ASP.NET Security Examples

Checking for Authentication and Accessing the User's Identity

The code that gets information about the current user is in the Page_Load event, so it runs as the page is being created. The first thing to do is check that the user has in fact been authenticated. This will always be the case with the web.config file you're using, but it's a good idea to include this check.

Access the User object via the current context of the page (it is a property of the integral HttpContext object), and get a reference to the user's Identity object from it. The IsAuthenticated property returns True if the user has been authenticated:

Now you can get a reference to the actual WindowsIdentity object for this user. The Identity property returns an Identity object, and you cast this to a WindowsIdentity object (in VB this is done with the CType method). This is why you need to import the System.Security.Principal namespace, as it contains the definition of the WindowsIdentity class. From this WindowsIdentity object you can get more detailed information by calling the GetCurrent method, which also returns a WindowsIdentity object.

  Sub Page_Load()     'see if the user has been authenticated   If User.Identity.IsAuthenticated Then     'create a reference to a WindowsIdentity object that   'represents this user's Indentity object   Dim objIdentity = CType(User.Identity, WindowsIdentity)     'get the current WindowsIdentity object for this user   'this contains more specific information   Dim objWinIdentity = objIdentity.GetCurrent()   ...  

Displaying the Account Details

You can now access your WindowsIdentity object to display information about this user's account. As shown in the following code, display the username and authentication type from the appropriate properties, and you can tell if the account is a System , Anonymous , or Guest account using three more of the properties of the WindowsIdentity object:

  ...   'display the properties   msgHello.InnerHtml = "Hello " & objWinIdentity.Name & "<br />" _   & "The authentication method used was " _   & objWinIdentity.AuthenticationType & "<br />" _   & "Is this a System account: " _   & objWinIdentity.IsSystem & "<br />" _   & "Is this an Anonymous account: " _   & objWinIdentity.IsAnonymous & "<br />" _   & "Is this a Guest account: " _   & objWinIdentity.IsGuest & "<br />" _   ...  

Accessing the User's Role

Now you can investigate which roles (that is, which Windows account groups) this user account belongs to. For this, you can use the IsInRole method of the User object, and specify the account group you're checking against.

Of course, you'll have to edit the code here to specify your own machine name “ and you can add checks to see if the account is in other groups that exist on your own server and domain. However, it's easy to see from this how you can use programmatic security techniques to modify the behavior of an application based on the details of the user that are exposed by the WindowsIdentity object. We demonstrate a few of these techniques in conjunction with forms-based authentication in the final example of this chapter.

The final few lines in the page complete the If .. Then construct, and (just for completeness) display a message if the user accessed this page without being authenticated.

  ...   & "Is this account a member of 'Administrators' group: " _   & User.IsInRole("BUILTIN\Administrators") & "<br />" _   & "Is this account a member of the 'Users' group: " _   & User.IsInRole("BUILTIN\Users") & "<br />"   & "Is this account a member of '  DANDARE  \TestGroup' group: " _   & User.IsInRole("  DANDARE  \TestGroup") & "<br />" _   & "Is this account a member of  'DANDARE  \NoMembers' group: " _   & User.IsInRole("  DANDARE  \NoMembers")   Else     msgHello.InnerHtml = "Hello, you were not authenticated"     End If     End Sub  

  <form runat="server">   UserName: <input id="txtUsr" type="text" runat="server" /><p />   Password: <input id="txtPwd" type="password" runat="server" /><p />   <ASP:CheckBox id="chkPersist" runat="server" />   Remember my credentials<p />   <input type="submit" Value="Login" runat="server"   onserverclick="DoLogin" /><p />   <div id="outMessage" runat="server" />   </form>   Sub DoLogin(objSender As Object, objArgs As EventArgs)   If FormsAuthentication.Authenticate(txtUsr.Value, txtPwd.Value) Then   FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, _   chkPersist.Checked)   Else   outMessage.InnerHtml = "<b>Invalid credentials</b> please re-enter."   End If   End Sub  

The default.aspx Page

If the user has been successfully authenticated, they will be redirected to the page that they attempted to load originally ( default.apx in your example). The page contains a <div> element where we'll display some details about the user, and an HTML <form> on which there is a single submit button labeled Log Off :

  <div id="msgHello" runat="server" /><p />   <form runat="server">   <input type="submit" Value="Log Off" runat="server"   onserverclick="DoSignOut" />   </form>  

Accessing the User's Identity

Getting the user's name and authentication method is easy when using forms-based authentication. First check that they were authenticated (as in the previous Windows authentication example) and if so, you can access the properties of the User.Identity object. And again, as before, you can display a message if the user was not authenticated.

