ASP.NET Security Overview

Creating a New Application Pool

Creating new application pools is simply a matter of selecting the appropriate menu option, as shown in Figure 14-14, and specifying a name . You can also save an application pool as a template on which to base new application pools (not shown here), or back up and restore the configuration of the application pools and then use the backups to create new application pools (the from file option shown in Figure 14-14).

Figure 14-14:

Selecting the Application Pool for an Application

You can select which application pool an application will run under in IIS 6.0 using the Application pool drop-down list in the Directory or Home Directory page of the Properties dialog for the application as shown in Figure 14-15. This list contains all the application pools that are currently configured in IIS 6.0 on the server.

Figure 14-15:

Running IIS 6.0 in IIS 5.0 Compatibility Mode

If you wish, perhaps because your application uses components or resources that require complete ASP.NET version 1.0 compatibility as regards the process accounts, you can run IIS 6.0 in a mode that makes it compatible with IIS 5.0. All applications then run under the same processes as they would in IIS 5.0, and the ASPNET account is used instead of the NETWORK SERVICE account for access to resources by ASP.NET.

To select this mode, open the Properties dialog for the Web Sites entry in the left-hand tree, and go to the Service tab as shown in Figure 14-16. Note that IIS 5.0 isolation mode can be selected only for the complete WWW Service (the complete server), and not for individual applications or web sites. Also bear in mind that this mode is recommended only if you definitely cannot use IIS 6.0 default mode. It is not as robust, hits performance, reduces scalability, impinges on security, and negates the many advantages of true process separation.

Figure 14-16:

Creating a New Web Service Extension

If the required web service extension does not exist, you can create one using the Add a new Web service extension link in the page shown in Figure 14-17. This link opens another dialog, as shown in Figure 14-18, to which you add a reference to the resource that will handle requests for files with this extension or of this type. With ASP.NET, as mentioned before, you can set up web service extensions for different versions.

Figure 14-18:

Afterwards the new extension appears in IIS Manager, as shown in Figure 14-19. Because the checkbox marked Set extension to Allowed is set in the dialog shown in Figure 14-18, the new web service extension is set to Allowed automatically:

Figure 14-19:

Setting Up Windows Authentication

To set up an application or a section of an application to use Windows authentication, simply specify this authentication mode and then turn on impersonation within the <identity> element. Now each user will access resources under the context of the account that they logged into IIS with. The <identity> element is only used with Windows authentication, and not with the other types of authentication that we'll meet later.

  <configuration>   ...   <system.web>   <authentication mode="Windows" />   <identity impersonate="true" />   </system.web>   ...   </configuration>  

Specifying Users and Groups

As well as simply specifying Windows authentication, you can also provide a list of users and groups that will be able to access the application. This is done within the <authorization> section of the web.config file, with a series of <allow> and <deny> elements. The general form of each of these elements is shown in the following code:

  <allow roles="  comma-separated list of Windows account group names  "   users="  comma-separated list of Windows user account names  "   verb="GETPOSTHEAD"   />     <deny roles="  comma-separated list of Windows account group names  "   users="  comma-separated list of Windows user account names  "   verb="GETPOSTHEAD"   />  

The <allow> and <deny> elements must contain either a roles or a users attribute. They do not have to contain both, and the verb attribute is always optional. To specify a domain user account, include the domain name followed by a backslash and the username, for example MyDomainName\MyUserName . There are also special values that refer to built-in account groups, such as Everyone , BUILTIN\Administrators , etc.

To specify a local (machine) account you can just use the machine name in place of the domain name. There is no way to specify a domain account without the actual domain (there is no short-cut that means 'use the local domain'), so you have to edit the list if you change the domain name or move the application to another domain.

There are also two special symbols that you can use:

• An asterisk ( * ) means all users , roles , or verbs , depending on the attribute it is used in.

• A question mark ( ? ) means 'anonymous access'. In the case of Windows authentication, this is the account set up in IIS for anonymous access. This character can only be used within the users attribute.

The default configuration for a server is in the file machine.config , stored in the directory C:\WINNT\Microsoft.NET\Framework\[version]\CONFIG\ . It contains a single <allow> element that permits all users to access ASP.NET resources:

  <authorization>   <allow users="*" />   </authorization>  

The <allow> and <deny> elements are merged for all configuration files in the application path , starting with the root (default) configuration file machine.config , and including all web.config files in folders below this application directory. Rules that are higher up in the hierarchy (that is, nearer the application directory) take precedence over those in web.config files below them (nearer the root).

