Scribd Logo
Upload

Welcome to Scribd!

  • 209 views

    08 ASP - Net Session11

    Uploaded by

    vijaysharma24x7
    The document discusses authentication and authorization methods for ASP.NET web applications. It describes forms authentication, which authenticates users by credentials entered on a login page that can be stored in a database. It also describes file and URL authorization, which control user access to files, folders, and URLs based on permissions. Finally, it introduces ASP.NET membership, which provides classes to manage user accounts, including creating, validating, and updating users stored in a data store to implement user authentication and authorization in ASP.NET applications.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPS, PDF, TXT or read online from Scribd

    08 ASP - Net Session11

    Uploaded by

    vijaysharma24x7
    209 views26 pages
    The document discusses authentication and authorization methods for ASP.NET web applications. It describes forms authentication, which authenticates users by credentials entered on a login page that can be stored in a database. It also describes file and URL authorization, which control user access to files, folders, and URLs based on permissions. Finally, it introduces ASP.NET membership, which provides classes to manage user accounts, including creating, validating, and updating users stored in a data store to implement user authentication and authorization in ASP.NET applications.

    Original Title

    08 ASP.net Session11

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPS, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses authentication and authorization methods for ASP.NET web applications. It describes forms authentication, which authenticates users by credentials entered on a login page that can be stored in a database. It also describes file and URL authorization, which control user access to files, folders, and URLs based on permissions. Finally, it introduces ASP.NET membership, which provides classes to manage user accounts, including creating, validating, and updating users stored in a data store to implement user authentication and authorization in ASP.NET applications.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPS, PDF, TXT or read online from Scribd
    Download as pps, pdf, or txt
    209 views26 pages

    08 ASP - Net Session11

    Uploaded by

    vijaysharma24x7
    The document discusses authentication and authorization methods for ASP.NET web applications. It describes forms authentication, which authenticates users by credentials entered on a login page that can be stored in a database. It also describes file and URL authorization, which control user access to files, folders, and URLs based on permissions. Finally, it introduces ASP.NET membership, which provides classes to manage user accounts, including creating, validating, and updating users stored in a data store to implement user authentication and authorization in ASP.NET applications.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPS, PDF, TXT or read online from Scribd
    Download as pps, pdf, or txt
    of 26

    Developing Web Applications Using ASP.

    NET
    Objectives

    In this session, you will learn to:


    Describe the authentication methods for Web applications
    Describe the authorization methods for Web applications
    Describe the main components of a membership system
    Describe how to build a security administration interface
    Configure authentication and authorization for a Web
    application
    Implement a membership registration page
    Implement a login page
    Create a membership management administrative user
    interface

    Ver. 1.0 Slide 1 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications

    Authentication is the process by which users prove their


    identity.
    This usually involves entering a user name and a password.
    ASP.NET 2.0 provides three authentication mechanisms:
    Windows authentication
    Forms authentication
    Passport authentication

    Ver. 1.0 Slide 2 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications (Contd.)

    Windows Authentication:
    Application can be configured to use Microsoft Windows
    authentication.
    IIS identifies the user by comparing the credentials entered by
    the user against the user’s Windows account.
    Three possible login methods are provided:
    Basic authentication
    Digest authentication
    Windows Integrated authentication

    Ver. 1.0 Slide 3 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications (Contd.)

    Forms Authentication:
    Authentication is done on the basis of credentials entered by
    the user in the login page.
    Credentials can be stored in a Database (recommended) or in
    a Web.Config file (if number of users are less).
    By default, cookies are used to track the session of a user for
    subsequent requests.
    Query string can also be used in case cookie support is
    disabled in the client browser.
    The following example shows how to configure Forms
    Authentication in the Web.config file :
    <authentication mode="Forms">
    <forms name=“FormName" loginUrl=“/LogonPage.aspx" />
    </authentication>

    Ver. 1.0 Slide 4 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications (Contd.)

    User accounts are typically stored in a database.


