02 asp.net session02
Developing Web Applications Using ASP.NET
Objectives
In this session, you will learn to:
• Describe various event-handling techniques
• Explain how to detect browser types and capabilities
• Explain how to access page headers
• Describe how to handle page-level errors and application-level errors
• Implement advanced techniques for handling events
• Implement browser-capability detection
• Implement page-header manipulation
• Implement page-level and application-level error handling
Ver. 1.0 Slide 1 of 19
Event Handling in Web Applications
ASP.NET provides you with a flexible framework that
enables you to work with event handlers in several ways.
The various approaches that can be used to work with the
event handlers include:
• Using default events
• Using non-default events
• Using the AutoEventWireup capabilities of a Web form to associate events and event-handling methods
• Creating centralized event-handling methods to respond to multiple events
Default and Non-Default Events
ASP.NET objects usually expose an event that is
designated as the default event.
In addition to a default event, many ASP.NET objects also
expose other events, called non-default events.
Non-Default Event Handlers
Non-default event handlers are used to respond to the
non-default events.
Each event has a specific signature associated with it.
Event Wire-Ups
• Event wire-ups determine the procedures that need to be
called when objects raise events.
• The AutoEventWireup property of the .aspx pages should
be set to true to indicate that procedures with well-defined
names and signatures are used as event handlers.
• By default, the AutoEventWireup property of the .aspx
pages is set to true.
<%@ Page Language="C#" AutoEventWireup="True" %>
Centralized Event Handlers
Centralized event handlers run in response to multiple
events.
This helps in creating code that is easier to maintain.
How to Determine Which Web Server Control Raised an Event
To determine which control caused the event, you need to
perform the following steps:
• In the event handler, declare a variable with a type that
matches the control that raised the event.
• Assign the sender argument of the event handler to the
variable, casting it to the appropriate type.
• Examine the ID property of the variable to determine which
object raised the event.
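
The three steps above, as an added example that is not code from the original deck or its Resource Toolkit. The handler names feedback_Click and SortGroup_Command are the ones used in the demo slides; the page class, control IDs, label and command names are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup (hypothetical IDs) for this page:
//   <asp:Button ID="PositiveButton" runat="server" Text="Helpful"     OnClick="feedback_Click" />
//   <asp:Button ID="NegativeButton" runat="server" Text="Not helpful" OnClick="feedback_Click" />
//   <asp:Button ID="SortByName" runat="server" Text="By name"
//               CommandName="Sort" CommandArgument="Name" OnCommand="SortGroup_Command" />
//   <asp:Label ID="ResultLabel" runat="server" />
// The control fields are generated from the markup when the page is compiled.
public partial class Feedback : Page
{
    // Centralized handler: one method serves the Click event of both buttons.
    protected void feedback_Click(object sender, EventArgs e)
    {
        // Steps 1 and 2: declare a variable of the control's type and
        // assign the sender argument to it with a cast.
        Button clicked = sender as Button;
        if (clicked == null)
        {
            return; // raised by something that is not a Button: ignore
        }

        // Step 3: the ID property identifies the control that raised the event.
        switch (clicked.ID)
        {
            case "PositiveButton":
                ResultLabel.Text = "Thanks, glad it helped.";
                break;
            case "NegativeButton":
                ResultLabel.Text = "Thanks, we will review this page.";
                break;
            default:
                ResultLabel.Text = string.Empty; // unknown sender: take no action
                break;
        }
    }

    // Command handler: the second argument is CommandEventArgs, so the button
    // is identified by CommandName and CommandArgument instead of its ID.
    protected void SortGroup_Command(object sender, CommandEventArgs e)
    {
        if (e.CommandName != "Sort")
        {
            return;
        }

        // Act only on column names this page knows about.
        string column = Convert.ToString(e.CommandArgument);
        if (column == "Name" || column == "Date")
        {
            ResultLabel.Text = "Sorting by " + column;
        }
    }
}
```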
Browser Capability Detection
• When a Web browser makes a request for a Web page, it
sends information that describes the browser in the
Hypertext Transfer Protocol (HTTP) header.
• You can query the information sent by the browser by using
code in the ASP.NET Web page.
• Detecting the browser capability ensures that the response
the application sends to the browser is appropriate.
• Much of the information sent by the Web browser is
encapsulated as properties in the Request.Browser
object.
Page Header Retrieval
• The header section of the HTML script contains metadata
for the page such as title and styles used in the page.
• The metadata is useful in search engines for categorizing
the Web pages.
• The information in the page header can be used at run time
by the server-side code.
• The page header information can be changed at run time.
• ASP.NET exposes each Web page to your code as a
System.Web.UI.Page object.
• You can use the properties of the Page.Header object,
such as the Page.Header.Title property, to query and
set its values at run time.
How to Pass Values Between ASP.NET Web Pages
You can pass information between pages in various ways:
• Use a query string that appends the information to the URL of the target page
• Expose the data as public properties on the source page
The HttpServerUtility.Transfer Method
• The HttpServerUtility.Transfer method performs the following functions:
  – Halts the code running on the current Web page
  – Requests a different Web page to carry on the processing
• Example:
  Server.Transfer("Productdisplay.aspx?productname=bike&color=blue");
Page-Level and Application-Level Error Handling
ASP.NET enables you to handle run time errors with:
• Structured exception handling:
  – It enables you to handle exceptions in your Web applications by using Try…Catch blocks.
• Page-level error handling:
  – It enables you to trap all the otherwise-unhandled server-side errors on the page.
  – Page_Error event of the Page object enables you to trap all the unhandled exceptions in a page.
• Application-level error handling:
  – It enables you to trap all the otherwise-unhandled server-side errors in the Web application.
  – There are two standard approaches you can follow when implementing an application-level error handler:
    – Create Application_Error event method in global.asax file
    – Include a <customErrors> element in the Web.config file
Handling Application-Level Errors Using <customErrors> Element
• Using the <customErrors> elements requires you to
modify the web.config file of your web application.
• Refer to the following code snippet:
<system.web>
  <customErrors defaultRedirect="errorhandler.aspx" mode="On">
    <error statusCode="403" redirect="Page1.htm" />
    <error statusCode="404" redirect="Page2.htm" />
  </customErrors>
</system.web>
Demo: Programming a Web Application
Problem Statement:
You are a developer in the Adventure Works organization, a
fictitious bicycle manufacturer. You have been asked to assist
in the development of the Business-to-Consumer (B2C) Web
application and a Business-to-Employee (B2E) extranet portal.
Decisions on the design of the application have already been
taken. You have been asked to carry out a number of specific
tasks in order to implement various elements of this design.
Demo: Programming a Web Application (Contd.)
As part of the first phase of the B2C development, you have
been asked to complete prototypes for the following pages:
• Feedback.aspx. You will create a centralized event handler for the
Click event of two Button objects.
• Contact.aspx. You will create an event handler for the non-default
Command event of Button objects.
• Diagnostics.aspx. You will retrieve properties of the Browser object
and display them on the Web page. You will also access the
Page.Header object.
• TrailReport.aspx. You will implement a page-level error handler
that deals with all run-time errors that can occur on this Web page.
You will also modify the Web.config file to enable application-
level error handling by redirecting all otherwise-unhandled
exceptions to the customErrors.aspx page.
Demo: Programming a Web Application (Contd.)
Solution:
To solve this problem, you need to perform the following tasks:
1. Implement Non-Default Event Handlers
– Open the Adventure Works Web site.
– Create a centralized event handler for two Button controls.
– Specify the feedback_Click method as the Click event handler for
the feedback buttons.
– Create an event handler for the Command event of Button controls.
– Specify the SortGroup_Command method as the Command event
handler for the Button controls.
– Test the Web site functionality.
Demo: Programming a Web Application (Contd.)
2. Detect Browser Capabilities and Set Page Header Properties
a. Review the Diagnostics.aspx page.
b. Detect browser properties.
c. Display browser properties.
d. Modify the page title.
e. Test the Web site functionality.
3. Handle Page-Level Exceptions
a. Handle page-level exceptions.
b. Handle exceptions at the application level.
c. Test exception handling.
Summary
In this session, you learned that:
• ASP.NET objects usually expose an event that is designated
as the default event.
• In addition to the default event, ASP.NET objects expose other
additional events known as non-default events.
• When you want to write code that responds to a non-default
event, you need to define an event handler for it.
• Event wire-ups are the mechanism that ASP.NET uses to
determine which procedures to call when objects raise events.
• By default, the AutoEventWireup attribute for .aspx pages is
set to true.
• When a Web browser makes a request for a Web page, it
sends information that describes the browser in the Hypertext
Transfer Protocol (HTTP) header.
Summary (Contd.)
• Centralized event handlers run in response to multiple events.
• ASP.NET provides a robust and flexible error-handling framework. It enables you to handle run-time errors with:
  – Structured exception handling
  – Page-level error handlers
  – Application-level error handlers
Editor's Notes
Begin the session by sharing the objectives with the students. Tell the students that at the end of this session, they will be able to use the event handling capabilities of ASP.NET 2.0. Tell the students that at the end of the session, they will be able to create a common event handler for various controls of the same type, which will help them make their code simpler. Further, they will be able to detect the capabilities of various browsers. Next, they will be able to handle run-time errors by using various error-handling techniques.
In this section, initiate a discussion on default events. A default event is the event that is most commonly associated with a control. Tell the students that when they click a Button control on the .aspx page, the code for the event handler of the Click event is displayed in the code window. This is because the Click event is the default event of the Button control.
In this section, explain that apart from the default event, ASP.NET objects also have various non-default events. For example, the Command event is a non-default event of a Button control. To create an event handler for a non-default event of a control, you can perform the following steps: 1. Select the control from the Design view and press F4 to display the Properties window. 2. In the Properties window, click the Events button. This displays a list of events for the control. 3. Locate the event for which you want to create the handler. 4. In the event name box, type the name of an event handler or double-click the event name box to create a handler. This creates a new event handler with the name you typed or with the generated name.
In this section, explain the event wire-up mechanism in ASP.NET. Explain that if the handlers for the events are created explicitly, then the automatic binding of the page events is controlled by the page property AutoEventWireup. Tell the students that if they want to include explicit binding for page events, then the AutoEventWireup property should be set to false. This ensures that the method is not inadvertently called twice. Explain that the AutoEventWireup property can be set to false by adding the attribute AutoEventWireup=false in the @ Page directive.
In this section, initiate a discussion on centralized event handlers. Tell the students that centralized event handlers eliminate the need for declaring separate event handlers for different ASP.NET objects. You can create one centralized event handler that can perform appropriate redirection during run time. You can explain the same with the help of an example given in the Student Guide.
In this section, explain the steps for determining which control caused the event. Explain the same with the help of the example given in the Resource Toolkit.
In this section, discuss the information held by the HTTP header of the browser. Next, discuss the advantage of detecting the browser capabilities. Explain the same with the help of the examples given in the Student Guide. Next, discuss the Request.Browser object. Tell the students that the Request.Browser object enables you to retrieve information about the browser, such as the browser type and version. Explain the same with the help of the code snippet given in the Resource Toolkit.
In this section, discuss how the page header information can be used and manipulated during run time. Discuss how to alter the page title with the help of the code snippet given in the resource toolkit.
In this section, explain how information can be passed between ASP.NET Web pages by discussing the points given in the slide. Refer to the Resource Toolkit for the same. Tell the students that if the target page is an ASP.NET Web page, then the value of the query string can be read by using the QueryString property of the HttpRequest object. In addition to the points discussed in the slide, you can also pass information between the pages with the help of the session state. In this case, session state is used to store information, which is then accessible to all the ASP.NET pages of the current Web application. However, the disadvantage associated with this approach is that the information is stored until the session expires and takes up server memory. This leads to an additional overhead.
In this section, initiate a discussion on the HttpServerUtility.Transfer method by referring to the Resource Toolkit. While displaying a different Web page, ASP.NET does not verify whether the current user is authorized to view the Web page delivered by the HttpServerUtility.Transfer method. This problem can be solved by using the HttpResponse.Redirect method. Unlike the HttpServerUtility.Transfer method, the HttpResponse.Redirect method forces reauthorization and checks whether the user is authorized to view that Web page. Next, discuss the Server.Transfer method. Explain that the Server.Transfer method enables you to pass values between ASP.NET Web pages. For more details, you can refer to the Resource Toolkit.
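The authorization gap described in this note, as an added example that is not code from the deck or its Resource Toolkit: the source page checks the target's URL authorization itself before calling Server.Transfer and falls back to Response.Redirect otherwise, and the target page encodes the query-string value before rendering it. It assumes the target is protected by <authorization> rules in Web.config; the page classes, NameBox, ColorBox and ProductLabel are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Source page (hypothetical). NameBox and ColorBox are assumed TextBox
// controls declared in its markup.
public partial class ProductSearch : Page
{
    // Fixed target: the transfer path is never built from request data.
    private const string TargetPage = "~/Productdisplay.aspx";

    protected void Show_Click(object sender, EventArgs e)
    {
        // Encode each value so input cannot add or override parameters.
        string url = TargetPage
            + "?productname=" + HttpUtility.UrlEncode(NameBox.Text)
            + "&color=" + HttpUtility.UrlEncode(ColorBox.Text);

        // Server.Transfer runs the target inside the current request, so the
        // URL authorization rules for the target path are not evaluated.
        // Ask the URL authorization module explicitly before transferring.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            TargetPage, Context.User, "GET");

        if (allowed)
        {
            Server.Transfer(url);
        }
        else
        {
            // A redirect makes the browser send a new request, which passes
            // through the normal authorization checks for the target page.
            Response.Redirect(url);
        }
    }
}

// Target page (hypothetical class name). ProductLabel is an assumed Label.
public partial class Productdisplay : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Query-string values are user input: encode before rendering.
        string name = Request.QueryString["productname"] ?? string.Empty;
        ProductLabel.Text = HttpUtility.HtmlEncode(name);
    }
}
```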
In this section, discuss the various error handling mechanisms provided by ASP.NET. Reiterate the concept of a Try…Catch block. Next, tell the students that ASP.NET automatically binds application events to event-handler methods in the Global.asax file. The naming convention used for the handler is Application_event. There can be various application-level event handlers in the Global.asax file, such as Application_BeginRequest and Application_Error. Explain that to create an application-level event handler, you need to perform the following steps: Create a Global.asax file in the root of the site, if your Web site does not already have one. Create an event-handler method whose name follows the pattern Application_event. For example, to handle an application Error event, create a handler named Application_Error that takes an Object parameter and an EventArgs parameter. Refer to the following code snippet: void Application_Error(Object sender, EventArgs e) {}
In this section, explain the process of handling application-level errors by using the <customErrors> element. Explain the same with the help of the code snippet given in the slide. Explain to the students that the mode can be set to On, Off or RemoteOnly. Next, explain that when an error occurs, you can redirect to a different Web page depending upon the type of the error. To determine which type of error has occurred, you can use the statusCode property of the error element. If an error of that particular statusCode occurs, the Web application is redirected to a different Web page. Refer to the code snippet given in the slide. If an error of statusCode 403 occurs, the Web application is redirected to the NoAccess.htm page. Similarly, if an error of status code 404 occurs, then the Web application is redirected to the FileNotFound.htm page. In this case, it is not possible to trap all the types of errors that may occur in a Web application. In such a case, you can redirect the application to a default page by assigning its URL to the defaultRedirect property.
In this slide and the next slide, discuss the problem statement with the students.
Explain to the students how to determine the Web server control that raised an event. Explain the same with the help of the code given in the Resource Toolkit. Next, explain to the students that they can also bind an event to a handler by editing the HTML source code for the ASP.NET page. Explain the same with the help of the code snippet given in the Resource Toolkit. Next, explain to the students that they can determine which button was clicked at run time with the help of the Button.Command event. Explain the same in detail by referring to the Resource Toolkit. Explain to the students that they can create a common event handler for the Click event or Command event of a Button control. Both of these approaches can be used to accomplish the same task. The difference between these two approaches lies in the syntax being used. When you declare an event handler for the Click event of a Button control, you declare a protected method with two arguments, one of Object type and another of EventArgs type. However, when you declare an event handler for the Command event, the second argument is of CommandEventArgs type. The data type of the first argument is the same as that of the event handler of the Click event.
Tell the students that they can change the Page.Header.Title property. Explain the same with the help of the code snippet given in the Resource Toolkit. Next, tell the students that Page_Error is the event handler for the Page.Error event. Next, initiate a discussion on the application-level error handling strategies. Explain how Web.config file for the application can be modified to configure application-level error handling by referring to the Resource Toolkit. Tell the students that they can use the Application_Error event handler in the global.asax file of the Web application. Tell the students that if the Web.config file has customErrors set to Off, then the Application_Error event handler in Global.asax will process all unhandled errors.
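The page-level and application-level handlers described in these notes, as an added example that is not code from the deck or its Resource Toolkit. Both handlers record the full exception on the server and send the browser only an opaque incident reference. TrailReport and customErrors.aspx are the names used in the demo slides; the ErrorLog helper, the Global class name and the incident parameter are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// TrailReport.aspx.cs: page-level handler, bound by AutoEventWireup="true".
public partial class TrailReport : Page
{
    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        string incidentId = ErrorLog.Write("TrailReport", ex);

        // Mark the error as handled so it does not also reach Application_Error.
        Server.ClearError();

        // The browser gets a reference number only, never ex.Message or a stack trace.
        Response.Redirect("~/customErrors.aspx?incident=" + incidentId);
    }
}

// Global.asax code: application-level handler for every error not cleared above.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Unhandled page exceptions arrive wrapped in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null)
        {
            ex = ex.InnerException;
        }
        ErrorLog.Write("Application", ex);

        // The error is deliberately not cleared here: with
        // <customErrors mode="On"> ASP.NET then performs the configured redirect.
    }
}

// Hypothetical helper: writes full details to the server-side trace listeners.
public static class ErrorLog
{
    public static string Write(string source, Exception ex)
    {
        string incidentId = Guid.NewGuid().ToString("N");
        // Fully qualified because Page has its own Trace property.
        System.Diagnostics.Trace.TraceError("[{0}] {1}: {2}", incidentId, source, ex);
        return incidentId;
    }
}
```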