SECURING THE APPLICATION |
Chapter 25 |
571 |
|
|
|
|
|
The corporate office and regional offices of SkyShark Airlines are connected on a LAN. Therefore, every user who accesses the Web application has a valid Windows account. Consequently, as the first level of authentication, you can make Windows authentication available on IIS. This ensures that anonymous users do not access the Web site. As the next level of security, you can enable form-based authentication for your ASP.NET application and validate users with their accounts in the dtUsers table of SQL Server before they can access the Web site resources.
Therefore, the SkyShark Airlines application has two levels of security. The first level of security is implemented by IIS. Users authenticated by IIS access the Web application and are then authenticated against the dtUsers table of the SQL Server database. When users are authenticated, their profile is also retrieved from the dtUsers table, which is used to grant access to Web pages. You can view the mechanism of granting permissions to users for accessing Web pages in Chapter 21, “Implementing the Business Logic.”
To restrict access to Web pages, the SkyShark Airlines application uses the Session variables usrRole and usrName. The code to initialize these variables is discussed in Chapter 21.
I will now discuss the steps to implement Windows authentication on IIS and Forms authentication on ASP.NET.
Enabling Authentication
in SkyShark Airlines
In the SkyShark Airlines application, you need to enable Windows authentication on the IIS Web server and Forms authentication for the SkyShark Airlines application. In this section, I list the steps to configure these two authentication modes for the SkyShark Airlines application.
Configuring IIS Authentication
To enable Windows authentication, you can use the IIS console. The steps to open the console and configure the application are given as follows:
1. Click on Start and point to Programs.
572Project 4 CREATING AN AIRLINE RESERVATION PORTAL
2.From the Programs menu, select Administrative Tools and then click on Internet Services Manager. The Internet Information Services window will open.
3.In the Internet Information Services window, double-click on Default Web Site to view a list of Web sites installed on the computer.
4.In Default Web Site, right-click on SkyShark and select Properties. The SkyShark Properties dialog box will appear.
5.Click on the Directory Security tab of the SkyShark Properties dialog box.This tab of the dialog box is shown in Figure 25-1.
FIGURE 25-1 Directory Security tab of the SkyShark Properties dialog box
6.In the SkyShark Properties dialog box, click on Edit in the Anonymous access and authentication control section.
7.In the Authentication Methods dialog box, clear the Anonymous access option and check the Integrated Windows authentication option, as shown in Figure 25-2.
SECURING THE APPLICATION |
Chapter 25 |
573 |
|
|
|
|
|
FIGURE 25-2 Enabling Integrated Windows authentication
8.Click on OK to close the Authentication Methods dialog box.The SkyShark Properties dialog box will reappear.
9.Click on OK to close the SkyShark Properties dialog box.
Your Web server is now configured for Windows authentication. Next, you need to configure the Web application to use Form authentication. In the next section, I will discuss Form authentication in ASP.NET.
Configuring Authentication in ASP.NET
To configure ASP.NET security, you need to specify a default logon page that is displayed to a user if the identity of the user is not validated. The default logon page for SkyShark Airlines is default.aspx. Therefore, if an unauthenticated user tries to navigate directly to a page of the Web application, the user will be directed to the default.aspx page.
ASP.NETprovides the System.Web.Security namespace that makes the necessary classes available for configuring authentication. To authenticate a user, you need
to use the FormsAuthentication class of the System.Web.Security namespace.
Some important functions of this class, which help you to authenticate users on your Web application, are listed in Table 25-2.
574 |
Project 4 |
CREATING AN AIRLINE RESERVATION PORTAL |
||
|
|
|
|
|
|
|
Table 25-2 Methods of the FormsAuthentication Class |
||
|
|
|
|
|
|
|
Method |
Description |
|
|
|
|
|
|
|
|
Authenticate |
The Authenticate method validates usernames and passwords |
|
|
|
|
|
against those specified in the data store. |
|
|
GetAuthCookie |
The GetAuthCookie method creates an authentication cookie for |
|
|
|
|
|
an authenticated user. The cookie can be used for identifying |
|
|
|
|
authenticated users. |
|
|
RedirectFromLoginPage |
After validating a user, the RedirectFromLoginPage method redi- |
|
|
|
|
|
rects a user to the requested page. |
|
|
RenewTicketIfOld |
The RenewTicketIfOld method renews/revalidates the authentica- |
|
|
|
|
|
tion ticket of a user after it is no longer valid. |
|
|
SignOut |
The SignOut method is used for logging a user off from the Web |
|
|
|
|
|
application. |
|
|
|
|
|
To implement Forms authentication, you need to change the <authentication> and <authorization> elements of the Web.Config file. By default, when you create a new application, authentication is not enabled in your application, as specified by the following line of code in the Web.Config file:
<authentication mode=”None”/>
To enable Forms authentication on your Web site, change the <authentication> property as follows:
<authentication mode=”Forms”>
<forms loginUrl=”default.aspx” name=”.ASPXFORMSAUTH”/> </authentication>
<authorization>
<deny users=”?” /> </authorization>
In the preceding code snippet, I have changed the authentication mode to Forms by changing the mode attribute of the <authentication> element.
When the authentication mode is set to Forms, the Web application issues a cookie to an authenticated user. You need to specify the suffix of the cookie by using the
SECURING THE APPLICATION |
Chapter 25 |
575 |
|
|
|
|
|
name attribute of the <forms> element. You also need to specify the name of the logon form, where an unauthenticated user is redirected. In the preceding code snippet, I have specified the name of the logon form as default.aspx, which is the logon form for SkyShark Airlines, and the suffix of the cookies is specified as
.ASPXFORMSAUTH.
TIP
ASP.NET uses the * and ? user types to control access to Web site resources. The * user type represents all users and the ? user type represents anonymous users.
After enabling Forms authentication, you need to prevent Web application access to anonymous users.The <deny users=”?”/> statement uses the ? user type to prevent access to anonymous users.
After enabling custom authentication for SkyShark Airlines, you can modify the code of the default.aspx form so that an authentication ticket can be issued to the user after the user’s credentials are validated. To issue authentication tickets, the
FormsAuthentication class provides the GetAuthCookie and RedirectFromLoginPage
methods. The difference in the two methods is that the GetAuthCookie method generates an authentication ticket but does not redirect the user to the page requested initially. However, the RedirectFromLoginPage method authenticates the user and then redirects the user to the page requested initially.
For the SkyShark Airlines application, you need to use the GetAuthCookie method to generate the authentication ticket. You cannot use the RedirectFromLoginPage method because you have implemented a custom solution based on Session state variables. These variables redirect the user to Web forms depending upon the role of the users. For example, if you implement the RedirectFromLoginPage method, when a line-of-business executive requests the ManageUsers.aspx page, which should be accessible to network administrators only, the RedirectFromLoginPage method will authenticate and redirect him to the ManageUsers.aspx page. This should not be the case.
The GetAuthCookie method uses two parameters to generate the authentication ticket, the username and the state of the cookie (persistent or not). To generate