Module 8: Implementing ASP.NET 2.0 Security

Post on 26-May-2020

Contents

Overview
Lesson: Using Forms Authentication
Lesson: Using Security-Related Controls
Lesson: Managing Membership and Roles
Lab A: Implementing ASP.NET 2.0 Security

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2004 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, FrontPage, IntelliSense, Microsoft Press, MSDN, PowerPoint, SharePoint, Verdana, Visual Basic, Visual Studio, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

In this module, you will teach students how to create and use forms-based authentication in Microsoft® ASP.NET 2.0. Forms authentication restricts access to Web sites. Implemented in ASP.NET 1.x, the forms authentication features and capabilities have been significantly improved with the release of ASP.NET 2.0.

After completing this module, students will be able to:

• Use cookieless authentication forms.
• Implement ASP.NET 2.0 security controls.
• Use the membership class for authenticating users.

Required materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 3201A_08.ppt

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, some of the features of the slides might not be displayed correctly.

Preparation task

To prepare for this module:

• Read all of the materials for this module.
• Read the chapter titled "ASP.NET Security" in Introducing Microsoft ASP.NET 2.0 (Microsoft Press).
• Complete the practices and lab.

Presentation, Demonstrations, and Student Practices: 90 minutes
Lab: 45 minutes

How to Teach This Module

Key points to remember when teaching this module:

• Try to keep students focused on the content in this module. You should try to answer questions about topics covered later on in the course by saying that the topic in question will be covered in detail in a later module. If you know the module in which it is covered, go ahead and tell the class.

• When you are going through the slide topics, be sure to expound upon the bullet points when you feel students might need additional information. You can supplement the content on the slides with any real-world knowledge that you bring to the course and by discussing typical scenarios that you are aware of. You can also add further detail to the slides by explaining the specifics of a point. Be sure to try and add some detail to slides when appropriate and encourage students to refer to their companion book for more information.

• When performing the hands-on activities, if you make any changes to the virtual machine that you do not want to keep, you can close the virtual machine without saving. This will take the virtual machine back to the most recently saved state. To close the virtual machine without saving, perform the following steps:
   a. On the virtual machine, on the Action menu, click Close.
   b. In the Close dialog box, on the What do you want the virtual machine to do? list, select Turn off and delete changes, and then click OK.

• To introduce this module, you could begin by explaining that in order to create a security layer for your Web applications, students will need to implement forms-based authentication. It works like this: after a user sends a request for your Web page, the user is given a logon form on which he or she is required to specify his or her credentials. If your custom data provider validates the credentials, the user is redirected to the originally requested page.

• The focus of Module 8, "Implementing ASP.NET 2.0 Security," is to teach students how forms-based authentication in ASP.NET 2.0 is easier and quicker to use.

• The focus for the lesson "Using Forms Authentication" is to teach students how to implement cookieless authentication by using several methods.

• The focus for the lesson "Using Security-Related Controls" is to teach students how to use the new ASP.NET 2.0 server controls that make programming security-related aspects of a Web application easier than ever.

• The focus for the lesson "Managing Membership and Roles" is to teach students how to use the new membership class in ASP.NET 2.0 to replace the repetitive task in ASP.NET 1.x that required developers to write code that validates the user credentials against a data store.

Demonstration Tips

When performing the instructor-led demonstrations in this course, you might consider showing the finished result of the demonstrations before you begin. By showing students the completed application before you begin performing the actual tasks to build it, they will have a mental picture of what you are trying to accomplish in the demonstration.

The finished solutions for each demonstration are provided in the solution folder.

For example, C:\Program Files\MicrosoftLearning\3201A\Practices\Mod08\Solution\language\Demo1

Lesson: Using Forms Authentication

In this lesson, you will teach the students how to implement cookieless authentication in several ways.

You could begin with a bit of history about forms authentication. In ASP.NET 1.x, cookies are mandatory to leverage the built-in authentication framework. To implement cookieless authentication, you need to do one of two things:

• Append the authentication ticket to the query string, or
• Store the authentication ticket as extra path information and retrieve it from the PATH_INFO server variable.

In ASP.NET 2.0, you insert the authentication ticket into the URL. This requires the use of an ISAPI filter, which performs the following steps:

1. Intercepts a request.
2. Extracts the ticket.
3. Rewrites the correct path to the application.

Note that the ISAPI filter exposes the authentication ticket as another request header.

The critical point of this topic is to explain the concept of forms authentication. It is important to provide information about how to use it, because students will be engaged in configuring the forms authentication engine in the next practice. So, to conclude this topic, explain that to create forms-based authentication, you are required to provide the custom logic for validating and authorizing the user, and any essential user interface.

Be sure to mention that a user's state can be anonymous or connected.

You should say that with forms authentication, you most often store user and role data in a custom database.

If students need additional information to complete this practice, you can refer them to Table 10-1, "Attributes for Forms Authentication in ASP.NET 1.1," in Introducing Microsoft ASP.NET 2.0.

The key point of cookieless authentication is that it does not require support from the client browser. In ASP.NET 2.0, the authentication ticket is included with the URL and the new cookieless attribute specifies whether cookies are used to store the authentication ticket and their overall behavior.

You can explain the following details as well:

• The defaultUrl attribute enables you to set the default page to navigate to after successful authentication.
• You can configure this in ASP.NET 2.0. The optional domain attribute is handy because it enables you to share authentication cookies between two computers located in the same domain.

As in the previous practice, if students need additional information to complete these procedures, you can refer them to Table 10-2, "Values for the Cookieless Attribute," in Introducing Microsoft ASP.NET 2.0.

What Is Forms Authentication?

Practice: Configuring Forms Authentication

What Is Cookieless Authentication?

Practice: Configuring Cookieless Authentication

Lesson: Using Security-Related Controls

In this lesson, you will teach the students how to use the new ASP.NET 2.0 server controls that make programming security-related aspects of a Web application easier than ever, including the following: Login, LoginName, LoginStatus, LoginView, and PasswordRecovery.

Be sure to reiterate the fact that a Web application based on the forms authentication model always needs a login page. The key concept for this page is that the Login control is a composite control that provides common user interface elements of a login form.

As the illustration on the right of the slide shows, the login includes all required elements and the optional new user registration element.

For additional information about the properties and events of the Login control, you can refer to the following information in Introducing Microsoft ASP.NET 2.0:

• Table 10-12, "Properties of the Login Control"
• Table 10-13, "Events of the Login Control"

Begin by stating that the parent Login control is a composite control that provides common user interface elements of a login form.

If students want additional information about LoginView control properties, refer them to Table 10-15, "Properties of the LoginView Class," in Introducing Microsoft ASP.NET 2.0.

The key point of this topic is that the PasswordRecovery control enables users of your Web applications to recover their passwords through email messages.

You should also mention that ASP.NET 2.0 has an optional anonymous user identification feature that assigns a unique identity to non-authenticated users to make them appear like regularly authenticated users. You can read more about this feature in the section titled "Anonymous Identification" of Chapter 10, "ASP.NET Security," in Introducing Microsoft ASP.NET 2.0.

What Is the Login Control?

Demonstration: How to Set Up the Login Control

What is the LoginView Control?

Practice: Using a LoginView Control

What Is the PasswordRecovery Control?

Lesson: Managing Membership and Roles

In this lesson, you will teach students how to use the new Membership class in ASP.NET 2.0 to replace the repetitive task in ASP.NET 1.x that required developers to write the code that validates the user credentials against a data store.

This lesson is directly correlated with Module 7, "Personalizing Applications with User Profiles and Themes." Several of the concepts and skills covered in this lesson will be familiar to students and serve to build upon the topics from the previous module.

The concept to emphasize for the membership class is this: The new ASP.NET 2.0 membership and role-management application programming interface (API) has enhanced and extended forms authentication. The membership and role-management API requires a provider component that exposes data-driven methods that are not integrated with the data store.

For additional information about the properties exposed by the Membership class and an understanding of the capabilities of the class, refer to the following information in Introducing Microsoft ASP.NET 2.0:

• Table 10-5, "Properties of the Membership Class"
• Table 10-6, "Methods of the Membership Class"

Be sure to emphasize that the Membership provider is abstract and extensible because the Membership API leverages your existing data store so that all that's left for you to do is write a custom data provider that implements the IMembershipProvider interface and the IProvider interface. These components do not require you to write a significant amount of code.

For additional information about the methods and properties of the IMembershipProvider class, refer to the following information in Introducing Microsoft ASP.NET 2.0:

• Table 10-7, "Methods of the IMembershipProvider Interface"
• Table 10-8, "Properties of the IMembershipProvider Interface"

The last bullet point leaves off with a mention of the Web Administration Tool. You can further explain that this tool provides a visual interface for creating associations between users and roles. However, you can perform this task programmatically through the command line by calling various role manager methods.

For additional information about the methods and properties of the Roles class and the methods of the IRoleProvider interface, refer to the following information in Introducing Microsoft ASP.NET 2.0:

• Table 10-9, "Methods of the Roles Class"
• Table 10-10, "Properties of the Roles Class"
• Table 10-11, "Methods of the IRoleProvider interface"

Note

What Is the Membership Class?

Demonstration: How to Use the Membership API in ASP.NET 2.0 Applications

What Is the Membership Provider?

Demonstration: How to Configure a Membership Provider

What Is a Membership Role?

Demonstration: How to Configure Roles Management

Lab A: Implementing ASP.NET 2.0 Security

When introducing this lab, encourage students to read the scenarios and then reflect on how that information might apply to their own organizations. They will engage in a lab-scenario discussion activity when they complete the module. This will help them keep the key business drivers in mind as they work through the practices.

Also, point the students to the figure located after the Scenario section. This illustration provides an example of the application that students will create in this lab.

Scenario reflection activity

Allow no more than 5–10 minutes for this activity. It should be a simple and informal discussion that offers students the opportunity to think about what they learned in the lab, and to draw comparisons to situations in their own organizations. It is easy to get off track during these types of discussions, so just remember to keep students focused on the subject of this module: ASP.NET 2.0 security.

They should focus their discussion around forms authentication, membership and roles, and security controls such as Login and LoginView and how these features might be applicable to their organizations.

Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Lesson: Using Forms Authentication

What Is Forms Authentication?

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Using Forms Authentication, page 222.

Practice: Configuring Forms Authentication

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Using Forms Authentication, page 222.

Introduction

In this practice, you will configure Forms authentication by modifying the web.config file. You will add authentication, forms, and deny elements, and set their appropriate attributes.

Use the following values in this practice:

Variable          Value
Virtual machine   GEN-STU-01
User Name         Administrator
Password          P@ssw0rd

Procedure

To prepare for this practice

1. If the virtual machine has been paused:
   • On the GEN-STU-01 virtual machine, on the Action menu, click Resume.
2. If the virtual machine has been shut down:
   a. From the desktop, double-click the Microsoft Virtual PC icon, highlight GEN-STU-01, and then click Start.
   b. After the GEN-STU-01 virtual machine boots, log on with a user name of Administrator and a password of P@ssw0rd.
3. If Microsoft® Visual Studio® .NET is not open:
   • On the GEN-STU-01 virtual machine, click Start, and then click Microsoft Visual Studio 2005.

To open the Mod8 Practice1 Web site

1. In Visual Studio 2005, on the File menu, click Open Web Site.
2. In the Open Web Site window, on File System, browse to C:\Program Files\Microsoft Learning\3201A\Practices\Mod08\Starter\language\Practice1, and then click Open.

Note: This is a dual-language course that contains code samples and starter and solution files for both C# and Microsoft Visual Basic® .NET. You can choose the language in which you want to code to complete the procedures. When you see the word language (for example, StrongPassword.language), this indicates that the folder or file can be either C# or Visual Basic .NET. Choose the language you are using, and then proceed.

To modify the web.config file

1. In Solution Explorer, double-click the web.config file. This will open the file in the Edit window.
2. Add an authentication element to the system.web section with a mode attribute set to Forms.
3. Add a forms element to the authentication element with a loginUrl attribute set to login.aspx. Your code should look similar to the following:

   <authentication mode="Forms">
     <forms loginUrl="login.aspx" />
   </authentication>

4. Add an authorization element to the system.web section.
5. Add a deny element to the authorization element with a users attribute set to ?. Your code should look similar to the following:

   <authorization>
     <deny users="?" />
   </authorization>

6. Save the web.config file.

To review the results

1. In Solution Explorer, right-click the Welcome.aspx page, and select View in Browser.

   Note: The browser will automatically redirect you to the login page because the web.config file is configured to deny anonymous users access to the site.

2. In the User ID field, type your name.
3. Leave the Password field blank, and then click the Log In button.
4. Review the page.
5. Close the browser and any open files or projects, but leave Visual Studio open.
6. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.

What Is Cookieless Authentication?

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Using Forms Authentication, pages 222–223.

Practice: Configuring Cookieless Authentication

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Using Forms Authentication, pages 222–223.

Introduction

In this practice, you will configure cookieless authentication by modifying the web.config file. You will add a cookieless attribute to the forms element with an appropriate value. This will cause the authentication mechanism to use query string parameters to persist authentication information between requests.

Use the following values in this practice:

Variable          Value
Virtual machine   GEN-STU-01
User Name         Administrator
Password          P@ssw0rd

Procedure

To prepare for this practice

• On the GEN-STU-01 virtual machine, on the Action menu, click Resume.

To open the Mod8 Practice2 Web site

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, on File System, browse to C:\Program Files\Microsoft Learning\3201A\Practices\Mod08\Starter\language\Practice2, and then click Open.

To modify the web.config file

1. In Solution Explorer, double-click the web.config file. This will open the file in the Edit window.
2. Add a cookieless attribute to the forms element with a value of UseUri.
3. Save the web.config file.

To review the results

1. In Solution Explorer, right-click the Welcome.aspx page, and select View in Browser.
2. In the User ID field, type your name.
3. Leave the Password field blank, and then click the Log In button.
4. Review the page and notice that the URL now contains an encrypted string.
5. Close the browser and any open files or projects, but leave Visual Studio open.
6. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.

Lesson: Using Security-Related Controls

What Is the Login Control?

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Security-Related Controls, pages 240–243.

Demonstration: How to Set Up the Login Control

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Security-Related Controls, pages 240–243.

Introduction

In this demonstration, you will see how to set up the Login control. Your instructor will create the Login control and then add the authenticate event to it.

Your instructor will use the following values in this demonstration:

Variable          Value
Virtual machine   GEN-STU-01
User Name         Administrator
Password          P@ssw0rd

Procedure

To prepare for this demonstration

1. If the virtual machine has been paused:
   • On the GEN-STU-01 virtual machine, on the Action menu, click Resume.
2. If the virtual machine has been shut down:
   a. From the desktop, double-click the Microsoft Virtual PC icon, highlight GEN-STU-01, and then click Start.
   b. After the GEN-STU-01 virtual machine boots, log on with a user name of Administrator and a password of P@ssw0rd.
3. If Visual Studio is not open:
   • On the GEN-STU-01 virtual machine, click Start, and then click Microsoft Visual Studio 2005.

To open the Demo project

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, browse to C:\Program Files\Microsoft Learning\3201\Democode\Mod08\Starter\language\Demo1, and then click Open.

To create the login control

1. In Solution Explorer, double-click the login.aspx file.
2. After the <h1> tag that contains the Registered Users Log In Here text, from the Toolbox in the Security section, add a Login control.
3. In the Properties window, set the DestinationPageUrl property to Welcome.aspx.
4. From the Object drop-down list, click Login1.
5. From the Event drop-down list, click Authenticate.

   This will add the authenticate event to the control, as well as create the event handler code stub.

6. In the event handler, add the following code:

   C#

   // Issues a non-persistent ticket for the entered user name and redirects; the password is not checked.
   FormsAuthentication.RedirectFromLoginPage(
       Login1.UserName, false);

   Visual Basic .NET

   ' Issues a non-persistent ticket for the entered user name and redirects; the password is not checked.
   FormsAuthentication.RedirectFromLoginPage( _
       Login1.UserName, False)

7. Save the login.aspx page.

To review the results

1. In Solution Explorer, right-click the Welcome.aspx page, and select View in Browser.
2. In the User ID field, type your name.
3. In the Password field, type your name again, and then click the Log In button.
4. Review the page.
5. Close the browser and any open files or projects, but leave Visual Studio open.
6. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.
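
The demonstration handler above signs in whatever user name is typed without checking the password. As an added example (not part of the original courseware), the following code-behind shows an Authenticate handler that validates the credentials with the Membership class and gates sign-in on a role managed through the Roles class, the programmatic route the instructor notes mention for roles. The class name LoginPage, the role name Members, the EnsureMember helper, and a web.config with a membership provider and roleManager enabled are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for login.aspx (added example). The class name is an assumption and
// must match the Inherits attribute of the page; Login1 is the Login control added
// in the demonstration, whose field ASP.NET 2.0 generates from the .aspx markup.
public partial class LoginPage : Page
{
    // Hypothetical role that is allowed to sign in to this site.
    private const string MembersRole = "Members";

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string userName = Login1.UserName.Trim();
        string password = Login1.Password;

        // Reject empty input before touching the data store.
        bool valid = userName.Length > 0 && password.Length > 0;

        // ValidateUser asks the configured membership provider to check the
        // password; it returns false for unknown users and wrong passwords alike.
        valid = valid && Membership.ValidateUser(userName, password);

        // Optional role gate (requires <roleManager enabled="true" /> in web.config).
        if (valid && Roles.Enabled)
        {
            valid = Roles.IsUserInRole(userName, MembersRole);
        }

        // Do not call RedirectFromLoginPage here. When Authenticated is true the
        // Login control issues the ticket and redirects to DestinationPageUrl;
        // when it is false the control displays its FailureText.
        e.Authenticated = valid;
    }

    // One-time setup helper (hypothetical): creates the role and a user and links
    // them, the programmatic equivalent of the Web Administration Tool steps.
    public static void EnsureMember(string userName, string password, string email)
    {
        if (!Roles.RoleExists(MembersRole))
        {
            Roles.CreateRole(MembersRole);
        }
        if (Membership.GetUser(userName) == null)
        {
            // Throws MembershipCreateUserException if the provider rejects the
            // request, for example when the password is too weak.
            Membership.CreateUser(userName, password, email);
        }
        if (!Roles.IsUserInRole(userName, MembersRole))
        {
            Roles.AddUserToRole(userName, MembersRole);
        }
    }
}
```

If no Authenticate handler is attached at all, the Login control validates the credentials against the default membership provider on its own.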

What Is the LoginView Control?

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Security-Related Controls, pages 245–246.

Practice: Using a LoginView Control

See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Security-Related Controls, pages 245–246.

Introduction

In this practice, you will use a LoginView control and add the anonymous user and logged-in user templates.

Use the following values in this practice:

Variable          Value
Virtual machine   GEN-STU-01
User Name         Administrator
Password          P@ssw0rd

Procedure

To prepare for this practice

• On the GEN-STU-01 virtual machine, on the Action menu, click Resume.

To open the Mod8 Practice 3 Web site

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, on File System, browse to C:\Program Files\Microsoft Learning\3201A\Practices\Mod08\Starter\language\Practice3, and then click Open.

To create the LoginView control

1. In Solution Explorer, double-click the Welcome.aspx page.
2. Locate the <!-- Practice 3 --> HTML comment. From the Toolbox, in the Security section, add a LoginView control below the comment.

   <asp:LoginView ID="LoginView2" Runat="server">
   </asp:LoginView>

To create the anonymous user template

1. Add an <AnonymousTemplate> tag to the LoginView control.
2. Add a table with 100% width and no border that contains one row and one cell.
3. Add the text To enjoy more features, to the table cell.
4. From the Toolbox, in the Security section, drag a LoginStatus control to the form, after the To enjoy more features text. Your code should look like the following:

   <AnonymousTemplate>
     <table width="100%" border="0">
       <tr>
         <td>
           To enjoy more features,
           <asp:LoginStatus ID="Loginstatus1" Runat="server" />
         </td>
       </tr>
     </table>
   </AnonymousTemplate>

► To create the logged-in user template

1. Add a <LoggedInTemplate> tag to the LoginView control after the AnonymousTemplate element.
2. Add a table with 100% width and no border that contains one row and two cells. The second cell should have an align property set to right.
3. In the first cell, from the Toolbox, in the Security section, add a LoginName control.
4. In the second cell, from the Toolbox, in the Security section, add a LoginStatus control. Your code should look similar to the following:

    <LoggedInTemplate>
      <table width="100%" border="0">
        <tr>
          <td>
            <asp:LoginName ID="Loginname1" Runat="server" />
          </td>
          <td align="right">
            <asp:LoginStatus ID="Loginstatus2" Runat="server" />
          </td>
        </tr>
      </table>
    </LoggedInTemplate>

5. Save the Welcome.aspx page.

► To review the results

1. Right-click the page and select View in Browser.
2. Review the page.
3. Click the Login link and then enter your name in the Username field. Leave the Password field blank, and then click the Log In button.
4. Review the page.
5. Close the browser and any open files or projects, but leave Visual Studio open.
6. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.


What Is the PasswordRecovery Control?


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Security-Related Controls, pages 246–247.


Lesson: Managing Membership and Roles


What Is the Membership Class?


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 229–233.


Demonstration: How to Use the Membership API in ASP.NET 2.0 Applications


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 229–233.

In this demonstration, you will see how to use the membership application programming interface (API) in Microsoft ASP.NET 2.0 applications.

Your instructor will use the following values in this demonstration:

Variable         Value
Virtual machine  GEN-STU-01
User Name        Administrator
Password         P@ssw0rd

► To prepare for this demonstration

• On the GEN-STU-01 virtual machine, on the Action menu, click Resume.

► To open the Demo project

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, browse to C:\Program Files\Microsoft Learning\3201\Democode\Mod08\Starter\language\Demo2, and then click Open.


► To review the Membership API code

1. In Solution Explorer, double-click the login.aspx page.
2. Review the OnLogOnUser event handler and observe the call to Membership.ValidateUser, which handles checking the credentials entered by the user.
3. Review the OnNewUser event handler and observe the call to Membership.CreateUser, which handles creating the user in the default membership provider data store.

► To review the functionality

1. Right-click the page and select View in Browser.
2. Click the I'm a new user link.
3. Enter your name in the User ID field, any password in the Password field, and then click Add.
4. In the User ID field, enter your name; in the Password field, enter the password you entered in the previous step, and then click the Log In button.
5. Review the page.
6. Close the browser and any open files or projects, but leave Visual Studio open.
7. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.


What Is the Membership Provider?


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 233–236.


Demonstration: How to Configure a Membership Provider


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 233–236.

In this demonstration, you will see how to configure a membership provider by modifying the web.config file.

Your instructor will use the following values in this demonstration:

Variable         Value
Virtual machine  GEN-STU-01
User Name        Administrator
Password         P@ssw0rd

► To prepare for this demonstration

• On the GEN-STU-01 virtual machine, on the Action menu, click Resume.

► To open the Demo project

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, browse to C:\Program Files\Microsoft Learning\3201\Democode\Mod08\Starter\language\Demo3, and then click Open.


► To configure the membership provider

1. In Solution Explorer, double-click the web.config file.
2. In the system.web section, add a membership element with the following attributes:

    Attribute               Value
    defaultProvider         NWMembership
    userIsOnlineTimeWindow  15

3. In the membership section, add a providers element.
4. In the providers element, add a new provider using the add element with the following attributes:

    Attribute                  Value
    name                       NWMembership
    connectionStringName       NWindConn
    type                       System.Web.Security.SqlMembershipProvider
    requiresUniqueEmail        false
    requiresQuestionAndAnswer  false

   Your code should look similar to the following:

    <membership defaultProvider="NWMembership" userIsOnlineTimeWindow="15">
      <providers>
        <add name="NWMembership"
             connectionStringName="NWindConn"
             type="System.Web.Security.SqlMembershipProvider"
             requiresUniqueEmail="false"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>

5. Save the web.config file.

► To review the results

1. In Solution Explorer, right-click the login.aspx page, and select View in Browser.
2. Click the I'm a new user link.
3. Enter your name in the User ID field, any password in the Password field, and then click Add.
4. In the User ID field, enter your name; in the Password field, enter the password you just entered in the previous step, and then click the Log In button.
5. Review the page.
6. Close the browser and any open files or projects, but leave Visual Studio open.
7. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.


What Is a Membership Role?


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 236–240.


Demonstration: How to Configure Roles Management


See Introducing Microsoft ASP.NET 2.0, Chapter 10, "ASP.NET Security," Managing Membership and Rules, pages 236–240.

In this demonstration, you will see how to configure roles management by adding roleManager and providers elements to the web.config file.

Your instructor will use the following values in this demonstration.

Variable         Value
Virtual machine  GEN-STU-01
User Name        Administrator
Password         P@ssw0rd

► To prepare for this demonstration

• On the GEN-STU-01 virtual machine, on the Action menu, click Resume.

► To open the Demo project

1. In Visual Studio, on the File menu, click Open Web Site.
2. In the Open Web Site window, browse to C:\Program Files\Microsoft Learning\3201\Democode\Mod08\Starter\language\Demo4, and then click Open.


► To configure role management

1. In Solution Explorer, double-click the web.config file.
2. Add a roleManager element to the system.web section with the following attributes:

    Attribute        Value
    enabled          true
    defaultProvider  NWMembership

3. Add a providers element.
4. Add an add element with the following attributes:

    Attribute             Value
    name                  NWMembership
    type                  System.Web.Security.SqlRoleProvider
    connectionStringName  NWindConn

5. Save the web.config file.

► To prepare the site database for role information

1. On the Website menu, click ASP.NET Configuration.
2. In the ASP.NET Web Site Administration Tool, click the Security tab.
3. Click the Create roles link.
4. In the Create New Role textbox, type Admin, and then click the Add Role button.
5. In the Create New Role textbox, type User, and then click the Add Role button.
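The roleManager settings from the configuration procedure above, written out as a web.config fragment together with one authorization rule that uses the Admin role just created. This is an added example, not part of the course files; the Admin folder path is a hypothetical assumption.

```xml
<!-- Added example, not from the course files. -->
<configuration>
  <system.web>
    <!-- Role management as described in the configuration steps:
         enabled, with the SQL role provider as the default provider. -->
    <roleManager enabled="true" defaultProvider="NWMembership">
      <providers>
        <add name="NWMembership"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="NWindConn" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Assumption: the site has a folder named "Admin" (hypothetical path).
       Authorization rules are evaluated top-down and the first match wins,
       so the allow rule for the Admin role must come before the deny rule
       that covers everyone else. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```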

► To review the results

1. In Solution Explorer, right-click the login.aspx page, and select View in Browser.
2. Click the I'm a new user link.
3. Enter your name in the User ID field, any password in the Password field, select either Admin or User from the Role option button, and then click Add.
4. In the User ID field, enter your name; in the Password field, enter the password you entered in the previous step, and then click the Log In button.
5. Review the page.
6. Close the browser and any open files or projects, but leave Visual Studio open.
7. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.


Lab A: Implementing ASP.NET 2.0 Security


Objectives

After completing this lab, you will be able to:

• Create a Login Web form, which implements membership and roles and uses the Login control.
• Configure the intranet Web site to use Forms authentication and allow only authenticated users access to the site.
• Configure the corporate intranet site to support membership and roles.

Note

This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations.

Prerequisites

You must have either viewed all of the instructor-led demonstrations and completed all of the practices in this module, or have equivalent knowledge and experience.

For more information

If you would like supporting information to perform the lab exercises, you can:

• Review the instructor-led demonstrations and practices in this module for detailed steps of the tasks required in this lab.
• Use Dynamic Help for detailed information on the controls, code, and objects.
• Refer to the related content in Chapter 10, "ASP.NET Security," in Introducing Microsoft ASP.NET 2.0 (Microsoft Press).
• Open the solution files located on both the virtual machine and your Student compact disc at C:\Program Files\Microsoft Learning\3201A\Labfiles\Mod08\language\Solution.

Problem:

During your weekly status meeting with the IT department, the following issues were raised concerning the Adventure Works intranet site:

• The senior network administrator points out that recent domain usage statistics reveal that a fairly significant number of employees at Adventure Works are not using computers that are part of the Adventure Works domain.
• The manager of the help desk then says that this would certainly explain the recent complaints lodged by a number of users who have had trouble accessing new capabilities of the Adventure Works site, such as personalization features.

Cause:

The discussion continues and soon the reason for this access issue is revealed.

• A number of Adventure Works employees have recently started to travel for business.
• It appears they were issued new laptop computers that are not joined to the domain.
• The obvious remedy would be to simply add each of these computers to the domain. However, you see an opportunity to implement some of the new ASP.NET security capabilities, so you present a more robust solution to the IT department.

Solution:

You explain that Adventure Works could take this opportunity to implement Forms-based authentication, instead of using the current Microsoft Windows® authentication. This would effectively alleviate all future domain access issues because security would now be based on the Web application itself rather than the Windows-based security layers.

To prepare for your meeting with the Web development team tomorrow, you formulate a strategy for implementing Forms authentication in the Adventure Works portal. Your draft includes the following strategic components:

• To begin with, you will need to create an Adventure Works login page to enable Forms authentication.
• Then you will need to configure Forms authentication to work properly.
• Finally, you must connect the Microsoft SQL Server™ membership to the Adventure Works Web site database.


The following figure provides a sample of the application that you will create during the lab exercises.

Estimated time to complete this lab: 45 minutes


Lab Setup

To complete this lab, you must use the following values, and then verify that the GEN-STU-01 virtual machine is running and that Visual Studio is open.

Variable         Value
Virtual machine  GEN-STU-01
User Name        Administrator
Password         P@ssw0rd

1. If the GEN-STU-01 virtual machine is not running:
   a. On the desktop, double-click the Microsoft Virtual PC icon, highlight GEN-STU-01, and then click Start.
   b. After the GEN-STU-01 virtual machine starts, log on with a user name of Administrator and a password of P@ssw0rd.
2. If Visual Studio is not open:
   • On the GEN-STU-01 virtual machine, click Start, and then click Microsoft Visual Studio 2005.


Exercise 1: Creating a Login Page

In this exercise, you will create a login page for users to access and display information, as well as enable the ability to add new users to the portal.

You sit down with your Web development team to explain the issues that were raised during the IT department status meeting. You go over the problem and the proposed solution:

• Problem: Users are unable to access several features of the Adventure Works Web site.

• Solution: Implement Forms authentication to bypass Windows-based security and eliminate the access issues.

  • The first task for you and the Web development team is to build an Adventure Works login page to enable Forms authentication.
  • After examining available options, the team decides to use the ASP.NET 2.0 built-in security Web controls to create this login page.
  • This will essentially override any Windows-based security measures.

► To open the starter Web site

1. In Visual Studio, from the File menu, click Open Web Site.
2. Browse to C:\Program Files\Microsoft Learning\3201A\LabFiles\Mod08\Ex1\Starter\language\AdWorksWebSite, and then click Open.

► To create the login page

1. From the File menu, click New File.
2. In the Visual Studio installed templates dialog box, verify that Web Form is selected.
3. In the Name field, type login.aspx
4. In the Language selection, choose your development language.
5. Click Add.
6. Modify the page title to Adventure Works - Login.

► To create the Login control

1. From the Toolbox, in the Core section, add a Panel control to the page.
2. In the Properties window, set or verify the following properties:

    Attribute  Value
    ID         pnlLogin
    Visible    True

3. From the Toolbox, in the Security section, drag a Login control into the pnlLogin Panel control.


4. In the Properties window, set the following properties:

    Attribute           Value
    ID                  AdvWorksLogin
    DestinationPageUrl  Default.aspx
    DisplayRememberMe   True
    FailureText         Unable to log in.

5. From the Toolbox, in the Core section, drag a Button into the pnlLogin panel control below the Login control.
6. In the Properties window, set the following properties:

    Attribute  Value
    ID         btnNewUser
    Text       New User

7. Create an event handler for the Click event of the btnNewUser button control.
8. In the event handler for the btnNewUser button, set the Visible property of the pnlLogin control to false, and set the Visible property of the pnlNewUser control to true. Your code should look similar to the following:

    C#
    pnlLogin.Visible = false;
    pnlNewUser.Visible = true;

    Visual Basic .NET
    pnlLogin.Visible = False
    pnlNewUser.Visible = True

9. Create an event handler for the Authenticate event of the Login control.
10. In the event handler for the Login control, create a Boolean variable that stores the results of a call to the FormsAuthentication.Authenticate method with the Login control's UserName and Password properties as parameters.


11. Test the Boolean. If true, then call the FormsAuthentication.RedirectFromLoginPage method with the Login control's UserName property, and set the createPersistentCookies parameter to false. Your code should look similar to the following:

    C#
    void AdvWorksLogin_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Check the entered credentials against the membership provider.
        bool authenticated = Membership.ValidateUser(
            AdvWorksLogin.UserName, AdvWorksLogin.Password);
        if (authenticated)
            FormsAuthentication.RedirectFromLoginPage(
                AdvWorksLogin.UserName, false);
    }

    Visual Basic .NET
    Sub AdvWorksLogin_Authenticate(ByVal Sender As Object, _
            ByVal E As AuthenticateEventArgs)
        ' Check the entered credentials against the membership provider.
        Dim authenticated As Boolean = Membership.ValidateUser _
            (AdvWorksLogin.UserName, AdvWorksLogin.Password)
        If authenticated Then
            FormsAuthentication.RedirectFromLoginPage _
                (AdvWorksLogin.UserName, False)
        End If
    End Sub

► To create the new user form

1. From the Toolbox, drag another Panel control below the pnlLogin panel control.
2. In the Properties window, set the following properties:

    Attribute  Value
    ID         pnlNewUser
    Visible    False

3. From the Toolbox, in the Core section, drag a Label control into the pnlNewUser panel control, followed by a <br> tag.
4. In the Properties window, set the following properties:

    Attribute  Value
    ID         lblUsername
    Text       User name:

5. From the Toolbox, in the Core section, drag a TextBox control into pnlNewUser panel control, and set the ID attribute to txtUsername, followed by a <br> tag.


6. From the Toolbox, in the Core section, drag a Label control into the pnlNewUser panel control, followed by a <br> tag.
7. In the Properties window, set the following properties:

    Attribute  Value
    ID         lblPassword
    Text       Password:

8. From the Toolbox, in the Core section, drag a TextBox control into the pnlNewUser panel control, followed by a <br> tag.
9. In the Properties window, set the following properties:

    Attribute  Value
    ID         txtPassword
    TextMode   Password

10. From the Toolbox, in the Core section, drag a Button control into the pnlNewUser panel control and set the following properties:

    Attribute  Value
    ID         btnAddUser
    Text       Add

11. Create an event handler for the btnAddUser click event.
12. In the btnAddUser click event handler, call the Membership.CreateUser method, and pass the values of txtUsername and txtPassword.
13. Set the Login control's UserName property to the Text property value of the txtUsername text box.
14. Set the Visible property of the pnlLogin control to true, and set the Visible property of the pnlNewUser control to false. Your code should look similar to the following:

    C#
    Membership.CreateUser(txtUsername.Text, txtPassword.Text);
    pnlLogin.Visible = true;
    pnlNewUser.Visible = false;

    Visual Basic .NET
    Membership.CreateUser(txtUsername.Text, txtPassword.Text)
    pnlLogin.Visible = True
    pnlNewUser.Visible = False

► To view the login.aspx page

1. Save the login.aspx page.
2. Right-click anywhere on the login.aspx page, and click View in Browser.
3. Review the results.
4. Close the browser and any open files or projects, but leave Visual Studio open.


Exercise 2: Configuring Forms Authentication

In this exercise, you will configure Forms authentication for the entire Adventure Works portal.

The next task for your Web development team is to configure Forms authentication to work correctly. To do this, you will need to:

• Modify the web.config configuration file for the Adventure Works intranet portal site. Specifically, you must:

  • Change the authentication attribute from Windows to Forms.
  • Add the authorization element to deny all anonymous users.
  • Configure the membership provider.

► To open the starter Web site

1. In Visual Studio, on the File menu, click Open Web Site.
2. Browse to C:\Program Files\Microsoft Learning\3201A\LabFiles\Mod08\Ex2\Starter\language\AdvWorksWebSite, and then click Open.

► To enable Forms authentication

1. In Solution Explorer, double-click the web.config file.
2. Locate the authentication element, and change the mode attribute from Windows to Forms.
3. Add a forms element to the authentication element and set the following attributes:

    Attribute   Value
    loginUrl    login.aspx
    defaultUrl  default.aspx

4. Save the web.config file.
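An added example (not from the course files) of the system.web settings this exercise builds, including the authorization rule from the scenario that the numbered steps do not spell out. The forms attributes beyond loginUrl and defaultUrl are standard attributes added here with illustrative values, and the tightened variant assumes the site is served over HTTPS.

```xml
<!-- Added example, not from the course files: system.web settings for Exercise 2. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- As the exercise steps leave it:
             <forms loginUrl="login.aspx" defaultUrl="default.aspx" />
           Attributes that are not set fall back to their defaults.
           requireSSL defaults to false, so the authentication cookie
           can travel over plain HTTP. -->

      <!-- Tightened variant. Assumption: the site is reachable over HTTPS;
           with requireSSL="true" the cookie is only issued and returned
           on HTTPS requests. -->
      <forms loginUrl="login.aspx"
             defaultUrl="default.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="true" />
      <!-- protection="All": the ticket is both encrypted and validated.
           cookieless="UseCookies": the ticket is never placed in the URL.
           timeout is in minutes; 20 is an illustrative value. -->
    </authentication>

    <!-- "?" matches anonymous users. Denying them site-wide redirects every
         unauthenticated request to loginUrl; the login page itself stays
         reachable. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```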

► To view the results

1. In Solution Explorer, right-click the default.aspx page, and click View in Browser.
2. Review the results.
3. Close the browser.
4. On the File menu, click Close Project and leave Visual Studio open for the next exercise.


Exercise 3: Configuring Membership

In this exercise, you will configure the corporate intranet site to support membership and roles.

The final task for you and your Web development team is to integrate the SQL Server membership to the Adventure Works Web site database.

This will provide a mechanism for authenticating and authorizing all the users of the Adventure Works portal site.

► To open the starter Web site

1. In Visual Studio, on the File menu, click Open Web Site.
2. Browse to C:\Program Files\Microsoft Learning\3201A\LabFiles\Mod08\Ex3\Starter\language\AdvWorksWebSite, and then click Open.

► To configure the membership provider

1. In Solution Explorer, double-click the web.config file.
2. Add a membership element to the system.web section and set the following attributes:

    Attribute               Value
    defaultProvider         NWMembership
    userIsOnlineTimeWindow  15

3. Add a providers element to the membership element.


4. Add an add element to the providers element and set the following attributes:

    Attribute                  Value
    name                       NWMembership
    connectionStringName       NWindConn
    type                       System.Web.Security.SqlMembershipProvider
    requiresUniqueEmail        false
    requiresQuestionAndAnswer  false

   Your code should look similar to the following:

    <membership defaultProvider="NWMembership" userIsOnlineTimeWindow="15">
      <providers>
        <add name="NWMembership"
             connectionStringName="NWindConn"
             type="System.Web.Security.SqlMembershipProvider"
             requiresUniqueEmail="false"
             requiresQuestionAndAnswer="false"/>
      </providers>
    </membership>

5. Save the web.config file.
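The lab notes that it may not comply with Microsoft security recommendations. As an added example (not from the course files), here is the provider from this exercise and from the earlier membership provider demonstration with the SqlMembershipProvider password storage and lockout settings made explicit; the numeric values are illustrative assumptions, not course values.

```xml
<!-- Added example, not from the course files. -->
<membership defaultProvider="NWMembership" userIsOnlineTimeWindow="15">
  <providers>
    <!-- Same provider name, type and connection string as in the lab.
         The attributes below the blank comment line state the password
         and lockout policy instead of leaving it to provider defaults. -->
    <add name="NWMembership"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="NWindConn"
         requiresUniqueEmail="false"
         requiresQuestionAndAnswer="false"

         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         minRequiredPasswordLength="12"
         minRequiredNonalphanumericCharacters="1"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="10" />
    <!-- passwordFormat="Hashed": passwords are stored as salted hashes,
         so they cannot be read back; enablePasswordRetrieval must then
         be false.
         maxInvalidPasswordAttempts / passwordAttemptWindow: the account is
         locked after 5 failed attempts within 10 minutes (example values).
         Membership.CreateUser rejects passwords that do not meet the
         length and non-alphanumeric requirements, so the new user form
         should handle that failure. -->
  </providers>
</membership>
```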

► To view the page

1. In Solution Explorer, right-click the default.aspx page, and click View in Browser.
2. Click the I am a new user button.
3. In the User Name field, type your name.
4. In the Password field, enter a password you will remember, and then click Add.
5. Review the results.
6. Close the browser and any open files or projects, but leave Visual Studio open.
7. On the GEN-STU-01 virtual machine, on the Action menu, click Pause.


Scenario reflection activity

You have completed the exercises in this lab; now please take a moment to go back and read the scenarios again. Reflect on the business pains outlined in the scenarios, and how you solved those pains by completing the exercises.

Consider the questions below. You can write down your thoughts in the lines provided, and then discuss your answers as a class.

Are any of the scenarios described in this lab similar to business needs or pains in your own organization? If so, how could the ASP.NET 2.0 features and capabilities outlined in the exercises help your organization manage those needs or pains?

Answers will vary, but the students should focus the discussion on how they intend to create unique Web experiences for each user in their organization. Specifically, students should talk about the implementation of user profiles by using the ASP.NET 2.0 Personalization API. They should spend a few moments discussing how they might apply ASP.NET 2.0 themes to modify the layout of their organizations' Web sites. Students might also answer this question by stating that their organizations do not have any plans to personalize corporate Web sites. Ask them to list any business reasons driving that decision.