  Sub Page_Load()   'see if the user has been authenticated   If User.Identity.IsAuthenticated Then   'display the properties   msgHello.InnerHtml = "Hello " & User.Identity.Name & "<br />" _   & "The authentication method used was " _   & User.Identity.AuthenticationType   Else   msgHello.InnerHtml = "Hello, you were not authenticated"   End If   End Sub  

Logging a User Out of an Application

The log off button on this page has its onserverclick event set to DoSignOut . This is the name of the event handler that is executed when the user clicks this button. The code itself is trivial, as you can see from the following code:

  Sub DoSignOut(objSender As Object, objArgs As EventArgs)   'destroy the users authentication cookie   FormsAuthentication.SignOut()   'and redirect them to the login page   Response.Clear()   Response.Redirect(Request.UrlReferrer.ToString())   End Sub  

And once you've executed the SignOut method, you can redirect the browser back to the referring page (in this case the login page). They can then experiment and log on using a different account.

Password Hashing Example

The page is named hash-password.aspx and is in the security folder of the samples we provide for this chapter. You can open it from the main menu page ( default.htm ) in the same folder. Simply select the encryption type as shown in Figure 14-36, enter the password, and click the Create Hash button.

Figure 14-36:

Now you can copy the password hash into the appropriate user's entry in web.config , and change the setting for the passwordFormat in the <credentials> element to suit the encryption method used, as shown in the following code:

  <credentials passwordFormat="SHA1">   <user name="billjones"   password="87F8ED9157125FFC4DA9E06A7B8011AD80A53FE1" />   <user name="marthasmith"   password="2E1FA0D4D3B6CA2623EA6AF07624C3CD29D47344" />   <user name="joesoap"   password="36854FAFECB73E79DC3DFF61E76CF24CF8B490CC" />   </credentials>  

How the Password Hashing Example Works

The HTML section of this example page is just a simple <form> containing the two radio buttons , the textbox for the password, and a Create Hash button. There is also a <div> element that is used to display the result.

Next is the code to create the hash, which runs when the Create Hash button is clicked. It gets the encryption type from the selected radio button (using the Request.Form collection), and passes it and the password to the HashPasswordForStoringInConfigFile method. The result is then displayed in the <div> element.

  <form runat="server">   Password Format:   <input type="radio" value="SHA1" name="chkFormat"   checked="true" runat="server" /> SHA1 &nbsp;   <input type="radio" value="MD5" name="chkFormat" runat="server" /> MD5<p />   Password: <input id="txtPwd" type="text" runat="server" /><p />   <input type="submit" value="Create Hash" runat="server"   onserverclick="DoHashPassword" /><p />   <div id="outMessage" runat="server" />   </form>     Sub DoHashPassword(objSender As Object, objArgs As EventArgs)   Dim strHash, strFormat As String     'get the format name as a string from the radio button value   strFormat = Request.Form("chkFormat")     'create the hash using the password value provided   strHash = FormsAuthentication.HashPasswordForStoringInConfigFile _   (txtPwd.Value, strFormat)   'and display the result   outMessage.InnerHtml = strFormat & " Password Hash is: " & strHash     End Sub  

An XML User List Document

A simple format is chosen for the XML user list document to minimize the code required to access it. As shown in the following code, there is a root element <userlist> , within which is a list of elements that are the usernames. The value of each element is that user's password.

  <?xml version="1.0" ?>     <userlist>   <billjones>test</billjones>   <marthasmith>test</marthasmith>   <joesoap>test</joesoap>   </userlist>  

This file, named userlist.xml , is placed in the same folder as the login page. You'll see how to use it when you look at the code in that page shortly.

A User List in a Relational Database

We've also set up a simple table named Users in a relational database named UserList , as shown in Figure 14-37. It contains the same users, with varchar -type columns named UserName and Password. This table is used in the next example as well, so it contains an extra column named BGColor .