Once the merged list of <allow> and <deny> elements is created, they are processed from top to bottom and the best match for a user or role is selected. Processing doesn't just stop when the first match is found, but continues throughout all the entries fine-tuning the selection. This means that a specific reference to a user will take precedence over a role , and over a wildcard rule that uses the asterisk character. The merge process also gives <deny> elements precedence over <allow> elements, so that you can allow a Windows account group using <allow roles=" xxxx "/> , but deny specific users that are within that account group using <deny users=" yyyy "/> .

So, to control access to a specific application or a directory within an application, add a web.config file to that directory. For example, the <authorization> element shown in the following code permits access to the application for the domain-level account named billjones from the domain named MyDomainName and the local (machine) account named marthasmith, plus all members of the domain- level account group named SalesDept. All other users will be denied access.

  <configuration>   ...   <system.web>   <authorization>   <allow roles="MyDomainName\SalesDept"   users="MyDomainName\billjones,MyMachineName\marthasmith" />   <deny users="*" />   </authorization>   </system.web>   ...   </configuration>  

Specifying HTTP Access Types

You can also use the <allow> and <deny> elements to control the type of HTTP action that a user can take when accessing an application or directory by using the verb attribute. The example shown in the following code allows the domain-level account named marthasmith to send POST requests to the application (submit an HTML form), but all other users will only be able to send GET requests. And, of course, you can combine this access control setting with the list of groups and users, by adding the verb attribute to the previous example that used the roles and users attributes.

  <configuration>   <system.web>   <authorization>   <allow verb="GET" users="*" />   <allow verb="POST" users="MyDomainName\marthasmith" />   <deny verb="POST" users="*" />   </authorization>   </system.web>   </configuration>  

You can also use the <location> element to specify more than one <system.web> section, applying each of these sections to a specific path or file. This is useful for setting different permissions for subfolders or files using a single web.config file. For example, the following code shows how you can specify that a file named mypage.aspx will have different authorization settings from the rest of the files in the same folder:

  <configuration>   ...   <system.web> <!-- default for this application -->   <authorization>   <allow verb="GET" users="*" />   <allow verb="POST" users="MyDomainName\marthasmith" />   <deny verb="POST" users="*" />   </authorization>   </system.web>   <location path="mypage.aspx"> <!-- only applies to this file -->   <system.web>   <authorization>   <allow verb="GET" users="*" />   <allow verb="POST" users="MyDomainName\billjones" />   <deny verb="POST" users="*" />   </authorization>   </system.web>   </location>   ...   </configuration>  

Running Under Another Specific Account

Finally, you can instruct ASP.NET to access resources under a specific account, rather than the user account that was authenticated by IIS or the special ASP.NET process account (which is normally used when impersonation is not enabled).

Here you're specifying that impersonation is enabled but, instead of using the ASP.NET process account, ASP.NET should access all resources under the context of the domain-level account named MyUserName from the domain named MyDomainName . You also have to provide the password for the account so that ASP.NET can present it to the operating system and other applications and services when it requires access to them.

  <configuration>   ...   <system.web>   <identity impersonate="true"   userName="MyDomainName\MyUserName   password="MyPassword" />   </system.web>   ...   </configuration>  

IIS and Windows Security Settings for Windows Authentication

Remember that access control using the Windows authentication method depends on a Windows account being available for ASP.NET to use to access the requested resources. You can tighten security by using the ACLs on resources to allocate permission to just specific users, or to the accounts that the user will be running under. This isn't required, but does provide a second level of protection.

To be able to do this, you must be aware of which account is actually being used to access the resource, and give that account the appropriate permissions while removing any permissions that are not required. The schematic in Figure 14-20 shows which accounts you must set permissions for, depending on the configuration in your machine.config and web.config files:

Figure 14-20:

The Logon Process in Windows Authentication

When you access a resource in a secured application or virtual directory that does not allow anonymous access, you are always required to log on. However, if you are accessing the application or directory from the local machine or a machine on the same domain, you may not actually see the logon dialog. This is because “ providing Integrated Windows authentication is enabled in Internet Services Manager (the default) “ your browser will send your current Windows logon details in response to the logon challenge from the web server.