    It is possible to keep a list of users in the Web.config file:
    <authentication mode="Forms">
    <forms name=“LogonPage" loginUrl=“/LogonPage.aspx">
    <credentials passwordFormat="SHA1">
    <user name="Kim“ password=
    "07B7F3EE06F278DB966BE960E7CBBD103DF30CA6"/>
    <user name="John“ password=
    "BA56E5E0366D003E98EA1C7F04ABF8FCB3753889"/>
    </credentials>
    </forms>
    </authentication>

    Ver. 1.0 Slide 5 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications (Contd.)

    Passport Authentication:
    This is a centralized authentication service provided by
    Microsoft.
    Microsoft .NET Passport can be used to access services such
    as Microsoft Hotmail and MSN Messenger.
    Any site can be registered with the Passport service to use the
    same Passport for accessing the site.
    To use Passport authentication, following steps must be
    completed:
    1. Obtain the .NET Passport software development kit (SDK).
    2. Configure Passport authentication by adding the following
    element in the Web.config file :
    <authentication mode="Passport">
    3. Implement authentication and authorization by using the
    functionality in the .NET Passport SDK.

    Ver. 1.0 Slide 6 of 26


    Developing Web Applications Using ASP.NET
    Authorization for Web Applications

    Authorization is the process of determining the pages and


    resources that the user has access to after authentication.
    Authorization can be implemented using any of the following
    methods:
    File authorization
    URL authorization

    Ver. 1.0 Slide 7 of 26


    Developing Web Applications Using ASP.NET
    Authorization for Web Applications (Contd.)

    File Authorization:
    This is an authorization system provided by Windows.
    Permissions can be set on any file or folder stored on a disk
    formatted with the NTFS file system.
    These permissions are stored in Access Control List (ACL),
    which is stored with the file.
    The permissions stored in the ACLs can be used to control the
    access to the resources, pages, and folders in a Web
    application.
    To use File authorization:
    1. Configure your application to use Windows authentication.
    2. Assign permissions to the files and folders in the Web site.

    Ver. 1.0 Slide 8 of 26


    Developing Web Applications Using ASP.NET
    Authorization for Web Applications (Contd.)

    URL Authorization:
    Can be used to control access to each virtual directory within a
    Web site hierarchy.
    Can be used with any of the authentication modules.
    To establish permissions for a particular directory:
    Create a Web.config file within that directory.
    Add an <authorization> section to the file that contains <allow>
    and <deny> tags for each user or role.
    Two special values that can be used as wildcard identities in
    <authorization> section:
    “*” : applies to everyone who visits the directory.
    “?” : applies to anonymous users.

    Ver. 1.0 Slide 9 of 26


    Developing Web Applications Using ASP.NET
    Authentication for Web Applications (Contd.)

    The following examples shows how to configure URL


    Authorization in an ASP.NET application:
    For a directory:
    <authorization>
    <allow users="Kim"/>
    <allow roles="Admins"/>
    <deny users="John"/>
    <deny users="?"/>
    </authorization>
    For a Single file:
    <location path=“SecuredFile.aspx”><system.web>
    <authorization>
    <allow users="Joe"/>
    <deny users="*"/>
    </authorization>
    </system.web></location>

    Ver. 1.0 Slide 10 of 26


    Developing Web Applications Using ASP.NET
    Introduction to Membership

    Microsoft ASP.NET membership gives a built-in way to


    validate and store user credentials.
    It can be used with ASP.NET Forms authentication or with
    the ASP.NET login controls to create a complete system for
    authenticating users.
    It supports facilities for:
    Creating new users and passwords
    Storing membership information in a data store
    Authenticating users
    Managing passwords
    Exposing a unique identification for authenticated users
    Specifying a custom membership provider

    Ver. 1.0 Slide 11 of 26


    Developing Web Applications Using ASP.NET
    Introduction to Membership (Contd.)

