ASP.NET Lecture 5
This lecture presents:
Security Fundamentals
Authentication, Authorization and Roles

Speaker notes
  • Give example: Google conference
  • Limited to the top-level web.config file
  • The type attribute is a must. If using SQL Server Express Edition only, SqlMembershipProvider can create your data store automatically; it is auto-attached and file-based.
  • Create security for a new website
  • Try the security controls

Transcript

    • 1. ASP.NET 4.0, Julie Iskander, MSc. Communication and Electronics
    • 2. Lecture Outlines
      ◦ Security Fundamentals
      ◦ Membership
      ◦ Authorization and Roles
      ◦ Profiles
    • 3. ASP.NET Security
    • 4. Secure Code Guidelines
      ◦ Never trust user input.
      ◦ Never use string concatenation to build SQL statements.
      ◦ Never output data entered by a user directly on a web page before validating and encoding it.
      ◦ Protect your cookies.
      ◦ Never store sensitive data in the viewstate or in hidden fields on the page.
    • 5. ASP.NET Security
      ◦ Authentication: discovering the user's identity and ensuring the authenticity of that identity
        ▪ Forms Authentication
        ▪ Windows Authentication
        ▪ Custom Authentication
      ◦ Authorization: determining the rights and restrictions assigned to an authenticated user
      ◦ Impersonation: executing code on behalf of another user's identity
      ◦ Role-based authorization
    • 6. Windows Authentication
      ◦ Requires that you set up a Windows user account for each user you want to authenticate.
      ◦ This is obviously a problem if you want to serve a large number of users or if you want to register users programmatically.
      ◦ It also doesn't allow you to store additional information about users.
    • 7. Forms Authentication
      ◦ A ticket-based (also called token-based) system.
      ◦ Based on a login page that validates users by user name and password, and a mechanism for preserving and re-establishing the security context on each request using security cookies.
      ◦ The user logs in only once.
    • 8. Forms Authentication and Secure Cookies
      ◦ Encrypts its authentication information.
      ◦ Attaches a hash code.
      ◦ Validates the cookie at the server to verify that no changes have been made.
      ◦ No custom security code is needed.
    • 9. Implementing Forms Authentication and Authorization
      1. Configure forms authentication in the web.config file.
      2. Create the data store.
      3. Configure the membership provider.
      4. Configure the role provider.
      5. Configure the authorization rules.
    • 10. 1. Configure forms authentication in the web.config file.
    • 11. 2. Creating the Data Store: in the Visual Studio command prompt, run the aspnet_regsql command shown on the slide, or just run aspnet_regsql with no arguments to start the wizard.
    • 12. 3. Configuring the Membership Provider
    • 13. 4. Configuring the Role Provider
    • 14. 5. Configuring Authorization Rules: ? = anonymous users, * = all users
    • 15. Denying Access to Anonymous Users
    • 16. Where the rules live
      ◦ Root web.config
      ◦ Directory web.config
    • 17. Authorization and Roles: ASP.NET scans the rule list from top to bottom; when it finds an applicable rule it stops its search.
    • 18. Controlling Access to Specific Roles: in the <allow> and <deny> tags, use the roles attribute instead of users.
    • 19. Controlling Access to Specific Files
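The five steps above collected into one root web.config, as an added example rather than a slide from the lecture. The connection string name SecurityDb, the provider names and the password-policy values are assumptions; the AttachDBFilename connection string reflects the speaker note that SQL Server Express auto-attaches a file-based aspnetdb.mdf.

```xml
<!-- Added example (not from the lecture): root web.config for steps 1-5.
     Connection string name, provider names and policy values are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Step 2: store created by aspnet_regsql. With SQL Server Express the
         file-based aspnetdb.mdf in App_Data is attached automatically. -->
    <add name="SecurityDb"
         connectionString="Data Source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Step 1: forms authentication. protection="All" encrypts and signs
         the ticket; requireSSL keeps the cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             cookieless="UseCookies" timeout="20" />
    </authentication>
    <!-- Step 3: membership provider. Must sit in the root web.config and
         the type attribute is mandatory (see speaker notes). -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SecurityDb"
             applicationName="/"
             passwordFormat="Hashed"
             requiresUniqueEmail="true" requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Step 4: role provider backed by the same database. -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SecurityDb" applicationName="/" />
      </providers>
    </roleManager>
    <!-- Step 5: the simplest rule set. Rules are read top to bottom and the
         first match wins; "?" is the anonymous user, "*" is everyone. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```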
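Slides 15 to 19 (denying anonymous users, root versus directory rules, role-based and file-based rules) as one root web.config that uses the location section the lab hint recommends; this is an added example, not from the lecture. The folder names Admin and Customer come from Lab #5, Register.aspx from the lab's registration page; everything else is an assumption.

```xml
<!-- Added example (not from the lecture): authorization rules scoped with
     <location> instead of per-directory web.config files. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Site-wide: deny anonymous users, allow everyone else. Scanning
           stops at the first matching rule, so the order matters. -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Specific file: new customers must reach Register.aspx before they
       have an account. Rules for a location are evaluated before the
       root rules, so this <allow> wins over the root <deny users="?"/>. -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Specific roles: the roles attribute names one or more roles
       (comma-separated). The closing <deny users="*"/> is essential;
       without it the root <allow users="*"/> would admit any
       authenticated user to the folder. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Customer">
    <system.web>
      <authorization>
        <allow roles="Customer" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```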
    • 20. Convert from an HTML to an aspx page
    • 21. Security Controls
    • 22. Creating Login Page
    • 23. Logging Out
    • 24. Convert from an HTML to an aspx page
    • 25. Using the Membership Class
      ◦ The ability to create and delete users programmatically or through the ASP.NET web configuration utility.
      ◦ The ability to reset passwords and automatically send password-reset e-mails.
      ◦ The ability to automatically generate passwords for users created programmatically in the background and send them by e-mail.
      ◦ The ability to find users, retrieve lists of users and details for every user, and perform tasks such as assigning users to roles.
      ◦ A set of prebuilt controls for creating login and registration pages and for displaying login state and different views for authenticated and unauthenticated users.
    • 26. Using the Membership Class
      ◦ Membership.GetAllUsers()
      ◦ Membership.UpdateUser(MembershipUser user)
      ◦ Membership.CreateUser(string username, string password)
      ◦ More in pages 926-931 of Pro ASP.NET 4 in C#
    • 27. Getting Info on the Current User
      ◦ Page.User gives the currently logged-in user in the current Page.
      ◦ The same principal can be accessed through HttpContext.Current.User in code classes.
    • 28. To implement Profiles
      1. Create the profile tables.
      2. In web.config: configure the profile provider and define some profile properties.
      3. Use the profile properties in your web-page code.
      Note: authentication must be enabled for the portion of your website that uses profiles.
    • 29. Profiles in the Page Life Cycle
      ◦ The first time you access the Profile object, it retrieves the complete profile data for the current user.
      ◦ If any profile data changes, the update is written after the Unload event has fired.
      ◦ If nothing changes, no extra database work is done.
    • 30. Profile tables
    • 31. Configuring Profile Provider andProperties in web.config
    • 32. Using Profile Properties
    • 33. Profile Groups
    • 34. Profiles and Custom Datatypes
    • 35. Profiles and Custom Data Types
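The profile configuration of slides 28 to 35 (provider, simple properties, a profile group and a custom data type) for the Lab #5 requirement of storing preferences and download type; this is an added example, not from the lecture. The property names, the connection string name SecurityDb and the hypothetical Shop.Preferences class are assumptions.

```xml
<!-- Added example (not from the lecture): profile provider and properties.
     Property names, SecurityDb and the Shop.Preferences class are assumptions. -->
<configuration>
  <system.web>
    <!-- Profiles need authentication enabled for the part of the site that
         uses them (slide 28); anonymous profiles are kept off here. -->
    <anonymousIdentification enabled="false" />
    <profile enabled="true" defaultProvider="SqlProfile">
      <providers>
        <clear />
        <!-- Same aspnetdb database created by aspnet_regsql (slide 30). -->
        <add name="SqlProfile"
             type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="SecurityDb"
             applicationName="/" />
      </providers>
      <properties>
        <!-- Simple property with a default; read in page code as Profile.Theme. -->
        <add name="Theme" type="System.String" defaultValue="Light" />
        <!-- Profile group (slide 33): read as Profile.Download.Type. -->
        <group name="Download">
          <add name="Type" type="System.String" defaultValue="Pdf" />
          <add name="Count" type="System.Int32" defaultValue="0" />
        </group>
        <!-- Custom data type (slides 34-35): a user-defined class stored as
             XML, so it must be public with a parameterless constructor and
             public read/write properties. -->
        <add name="Preferences" type="Shop.Preferences" serializeAs="Xml" />
      </properties>
    </profile>
  </system.web>
</configuration>
```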
    • 36. Report #5 How to add Custom Data Types (User-defined classes) to Profile?
    • 37. Lab #5 Add the following pages: ◦ Login.aspx ◦ RecoverPassword.aspx (accessed by logged in users only) ◦ ChangePassword.aspx ◦ Admin/manage.aspx  a grid with all users Create the following Roles ◦ Admin (has access to Admin folder) ◦ Customer(has access to Customer folder) Create 3 masterpages (one for each folder and one on root) Add LoginName and LoginStatus controls to all master pages
    • 38. Lab #5 In Home.aspx ◦ Add a LoginView that presents hyperlinks to all available pages according to the user group In register.aspx ◦ Add password, confirmpassword and email controls, don’t forget to validate them. ◦ When adding a new customer, create a user for each customer and add it to the customer role ◦ Add preferences and download type to profile In books.aspx
    • 39. Lab Hints Use location section in web.config
    • 40. Reading Assignment #5 Cryptography: Read from Pro ASP.NET 4 pages 1029-1059
    • 41. References
      [1] Beginning ASP.NET 4 in C# 2010, Matthew MacDonald, Apress
      [2] Web Application Architecture: Principles, Protocols and Practices, Leon Shklar and Richard Rosen, Wiley
      [3] Professional ASP.NET 4 in C# and VB, Bill Evjen, Scott Hanselman and Devin Rader, Wiley
      [4] Pro ASP.NET 4 in C# 2010, Fourth Edition, Matthew MacDonald, Adam Freeman and Mario Szpuszta, Apress