So, it's a good plan if you are building applications for the web (rather than for a corporate Intranet) to access the site from a machine that is not logged into the domain, as well as experimenting with one that is. On a machine that is not on the same domain (and not on a trusted domain), you will see the standard logon dialog, as shown in Figure 14-21:

Figure 14-21:

One useful way that you can tell what's going on as far as IIS authentication is concerned is to look at the page you get back if you make three attempts to access a secured resource with an invalid username or password. If anonymous access is not enabled in IIS, you get the standard IIS error page, as shown in Figure 14-22. This is because you have failed the IIS logon process.

Figure 14-22:

However, if anonymous access is enabled within Internet Services Manager (the default), you are granted access and the request is passed to ASP.NET. It then detects that you don't have permission to access the resource (because your Windows account username and/or password are invalid) and it sends back its own error page, as shown in Figure 14-23. Later on in this chapter, we'll see an example of Windows authentication that you can use to help configure your applications and virtual directories.

Figure 14-23:

Setting Up Passport Authentication

Unfortunately, passport authentication doesn't come free “ someone has to pay the running costs of the service. To set up passport authentication you must subscribe to the service, and install special software on your Web server to allow the process to work. Full details are available from http://www.microsoft.com/net/services/passport/business.asp.

Once you've installed the software and subscribed to the service, you configure passport authentication in the web.config file, as shown in the following code. The <passport> section supports a single attribute named redirectUrl . The default value (before you install and configure passport authentication) is internal , which means that unauthenticated requests will receive a generic error message created by your server. Any other string is assumed to be the URL of the passport service that unauthenticated requests will be redirected to for authentication.

  <configuration>   ...   <system.web>   <authentication mode="Passport">   <passport redirectUrl="internal  url  " />   </authentication>   </system.web>   ...   </configuration>  

Once passport authentication is enabled, the login process to your server goes something like this:

• The user requests a protected resource from your server. If they have already logged into the passport service, there will be an encrypted ticket in a cookie or the query string, and your server will access the passport service to get the user's identity.

• If there is no ticket, or if it has expired or is invalid, they are redirected to the passport service's login page on the main passport service servers. They present their credentials, are authenticated, and are redirected back to your server with an appropriate ticket.

• Your server can now check the user's authorization and provide the protected resource if they have the relevant permission.

Setting Up Forms-Based Authentication

Like all other ASP.NET security settings, forms-based authentication is configured within the web.config file for an application or a virtual directory. As shown in the following code, the <authentication> section carries the value " Forms " for the mode attribute, and within the element itself you can add more elements to specify how the authentication of users will behave:

  <configuration>   ...   <system.web>   <authentication mode="Forms">   <forms name="  cookie-name  "   path="  cookie-path  "   loginurl="  url  "   protection="AllNoneEncryptionValidation"   timeout="  number-of-minutes  "   requireSSL="truefalse"   slidingExpiration="truefalse" >   <credentials passwordFormat="ClearSHA1MD5">   <user name="  user-name  " password="  user-password  " />   <user name="  user-name  " password="  user-password  " />   ... more users listed here ...   </credentials>   </forms>   </authentication>   <machineKey validationKey="AutoGenerate[,IsolateApps]  key  "   decryptionKey="AutoGenerate[,IsolateApps]  key  "   validation="SHA1MD5"/>   </system.web>   ...   </configuration>  

The attributes of the <forms> element define:

• The name that will be assigned to the cookie.

• The path that the cookie is valid for. This is usually set to " / " to indicate the complete site. If not, and the site contains links that are not in the correct letter case (for example an <a> element with href="mypage.aspx" where the actual page name is MyPage.aspx ), then the cookie will not be returned by some browsers. This will cause the login form to be displayed again.

• The loginurl that specifies the virtual path to the login form page.

• The protection level required for the cookie. The settings are.

  • All (the default), which uses both data validation (based on the <machineKey> element) and encryption (Triple DES if available and if the key is at least 48 bytes long)

  • None (should be used only for personalization purposes)

  • Encryption (the cookie is encrypted but data validation is not performed)

  • Validation (validation is performed but the cookie is not encrypted)

• The timeout in minutes before the cookie expires on the user's machine and the server.

• The requiresSSL value can be set to true to force the use of SSL for any pages that pass the authentication cookie across the wire. The default is false . This feature was added in version 1.1.

• The slidingExpiration value determines if sliding expiration is used. When true (the default), each access to a secured page resets the timeout. When false , the timeout is enforced from initial login. This feature was added in version 1.1.