    ASP.NET 2.0 includes a set of classes that enable you to


    implement a membership system.
    You can use the Membership class to configure a
    membership system.
    The Membership class provides a range of methods for
    managing the members of a Web site:
    CreateUser
    DeleteUser
    UpdateUser
    ValidateUser
    FindUserByEmail
    FindUserByName

    Ver. 1.0 Slide 12 of 26


    Developing Web Applications Using ASP.NET
    How Membership Works

    To use membership, the site must be configured to use it by


    performing the following steps:
    1. Specify membership options as part of your website
    configuration.
    2. Configure the application to use Forms authentication.
    3. Define user accounts for membership.
    After configuring membership for your site, you must create
    a login form.
    Login form can be created by hand using TextBox controls
    or by using Login controls.

    Ver. 1.0 Slide 13 of 26


    Developing Web Applications Using ASP.NET
    How Membership Works (Contd.)

    Login controls are a set of Web server controls that provide


    the common user interface elements of a membership
    system.
    Login controls automatically use the membership system to
    validate a user.
    The following controls are available in the Login group of
    the Toolbox:
    CreateUserWizard
    Login
    LoginStatus
    LoginView
    PasswordRecovery
    ChangePassword

    Ver. 1.0 Slide 14 of 26


    Developing Web Applications Using ASP.NET
    How Membership Works (Contd.)

    In case login form is created by hand:


    You need to prompt the user for a user name and password
    and then call the ValidateUser method to perform the
    validation.
    You can call methods of the FormsAuthentication class
    after authentication to create a cookie and write it to the user’s
    computer.
    After authentication is done, an object is created that
    contains information about the current user.
    This object can be used to retrieve information about the
    user, such as user’s name, email address, date, and time of
    last logon.

    Ver. 1.0 Slide 15 of 26


    Developing Web Applications Using ASP.NET
    Anonymous Users in the Membership System

    The membership system allows your application to accept


    and work with anonymous users.
    Before using anonymous identification, it needs to be
    enabled.
    A temporary ID is assigned to unauthenticated users to
    track their sessions.
    The ID is stored in a cookie or embedded in the URL of
    requested pages.
    If an anonymous user logs in, the anonymous identification
    information is discarded and the user is treated thereafter
    as an authenticated user.

    Ver. 1.0 Slide 16 of 26


    Developing Web Applications Using ASP.NET
    Membership Configuration and Management

    Membership system can be configured in the application’s


    Web.config file.
    The easiest way to configure and manage memberships is
    with the Web Site Administration tool.
    Specifications of membership configuration include:
    Membership provider to use
    Password options
    Users and passwords

    Ver. 1.0 Slide 17 of 26


    Developing Web Applications Using ASP.NET
    Web Site Security Administration Using the Roles Class

    Membership can be integrated with ASP.NET role


    management to provide authorization services for your site.
    Roles can be used to manage the permissions for large
    numbers of users.
    By grouping users into roles, permissions can be assigned
    once for many users.
    Roles and Authorization:
    In URL authorization mode, access to a directory can be
    configured by using the Web.config file in each directory.
    Roles can be added to the <authorization> section as:
    <authorization>
    <allow roles="Admin"/>
    <allow roles="PowerUsers" />
    <deny users="?"/>
    </authorization>

    Ver. 1.0 Slide 18 of 26


    Developing Web Applications Using ASP.NET
    Web Site Security Administration Using the Roles Class
    (Contd.)

    Role Management Configuration:


    Role management must be configured in the Web.config file in
    the root folder of the Web application.
    To enable role management, the following item can be
    included in the Web.Config file:
    <roleManager
    enabled="true"
    cacheRolesInCookie="true">
    </roleManager>

    Ver. 1.0 Slide 19 of 26


    Developing Web Applications Using ASP.NET
    Web Site Security Administration Using the Roles Class
    (Contd.)

