ASP.NET Web Developer's Guide - Mesbah Ahmed, Chris Garrett
Chapter 4 • Configuring ASP.NET
The following code shows the use of these options as they could be configured for a multiprocessor system:
<configuration>
<system.web>
<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:10"
requestLimit="Infinite"
requestQueueLimit="8000"
restartQueueLimit="10"
memoryLimit="70"
webGarden="true"
cpuMask="13"
userName="SYSTEM"
password="AutoGenerate"
logLevel="All"
clientConnectedCheck="0:00:10"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
/>
</system.web>
</configuration>
Configuring the Session State
Using the <sessionState> Tag
The <sessionState> tag enables you to configure the session state HTTP module. This tag supports five attributes, which are detailed in Table 4.10. For further information on session state, please refer to Chapter 5.
Table 4.10 <sessionState> Tag Attributes

Attribute | Options | Description | Default
--- | --- | --- | ---
mode | Off/InProc/StateServer/SqlServer | Enables you to specify where to store the session state. The Off value disables session state, the InProc value stores the session state locally, the StateServer value stores the session state on a remote server, and the SqlServer value stores the session state on a SQL server. | InProc
cookieless | true/false | Enables you to specify whether sessions without cookies should be used to identify client sessions, with a value of true indicating that sessions without cookies should be used. | false
timeout | | Enables you to specify the amount of time in minutes before an idle session is abandoned. | 20
stateConnectionString | | Enables you to specify the server name and port to use when the session state is stored remotely, as specified with the StateServer value under the mode attribute. | tcpip=127.0.0.1:42424
sqlConnectionString | | Enables you to specify a SQL connection string to use when the session state is stored on a SQL server, as specified with the SqlServer value under the mode attribute. | data source=127.0.0.1;user id=sa;password=
An example use of this tag is illustrated in the following code sample:
<configuration>
<system.web>
<sessionState
mode="SqlServer"
sqlConnectionString="data source=10.10.10.1;user id=sa;password=mypass"
cookieless="false"
timeout="25"
/>
</system.web>
</configuration>
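As an added example (not code from the book), the following Python script reads the <sessionState> element from a web.config fragment, fills in the Table 4.10 defaults for any attribute that is absent, and reports the settings a configuration review would flag: a SqlServer connection string that logs in as sa or carries a clear-text password, a StateServer on another host, cookieless sessions, and a timeout beyond a local limit. The sample configuration is constructed from the chapter's example above; max_idle_minutes is an assumed local policy value, defaulting to the table's 20-minute default.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment; the values mirror the chapter's <sessionState> example.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="SqlServer"
                  sqlConnectionString="data source=10.10.10.1;user id=sa;password=mypass"
                  cookieless="false"
                  timeout="25" />
  </system.web>
</configuration>"""

# Defaults from Table 4.10, applied when an attribute is missing from the file.
DEFAULTS = {
    "mode": "InProc",
    "cookieless": "false",
    "timeout": "20",
    "stateConnectionString": "tcpip=127.0.0.1:42424",
    "sqlConnectionString": "data source=127.0.0.1;user id=sa;password=",
}


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict keyed by lower-cased, stripped names."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def session_state_settings(config_xml):
    """Return the effective <sessionState> attributes, with Table 4.10 defaults filled in."""
    node = ET.fromstring(config_xml).find("./system.web/sessionState")
    settings = dict(DEFAULTS)
    if node is not None:
        settings.update(node.attrib)
    return settings


def audit_session_state(config_xml, max_idle_minutes=20):
    """Return a list of findings. max_idle_minutes is an assumed local policy limit."""
    s = session_state_settings(config_xml)
    findings = []
    if s["mode"] == "SqlServer":
        cs = parse_connection_string(s["sqlConnectionString"])
        if cs.get("user id", "").lower() == "sa":
            findings.append("sqlConnectionString logs in as 'sa'; use a least-privilege SQL account")
        if "password" in cs:
            findings.append(
                "sqlConnectionString carries the password in clear text inside web.config"
                if cs["password"] else "sqlConnectionString has a blank password")
    elif s["mode"] == "StateServer":
        # stateConnectionString has the form tcpip=host:port
        host = s["stateConnectionString"].partition("=")[2].rsplit(":", 1)[0]
        if host not in ("127.0.0.1", "localhost"):
            findings.append(f"session data travels unencrypted over TCP to state server {host}; "
                            "limit which hosts can reach that port")
    if s["cookieless"].lower() == "true":
        findings.append("cookieless=true places the session id in the URL, where it leaks through "
                        "logs, bookmarks and Referer headers")
    if int(s["timeout"]) > max_idle_minutes:
        findings.append(f"timeout={s['timeout']} minutes exceeds the {max_idle_minutes}-minute limit")
    return findings


if __name__ == "__main__":
    for line in audit_session_state(SAMPLE_CONFIG):
        print("finding:", line)
```

Run against the chapter's sample, the audit reports the sa login, the embedded clear-text password and the 25-minute timeout; a file with no <sessionState> element at all is evaluated purely on the Table 4.10 defaults and produces no findings.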
Configuring Request Modules Using the <webRequestModules> Tag
The <webRequestModules> tag enables you to configure the request modules used within your application. These modules control the way that ASP.NET will respond to different requests. As an example, one of the default modules is the System.Net.FileWebRequestCreator module. Whenever a request prefaced with "file://" is sent to the server, the System.Net.FileWebRequestCreator module is called to handle the request.
This tag supports the <add>, <remove>, and <clear> subtags. The <add> subtag specifies the request module class to add to your application. It has two attributes, prefix and type. Proper usage of the <add> subtag is illustrated in the following code sample. The <remove> subtag accepts the same prefix and type attributes and is used to remove request modules previously specified with the <add> subtag. Wildcards are not supported with the <remove> tag. The <clear> subtag removes all request modules from the configuration, whether explicitly defined or inherited.
<configuration>
<system.net>
<webRequestModules>
<add
prefix="http"
type="System.Net.HttpRequestCreator"
/>
<add
prefix="https"
type="System.Net.HttpRequestCreator"
/>
<add
prefix="file"
type="System.Net.FileWebRequestCreator"
/>
</webRequestModules>
</system.net>
</configuration>
Configuring Web Services
Using the <webServices> Tag
The <webServices> tag enables you to configure aspects of ASP.NET's web services and how they function. Web services are explained in detail in Chapter 10. By using various subtags, you can add protocol types, writer and reader types, as well as configure many other options. All of the subtags supported by the <webServices> tag support the three attributes of add, remove, and clear. There are two different styles of subtags supported: standard subtags and type subtags. When using a standard subtag, the add and remove attributes use the name value. When using a type subtag, these attributes use the type value.
There are many subtags supported by the <webServices> tag. Table 4.11 contains a partial list of these subtags and describes the style of each.
Table 4.11 <webServices> Tag Subtags

Subtag | Style
--- | ---
protocolTypes | type
protocols | standard
returnWriterTypes | type
returnWriters | standard
parameterReaderTypes | type
parameterReaders | standard
protocolReflectorTypes | type
protocolReflectors | standard
mimeReflectorTypes | type
mimeReflectors | standard
protocolImporterTypes | type
protocolImporters | standard
mimeImporterTypes | type
mimeImporters | standard
protocolInfoTypes | type
protocolInfo | standard
mimeInfoTypes | type
mimeInfo | standard
referenceResolverTypes | type
referenceResolvers | standard
discoverySearchPatternTypes | type
discoverySearchPatterns | standard
soapExtensionTypes | type
soapExtensions | standard
soapExtensionReflectorTypes | type
soapExtensionReflectors | standard
soapExtensionImporterTypes | type
soapExtensionImporters | standard

Security
Security is a very important area of configuration for ASP.NET. The tags provided in this section enable you to configure several aspects of ASP.NET security, including encryption and authentication. When planning any application, you should always keep security in mind and make sure that all aspects of your application are as secure as possible. These tags, when configured properly, can assist in reaching the goal of a secure application.
Authenticating Users Using the <authentication> Tag
Authentication refers to the portion of ASP.NET which verifies that the users accessing your application are indeed who they say they are. This should be used to verify the identity of your users for security reasons as well as for personalization of the application. The mode attribute specifies the type of authentication to use. Table 4.12 shows the available options for this attribute and what they mean. When Windows authentication is referred to, this includes all forms of authentication supported by IIS, such as basic, digest, NTLM/Kerberos, or certificates.
Table 4.12 mode Attribute Options

Option | Description
--- | ---
Windows | Specifies Windows/IIS authentication mode.
Forms | Specifies an ASP.NET forms-based authentication mode.
Passport | Specifies the use of Microsoft Passport authentication mode.
None | No authentication specified. This should only be used for anonymous access-based applications or applications designed with their own authentication scheme.
The <authentication> tag also supports two subtags, <forms> and <passport>. The <forms> tag is used to specify configuration information for using ASP.NET's forms-based authentication mode. This subtag supports five attributes and one subtag. These attributes are shown in Table 4.13.
Table 4.13 <forms> Subtag Attributes

Attribute | Options | Description
--- | --- | ---
name | | Enables you to specify a cookie name to use for authentication. ASP.NET defaults to .ASPXAUTH.
loginUrl | | If the specified cookie is not found, the user will be redirected to the URL specified in this attribute to log in. ASP.NET defaults to default.aspx.
protection | All/None/Encryption/Validation | The All option specifies that the application uses both validation and encryption to protect the authentication cookie. This is the default value. The None option specifies that neither validation nor encryption is used, and therefore the cookie is not secure. This should only be used when there are no security requirements and the authentication features are only being used for personalization.
timeout | | Enables you to specify a maximum length of time for the authentication cookie to remain valid. This value is in seconds and the default is 30.
path | | Enables you to specify a specific path for storing cookies used by your application. The default is /.
The <forms> subtag supports the <credentials> subtag. This subtag enables you to specify user id and password credentials within the configuration file. This is done by using the passwordFormat attribute and the <user> subtag. The passwordFormat attribute accepts three values, which specify the password encryption. These values are as follows:
■ Clear: No encryption
■ MD5: Encrypted with the MD5 hash algorithm
■ SHA1: Encrypted with the SHA1 hash algorithm
The <user> subtag supports the use of the name and password attributes. These values are simply text values containing the user's id and password.
The second subtag supported by the <authentication> tag is <passport>. This subtag has a single attribute, redirectUrl, which enables you to specify a default URL to redirect the user to if the passport mode is used and the user has not signed on with Passport. The following code sample shows the use of these options:
<configuration>
<system.web>
<authentication
mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="authenticate.aspx"
protection="All"
timeout="45"
path="/">
<credentials
passwordFormat="SHA1">
<user
name="myuser"
password="mypass"
/>
</credentials>
</forms>
</authentication>
</system.web>
</configuration>
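This added Python example (not the book's code) shows what the <credentials> section expects to find: hash_for_config converts a password to the value stored under <user password="..."> for each passwordFormat, verify_credentials performs the lookup and a constant-time comparison in the configured format, and forms_findings flags a protection value other than All and passwordFormat="Clear". The configuration is constructed in code rather than taken from a file. Two assumptions are marked in the comments: that the MD5 and SHA1 formats hold the hex digest of the UTF-8 password (the value FormsAuthentication.HashPasswordForStoringInConfigFile produces), and that passwordFormat defaults to SHA1 when omitted. Note that with passwordFormat="SHA1", as in the chapter's sample above, the password attribute has to hold that digest rather than the literal password, or the login check will never match.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config(password, password_format):
    """Return the value to store in <user password="..."> for a given passwordFormat.
    Assumption (the chapter only names the algorithms): MD5 and SHA1 store the
    upper-case hex digest of the UTF-8 password; Clear stores it exactly as typed."""
    fmt = password_format.upper()
    raw = password.encode("utf-8")
    if fmt == "CLEAR":
        return password
    if fmt == "MD5":
        return hashlib.md5(raw).hexdigest().upper()
    if fmt == "SHA1":
        return hashlib.sha1(raw).hexdigest().upper()
    raise ValueError(f"unsupported passwordFormat: {password_format}")


def build_forms_config(password_format, users, protection="All"):
    """Construct a web.config fragment (example data only) whose <user> entries already
    hold passwords converted with hash_for_config()."""
    user_tags = "".join(
        f'<user name="{name}" password="{hash_for_config(pw, password_format)}" />'
        for name, pw in users.items())
    return (
        '<configuration><system.web><authentication mode="Forms">'
        f'<forms name=".ASPXAUTH" loginUrl="authenticate.aspx" protection="{protection}" '
        'timeout="45" path="/">'
        f'<credentials passwordFormat="{password_format}">{user_tags}</credentials>'
        '</forms></authentication></system.web></configuration>')


def verify_credentials(config_xml, name, password):
    """Find `name` under <credentials> and compare the submitted password in the
    configured format. The comparison is constant-time to avoid timing leaks."""
    creds = ET.fromstring(config_xml).find("./system.web/authentication/forms/credentials")
    if creds is None:
        return False
    fmt = creds.get("passwordFormat", "SHA1")  # assumed default when the attribute is absent
    candidate = hash_for_config(password, fmt).encode("utf-8")
    for user in creds.findall("user"):
        if user.get("name") == name:
            stored = user.get("password", "").encode("utf-8")
            if fmt.upper() != "CLEAR":
                # hex digests are compared case-insensitively
                stored, candidate = stored.upper(), candidate.upper()
            return hmac.compare_digest(stored, candidate)
    return False


def forms_findings(config_xml):
    """Flag the <forms> and <credentials> settings that weaken the cookie or the
    stored passwords (Table 4.13 protection, and passwordFormat=Clear)."""
    forms = ET.fromstring(config_xml).find("./system.web/authentication/forms")
    findings = []
    if forms is None:
        return findings
    protection = forms.get("protection", "All")
    if protection != "All":
        findings.append(f"protection={protection}: the authentication cookie is not both "
                        "validated and encrypted")
    creds = forms.find("credentials")
    if creds is not None and creds.get("passwordFormat", "SHA1").upper() == "CLEAR":
        findings.append("passwordFormat=Clear: passwords are stored unhashed in web.config")
    return findings


if __name__ == "__main__":
    cfg = build_forms_config("SHA1", {"myuser": "mypass"})
    print(cfg)
    print("login ok:", verify_credentials(cfg, "myuser", "mypass"))
    print("findings:", forms_findings(cfg))
```

MD5 and SHA1 here are plain, unsalted digests, so this configuration-file credential store suits only a small, static set of accounts; what verify_credentials compares is the digest, never the clear-text password.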
Configuring Security Modules Using the <authenticationModules> Tag
The <authenticationModules> tag enables you to add or remove the security modules used within ASP.NET for authentication. This will only be used if you wish to add some other form of authentication to ASP.NET. This may evolve in the future with the use of smart cards and biometric authentication. This tag supports the <add>, <remove>, and <clear> subtags. The <add> subtag specifies the authentication module class to add to your application. It uses the type attribute to specify the class. Proper usage of the <add> subtag is illustrated in the following code sample. The <remove> subtag accepts the same type attribute and is used to remove authentication modules previously specified with the <add> subtag. Wildcards are not supported with the <remove> tag. The <clear> subtag removes all authentication modules from the configuration, whether explicitly defined or inherited.
<configuration>
<system.net>
<authenticationModules>
<add type="System.Net.DigestClient" />
<add type="System.Net.NegotiateClient" />
<add type="System.Net.KerberosClient" />
<add type="System.Net.NtlmClient" />
<add type="System.Net.BasicClient" />
</authenticationModules>
</system.net>
</configuration>
Controlling Access Using the <authorization> Tag
The <authorization> tag is used to control access to specific resources based on permissions granted to the user or role. For any application, you want only authorized users to access your application in certain ways. Historically this has been controlled by the use of user databases, but for small applications configuring permissions this way works well. In addition, if a method of access is needed should the back-end database fail, this provides a good failsafe.
This is done by using the two subtags, <allow> and <deny>. The <allow> subtag controls which users or roles are granted access, and the <deny> subtag controls which users or roles are denied access. Both subtags support the same three attributes, which are described in Table 4.14. All permissions specified through this configuration are read and applied by ASP.NET from the top down; therefore the order in which you specify your permissions is very important.
Table 4.14 <allow> and <deny> Subtag Attributes

Attribute | Description
--- | ---
users | Enables you to designate a list of users to either be allowed or denied access. User names should be separated with a comma. The ? and * symbols are used to specify anonymous or all users, respectively.
roles | Enables you to designate a list of roles to either be allowed or denied access. You should separate roles with a comma.
verbs | Enables you to specify a list of verbs to either allow or deny access to. These include GET, HEAD, POST, and DEBUG. You should separate verbs with a comma.
The following code sample illustrates the use of these tags:
<configuration>
<system.web>
<authorization>
<allow
users="austin,bobby,chris,dave"
roles="Admins"
/>
<deny
users="*"
/>
</authorization>
</system.web>
</configuration>
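The top-down evaluation the chapter describes can be made concrete with this added Python evaluator (example code, not from the book). It loads the <allow> and <deny> rules in document order and lets the first matching rule decide, treating ? as the anonymous user and * as everyone and honouring the verbs attribute from Table 4.14. The three configurations are constructed for the example; the first repeats the chapter's rule order and the second reverses it. The default-allow fallback when no rule matches is an assumption based on the <allow users="*"/> rule every application inherits from machine.config, which the chapter does not discuss.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The first repeats the chapter's rule order; the second reverses it.
CONFIG_ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow users="austin,bobby,chris,dave" roles="Admins" />
  <deny users="*" />
</authorization></system.web></configuration>"""

CONFIG_DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="austin,bobby,chris,dave" roles="Admins" />
</authorization></system.web></configuration>"""

# A verb-scoped rule: anonymous users may read but may not POST.
CONFIG_VERBS = """<configuration><system.web><authorization>
  <deny users="?" verbs="POST" />
</authorization></system.web></configuration>"""

ANONYMOUS, EVERYONE = "?", "*"


def split_list(attr):
    """Comma-separated attribute value -> list of trimmed entries (None or '' -> [])."""
    return [v.strip() for v in attr.split(",") if v.strip()] if attr else []


def load_rules(config_xml):
    """Return (action, users, roles, verbs) tuples in document order."""
    auth = ET.fromstring(config_xml).find("./system.web/authorization")
    rules = []
    for node in (auth if auth is not None else []):
        if node.tag in ("allow", "deny"):
            rules.append((node.tag,
                          split_list(node.get("users")),
                          split_list(node.get("roles")),
                          [v.upper() for v in split_list(node.get("verbs"))]))
    return rules


def rule_matches(rule, user, roles, verb):
    """A rule applies when its verb list (if any) includes the request verb and the
    caller is covered by '*', is anonymous with '?' listed, is named, or holds a listed role."""
    _, users, rule_roles, verbs = rule
    if verbs and verb.upper() not in verbs:
        return False
    if EVERYONE in users:
        return True
    if user is None:                       # anonymous caller: only '?' can match it
        return ANONYMOUS in users
    if user.lower() in (u.lower() for u in users):
        return True
    return any(r.lower() in (x.lower() for x in rule_roles) for r in roles)


def is_authorized(config_xml, user, roles=(), verb="GET"):
    """Scan the rules top down; the first matching rule decides. With no match the request
    is allowed, mirroring the inherited <allow users="*"/> (an assumption, see lead-in)."""
    for rule in load_rules(config_xml):
        if rule_matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True


if __name__ == "__main__":
    print("chris, chapter order :", is_authorized(CONFIG_ALLOW_FIRST, "chris"))
    print("chris, reversed order:", is_authorized(CONFIG_DENY_FIRST, "chris"))
    print("anonymous POST       :", is_authorized(CONFIG_VERBS, None, verb="POST"))
```

Reversing the two rules of the chapter's sample, as CONFIG_DENY_FIRST does, locks everyone out, the Admins role included, because <deny users="*"/> is reached first and nothing below it is ever consulted.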
Configuring Encryption Keys
Using the <machineKey> Tag
The <machineKey> tag enables you to configure encryption keys for use with encryption and decryption of forms authentication cookie data. This is very important to use when high security is necessary for your application. When this is in place, cookies used for forms authentication are encrypted. Forms authentication is explained in the earlier section of this chapter on the <authentication> tag. The <machineKey> tag supports three attributes, as shown in Table 4.15. You can specify this tag at any level except the subdirectory level.
Table 4.15 <machineKey> Tag Attributes

Attribute | Options | Description
--- | --- | ---
validationKey | AutoGenerate/value | Specifies the key used for validation.
decryptionKey | AutoGenerate/value | Specifies the key used for decryption.
validation | SHA1/MD5/3DES | Specifies the type of encryption being used for validation.
As shown in Table 4.15, the validationKey and decryptionKey attributes can either be set to AutoGenerate a key or have a specific value set. This value must be at least 40 characters long and has a maximum limit of 128 characters. The recommended length is 128 hexadecimal characters, for maximum security. If you are using multiple Web servers with your application in a Web farm environment, these keys must match between all Web servers. If you use AutoGenerate with a Web farm, your keys will not match, and your application will not work correctly. The following sample code illustrates the usage of this tag.
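This added Python helper (not the book's code) turns the length rule above into a check and produces keys that satisfy it: generate_key draws 128 hexadecimal characters from the operating system's CSPRNG so the same value can be copied to every farm member, check_key_value validates an explicit key's length and character set, and audit_machine_key reports AutoGenerate whenever web_farm=True. The build_machine_key_config function and the fragment it emits are constructed for the example; treating a missing validationKey or decryptionKey attribute as AutoGenerate is an assumption.

```python
import secrets
import xml.etree.ElementTree as ET

# Limits stated in the chapter: 40 to 128 characters, 128 hex characters recommended.
MIN_KEY_CHARS, MAX_KEY_CHARS, RECOMMENDED_KEY_CHARS = 40, 128, 128
HEX_DIGITS = set("0123456789abcdefABCDEF")


def generate_key(length=RECOMMENDED_KEY_CHARS):
    """Return a random upper-case hexadecimal key of `length` characters
    (128 characters = 64 random bytes), suitable for copying to every farm member."""
    if length % 2 or not MIN_KEY_CHARS <= length <= MAX_KEY_CHARS:
        raise ValueError(f"length must be even and between {MIN_KEY_CHARS} and {MAX_KEY_CHARS}")
    return secrets.token_hex(length // 2).upper()


def check_key_value(value):
    """Validate one explicit key value against the chapter's limits; None means acceptable."""
    if value == "AutoGenerate":
        return None
    if not MIN_KEY_CHARS <= len(value) <= MAX_KEY_CHARS:
        return f"length {len(value)} is outside {MIN_KEY_CHARS}-{MAX_KEY_CHARS} characters"
    if not set(value) <= HEX_DIGITS:
        return "value is not hexadecimal"
    return None


def audit_machine_key(config_xml, web_farm):
    """Return findings for <machineKey>; web_farm=True applies the shared-key requirement."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    findings = []
    if node is None:
        if web_farm:
            findings.append("no <machineKey>: both keys default to AutoGenerate and will "
                            "differ on each server")
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")  # assumed default for a missing attribute
        if value == "AutoGenerate":
            if web_farm:
                findings.append(f"{attr}=AutoGenerate: each farm member generates its own key, "
                                "so a cookie issued by one server fails on another")
            continue
        problem = check_key_value(value)
        if problem:
            findings.append(f"{attr}: {problem}")
        elif len(value) < RECOMMENDED_KEY_CHARS:
            findings.append(f"{attr}: {len(value)} characters; "
                            f"{RECOMMENDED_KEY_CHARS} hexadecimal characters are recommended")
    return findings


def build_machine_key_config(validation_key, decryption_key, validation="SHA1"):
    """Construct the fragment to deploy identically on each server (example data only)."""
    return ('<configuration><system.web>'
            f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            f'validation="{validation}" /></system.web></configuration>')


if __name__ == "__main__":
    print(build_machine_key_config(generate_key(), generate_key()))
```

Generate the two keys once, place the resulting fragment in the web.config of every server in the farm, and keep that file out of source control; the audit then passes for each member, while the same file with AutoGenerate would be reported on every one of them.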