Working with Exceptions


For this chapter we're going to work with Web security. There's a lot to security, way more than we can cover in this book, but the sample application should give you a taste for some of the security features in ASP.NET.

ASP.NET has three types of security: Windows security, Forms security, and Passport security. Windows security has to do with domain-based security. For Windows security to work, you have to add user accounts to the server, then configure the server to ask users for their user ID and password. Passport security has to do with Microsoft's Passport authentication. If you use instant messaging or have a Hotmail account you should be familiar with this type of authentication. To do Passport security you need to have the Passport SDK, and do more intense programming than what we can do in this chapter. Forms security is what you commonly see in Web applications. It involves a login screen in which a user can enter a name and a password. This is the type of security that we'll be working with.

In the sample application we're going to use the ASP.NET forms authentication module. This module intercepts all requests to your application and ensures that the user has been authenticated (user ID and password are correct). If the user hasn't been authenticated, the module routes the request to a login page.

In the past, developers would create their own security code. First, they would present the user with a login screen. Then, once they verified the name and password, they would write something to the session object, a key of some sort that told the application that the user had logged in. Finally, developers would test in each page to see if the key was there in the session object. If it wasn't, they would route the request to the login screen. With ASP.NET you don't have to check in each page; the module takes care of intercepting requests and making sure the user has logged in.

You're going to create two pages. The first will be the login page, and the second a page in which you can perform two tasks: one that requires Administration rights and one that requires only User rights. When a user logs in we're going to verify the password and check what groups the user belongs to. Then we're going to create a GenericPrincipal object. GenericPrincipal is a class in the System.Security.Principal namespace. It can store the name of the user as well as the groups that the user belongs to (Admin, User, Guest, for example). There's a property called HttpContext.User that all pages have access to. This property can store our GenericPrincipal object. When a user clicks on one of the buttons in the secured page, we'll do a security check to see if the user is part of the group. If the user is not part of the group, then we'll generate exceptions.

It sounds like a lot of work, but it's really not that bad, since the framework does a lot of the dirty work. Also, to simplify things, we won't look up names in a database. We'll just write some code that checks a few name/password combinations in place.
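The flow described above (verify a few in-place name/password combinations, build a GenericPrincipal carrying the user's roles, then have each secured task check IsInRole and throw when the role is missing) can be exercised outside ASP.NET. The following console program is an added example, not the book's code: the account list, the role names "Admin" and "User", and the Login/RequireRole helper names are constructed for illustration, and Thread.CurrentPrincipal stands in for HttpContext.User. Passwords are compared in clear text here because that is what the chapter's sample does; a real login store would hold password hashes, not the passwords themselves.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class SecurityDemo
{
    // Constructed sample accounts (hypothetical; the book checks a few
    // name/password pairs in code instead of looking them up in a database).
    static readonly (string Email, string Password, string[] Roles)[] Accounts =
    {
        ("admin@example.com", "adm1n-pass", new[] { "Admin", "User" }),
        ("user@example.com",  "us3r-pass",  new[] { "User" }),
    };

    // Login: verify the credentials, then build a GenericPrincipal that holds
    // the user's name and the roles (groups) the user belongs to.
    // Returns null on failure; the login page would then show lblError with a
    // single generic message rather than saying whether the name or the
    // password was wrong.
    public static GenericPrincipal Login(string email, string password)
    {
        foreach (var acct in Accounts)
        {
            if (string.Equals(acct.Email, email, StringComparison.OrdinalIgnoreCase)
                && acct.Password == password)
            {
                var identity = new GenericIdentity(acct.Email);
                return new GenericPrincipal(identity, acct.Roles);
            }
        }
        return null;
    }

    // The check each secured task performs. In the Web application the
    // principal comes from HttpContext.User; a missing role raises an exception
    // instead of silently running the task.
    public static void RequireRole(IPrincipal user, string role)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Not logged in.");
        if (!user.IsInRole(role))
            throw new SecurityException(
                $"'{user.Identity.Name}' is not in role '{role}'.");
    }

    // Mirrors a button click handler on secured.aspx: run the check, report
    // the outcome, and catch the exception the check generates.
    static void RunTask(IPrincipal user, string role, string taskName)
    {
        try
        {
            RequireRole(user, role);
            Console.WriteLine($"{taskName}: allowed for {user.Identity.Name}");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine($"{taskName}: denied ({ex.Message})");
        }
    }

    static void Main()
    {
        // A member of "User" only: the low-security task succeeds, the
        // high-security task is refused.
        GenericPrincipal user = Login("user@example.com", "us3r-pass");
        Thread.CurrentPrincipal = user;   // stand-in for HttpContext.User
        RunTask(user, "User", "Low security task");
        RunTask(user, "Admin", "High security task");

        // A failed login yields no principal at all, so every task is refused.
        RunTask(Login("user@example.com", "wrong-pass"), "User", "Low security task");
    }
}
```

The point the chapter makes is visible in RunTask: the task code itself never inspects passwords or session keys, it only asks the principal whether the required role is present, and the exception is the signal that the caller must handle.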

To start the sample application:

  1. Launch Visual Studio .NET. (Start > All Programs > Microsoft Visual Studio .NET > Microsoft Visual Studio .NET).

  2. Select File > New > Project to bring up the New Project dialog.

  3. Under project types on the left side of the New Project window click the Visual C# projects folder.

  4. Select the ASP.NET Web Application icon and change the name of the application to exceptionsproject (Figure 11.1).

    Figure 11.1. As with many of the other chapters, the sample application will be an ASP.NET Web application.


  5. Visual Studio will create a new project and open WebForm1.aspx.

  6. Change the form's name to secured.aspx. To do this, choose View > Solution Explorer from the top menu bar.

  7. Right-click on WebForm1.aspx and choose Properties. In the property grid below, change the FileName property from WebForm1.aspx to secured.aspx (Figure 11.2).

    Figure 11.2. This is one way to change the name of the file. You could also click once on the filename, wait a few seconds and click again. This will let you change the name of the file in place.


  8. Change the secured.aspx page so that it looks like the form in Figure 11.3. Obviously this is a lot of work to do by hand. Instead you can enter the HTML directly into the editor. Figure 11.4 shows the HTML necessary to create the form. To enter the HTML directly, click the HTML button under the editor's window. As an alternative you could download the skeleton file for this project (see Tips later in this section).

    Figure 11.3. The Secured Site page has two buttons. We're going to implement a security system based on roles. The first button will require someone who is part of the Users role and the second one will require someone who is part of the Admin role.


    Figure 11.4 The form is basically three labels and two buttons. The code is where the real work takes place.
    <%@ Page language="c#" Codebehind="secured.aspx.cs" AutoEventWireup="false" Inherits="exceptionsproject.WebForm1" %>
    <HTML>
       <HEAD>
          <title>WebForm1</title>
       </HEAD>
       <body MS_POSITIONING="GridLayout">
       <form id="Form1" method="post" runat="server">
          <asp:Label id="lblTitle"
             style="Z-INDEX: 100; LEFT: 37px; POSITION: absolute; TOP: 29px"
             runat="server" Font-Size="X-Large"
             Font-Underline="True">Secured Site</asp:Label>
          <asp:Button id="btnHighTask"
             style="Z-INDEX: 106; LEFT: 169px; POSITION: absolute; TOP: 130px"
             runat="server" Text="Task">
          </asp:Button>
          <asp:Label id="Label2"
             style="Z-INDEX: 105; LEFT: 44px; POSITION: absolute; TOP: 132px"
             runat="server" Width="124px" Height="20px">High security task:</asp:Label>
          <asp:Button id="btnLowTask"
             style="Z-INDEX: 102; LEFT: 168px; POSITION: absolute; TOP: 88px"
             runat="server" Text="Task">
          </asp:Button>
          <asp:Label id="Label1"
             style="Z-INDEX: 101; LEFT: 42px; POSITION: absolute; TOP: 89px"
             runat="server" Width="124px" Height="20px">Low security task:</asp:Label>
       </form>
       </body>
    </HTML>

  9. Select Project > Add Web Form from the menu bar. Enter login.aspx for the new filename (Figure 11.5).

    Figure 11.5. The second form in this project is a login form. If the user hasn't logged in, any attempts to reach any other page will make the authentication module present the login page instead.


  10. Change the login.aspx page so that it looks like Figure 11.6. You could also input the HTML in Figure 11.7 directly into the editor.

    Figure 11.6. The login page asks for a user's email and a password. The user then clicks the login button.


    Figure 11.7 Notice that in addition to the labels with text, there's a label below the login button that will be used to report login failures.
    <%@ Page language="c#" Codebehind="login.aspx.cs" AutoEventWireup="false" Inherits="exceptionsproject.login" %>
    <HTML>
       <HEAD>
          <title>login</title>
       </HEAD>
       <body MS_POSITIONING="GridLayout">
       <form id="login" method="post" runat="server">
          <asp:Label id="lblEmail"
             style="Z-INDEX: 101; LEFT: 44px; POSITION: absolute; TOP: 99px"
             runat="server">Email:</asp:Label>
          <asp:Label id="lblPassword"
             style="Z-INDEX: 105; LEFT: 46px; POSITION: absolute; TOP: 141px"
             runat="server">Password:</asp:Label>
          <asp:TextBox id="txtPassword"
             style="Z-INDEX: 103; LEFT: 133px; POSITION: absolute; TOP: 137px"
             runat="server" Width="186px">
          </asp:TextBox>
          <asp:Label id="lblTitle"
             style="Z-INDEX: 102; LEFT: 38px; POSITION: absolute; TOP: 39px"
             runat="server" Font-Size="X-Large">Login Screen</asp:Label>
          <asp:TextBox id="txtEmail"
             style="Z-INDEX: 104; LEFT: 131px; POSITION: absolute; TOP: 95px"
             runat="server" Width="186px">
          </asp:TextBox>
          <asp:Button id="btnLogin"
             style="Z-INDEX: 106; LEFT: 268px; POSITION: absolute; TOP: 177px"
             runat="server" Text="Login"></asp:Button>
          <asp:Label id="lblError"
             style="Z-INDEX: 107; LEFT: 47px; POSITION: absolute; TOP: 232px"
             runat="server" Width="265px"
             ForeColor="Red"></asp:Label>
       </form>
       </body>
    </HTML>

Tips

  • So far, all we have is the skeleton of the application, no security code yet. We're going to add security code throughout the chapter.

  • Remember that like in any other project in this book, building the project isn't necessary for learning the concepts in this chapter.

  • Skeletons for each project can be downloaded from Peachpit's Web site, http://www.peachpit.com/vqs/csharp.




C#
C# & VB.NET Conversion Pocket Reference
ISBN: 0596003196
Year: 2003
Pages: 198
Authors: Jose Mojica
