Using the Visual Studio .NET Passport Features


Most of the resources you read will view Passport from the perspective of user identification and authentication. In fact, the essential focus of this section is on both identification and authentication. However, vendors didn’t design Passport and technologies like it (see the “A Quick Overview of the Liberty Alliance Project” sidebar) for simple identification and authentication. These technologies store and manage a caller’s personal information, so they’re personal identification management technologies.

Note

While the .NET Framework does provide the hooks required to use Passport, it doesn’t provide all of the software you need. At a minimum, you must download the Passport SDK from http://msdn.microsoft.com/downloads/list/websrvpass.asp. In some cases, you might need additional software to make Passport work on your system. Your server must fully support SSL and have a certificate installed to use the Passport SDK. The current version of the Passport SDK works with Windows 2000 Server (not Professional), Windows XP Professional, and Windows 2003 Server. Microsoft warns against using older Passport versions (especially the 1.4 version) with the .NET Framework, and testing shows that heeding the warning is a good idea.

When a user stores credit card or address information as part of their Passport settings, Passport becomes a convenience tool for the user as well as a means for a third party to identify and authenticate the user. The goal is to identify and authenticate the user in a way that doesn’t transfer sensitive user information over the wire. A user can make a purchase online without revealing secret (personal) information, yet the vendor gains access to information to make the sale. This perspective of the services that Passport offers is important because it changes the way businesses use the technology and consequently changes the way you develop applications using Passport.

The following sections discuss the security features that Passport provides. I’m not providing a complete view of all Passport functionality because the goal of this section is to discuss ways you can use Passport to make your application more secure. Be aware, however, that you’ll probably use Passport for purposes other than identification and authorization at some point.

A Quick Overview of the Liberty Alliance Project

Using a Microsoft product means that you normally use Microsoft development strategies, unless, of course, you’re willing to do a lot of extra work to accomplish a specific task using a different strategy. Fortunately, you do have alternatives when it comes to personal identification management in the form of the Liberty Alliance Project. Many developers have questioned which technology to use, and the media has followed suit (see the eWeek article at http://www.eweek.com/article2/0,3959,266840,00.asp). The .NET Framework doesn’t include any support for the Liberty Alliance Project, but you can add support using third-party add-ons such as SourceID (http://www.sourceid.org/?SourceID.NET). The appearance of these third-party alternatives leaves the decision of which technology to use up to you.

You need to consider a number of issues when determining which technology to use. The Liberty Alliance Project is open source and used mainly on Unix systems (including Linux) right now. Many developers point to the fact that Passport came out well before the Liberty Alliance Project and that Passport has a lead in testing and functionality. In fact, the Liberty Alliance recently released the second phase of their specification, which is the Identity Web Services Framework (ID-WSF). You can learn more about this specification in the InfoWorld article at http://www.infoworld.com/article/03/04/15/15appnews_1.html and the Specifications link on the Liberty Alliance Web site at http://www.projectliberty.org/.

The differences in strategy will ultimately affect the functionality of both technologies. The single company view the tightly controlled Passport provides means you won’t suffer the problems of “designed by committee” software. However, the design of the Liberty Alliance Project technology makes it more flexible. In fact, this technology already appears on more platforms than Passport does. Consequently, if you work in a mixed platform environment such as Linux and Windows, then the Liberty Alliance Project technology might be your only viable option. The InternetNews article at http://www.internetnews.com/bus-news/article.php/973001 discusses additional strategic differences between the two products.

Passport and the Liberty Alliance Project have essential differences. Even the technique used to move the identification token from one site to another differs. While Passport uses a proprietary schema, the Liberty Alliance Project uses the Security Assertion Markup Language (SAML) (you can learn more about SAML from the Organization for the Advancement of Structured Information Standards, OASIS, site at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security). However, a recent eWeek article (http://www.eweek.com/article2/0,3959,890520,00.asp) points out that the Liberty Alliance is working on a strategy where a third-party Web site would act as an intermediary between the two technologies, giving developers at least some sense of interoperability.


Passport Features in the System.Web.Security Namespace

The System.Web.Security namespace provides access to most of the Passport features you need. The goal of using Passport is to obtain a ticket that identifies a particular user. The ticket doesn’t provide any confidential information about the user—it simply states that the server has authenticated the user. In short, the identity saves an application time authenticating a caller and the caller time providing credentials. The PassportIdentity class provides access to this ticket.

Warning

Passport is still a young technology. Although Microsoft has made great strides in creating a useful and secure verification mechanism, problems still abound (as they will with any new technology). For example, a recent InfoWorld article states that a bug in Passport could reveal user information (http://www.infoworld.com/article/03/05/08/HNpassportflaw_1.html). Hardly a week passes without some mention of a Passport problem. Microsoft is quick to fix these problems, but the newness of the technology is definitely a problem. Make sure you consider the potential problems in using Passport for mission critical applications.

You normally use the PassportIdentity class directly to create the initial login. However, much of the actual work takes place indirectly through the PassportAuthenticationModule class. You can intercept the actual authentication event by adding an event handler to the Authenticate event of the PassportAuthenticationModule class. When you do intercept the authentication event, you’ll receive a PassportAuthenticationEventArgs object that includes information such as the username and identity. Note that the Identity property, in this case, is the Passport identity, not a local identity.
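The following handler is an added example, not code from the book or from the Passport SDK. It shows what intercepting the Authenticate event looks like in practice: ASP.NET wires a Global.asax method named PassportAuthentication_OnAuthenticate to the PassportAuthenticationModule.Authenticate event automatically, and the handler receives the PassportAuthenticationEventArgs described above. The example uses the Passport identity only to look up local roles keyed on the PUID and attaches a GenericPrincipal carrying those roles; the LocalRoles table and its sample PUID are constructed stand-ins for the application's own user store.

```csharp
// Added example (not from the book): Global.asax code-behind that intercepts
// the PassportAuthenticationModule.Authenticate event. ASP.NET binds a method
// named PassportAuthentication_OnAuthenticate to that event by name.
using System;
using System.Collections;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical lookup: Passport PUID (hex string) -> local roles.
    // A real application reads this from its own database; the entry
    // below is a constructed sample value, not a real PUID.
    private static readonly Hashtable LocalRoles = new Hashtable();

    static Global()
    {
        LocalRoles["0006BFFD0000ABCD"] = new string[] { "Customer" };
    }

    protected void PassportAuthentication_OnAuthenticate(object sender,
        PassportAuthenticationEventArgs e)
    {
        // e.Identity is the Passport identity, not a local Windows or Forms identity.
        PassportIdentity identity = e.Identity;

        // No valid Passport ticket: leave e.User unset so the page sees an
        // anonymous caller, and record the fact for the audit trail.
        if (identity == null || !identity.IsAuthenticated)
        {
            Trace.WriteLine("Passport: anonymous request for " + e.Context.Request.Path);
            return;
        }

        // Authorize locally on the PUID, not on the e-mail address or display
        // name: the PUID is the stable identifier the ticket vouches for.
        string puid = identity.HexPUID;
        string[] roles = LocalRoles[puid] as string[];
        if (roles == null)
        {
            // Known to Passport but not to this application: no local rights.
            roles = new string[0];
        }

        // Pages can now call User.IsInRole("Customer") without reading any
        // Passport profile data; the Passport identity stays the inner IIdentity.
        e.User = new GenericPrincipal(identity, roles);

        Trace.WriteLine("Passport: authenticated PUID " + puid +
                        " with " + roles.Length + " local role(s)");
    }
}
```

Keeping the role lookup inside the handler means every request that carries a Passport ticket gets the same local principal, regardless of which page it hits, and the pages never have to touch the PassportIdentity object themselves except to trigger the initial logon.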

A Simple Passport Example

This section includes a simple Passport example consisting of two Web pages. The first page appears when the user selects the site. This page contains only the Passport logon button. When the user clicks this button, the Passport logon dialog appears. The user must enter their Passport email address and password. Once Passport authenticates the user, it redirects the call to the second page. This page logs on the user as long as the user has a ticket. The page then displays the logged on status. Listing 11.5 contains the code for the first page. You’ll find this example in the \Chapter 11\C#\PassportTest and \Chapter 11\VB\PassportTest folders of the source code located on the Sybex Web site.

Listing 11.5 Logging in with Passport

// Code-behind for the first page. The members below belong to the page class;
// PassportIdentity lives in System.Web.Security.
using System.Web.Security;

// Contains an <Img> tag for the Passport Login.
protected String LogoTag;

private void Page_Load(object sender, System.EventArgs e)
{
   PassportIdentity  PI;   // The Passport Identity.

   // Create a new identity.
   PI = new PassportIdentity();

   // Tell the user to log in.
   LogoTag = PI.LogoTag2("LoggedIn.ASPX", // Return URL
                         3600,            // Time to wait.
                         0,               // Don't force login.
                         null,            // No co-branding site.
                         -1,              // Use default language.
                         1,               // Non-secure page.
                         "",              // Passport namespace.
                         -1,              // Children's privacy policy.
                         0);              // Use secure authorization.

   // If the user is successful, provide the Passport
   // User ID with the return value.
   if (PI.IsAuthenticated)
      Response.Write(PI.HexPUID);
}

The code begins by creating a PassportIdentity object. It uses this object to call the LogoTag2() method, which does more than the documentation states. Supposedly, all of this information will create a piece of HTML code that displays a Passport icon. In fact, this code indirectly generates the call to the Passport service for authentication. Of course, this begs the question of how the Passport icon appears on screen. Notice that the LogoTag variable is global to the namespace. A little code in the HTML portion of the example, as shown here, takes care of the rest.

<form method="post" runat="server">
   <%=LogoTag%>
</form>

The remainder of the code verifies the authenticated state of the caller. If Passport authenticated the caller, then the code writes the Passport Unique Identifier (PUID) to the response stream. At this point, the Passport service redirects the user to the LoggedIn.ASPX page. Listing 11.6 shows the code for this page.

Listing 11.6 Displaying the Logged In Status

// Code-behind for LoggedIn.ASPX. LoggedStatus is the page's <asp:Label>
// control; PassportIdentity lives in System.Web.Security.
using System.Web.Security;
using System.Web.UI.WebControls;

// Contains an <Img> tag for the Passport Login.
protected String LogoTag;

// Label that shows the logged in status.
protected Label LoggedStatus;

private void Page_Load(object sender, System.EventArgs e)
{
   PassportIdentity  PI;   // The Passport Identity.

   // Create a new identity.
   PI = new PassportIdentity();

   // Log the user into this page.
   if (PI.HasTicket && !PI.IsAuthenticated)
      PI.LoginUser("LoggedIn.ASPX");

   // Display the Passport status.
   if (PI.IsAuthenticated)
      LoggedStatus.Text = "You're Logged In!";
   else
      LoggedStatus.Text = "You Didn't Log In.";
}

This page begins by creating a PassportIdentity object again. However, this time the code verifies that the user has a ticket. If the user has a ticket and isn’t authenticated for this page, the code silently logs the user back into the system. The code ends by displaying the user’s logged in status.
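Listing 11.6 accepts any ticket that validates. For a page that performs a sensitive action, the extra check a practitioner usually wants is how long ago the user actually signed in, because HasTicket only says a ticket cookie arrived and IsAuthenticated only says the Passport Manager accepted it. The following code-behind is an added example, not from the book, for a hypothetical Checkout.aspx: it reads TimeSinceSignIn from the PassportIdentity, and when the sign-in is older than an assumed five-minute window it sends the user back through Passport with the force-login flag set, using the long AuthUrl2 overload (return URL, time window, force-login flag, co-branding arguments, language, namespace, KPP flag, secure-auth flag). The FreshWindowSeconds policy, the Status label, and the IsKnownCustomer lookup with its sample PUID are all constructed for the example.

```csharp
// Added example (not from the book): code-behind for a hypothetical
// Checkout.aspx that refuses to act on a stale Passport sign-in.
// AutoEventWireup="true" is assumed so Page_Load is bound by name.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Checkout : Page
{
    // Assumed page control: <asp:Label id="Status" runat="server" />
    protected Label Status;

    // Assumed policy: a sign-in older than five minutes is not fresh enough
    // to authorize a purchase, even though the ticket itself is still valid.
    private const int FreshWindowSeconds = 300;

    protected void Page_Load(object sender, EventArgs e)
    {
        PassportIdentity pi = new PassportIdentity();

        // IsAuthenticated: the Passport Manager validated the ticket.
        // TimeSinceSignIn: seconds since the user last entered credentials.
        if (!pi.IsAuthenticated || pi.TimeSinceSignIn > FreshWindowSeconds)
        {
            // Build the Passport logon URL with fForceLogin = true so the user
            // must re-enter credentials at Passport (never at this site), then
            // come back to this page.
            string loginUrl = pi.AuthUrl2("Checkout.aspx",    // strReturnUrl
                                          FreshWindowSeconds, // iTimeWindow
                                          true,               // fForceLogin
                                          null,               // strCoBrandedArgs
                                          -1,                 // iLangID: default
                                          "",                 // strNameSpace: default
                                          -1,                 // iKPP: no children's policy
                                          true);              // bUseSecureAuth
            Response.Redirect(loginUrl, true);
            return;
        }

        // Authorize on the PUID only. Nothing from the Passport profile is read
        // or echoed back, so no personal data crosses the wire for this step.
        string puid = pi.HexPUID;
        if (!IsKnownCustomer(puid))
        {
            Status.Text = "This Passport is not registered with this store.";
            return;
        }

        Status.Text = "Signed in " + pi.TimeSinceSignIn +
                      " seconds ago; proceeding with checkout.";
    }

    // Hypothetical lookup against the store's own customer table.
    // The PUID below is a constructed sample value.
    private static bool IsKnownCustomer(string puid)
    {
        string[] registered = { "0006BFFD0000ABCD" };
        return Array.IndexOf(registered, puid) >= 0;
    }
}
```

The time window passed to AuthUrl2 is the same value the page enforces, so the ticket Passport issues on return is, by construction, fresh enough to pass the check on the next request; a user who cancels the logon comes back without a fresh ticket and simply hits the redirect again.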

.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168