Figure 14-37:

There are also three more users, and you can see that the Password column values are encrypted for these users. Just ignore all this for the time being.

Running the Example

When you first access the example folder to load default.aspx , the forms-based security system detects that you haven't been authenticated and redirects you to the login page as shown in Figure 14-38. This is similar to the previous example, but now it contains a pair of radio buttons where you can select the user store you want to be authenticated against.

Figure 14-38:

Enter the credentials of a suitable account (one with a plain-text password from the database table shown earlier “ marthasmith with the password test will do). If you get it wrong, a message is displayed as in the previous example. If you get it right, as shown in Figure 14-39, you can then access the default.aspx page. Again, as in the previous example, this page displays your username and the type of authentication used. It also contains the same Log Off button as the previous example:

Figure 14-39:

How This Example Works

In the login.aspx page (where you are redirected if you haven't already been authenticated) first import the namespaces you'll need. As code in this page contains references to classes for accessing relational data and XML documents, you need to add these namespaces to the page.

The HTML section of the page contains a <form> within which the same controls are placed as the previous example “ textboxes for the username, password, persistent cookie checkbox, and Login button. However, at the top of the form also add the two radio buttons that allow you to choose the user list against which you want to be authenticated.

  <%@Import Namespace="System.Data" %>   <%@Import Namespace="System.Data.OleDb" %>   <%@Import Namespace="System.Xml" %>   <form runat="server">   Authenticate against:   <input type="radio" id="chkXML" name="chkReadFrom" checked="true"   runat="server" /> XML document &nbsp;   <input type="radio" id="chkSQL" name="chkReadFrom"   runat="server" /> Database table<p />   UserName: <input id="txtUsr" type="text" runat="server" /><p />   Password: <input id="txtPwd" type="password" runat="server" /><p />   <ASP:CheckBox id="chkPersist" runat="server" />   Remember my credentials<p />   <input type="submit" Value="Login" runat="server"   onserverclick="DoLogin" /><p />   <div id="outMessage" runat="server" />   </form>  

The Login Code

When the Login button is clicked, the event handler named DoLogin is executed. In this first create a suitable connection string to access the database you're using. This value is extracted from the web.config file in the root folder of the samples, and you may have to edit this to suit your own setup.

After that, collect the values for the username and password from the form controls, and declare a flag variable to indicate if validation of the user's credentials was successful. Set the default value of this variable to False .

  Sub DoLogin(objSender As Object, objArgs As EventArgs)     'get the connection string from web.config file   Dim strConnect As String   strConnect = ConfigurationSettings.AppSettings("DsnUserList")     'get username and password from form   Dim strUsr As String = txtUsr.Value   Dim strPwd As String = txtPwd.Value     'set a flag to indicate successful authentication   Dim blnIsAuthenticated As Boolean = False 'default value   ...  

Validating the Credentials against the User List XML Document

Now you can check to see which list of users was selected in the form by checking value of the radio button with the ID of chkXML . If this is Checked , you are authenticating against an XML document, so you can create the physical path to the document and load it into a new instance of an XmlDocument object.

Providing that the file is loaded without an error, you can use the GetElementsByTagname method to return an XmlNodeList containing the node for this username. From that, you can access the value of the #text child node of the element to get the password. If this matches the value entered by the user, you know that they are a valid user so set the blnIsAuthenticated flag variable to True .

  ...   'see which method we're using to authenticate the user   If chkXML.Checked Then     'load the XML document containing the user credentials   Dim strCurrentPath As String = Request.PhysicalPath   Dim strXMLPath As String = Left(strCurrentPath, _   InStrRev(strCurrentPath, "\")) & "userlist.xml"     'create a new XmlDocument object   Dim objXMLDoc As New XmlDocument()   Try     'load the XML file into the XmlDocument object   objXMLDoc.Load(strXMLPath)     Catch objError As Exception     'display error details   outMessage.innerHTML = "Error accessing XML document.<br />" _   & objError.Message & "<br />" & objError.Source   Exit Sub ' and stop execution     End Try     'create a NodeList collection of all matching child nodes   'there should be only one for this user   Dim colUser As XmlNodeList   colUser = objXMLDoc.GetElementsByTagname(strUsr)     'see if we found an element with this username   If colUser.Count > 0 Then     'check if the value of the element (the child #text node)   'is equal to the password that the user entered   If strPwd = colUser(0).FirstChild().Value Then   blnIsAuthenticated = True   End If     End If   ...  