    You can create and populate roles by:


    Using the ASP.NET Web Site Administration Tool
    Writing code by using the Roles class
    Example of creating and populating roles by using the
    Roles class:
    Roles.CreateRole("Subscribers");
    Roles.AddUsersToRole("Anatoly Sabantsev",
    "Subscribers");
    Roles.AddUsersToRole("Bobby Moore",
    "Subscribers");
    You can use the User object to check whether the current
    user is a member of a particular role:
    if (! User.IsInRole("Subscribers"))
    btnDownloadFile.Visible = false;

    Ver. 1.0 Slide 20 of 26


    Developing Web Applications Using ASP.NET
    Demo: Controlling Access to a Web Application

    Problem Statement:
    You are a developer in the Adventure Works organization, a
    fictitious bicycle manufacturer. You have been asked to assist
    in the development of the Business-to-Consumer (B2C) Web
    application and a related Business-to-Employee (B2E) extranet
    portal.
    Decisions on the design of the application have already been
    made. You have been asked to carry out a number of specific
    tasks in order to implement various elements of this design.

    Ver. 1.0 Slide 21 of 26


    Developing Web Applications Using ASP.NET
    Demo: Controlling Access to a Web Application
    (Contd.)

    As part of the first phase of the B2C development, you have


    been asked to complete the prototypes for the following pages:
    • MembersLogin.aspx. This page collects and checks credentials to
    identify the user.
    • Register.aspx. This page enables users to become members of
    the site.
    • Employees.aspx. This page shows sales figures for the
    Adventure Works staff, and it should be viewable only by
    employees.
    • MemberUpdate.aspx. This page enables users to change the e-
    mail address and password stored for their account.
    • Admin.aspx. This page enables site administrators to change the
    role membership on the site.
    You will also ensure that several pages are secured properly.

    Ver. 1.0 Slide 22 of 26


    Developing Web Applications Using ASP.NET
    Demo: Controlling Access to a Web Application (Contd.)

    Solution:
    You need to perform following tasks:
    1. Configuring Authentication and Authorization for a Web Application
    a. Open the Adventure Works Web site for editing in Visual Studio.
    b. Implement Forms authentication for the Web application.
    c. Configure authorization for anonymous users and members.
    d. Configure IIS.
    e. Implement Windows authentication for the Employees page.
    2. Implementing a Membership Registration Page
    a. Install the SQL Server provider database.
    b. Configure the ASP.NET SQL Server membership provider.
    c. Create the membership registration page.
    d. Create the membership update page.

    Ver. 1.0 Slide 23 of 26


    Developing Web Applications Using ASP.NET
    Demo: Controlling Access to a Web Application (Contd.)

    3. Implementing a Login Page and Adding Login Controls


    a. Create the login page and add the Login control.
    b. Add a PasswordRecovery Web server control to the login page.
    c. Add login controls to other pages.
    d. Test the login and membership features.
    3. Creating a Membership Management Administrative User Interface
    a. Configure the Web application to use the SQL Roles provider.
    b. Complete the Admin.aspx page.
    c. Secure the Administration page.

    Ver. 1.0 Slide 24 of 26


    Developing Web Applications Using ASP.NET
    Summary

    In this session, you learned that:


    Authentication is the process by which users prove their
    identity.
    In Microsoft Windows authentication, IIS identifies the user by
    comparing the credentials entered by the user against the
    user’s Windows account.
    In Form authentication, credentials entered by the user in the
    login page are checked with credentials stored in the database
    or Web.config file for authentication.
    Passport authentication is a centralized authentication service
    provided by Microsoft.
    Authorization is a process in which after authentication, the
    application determines the pages and resources that the user
    can access.

    Ver. 1.0 Slide 25 of 26


    Developing Web Applications Using ASP.NET
    Summary (Contd.)

    In File Authorization, access permissions can be set on any file


    or folder stored on a disk formatted with the NTFS file system.
    In URL authorization, access to each virtual directory can be
    controlled within the website hierarchy.
    The Membership class provides methods for creating, deleting,
    and updating user accounts, authenticating users, and
    managing passwords.
    Roles can be created to reduce the administrative overhead of
    managing permissions for large numbers of users.

    Ver. 1.0 Slide 26 of 26

    You might also like