Security


My next step was to configure the security on the Web site. A major goal of the BikeBlogSecured Web site was to allow authorized users to enter information while allowing read-only access for all others. Classic ASP had absolutely no support for security, so pages had to be secured manually in code. With ASP.NET, developers could declaratively configure security by adding tags in the Web.config file that would allow or deny access to specific users or groups of users. This was a huge step in the right direction, but a great deal of manual work was still required to get security working correctly. Fortunately, ASP.NET 2.0 offers excellent support for developers who need to secure their applications.

Users of ASP.NET applications (and in fact, users of any application that uses IIS) can be authenticated in one of two ways. The default authentication method is Windows Authentication.

When Windows Authentication is selected, the user of the Web Forms application is determined by the identity of the user in some Windows domain. For an intranet application, this can be convenient. As the developer of the application, you have to do very little to maintain a user list. The user list, by default, is the list of users in the domain. You can restrict that list by some other means (for instance, by checking the user's domain name against a database of domain users, such as Active Directory directory service, that you want to allow into your application), but precautions such as login Web Forms are generally not required, because users will either be automatically recognized or prompted for credentials before they reach the site.

Windows Authentication is not always the perfect solution, however, especially for Internet applications. You cannot expect any user who needs to be identified in your Internet application to have domain credentials on your Windows domain. Fortunately, forms authentication is a good alternative. By using forms authentication, you as the developer are responsible for providing a page that allows users to enter their credentials. More importantly, the storage of those credentials and the management of user information is also up to you. Sadly, most users get the details of storing user credentials wrong. As we will see later in this chapter, this potentially daunting task is made much easier in ASP.NET 2.0 by several controls designed to assist you in identifying and registering users.

From the main page of the ASP.NET Web Site Administration Tool, click the Security tab to see a page like the one shown in Figure 7-4.

Figure 7-4: The Security page in the ASP.NET Web Site Administration Tool

The easiest way to configure security is to click Use The Security Setup Wizard To Configure Security Step By Step. The first step of the Security Setup Wizard is a welcome page, as shown in Figure 7-5.

Figure 7-5: The Security Setup Wizard welcome page

Click Next to proceed to step 2, Select Access Method, shown in Figure 7-6.

Figure 7-6: The Security Setup Wizard Select Access Method step

Although the wizard page shown in Figure 7-6 does not refer to the authentication methods by name, the first option, From The Internet, refers to forms authentication, and the second option, From A Local Area Network, refers to Windows Authentication. For the BikeBlogSecured Web site, I selected From The Internet and clicked Next. The third step, Data Store, simply reminds me that the provider settings that I configured in the previous section are established outside of this wizard. Any changes that I might like to make at this point must be made from the administration tool's Provider page (see Figure 7-2). The Data Store step is shown in Figure 7-7.

Figure 7-7: The Security Setup Wizard Data Store step

Click Next to proceed to the next step, Define Roles, as shown in Figure 7-8.

Figure 7-8: The Security Setup Wizard Define Roles step

Roles are a convenient way to group together users who need the same set of rights to the application. Even when only one user will need to perform a given task, assigning that task to a role and adding the single user to the role is cleaner than assigning the task to each user individually, and it allows for flexibility in the future. For the BikeBlogSecured Web site, I enabled roles by selecting the Enable Roles For This Web Site check box and clicking Next, which opened the page shown in Figure 7-9.

Figure 7-9: The Security Setup Wizard Create New Role page

I created a new role named admins and clicked Add Role, which resulted in the page shown in Figure 7-10.

Figure 7-10: The Security Setup Wizard Create New Role page, after creating the admins role

After I clicked Next, step 5, Add New Users, appeared. I entered a new user, filling in the fields as shown in Figure 7-11.

Figure 7-11: The Security Setup Wizard Add New Users step

When I clicked Create User, the user was created and a page appeared confirming this and offering me the opportunity to continue. After I clicked Continue, an empty Create User page appeared. I clicked Next again, and the Add New Access Rules step appeared, as shown in Figure 7-12.

Figure 7-12: The Security Setup Wizard Add New Access Rules step

The page shown in Figure 7-12 allows you to create rules that allow or deny users at the directory level. By selecting Admin in the list of folders, clicking Admins in the list of roles, and clicking Allow in the Permission section, you add a rule that allows members of the admins role to access the Admin folder. Next, add another rule: select Admin in the list of folders, click All Users in the list of roles, and click Deny in the Permission section. Once you have added the two rules for the Admin folder (allow admins, deny all users), the list of rules is displayed, as shown in Figure 7-13.

Figure 7-13: The Security Setup Wizard Add New Access Rules step, after adding two rules

After access rules have been set, the Security Setup Wizard is complete. Click Finish, and you are almost done. On the Security page of the ASP.NET Web Site Administration Tool, click Create Or Manage Roles. The page shown in Figure 7-14 appears.

Figure 7-14: The Manage Roles page in the ASP.NET Web Site Administration Tool

Click the Manage link next to the admins role, and a page appears that allows you to search for a user. In my case, I added user "dreilly." By clicking the D link, I saw that the single user had been added, and I could select a check box labeled User Is In Role, which, when selected, indicates that the user is a member of the role, as shown in Figure 7-15.

Figure 7-15: Adding the user dreilly to the admins role in the ASP.NET Web Site Administration Tool

Clicking Back twice returns you to the main Security page of the ASP.NET Web Site Administration Tool.

Behind the new administrative interface, ASP.NET 2.0 continues to store information about user rights inside Web.config files. For instance, after I set the rules for the Admin folder, a Web.config file was written to the Admin folder with the rules spelled out, as shown here.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
        <system.web>
            <authorization>
                <allow roles="admins" />
                <deny users="*" />
            </authorization>
        </system.web>
    </configuration>

The <authorization> section tells ASP.NET that members of the admins role are allowed into the folder and all other users are denied.
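As an added example (not from the book), here is what the root Web.config of a site like BikeBlogSecured might look like with forms authentication enabled and the same Admin-folder rules expressed in a <location> element instead of a nested Web.config. ASP.NET URL authorization applies the first rule that matches the current user, so the deny-all rule must come after the allow rule; the commented-out variant shows the ordering that would lock everyone out, including the admins. The login page name and cookie name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <!-- Forms authentication: requests that are denied by an authorization
         rule are redirected to the login page (page and cookie name assumed). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".BIKEBLOGAUTH" protection="All" />
    </authentication>
    <!-- The role manager must be enabled for allow/deny rules on roles to
         work; the wizard's Enable Roles check box turns this on. -->
    <roleManager enabled="true" />
    <!-- Site-wide: everyone, including anonymous users ("?"), may read. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Equivalent of the Admin\Web.config that the wizard generated. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- WRONG ordering: the first matching rule wins, so deny users="*"
       matches every request before the allow rule is reached, and members
       of admins are locked out of the Admin folder as well.
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="*" />
        <allow roles="admins" />
      </authorization>
    </system.web>
  </location>
  -->
</configuration>
```

Rules in a folder's own Web.config (or its <location> element) are checked before any inherited from the parent, which is why the site-wide allow-all rule does not override the Admin folder's deny.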



Programming Microsoft Web Forms
ISBN: 0735621799
Year: 2005
Pages: 70
Authors: Douglas J. Reilly