Within the <forms> element is an optional <credentials> element that specifies the encryption algorithm used to encrypt the user's password in the web.config file. Within this element there can be a series of optional <user> elements, which between them specify the users who will be able to access the protected resources.

Specifying Encryption and Validation Key Generation Methods

You can also specify an optional <machineKey> element within the <system.web> section, which specifies the keys and method to be used to encrypt the cookie contents. In general you will omit this element and allow a key to be created automatically. However, it can be useful in a situation like a web farm, where you want all machines to use the same key. The key length must match the number of characters required for the encryption level and method that is used. The entry in the default machine.config file (in the following code) specifies that the keys are auto-generated:

  <machineKey validationKey="AutoGenerate,IsolateApps"   decryptionKey="AutoGenerate,IsolateApps"   validation="SHA1" />  

Notice the IsolateApps modifier (suffix) on the validationKey and decryptionKey attribute values. These are new in version 1.1 of ASP.NET, and cause the auto-generated keys to include details of the ASP.NET application that is using Forms authentication (and which is creating the cookie) within the key that is generated. This improves security and application isolation, especially where a server is hosting multiple sites or applications that are not supposed to be able to share authentication cookies.

In reality, it means that different applications using Forms authentication, running on the same machine, will generate different keys for securing their cookies, rather than all using the same key (as was the case in version 1.0). However, the only times that this new behavior is likely to affect your applications are:

• Where you rely on shared authentication cookies, perhaps where you have nested applications (an application within a subfolder of another application, with the Path of the cookie set to "/" in the local web.config file).

• Where you are passing the viewstate in a page to a different application through some kind of customized form-post. This is because the values in the <machineKey> element are used to validate and encrypt the viewstate string that is inserted into a hidden control when an ASP.NET server-side <form> is used.

To retain the version 1.0 behavior when running under version 1.1 of the .NET Framework, you can:

• Remove the IsolateApps modifiers from machine.config , or (better) use a local web.config file that does not contain the IsolateApps modifiers. This gives behavior that is identical to version 1.0.

• Change the validationKey and decryptionKey attribute values to specify an explicit key, rather than auto-generating it. If you are using a web farm or other shared server setup to drive the site, you will be using a specific key that is the same on all the servers anyway, and so the behavior will be identical to version 1.0.

An Example: Forms-Based Authentication Configuration

So, an example web.config file might look like that shown in the following code. Remember that the <credentials> and <machineKey> sections are optional. The example shown also lists some users, and you can see that the passwords are encrypted in this case. You'll see where you get these values from later in the chapter.

  <configuration>   ...   <system.web>   <authentication mode="Forms">   <forms name="MyNewApp" path="/" loginUrl="/main/login.aspx"   protection="All" timeout="30" >   <credentials passwordFormat="SHA1">   <user name="billjones"   password="87F8ED9157125FFC4DA9E06A7B8011AD80A53FE1" />   <user name="marthasmith"   password="93FB8A49CC350BAEB2661FA5C5C97959BD328C50" />   <user name="joesoap"   password="5469541CA9236F939D889B2B465F9B15A09149E4" />   </credentials>   </forms>   </authentication>   <!-- keys usually only specified for a Web farm -->   <machineKey validationKey="3875f9...645a78ff"   decryptionKey="3875f9...645a78ff"   validation="SHA1" />   </system.web>   ...   </configuration>  

Creating a Login Form

After you've completed the configuration tasks with web.config , what about the things you have to do as developers to complete the setup of forms-based authentication? You need a form that will be used to collect the user's credentials, and code to process these credentials. The following code shows a simple example of the HTML section of the page:

  <%@Page Language="VB" %>   <html>   <body>     <form runat="server">     UserName: <input id="txtUsr" type="text" runat="server" /><p />   Password: <input id="txtPwd" type="password" runat="server" /><p />   <ASP:CheckBox id="chkPersist" runat="server" />   Remember my credentials<p />   <input type="submit" value="Login" runat="server"   onserverclick="DoLogin" />   <div id="outMessage" runat="server" />   </form>     </body>   </html>   ... script section goes here ...  

