IT533 Lectures Security

Upload: gladys-goodwin

Post on 28-Dec-2015

Page 1: IT533 Lectures Security. Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration

IT533 Lectures

Security

Security

Reasons for Security
• Prevent access to areas of your Web server
• Record and store secure relevant user data

Security Configuration
• <security> tag in web.config file

Authentication and Authorization

Security
Authentication

• Who are you?
• Server must authenticate client
• Client should authenticate server
  • Kerberos does
• Need a directory to store user accounts
  • Windows: Active Directory
    • Good for intranet and Internet usage

Security
IIS Authentication

• Anonymous
  • A single Windows account is used for all visitors
• Basic authentication
  • Standard, commonly supported
  • Password sent in clear text
• Integrated Windows Authentication
  • NTLM
  • Kerberos
• Client certificates
  • Mapped to Windows account

Security
ASP.NET Authentication

• Custom, forms-based authentication
  • Easy to use, with cookie token tracking
  • Enables custom login screen (no popup dialogs)
  • Supports custom credential checks against database, exchange, etc.
• Passport module provided
  • Exposes passport profile API

Security
Authorization

• Now that I know who you are, here’s what you are allowed to do
• Grant and deny read/write/execute/etc. permission to users or groups of users
• IIS also provides coarse-grained control
  • Read, write, run script, run executable, directory browsing, script access for virtual directories, directories and files

Security
ASP.NET Authorization

• ASP.NET supports authorization using either users or roles
• Roles map users into logical groups
  • Example: “User”, “Manager”, “VP”, etc.
  • Provides nice developer/admin separation
• Developers can perform runtime role checks in code
  • if (User.IsInRole("Admin")) { }

Secure Books Application

This example uses a technique known as forms authentication to protect a page so that only users known to the website can access it.

Website visitors must log in before they are allowed to view the publications in the Books database.

The first page that a user would typically request is Login.aspx.

Secure Books Database Application

Fig. | Login.aspx page of the secure books database application.

Secure Books Database Application

A first-time visitor must click the link below the Log In button to create a new user before logging in, which redirects the visitor to CreateNewUser.aspx.

Secure Books Database Application

Fig. | Message displayed to indicate that a user account was created successfully

After creating the account, the user is automatically logged in and shown a success message.

Secure Books Database Application

Fig. | Books.aspx displaying books (default is all books).

Clicking the Continue button on the confirmation page sends the user to Books.aspx, which provides a drop-down list of authors and a table containing the book titles in the books database.

Secure Books Database Application

Fig. | Books.aspx displaying books by Dan.

When the user chooses an author, a postback occurs, and the page is updated to display information about books written by the selected author.

Secure Books Database Application

Fig. | Logging in using the Login control.

Clicking the Click here to log out link logs the user out, then sends the user back to Login.aspx.

Secure Books Database Application

Fig. | Error message displayed for an unsuccessful login attempt.

If the user’s login attempt fails, an appropriate error message is displayed.

Secure Books Database Application

We use a master page to achieve the common header.

A master page defines common GUI elements that are inherited by each page in a set of content pages.

Content pages inherit visual elements from master pages—this is known as visual inheritance.

Secure Books Database Application

Creating the Secure Books Database Application

Step 1: Creating the Website

Create a new ASP.NET Web Site with a folder named Bug2Bug.

Delete the IDE-generated Default.aspx file (and its corresponding code-behind file).

Secure Books Database Application

Step 2: Setting Up the Website’s Folders

Before building any of the pages in the website, we create folders to organize its contents.

First, create an Images folder.

Add the bug2bug.png file to it.

Secure Books Database Application

Step 3.1: Configuring the Application’s Security Settings

Before we start, we need to set up the security DB on our SQL server by running the aspnet_regsql tool.

Make sure LocalSqlServer is pointing to your database server by modifying C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config:

<add name="LocalSqlServer" connectionString="data source=.;Integrated Security=SSPI; AttachDBFilename=|DataDirectory|aspnetdb.mdf; User Instance=true" providerName="System.Data.SqlClient"/>

Secure Books Database Application

Step 3.2: Configuring the Application’s Security Settings

In this application, we want to ensure that only authenticated users are allowed to access Books.aspx to view the information in the database.

By default, any visitor can view pages in the root directory.

ASP.NET allows you to restrict access to particular folders of a website.

Create a folder named Secure. Later, we create Books.aspx in this folder.

Secure Books Database Application

Select Website > ASP.NET Configuration to open the Web Site Administration Tool in a web browser.

Secure Books Database Application

Click either the Security link or the Security tab to open a web page in which you can set security options.

Fig. | Security page of the Web Site Administration Tool.

• In the Users column, click Select authentication type.

Secure Books Database Application

On the resulting page, select the radio button next to From the internet to indicate that the application will use forms authentication.

Fig. | Choosing the type of authentication used by an ASP.NET web application

• Click the Done button to save this change.

Secure Books Database Application

The Users column on the main page of the Web Site Administration Tool now provides links to create and manage users.

Fig. | Main page of the Web Site Administration Tool after enabling forms

• While it is possible to create users through the Web Site Administration Tool, we do not do so here.

Secure Books Database Application

Click the Create access rules link in the Access Rules column of the Web Site Administration Tool to view the Add New Access Rule page.

Fig. | Add New Access Rule page used to configure directory access.

Secure Books Database Application

This page is used to create an access rule—a rule that grants or denies access to a particular directory for a specific user or group of users.

Click the Secure directory in the left column. Select Anonymous users in the middle column and Deny in the right column, and click OK.

This rule indicates that anonymous users should be denied access to any pages in the Secure directory.

By default, anonymous users who attempt to load a page in the Secure directory are redirected to the Login.aspx page.

Secure Books Database Application

Step 4: Examining the Autogenerated web.config Files

In an ASP.NET application, a page’s configuration settings are determined by the current directory’s web.config file.

The web.config file in the root directory contains an authentication element specifying that the site uses forms authentication.

The second web.config file, in the Secure folder, contains an authorization element that indicates who is authorized to access this folder over the web.

Secure Books Database Application

The deny element inside the authorization element specifies the users to whom we wish to deny access.

When the users attribute’s value is set to "?", all anonymous users are denied access to the folder.
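The two files described in Step 4 would look roughly like the fragments below. This is an added example, not the files generated for the lecture's project; the Secure/Managers folder and its Manager role rule are hypothetical, assume roles are enabled for the site, and are included only to show how rule order interacts with the roles introduced earlier.

```xml
<!-- ~/web.config (site root): selects forms authentication for the whole site.
     No authorization element is needed here, because the inherited default
     rule <allow users="*" /> lets every visitor reach Login.aspx and
     CreateNewUser.aspx. -->
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>

<!-- ~/Secure/web.config: applies to Books.aspx and everything else under
     Secure. "?" means anonymous (unauthenticated) users; "*" means all users. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Hypothetical ~/Secure/Managers/web.config (not part of the lecture's site).
     Rules are evaluated top to bottom and the first match wins, so the allow
     rule must come before the catch-all deny. Reversing the two lines would
     lock out managers as well. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Manager" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

These rules are enforced by ASP.NET's URL authorization, so confirm that every file type placed in Secure is actually served through the ASP.NET pipeline.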

Secure Books Database Application

Step 5: Creating a Master Page

The master page defines the elements we want to appear on each page.

A master page is like a base class in a visual inheritance hierarchy.

The master page contains placeholders for custom content created in each content page.

To create a master page, right click the location of the website in the Solution Explorer and select Add New Item….

Secure Books Database Application

Select Master Page and specify Bug2Bug.master as the file name.

Master pages have the file-name extension .master and, like Web Forms, can optionally use a code-behind file to define additional functionality.

Leave the box labeled Place code in a separate file unchecked and click Add to create the page.

Secure Books Database Application

The IDE opens the master page in Source mode when the file is first created.

Fig. | Master page in Source mode.

• The markup for a master page is almost identical to that of a Web Form.

Secure Books Database Application

A master page contains a Master directive, which specifies that this file defines a master page using the indicated Language for any code.

Code that would usually be placed in a code-behind file can be placed in a script element.

Next, set the title of the page to Bug2Bug.

The master page contains two ContentPlaceHolder controls for content that will be defined by a content page.

Secure Books Database Application

At this point, you can edit the master page in Design mode as if it were an ASPX file.

Fig. | Master page in Design mode.

• The ContentPlaceHolder control appears as a rectangle with a purple outline indicating the control’s type and ID.

• Using the Properties window, change the ID of this control to bodyContent.

Secure Books Database Application

Place the cursor to the left of ContentPlaceHolder and select Table > Insert Table.

In the Insert Table dialog, set Rows to 2 and Columns to 1.

In the Layout section, specify a Cell padding of 0 and a Cell spacing of 0.

Set both the width and height of the table to 100 percent. Make sure that the Size value in the Borders section is 0.

Secure Books Database Application

Click OK to create a table that fills the page and contains two rows.

Change the valign property of the bottom table cell to top and drag the ContentPlaceHolder into this cell.

Set the Height of the top table cell to 130. Add an Image control named headerImage with its ImageUrl property set to the bug2bug.png file.

Secure Books Database Application

Step 6: Creating a Content Page

Right click the master page in the Solution Explorer and select Add Content Page.

Rename the Default.aspx to CreateNewUser.aspx, then open it in Source mode.

Fig. | Content page CreateNewUser.aspx in Source mode.

Secure Books Database Application

The Page directive indicates the MasterPageFile that is used as a starting point for this new page’s design.

The Title property specifies the title that will be displayed in the web browser’s title bar when the content page is loaded.

This value, which we set to Create a New User, replaces the value (i.e., Bug2Bug) set in the title element of the master page.

Because CreateNewUser.aspx specifies Bug2Bug.master as the page’s MasterPageFile, it implicitly contains the contents of the master page.

Secure Books Database Application

The content page contains Content controls, in which we will place page-specific content that will replace the master page’s ContentPlaceHolders.

The ContentPlaceHolderID property of the Content control identifies which ContentPlaceHolder the control should replace.

Secure Books Database Application

The relationship between a content page and its master page is more evident in Design mode.

Fig. | Content page CreateNewUser.aspx in Design mode.

• The gray-shaded region contains the contents of the master page Bug2Bug.master as they will appear in CreateNewUser.aspx.

Secure Books Database Application

Step 7: Adding a CreateUserWizard Control to a Content Page

CreateNewUser.aspx is the page in our website that allows first-time visitors to create user accounts.

To provide this functionality, we use a CreateUserWizard control.

Place the cursor inside the Content control in Design mode and double click CreateUserWizard in the Toolbox to add it to the page.

Secure Books Database Application

Open the CreateUserWizard Tasks smart-tag menu and click Auto Format. Select the Professional color scheme.

When the user clicks the Create User button, ASP.NET verifies that all the form’s requirements were fulfilled and attempts to create the user account.

If an error occurs, the CreateUserWizard displays a message below the form.

If the account is created successfully, the form is replaced by a confirmation message and a button that allows the user to continue.

Fig. | CreateNewUser.aspx page that provides a user registration form. (Part 3 of 3.)

Secure Books Database Application

Step 8: Creating a Login Page

Add another content page named Login.aspx and set its title to Login.

In Design mode, drag a Login control to the page’s Content control.

Open the Auto Format dialog from the Login Tasks smart-tag menu and set the control’s color scheme to Professional.

Set the Login control’s CreateUserUrl property to CreateNewUser.aspx by clicking the ellipsis to the right of this property in the Properties window.

Secure Books Database Application

Then set the CreateUserText property to Click here to create a new user.

Finally, change the value of the Login control’s DisplayRememberMe property to False to require that users log in each time they visit the site.

Secure Books Database Application

The Login control encapsulates the details of logging a user into a web application.

If the user successfully authenticates, the browser is redirected to the page specified by the Login control’s DestinationPageUrl property.

If the user’s identity cannot be confirmed, the Login control displays an error message, and the user can attempt to log in again.

• Figure presents the completed Login.aspx page.

<%-- Figure 22.59: Login.aspx --%>
<%-- Content page using a Login control that authenticates users. --%>
<%@ Page Language="C#" MasterPageFile="~/Bug2Bug.master" Title="Login" %>

<script runat="server">
</script>

<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="bodyContent"
   Runat="Server">
   <asp:Login ID="Login1" runat="server" BackColor="#F7F6F3"
      BorderColor="#E6E2D8" BorderPadding="4" BorderStyle="Solid"
      BorderWidth="1px" CreateUserText="Click here to create a new user"
      CreateUserUrl="~/CreateNewUser.aspx" DisplayRememberMe="False"
      Font-Names="Verdana" Font-Size="0.8em" ForeColor="#333333"
      DestinationPageUrl="~/Secure/Books.aspx">
      <TextBoxStyle Font-Size="0.8em" />
      <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC"
         BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
         Font-Size="0.8em" ForeColor="#284775" />
      <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
      <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True"
         Font-Size="0.9em" ForeColor="White" />
   </asp:Login>
</asp:Content>

Create a Login control with a number of properties, including the ones we set using the Properties window.

Fig. | Login.aspx content page using a Login control.

Secure Books Database Application

As in CreateNewUser.aspx, the Page directive indicates that this content page inherits content from Bug2Bug.master.

All of the functionality related to actually logging the user in or displaying error messages is completely hidden from you.

When a user enters login information, ASP.NET authenticates the user and sends an encrypted cookie with information about the authenticated user.

Encrypted data is data translated into a code that only the sender and receiver can understand—thereby keeping it private.

The encrypted cookie contains a string username and a bool value that specifies whether this cookie should persist beyond the current session.
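The cookie described above is controlled by the forms element in the root web.config. The fragment below is an added example, not the lecture's own configuration; the attribute values are assumptions chosen to show which settings keep the ticket protected in transit and short-lived.

```xml
<!-- ~/web.config (site root), authentication section only. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl:          where anonymous requests to ~/Secure are redirected.
           protection="All":  the ticket is both encrypted and integrity-checked
                              (this is the default; "None" would leave the user
                              name readable and forgeable).
           requireSSL="true": the cookie gets the Secure flag, so the browser
                              never sends it over plain HTTP. The default is
                              false.
           timeout="20":      ticket lifetime in minutes (assumed value).
           slidingExpiration="false": the ticket is not renewed on activity, so
                              a stolen cookie stops working after the timeout.
           cookieless="UseCookies": never place the ticket in the URL. -->
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```

With requireSSL="true" the whole site, including Login.aspx, has to be served over HTTPS, which also keeps the submitted password off the wire in clear text.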

Secure Books Database Application

Step 9: Creating a Content Page That Only Authenticated Users Can Access

To create Books.aspx, right click the Secure folder in the Solution Explorer and select Add New Item....

Select Web Form and specify the file name Books.aspx.

Change the Page directive’s Title property to Book Information.

Secure Books Database Application

Step 10: Customizing the Secure Page

Open Books.aspx in Design mode. In the Content control, type Welcome followed by a comma and a space.

Drag a LoginName control from the Toolbox onto the page. When this page executes on the server, the control will be replaced by the current username.

In Source mode, type an exclamation point (!) directly after the LoginName control (with no spaces in between).

Secure Books Database Application

A LoginStatus control renders on a web page in one of two ways:

• If the user is not authenticated, the control displays a hyperlink with the text Login.
• If the user is authenticated, the control displays a hyperlink with the text Logout.

Secure Books Database Application

Add a LoginStatus control to the page by dragging it from the Toolbox onto the page.

The LoginStatus Tasks smart-tag menu allows you to switch between the control’s Views.

Select the Logged In view to see the Logout link.

Modify the control’s LogoutText property to Click here to log out.

Set the LogoutAction property to RedirectToLoginPage.

Secure Books Database Application

Step 11: Connecting the CreateUserWizard and Login Controls to the Secure Page

Open CreateNewUser.aspx in Design mode and set the CreateUserWizard control’s ContinueDestinationPageUrl property to Books.aspx.

Open Login.aspx and select Books.aspx as the DestinationPageUrl of the Login control.

Run the web application.

Secure Books Database Application

Step 12: Creating a SQL DataSource on the Books Database

Secure Books Database Application

Step 13: Adding a DropDownList Containing Authors’ First and Last Names

Open Books.aspx in Design mode, then add the text Author: and a DropDownList named authorsDropDownList in the page’s Content control.

Add a SqlDataSource object below the DropDownList named authorsSqlDataSource. In the DropDownList Tasks smart-tag menu, click Choose Data Source... to start the Data Source Configuration Wizard.

Secure Books Database Application

Select authorsSqlDataSource from the Select a data source drop-down list in the first screen of the wizard.

Set Name as the data field to display and AuthorID as the data field to use as the value.

Click OK to bind the DropDownList to the specified data.

The last step in configuring the DropDownList on Books.aspx is to set the control’s AutoPostBack property to True.

This property indicates that a postback occurs each time the user selects an item. This causes the page’s GridView to display new data.

Secure Books Database Application

Step 14: Creating a GridView to Display the Selected Author’s Books

Add a GridView named booksGridView below the other controls in the page’s Content control.

To bind the GridView to data from the Books database, create a SqlDataSource named booksSqlDataSource beneath the GridView.

Select booksSqlDataSource from the Choose Data Source drop-down list in the GridView Tasks smart-tag menu.

Secure Books Database Application

To add more Columns to the GridView, select Edit Columns... from the GridView Tasks smart-tag menu to initiate the Fields dialog.

Secure Books Database Application

Uncheck the Auto-generate fields box to indicate that you’ll manually define the fields to display.

Create BoundFields with HeaderTexts ISBN, Title, Edition Number, and Copyright.

For each BoundField except for Edition Number, the SortExpression and DataField properties should match the HeaderText.

For Edition Number, the SortExpression and DataField should be EditionNumber—the name of the field in the database.

The SortExpression specifies the data field to sort by when the user chooses to sort by the column.

Secure Books Database Application

Now that the GridView is tied to a data source, we modify several of the control’s properties to adjust its appearance and behavior.

Set the GridView’s CellPadding property to 5, set the BackColor of the AlternatingRowStyle to LightYellow, and set the BackColor of the HeaderStyle to LightGreen.

Change the Width of the control to 600px to ensure that long data values don’t wrap to multiple lines.

Secure Books Database Application

In the GridView Tasks smart-tag menu, check Enable Sorting.

This changes the column headings in the GridView into links that allow users to sort the GridView using the sort expressions specified by each column.

Finally, in the GridView Tasks smart-tag menu, check Enable Paging. This causes the GridView to split across multiple pages.

The user can click the numbered links at the bottom of the GridView control to display a different page of data.

GridView’s PageSize property determines the number of entries per page. Set the PageSize property to 4 using the Properties window.

Secure Books Database Application

Figure displays the completed Books.aspx file in Design mode.

Fig. | Completed Books.aspx in Design mode.