ASP.NET Lecture 5

This lecture presents:
Security Fundamentals
Authentication, Authorization and Roles
  1. ASP.NET 4.0. Julie Iskander, MSc. Communication and Electronics
  2. Lecture Outlines: Security Fundamentals; Membership; Authorization and Roles; Profiles
  3. ASP.NET Security
  4. Secure Code Guidelines
     ◦ Never trust user input.
     ◦ Never use string concatenation to build SQL statements; use parameterized queries.
     ◦ Never output data entered by a user directly on a web page before validating and encoding it.
     ◦ Protect your cookies.
     ◦ Never store sensitive data in the view state or in hidden fields on the page.
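The following code-behind is an added example that puts the SQL and output-encoding guidelines side by side; it is not a slide from the lecture. The page class, the control names (txtTitle, litMessage, gridBooks) and the connection-string name BookstoreDb are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Assumed page and control names; none of these come from the lecture.
public partial class BookSearch : Page
{
    // Assumed connection-string name from web.config.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["BookstoreDb"].ConnectionString;

    // VULNERABLE (shown for contrast only): the title is concatenated into the SQL
    // text, so input such as  ' OR 1=1 --  changes the query instead of being
    // searched for. This method is never called.
    private static SqlDataReader FindBooksUnsafe(SqlConnection conn, string title)
    {
        string sql = "SELECT Title, Price FROM Books WHERE Title LIKE '%" + title + "%'";
        return new SqlCommand(sql, conn).ExecuteReader();
    }

    // SAFE: the query text is fixed and the value travels as a typed parameter.
    // The LIKE wildcards are added to the parameter value, never to the SQL string.
    private static SqlDataReader FindBooksSafe(SqlConnection conn, string title)
    {
        var cmd = new SqlCommand(
            "SELECT Title, Price FROM Books WHERE Title LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + title + "%";
        return cmd.ExecuteReader();
    }

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string title = txtTitle.Text.Trim();

        // Validate first: reject anything outside the length the column allows.
        if (title.Length == 0 || title.Length > 100)
        {
            litMessage.Text = "Enter a title of 1 to 100 characters.";
            return;
        }

        using (var conn = new SqlConnection(ConnStr))
        {
            conn.Open();
            using (SqlDataReader rdr = FindBooksSafe(conn, title))
            {
                gridBooks.DataSource = rdr;
                gridBooks.DataBind();
            }
        }

        // Encode before echoing user input into the page; this is what stops
        // "<script>" typed into the search box from becoming markup.
        litMessage.Text = "Results for: " + Server.HtmlEncode(title);

        // Cookie hygiene: not readable from script, only sent over HTTPS.
        var cookie = new HttpCookie("lastSearch", HttpUtility.UrlEncode(title))
        {
            HttpOnly = true,
            Secure = true
        };
        Response.Cookies.Add(cookie);
    }
}
```

Request validation (validateRequest, on by default in ASP.NET 4.0) rejects some dangerous-looking input before the handler runs, but it is not a substitute for encoding on output, and it does nothing for SQL injection.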
  5. ASP.NET Security
     ◦ Authentication: discovering the user's identity and verifying that the identity is authentic. Forms authentication, Windows authentication, custom authentication.
     ◦ Authorization: determining the rights and restrictions assigned to an authenticated user, typically role-based authorization.
     ◦ Impersonation: executing code under another user's identity.
  6. Windows Authentication: requires a Windows user account for each user you want to authenticate. This is a problem if you want to serve a large number of users or register users programmatically, and it does not let you store additional information about users.
  7. Forms Authentication: a ticket-based (also called token-based) system built on
     ◦ a login page that validates users by user name and password, and
     ◦ a mechanism that preserves and re-establishes the security context on each request using a security cookie.
     The user logs in only once.
  8. Forms Authentication and Secure Cookies: ASP.NET encrypts the authentication ticket, attaches a hash (a MAC), and validates the cookie on the server on every request to verify that it has not been modified. No custom security code is needed.
  9. Implementing Forms Authentication and Authorization
     1. Configure forms authentication in web.config.
     2. Create the data store.
     3. Configure the membership provider.
     4. Configure the role provider.
     5. Configure authorization rules.
  10. 1. Configure forms authentication in web.config.
  11. 2. Creating the data store: in the Visual Studio command prompt run aspnet_regsql with the required switches, or just aspnet_regsql with no arguments to start the wizard.
  12. 3. Configuring the membership provider
  13. 4. Configuring the role provider
  14. 5. Configuring authorization rules: in <allow> / <deny>, users="?" means anonymous users and users="*" means all users.
  15. Denying Access to Anonymous Users
  16. Root web.config versus directory web.config
  17. Authorization and Roles: ASP.NET scans the rule list from top to bottom and stops at the first applicable rule, so the order of the rules matters.
  18. Controlling Access to Specific Roles: in the <allow> / <deny> tags use the roles attribute instead of the users attribute.
  19. Controlling Access to Specific Files: use a <location path="..."> section in web.config.
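Taken together, steps 1 to 5 and the per-folder rules above produce a web.config like the one below. It is an added example, not a slide from the lecture; the connection-string name MembershipDb, the applicationName /Bookstore, the SQL Express instance and the Admin and Customer folders are assumptions (the folder names follow Lab #5).

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- assumed name; points at the database created by aspnet_regsql -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Step 1: forms authentication. protection="All" gives the encrypted and
         hashed ticket described on slide 8; requireSSL keeps the ticket off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Home.aspx"
             protection="All" requireSSL="true" timeout="30"
             slidingExpiration="true" cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>
    <!-- All cookies HttpOnly and HTTPS-only, not just the authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Step 3: membership provider (step 2 created its tables). -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/Bookstore"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Step 4: role provider. Same applicationName, so roles bind to the same users. -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/Bookstore" />
      </providers>
    </roleManager>

    <!-- Step 5: site-wide rule. "?" is anonymous users. This rule is reached before
         the machine-level <allow users="*"/>, so anonymous requests go to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rules. First match wins, so the allow must come before the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Customer">
    <system.web>
      <authorization>
        <allow roles="Customer,Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Registration must stay reachable by anonymous users. Login.aspx needs no
       rule: ASP.NET skips authorization for the configured loginUrl. -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules from a <location> section or a directory-level web.config are merged in front of the root rules, so for a request to Admin/manage.aspx the effective list is allow roles="Admin", deny users="*", deny users="?", allow users="*"; reversing the first two lines would lock everyone out, because the deny would be matched first.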
  20. Convert from an HTML to an aspx page
  21. Security Controls
  22. Creating a Login Page
  23. Logging Out
  24. Convert from an HTML to an aspx page
  25. Using the Membership Class
     ◦ Create and delete users programmatically or with the ASP.NET Web Site Administration Tool.
     ◦ Reset passwords and automatically send password-reset e-mails.
     ◦ Automatically generate passwords for users created programmatically in the background, and send them by e-mail.
     ◦ Find users, retrieve lists of users and the details of every user, and perform tasks such as assigning users to roles.
     ◦ A set of prebuilt controls for creating login and registration pages and for displaying the login state and different views for authenticated and unauthenticated users.
  26. Using the Membership Class: Membership.GetAllUsers(), Membership.UpdateUser(MembershipUser user), Membership.CreateUser(string username, string password). More in pages 926-931 of Pro ASP.NET 4 in C# 2010 [4].
  27. Getting Info on the Current User: Page.User gives the currently logged-in user inside a page; in other code it is available through HttpContext.Current.User.
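The code-behind below is an added example covering the login page, logging out, the Membership and Roles calls, and the current-user check from the slides above; it is not the lecture's own code. Page and control names follow Lab #5 where it names them (Login.aspx, Register.aspx, Admin/manage.aspx); the control names, the master page, the Customer role name and the sender address for the reset e-mail are assumptions.

```csharp
using System;
using System.Net.Mail;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx code-behind (txtUser, txtPassword and lblError are assumed names).
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // The membership provider hashes the password, compares it with the stored
        // hash and counts failed attempts (maxInvalidPasswordAttempts in web.config);
        // a locked-out user fails validation even with the right password.
        if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            // Issues the encrypted and hashed forms ticket as a cookie and redirects
            // to ReturnUrl. With enableCrossAppRedirects="false" (the default) a
            // ReturnUrl outside this application is replaced by defaultUrl.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for every failure, so the page does not reveal which
            // user names exist.
            lblError.Text = "Invalid user name or password.";
        }
    }
}

// Register.aspx code-behind.
public partial class Register : Page
{
    protected void btnRegister_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;   // the validator controls on the page ran first

        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            txtUser.Text, txtPassword.Text, txtEmail.Text,
            null, null,          // no question/answer: requiresQuestionAndAnswer="false"
            true, out status);   // approved immediately

        if (status != MembershipCreateStatus.Success)
        {
            lblError.Text = Server.HtmlEncode(status.ToString());
            return;
        }

        // Every new customer goes into the Customer role (assumed role name).
        if (!Roles.RoleExists("Customer")) Roles.CreateRole("Customer");
        Roles.AddUserToRole(user.UserName, "Customer");
        FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
    }
}

// Admin/manage.aspx code-behind.
public partial class Manage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // web.config already restricts the Admin folder to the Admin role; checking
        // Page.User again in code is defence in depth against a misplaced rule.
        if (!User.IsInRole("Admin"))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        if (!IsPostBack)
        {
            gridUsers.DataSource = Membership.GetAllUsers();   // MembershipUserCollection
            gridUsers.DataBind();
        }
    }

    protected void btnReset_Click(object sender, EventArgs e)
    {
        // Needs enablePasswordReset="true". The generated password is e-mailed to
        // the user and never written to the page.
        MembershipUser target = Membership.GetUser(txtTarget.Text);
        if (target == null) return;
        string newPassword = target.ResetPassword();
        new SmtpClient().Send(new MailMessage(
            "noreply@example.com",                         // assumed sender
            target.Email, "Your password was reset",
            "Your new password is: " + newPassword));
    }
}

// Site.master code-behind: logging out.
public partial class Site : MasterPage
{
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();      // removes the forms ticket cookie
        Session.Abandon();                  // and any server-side session state
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The SmtpClient() constructor reads its server settings from the mailSettings section of web.config. Outside a page class, the same identity checks use HttpContext.Current.User.Identity.Name and HttpContext.Current.User.IsInRole(...).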
  28. To Implement Profiles
     1. Create the profile tables.
     2. In web.config: configure the profile provider and define some profile properties.
     3. Use the profile properties in your web-page code.
     Note: authentication must be enabled for at least a portion of your website.
  29. Profiles in the Page Life Cycle: the first access to the Profile object retrieves the complete profile data for the current user. If any profile data was changed, the update is written after the Unload event has fired. If nothing changed, no extra database work is done.
  30. Profile Tables
  31. Configuring the Profile Provider and Properties in web.config
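The profile section below is an added example of step 2, not the lecture's own configuration. The connection-string name MembershipDb and applicationName /Bookstore are assumptions, and the properties (a download type and a Preferences group, as Lab #5 asks for, plus a shipping address of a custom type Bookstore.Address) are illustrative.

```xml
<configuration>
  <system.web>
    <!-- applicationName must match the membership provider's, otherwise the
         profile rows are keyed to a different application than the users. -->
    <profile enabled="true" defaultProvider="SqlProfileProvider">
      <providers>
        <clear />
        <add name="SqlProfileProvider"
             type="System.Web.Profile.SqlProfileProvider"
             connectionStringName="MembershipDb"
             applicationName="/Bookstore" />
      </providers>
      <properties>
        <!-- Simple property; type is a .NET type name, defaultValue is used
             until the user first saves a value. -->
        <add name="DownloadType" type="String" defaultValue="pdf" />

        <!-- A profile group: Profile.Preferences.Theme in a generated ProfileCommon,
             or GetProfileGroup("Preferences") through ProfileBase. -->
        <group name="Preferences">
          <add name="Theme" type="String" defaultValue="Light" />
          <add name="PageSize" type="Int32" defaultValue="20" />
        </group>

        <!-- Custom type (assumed class). serializeAs="Xml" needs a public
             parameterless constructor and public properties; "Binary" needs
             [Serializable] instead. Neither allowAnonymous nor anonymous
             identification is enabled, so the user must be authenticated. -->
        <add name="ShippingAddress" type="Bookstore.Address" serializeAs="Xml" />
      </properties>
    </profile>
  </system.web>
</configuration>
```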
  32. Using Profile Properties
  33. Profile Groups
  34. Profiles and Custom Data Types
  35. Profiles and Custom Data Types
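The class and page below are an added example for slides 32 to 35 (using profile properties, a profile group and a custom data type); they are not the lecture's code. The Bookstore.Address type, the Account page, its control names and the property names DownloadType, Preferences.Theme and ShippingAddress are assumptions. ProfileBase is used rather than the generated ProfileCommon class so the code also compiles in a Web Application project, which does not generate that class.

```csharp
using System;
using System.Web;
using System.Web.Profile;
using System.Web.Security;
using System.Web.UI;

namespace Bookstore
{
    // Custom profile type (assumed). For serializeAs="Xml" it needs a public
    // parameterless constructor and public read/write properties; for
    // serializeAs="Binary" it needs [Serializable]. Both are provided here.
    [Serializable]
    public class Address
    {
        public string Street { get; set; }
        public string City { get; set; }
        public string PostalCode { get; set; }

        public Address() { }

        public override string ToString()
        {
            return Street + ", " + PostalCode + " " + City;
        }
    }

    // Account.aspx code-behind (page and control names are assumed).
    public partial class Account : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (IsPostBack) return;

            // No anonymous identification is configured, so profile data only
            // exists for an authenticated user.
            if (!User.Identity.IsAuthenticated)
            {
                FormsAuthentication.RedirectToLoginPage();
                return;
            }

            // The first access loads the whole profile row for User.Identity.Name.
            ProfileBase profile = HttpContext.Current.Profile;

            // Simple property and a property inside the Preferences group.
            txtDownloadType.Text = (string)profile["DownloadType"];
            ddlTheme.SelectedValue =
                (string)profile.GetProfileGroup("Preferences").GetPropertyValue("Theme");

            // Custom type. ASP.NET creates a default instance when nothing has been
            // saved yet; the null-coalescing guard covers a provider that does not.
            Address address = profile["ShippingAddress"] as Address ?? new Address();
            txtStreet.Text = address.Street;
            txtCity.Text = address.City;
            txtPostalCode.Text = address.PostalCode;

            // Profile values are user input: encode them before rendering as text.
            litSummary.Text = Server.HtmlEncode(address.ToString());
        }

        protected void btnSave_Click(object sender, EventArgs e)
        {
            ProfileBase profile = HttpContext.Current.Profile;

            profile["DownloadType"] = txtDownloadType.Text;
            profile.GetProfileGroup("Preferences").SetPropertyValue("Theme", ddlTheme.SelectedValue);
            profile["ShippingAddress"] = new Address
            {
                Street = txtStreet.Text,
                City = txtCity.Text,
                PostalCode = txtPostalCode.Text
            };

            // Changed values are normally written after the page's Unload event;
            // Save() writes them now. With no changes there is no database round trip.
            profile.Save();
        }
    }
}
```

Because the address is stored as XML, the stored string contains whatever the user typed; the encoding happens on output, not on save, so the raw value stays usable for other purposes such as printing a shipping label.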
  36. Report #5: How do you add custom data types (user-defined classes) to the Profile?
  37. Lab #5. Add the following pages:
     ◦ Login.aspx
     ◦ RecoverPassword.aspx (accessible to logged-in users only)
     ◦ ChangePassword.aspx
     ◦ Admin/manage.aspx: a grid with all users
     Create the following roles:
     ◦ Admin (has access to the Admin folder)
     ◦ Customer (has access to the Customer folder)
     Create three master pages (one for each folder and one at the root). Add LoginName and LoginStatus controls to all master pages.
  38. Lab #5. In Home.aspx:
     ◦ Add a LoginView that presents hyperlinks to all available pages according to the user's group.
     In Register.aspx:
     ◦ Add password, confirm-password and e-mail controls, and don't forget to validate them.
     ◦ When adding a new customer, create a user for each customer and add it to the Customer role.
     ◦ Add preferences and download type to the profile.
     In Books.aspx
  39. Lab Hints: use the location section in web.config.
  40. Reading Assignment #5: Cryptography. Read Pro ASP.NET 4 in C# 2010, pages 1029-1059 [4].
  41. REFERENCES
     [1] Beginning ASP.NET 4 in C# 2010, Matthew MacDonald, Apress.
     [2] Web Application Architecture: Principles, Protocols and Practices, Leon Shklar and Richard Rosen, Wiley.
     [3] Professional ASP.NET 4 in C# and VB, Bill Evjen, Scott Hanselman and Devin Rader, Wiley.
     [4] Pro ASP.NET 4 in C# 2010, Fourth Edition, Matthew MacDonald, Adam Freeman and Mario Szpuszta, Apress.