This creates a login form page containing textboxes for the username and password, and a checkbox where the user can specify whether their credentials are to be remembered so that they won't have to login again next time they visit the site. Next there is a Login button that fires an event handler named DoLogin on the server, followed by a < div > element where you display a message if the user's credentials are incorrect. The visual appearance of the page can be seen in Figure 14-25:

Figure 14-25:

Writing the Login Code

While forms-based authentication is a clever technology, it can't do everything automatically. You have to write code that authenticates the user and performs the other operations required, such as creating the cookie and redirecting the user to the page they originally requested. However, this is very simple.

All the classes used in ASP.NET security are in the System.Web.Security namespace of the class library. The class that handles forms-based authentication is called FormsAuthentication , and it exposes a range of Static methods and properties that you can use in your code. The most common methods are shown in the following table:

The following table lists the read-only static properties of the FormsAuthentication class:

So, to authenticate your user and return them to the page they originally requested, you just need to create an event handler that is executed when the Login button is clicked. In your login form, you specified the subroutine DoLogin as the value of the onserverclick attribute of the login button. Let's start by checking to see if the username and password that were provided are valid within the list of users in web.config . If they are, the Authenticate method returns True and you can call the RedirectFromLoginPage method to create the cookie, add it to the request headers, and redirect the user to the page they originally requested. It's as simple as that.

  Sub DoLogin(objSender As Object, objArgs As EventArgs)   If FormsAuthentication.Authenticate(txtUsr.Value, txtPwd.Value) Then   FormsAuthentication.RedirectFromLoginPage(txtUsr.Value, _   chkPersist.Checked)   Else   outMessage.InnerHtml = "<b>Invalid credentials</b> please re-enter."   End If   End Sub  

How Long Is a Login Valid?

One interesting point is how long the authentication cookie will be valid for. If you don't specify a value for the timeout attribute in the <forms> element in web.config , the cookie will only remain on the user's machine for 30 minutes (the default setting in machine.config ), or until they close their browser. However, you can set the timeout attribute in the <forms> element to over ride this setting.

This means that they will be able to leave the site and come back to it again within 30 minutes providing that they haven't closed their browser (or deleted the cookie). Of course, as the user accesses pages within the site, the cookie will be updated with each response from the server, and so the timeout only comes into force the specified number of minutes after the last time they accessed a page. This is called sliding expiration . But, even if they leave their browser running, they will be effectively logged out after the timeout period. This provides a better level of security. You also have the option to persist the cookie between sessions. When you call the RedirectFromLoginPage method, you need to specify a Boolean value for the second parameter. In the example code, this is the value of the Checked property of the checkbox control on the login page:

  FormsAuthentication.RedirectFromLoginPage(  username, persist-cookie  )  

Passing the value True to the method causes it to create a cookie with a long expiry date and time (50 years from now!) so that the user will not have to log back into the site when they return again. Although most modern browsers store cookies on a per-user basis (providing that the client machine is set up to force users to log in), this can present a security risk. It's not difficult to hijack a cookie, and by doing so the hijacker will automatically be granted access to the site during the lifespan of that cookie. Nevertheless, it is a useful feature for low-security or personalization-only scenarios.

Finally, you can expire a cookie immediately on demand by calling the SignOut method. You can place a Log Off button or link on a page, and create an event handler that destroys the cookie and prevents the user accessing any other resources until they log in again. In the event handler all that's needed is:

  FormsAuthentication.SignOut()  

However, if a user has stolen a persistent cookie, this will not detect and remove it. Hence, persistent cookies should never be used for applications other than those performing basic personalization and requiring the minimum level of security.

  <configuration>   ...   <system.web>   <authorization>   <allow users="billjones,marthasmith,joesoap" verb="GET" />   <allow users="marthasmith" verb="POST" />   <deny users="?" />   </authorization>   </system.web>   ...   </configuration>  

Custom Lists of User Credentials

All your forms-based authentication configuration examples so far have used the <credentials> section of web.config to store the list of users that you authenticate requests against. In many cases this is not practical. Rather than manually editing a text file to add and remove users, you will often want to store user details elsewhere “ maybe in a database table, an XML document, or even Active Directory. However, it's still useful to be able to take advantage of the other features that forms-based authentication provides, such as automatic redirection to a login page, encryption and validation of the authentication cookie, and integration with the environment (which allows you to retrieve the user's details elsewhere in your code; more details of this coming up later).

It's easy to accomplish lookups of user credentials in other data stores, as the examples at the end of the chapter demonstrate . For example, you can use the relational data access capabilities of .NET to retrieve values from a relational database using SQL statements or stored procedures, or you can use classes from the System.Xml namespace to access XML documents.