Chapter 28. Writing a Secure Web Application in the .NET Development Platform

By Kevin Price

IN THIS CHAPTER

• ASP.NET with Remoting Versus Web Services

• Authentication and Authorization Without IIS

The goal of this chapter is to answer the question of what to do when your application uses the Internet but isn't just a Web site or isn't a Web site at all. It will also show you how to use encryption features from within ASP.NET to help secure your application. These applications are where you can exercise a great deal of control over the security of your application, because in some cases, you control the client completely. There are also applications that are both ”browser-based and have B2B or B2C type transactions that take place on the back-end. In this chapter, you will learn the following:

• How to encrypt data within ASP.NET

• The differences between ASP.NET using .NET remoting and Web Services

• How to incorporate authentication when using IIS is not possible

• How to authorize users when IIS is not available

• How using Channels keeps data secure

Inevitably, there will come a time when the project at hand is not entirely using the Microsoft .NET platform, or even entirely Microsoft-based technologies. This is one of the arenas that gets seldom covered and, if so, is usually garbled with philosophical rhetoric instead of what to do. With the advent of SOAP, services that are exposed via the Internet have a means to communicate; this is always the first step in managing a relationship. Now that they can exchange data, they can almost interoperate . What makes this possible is what the services are programmed to do. Because services, and pages for that matter, can contain code that accepts parameters that could execute commands on a remote machine, security is of the highest priority. Although Microsoft has provided such tools as the .NET Framework Wizards and Microsoft .NET Framework Configuration applet, there may be a time when you need to adjust security dynamically.