Chapter 19


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Chapter 19

  1. 1. • Authentication and Authorization• Forms Authentication • Web.config Settings • Authorization Rules • Controlling access to specific directories • Controlling access to specific files • Controlling access to specific users • Persistent Cookies• Windows Authentication • Web.config Settings • A windows authentication test
  2. 2. Authentication: This is the process of determining auser’s identity and forcing users to prove they are whothey claim to be. Usually, this involves enteringcredentials (typically a user name and password) intosome sort of login page or window. These credentialsare then authenticated against the Windows useraccounts on a computer, a list of users in a file, or aback-end database.Authorization: Once a user is authenticated,authorization is the process of determining whetherthat user has sufficient permissions to perform a givenaction (such as viewing a page or retrievinginformation from a database).
  3. 3. Forms authentication: ASP.NET is in charge ofauthenticating users, tracking them, and authorizingevery. Forms authentication is the best and most flexibleway to run a subscription site or e-commerce store.Windows authentication: With Windows authentication,the web server forces every user to log in as a Windowsuser. This system requires that all users have Windowsuser accounts on the server. This scenario is poorlysuited for a public web application but is often ideal withan intranet or company-specific site designed to provideresources for a limited set of users.
  4. 4. To implement forms-based security, you need to followthree steps:1. Set the authentication mode to forms authenticationin the web.config file. (If you prefer a graphical tool,you can use the WAT during development or IISManager after deployment.)2. Restrict anonymous users from a specific page ordirectory in your application.3. Create the login page.
  5. 5. <configuration><system.web><authentication mode="Forms"><forms name="MyAppCookie"loginUrl="~/Login.aspx"protection="All"timeout="30" path="/" /></authentication>...</system.web></configuration>
  6. 6. <configuration><system.web>….<authentication mode="Forms"><forms loginUrl="~/Login.aspx" /></authentication><authorization><deny users="?" /><allow users="*" /></authorization>...</system.web></configuration>
  7. 7. Leave the default <authorization> settings in thenormal parent directory, and add a web.config file thatspecifies stricter settings in the secured directory.This web.config simply needs to deny anonymous users(all other settings and configuration sections can beomitted).<!-- This web.config file is in a subfolder. --><configuration><system.web><authorization><deny users="?" /></authorization></system.web></configuration>
  8. 8. <configuration><system.web><authentication mode="Forms"><forms loginUrl="~/Login.aspx" /></authentication><authorization><allow users="*" /></authorization></system.web><location path="AnotherSecuredPage.aspx"><system.web><authorization><deny users="?" /></authorization></system.web></location></configuration>
  9. 9. The <allow> and <deny> rules don’t need to use theasterisk or question mark wildcards. Instead, they canspecifically identify a user name or a list of comma-separated user names.<authorization><deny users="?" /><deny users="matthew,sarah" /><deny users="john" /><allow users="*" /></authorization>
  10. 10. ASP.NET provides a special FormsAuthentication classin the System.Web.Security namespace, which providesstatic methods that help manage the processpublic partial class Login : System.Web.UI.Page{protected void cmdLogin_Click(Object sender, EventArgs e){if (txtPassword.Text.ToLower() == "secret"){FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);}else{lblStatus.Text = "Try again.";}}}
  11. 11. Once the user is logged in, you can retrieve the identitythrough the built-in User property, as shown here:protected void Page_Load(Object sender, EventArgs e){lblMessage.Text = "You have reached the secured page, ";lblMessage.Text += User.Identity.Name + ".";}You can access the User object in your code because it’s aproperty of the current Page object. It has one property andone method :1. The Identity property lets you retrieve the name of the logged-in user and the type of authentication that was used.2. • The IsInRole() method lets you determine whether a user is a member of a given role
  12. 12. A persistent authentication cookie remains on theuser’s hard drive and keeps the user signed in forhours, days, or weeks—even if the user closes andreopens the browser.If you want to allow the user to create a persistentcookie, you should make it optional, because the usermay want to access your site from a public or sharedcomputer. Generally, sites that use this techniqueinclude a check box with text such as Keep MeLogged In.
  13. 13. With Windows authentication, the web server takes care of theauthentication process. When you use Windows authentication,you force users to log into IIS before they’re allowed to accesssecure content in your website.The user login information can be transmitted in several waysbut the end result is that the user is authenticated using a localWindows account.To implement Windows-based security with known users, youneed to follow three steps:1. Set the authentication mode to Windows authentication in theweb.config file.2. Disable anonymous access for a directory by using anauthorization rule.3. Configure the Windows user accounts on your web server (ifthey aren’t already present).
  14. 14. <configuration><system.web><authentication mode="Windows" /><authorization><deny users="?" /><allow roles=".SalesAdministrator,.SalesStaff" /><deny users=".matthew" /></authorization>...</system.web></configuration>
  15. 15. protected void Page_Load(Object sender, EventArgs e){if (User.IsInRole(@"MyDomainNameSalesAdministrators")){}else{Response.Redirect("Default.aspx");}if (User.IsInRole(@"BUILTINAdministrators")){// (Code goes here.)}}