Validating the Credentials against the Users' Database Table

If authentication against your database table is selected, the section of code in the Else part of the If..Then construct will be executed instead of the code that checks against the XML file. However, like that code, checking against a database is quite simple. It follows the techniques we demonstrated in the data access chapters earlier in this book.

So, you can create a suitable SQL statement that will extract the users' password from the row that contains their username and password (you'll see why we chose to return the password shortly). Then create and open a connection to the database and execute the SQL statement returning a DataReader object that contains the password if a matching row was found in the database.

Most relational databases are set up to do case-insensitive text matching in a WHERE clause unless you use a specific function or set options before executing the query. It's easier to return the password from the database and do a case-sensitive comparison in the event handler code (unless you aren't bothered about matching case). If the match succeeds, you can set your flag to indicate that this username and password combination is valid, then close the DataReader object and the database connection.

  ...   Else     'create a suitable SQL statement to retrieve the values   Dim strSQL As String   strSQL = "SELECT Password FROM UserTable WHERE UserName='" _   & strUsr & "' AND Password='" & strPwd & "'"   Try     'create a new Connection object and open it   Dim objConnect As New OleDbConnection(strConnect)   objConnect.Open()     'create a new Command using connection object and SQL statement   Dim objCommand As New OleDbCommand(strSQL, objConnect)     'declare a variable to hold a DataReader object   Dim objDataReader As OleDbDataReader     'execute SQL statement against Command to fill the DataReader   objDataReader = objCommand.ExecuteReader()     'if we get a row back, check password for same letter case   '(usually a SQL SELECT WHERE clause is not case sensitive)   If objDataReader.Read() Then   If objDataReader("Password") = strPwd Then   blnIsAuthenticated = True   End If   End If     'close the DataReader and Connection   objDataReader.Close()   objConnect.Close()     Catch objError As Exception     'display error details   outMessage.InnerHtml = "Error accessing database.<br />" _   & objError.Message & "<br />" & objError.Source   Exit Sub ' and stop execution     End Try     End If   ...  

Authenticating the User

Now you can actually tell ASP.NET that you have validated the user's credentials and that they should be authenticated and receive the appropriate cookie so that they can access your application. If your flag variable is True , simply call the RedirectFromLoginPage method, and specify the username and whether to persist the authentication cookie on their machine:

  ...   If blnIsAuthenticated Then   FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, _   chkPersist.Checked)   Else   outMessage.InnerHtml = Invalid credentials, please re-enter."   End If   End Sub  

Encrypting the Passwords

Like your first example, you've used un-encrypted passwords in both the database table and the XML document. If there is a risk of these being viewed by unauthorized personnel, you may prefer to encrypt the passwords.

You'll have a problem with this approach if you need to provide passwords for users who forget them, as hashing can't be reversed to get the original value. Of course, if this feature isn't a requirement (or if you'll just issue a new password), the problem goes away.

With encrypted password hashes, the authentication process changes. The steps you would take are:

• Encrypt all the user passwords and replace the plain text ones in the database table and/or XML document with the encrypted version.

• In your login pages, get the password that the user provides from the login form controls and encrypt this using the same encryption algorithm.

• Compare the resulting hash with the encrypted password hash in your database or XML file.

We'll use this technique in the next example.

 Sub DoLogin(objSender As Object, objArgs As EventArgs)         'get connection string from web.config file    Dim strConnect As String    strConnect = ConfigurationSettings.AppSettings("DsnUserList")         'get username and password from form    Dim strUsr As String = txtUsr.Value    Dim strPwd As String = txtPwd.Value  'create the SHA1 hash of the password provided by the user   Dim strHash As String   strHash = FormsAuthentication.HashPasswordForStoringInConfigFile( _   strPwd, "SHA1")  'set a flag to indicate successful authentication    Dim blnIsAuthenticated As Boolean = False 'default value 

