control.
below the other To bind the GridView to data from the Books create a SqlDataSource named booksSqlDataSource database, beneath the GridView .
Select booksSqlDataSource
Source
from the
Choose Data
drop-down list in the
GridView Tasks
smart-tag menu.
Secure Books Database Application
To add more Columns to the GridView, select
Edit Columns...
from the
GridView Tasks
smart-tag menu to initiate the
Fields
dialog.
Secure Books Database Application
Uncheck the
Auto-generate fields
box to indicate that you ’ ll manually define the fields to display.
Create BoundField s with HeaderText s ISBN , Title , Edition Number , and Copyright .
For each BoundField SortExpression except for and Edition Number DataField , the properties should match the HeaderText .
For Edition Number , the SortExpression DataField and should be EditionNumber — the name of the field in the database.
The SortExpression specifies the data field to sort by when the user chooses to sort by the column. 59
Secure Books Database Application
Now that the GridView is tied to a data source, we modify several of the control ’ s properties to adjust its appearance and behavior.
Set the GridView ’ s CellPadding the BackColor of the property to 5 AlternatingRowStyle , set to LightYellow , and set the BackColor HeaderStyle to LightGreen .
of the Change the Width of the control to 600px to ensure that long data values don ’ t wrap to multiple lines.
60
Secure Books Database Application
In the
GridView Tasks Sorting
.
smart-tag menu, check
Enable
This changes the column headings in the GridView that allow users to sort the GridView using the sort into links expressions specified by each column.
Finally, in the
GridView Tasks
smart-tag menu, check
Enable Paging
. This causes the GridView to split across multiple pages.
The user can click the numbered links at the bottom of the GridView control to display a different page of data.
GridView ’ s
Properties
PageSize entries per page. Set the window. property determines the number of PageSize property to 4 using the 61
Secure Books Database Application
Figure displays the completed Books.aspx
mode. file in
Design Fig. |
Completed Books.aspx
in
Design
mode. 62