Authenticating the User

To see if the username/password that the user entered is valid, you only have to look up the appropriate row in the database table. If it exists, you know that they can be authenticated. If not, deny them access. In this case, because you've created an SHA1 hash for the password, so you don't have to worry about matching letter case. The actual hash that the algorithm creates takes into account the case of the letters , and a different case for one or more characters will create a different password hash. So, there's no need to extract the password from the database table “ your SQL statement just needs to retrieve the personalization value (or values if you've added more personalization settings). If you get a row back, you know that the username/password combination is valid:

  'create a SQL statement to retrieve personalization values   Dim strSQL As String   strSQL = "SELECT BGColor FROM Users WHERE UserName='" _   & strUsr & "' AND Password='" & strHash & "'"  

Now execute the SQL statement and get the results back in a DataReader . Providing that there is a row returned, you can set your authentication flag and collect the personalization value(s) into the string variable(s) you created earlier:

 Try    ...    'code as used in previous examples to create and open    'the connection and execute the SQL statement here    ...  'if we get a row back we know that the user is authenticated   If objDataReader.Read() Then   blnIsAuthenticated = True   'get user's preferred background color   strBGColor = objDataReader("BGColor")   'get other preference values as required   '... etc ...   End If  ... End Try 

You can now save the personalization value(s) in the user's Session object so you can access them within the application pages without having to keep going back to the database. Also tell ASP.NET to create the authentication cookie and redirect the user back to the page they originally requested.

 If blnIsAuthenticated Then  'save background color in Session object   Session("BGColor") = strBGColor   '... save other personalization settings here   'redirect user to original page  FormsAuthentication.RedirectFromLoginPage(strUsr, chkPersist.Checked)    Else       outMessage.InnerHtml = "<b>Invalid credentials</b> please re-enter..."    End If End Sub 

The Personalized default.aspx Page

Following a successful login, the user is redirected to the page default.aspx . In it, you can display their user name. Also include the same Log Off button “ we won't be describing those features again here.

What is different is the way that you apply any personalization features appropriate to this user. In the example, you set the background color of the page and display an appropriate set of hyperlinks depending on the current username.

The opening <body> tag in the page includes a bgcolor attribute, with the value set to a variable named strColor . This variable is declared in the <script> section of the page, and so is globally available throughout the page. Five ASP.NET Hyperlink controls were also placed within the body of the page to create the HTML hyperlinks you saw in Figure 14-41. The last three of these have their Visible property set to False so they won't normally be visible in the final page.

  <script language="VB" runat="server">   Dim strColor As String   ... rest of script code goes here ...   </script>   <body bgcolor="<% = strColor %>">   ...   <ASP:Hyperlink id="lnkUser1" Text="Change Display Settings"   NavigateUrl="http://dummy" runat="server" /><br />   <ASP:Hyperlink id="lnkUser2" Text="Change Sound Options"   NavigateUrl="http://dummy" runat="server" /><br />   <ASP:Hyperlink id="lnkAdmin1" Text="Manage All Users"   Visible="False" NavigateUrl="http://dummy" runat="server" /><br />   <ASP:Hyperlink id="lnkAdmin2" Text="Change Application Settings"   Visible="False" NavigateUrl="http://dummy" runat="server" /><br />   <ASP:Hyperlink id="lnkAdmin3" Text="Display User Session Details"   Visible="False" NavigateUrl="http://dummy" runat="server" /><br />  

The <script> section of the page also contains an event handler that executes as the page is being created in response to the Page-Load event. This first checks that the user has been authenticated, and if so displays the authenticated user name.

Next, it extracts the BGColor value from the user's Session (stored there when they submitted their login details) and sets the strColor variable so that the background color of the page is set to the appropriate color for this user. Finally, you can use the current login username to see if you should display the administration hyperlinks. In this example, only display them if the user is sarahware.

  Sub Page_Load()     If User.Identity.IsAuthenticated Then     'display welcome message   msgHello.InnerHtml = "Hello <b>" & User.Identity.Name & "</b>"     'set preferred background color to the value that was   'saved in this user's Session object by the "login" page   strColor = Session("BGColor")   'if user is "sarahware" display admin hyperlinks in page   If User.Identity.Name = "sarahware" Then   lnkAdmin1.Visible = True   lnkAdmin2.Visible = True   lnkAdmin3.Visible = True   End If     End Sub