- About the Authors
- Contents at a Glance
- Contents
- Introduction
- Goal of the Book
- How to Use this Book
- Introduction to the .NET Framework
- Common Language Runtime (CLR)
- Class Library
- Assembly
- Versioning
- Exceptions
- Threads
- Delegates
- Summary
- Introduction to C#
- Variables
- Initializing Variables
- Variable Modifiers
- Variable Data Types
- Types of Variables
- Variable Scope
- Types of Data Type Casting
- Arrays
- Strings
- Initializing Strings
- Working with Strings
- Statements and Expressions
- Types of Statements
- Expressions
- Summary
- Classes
- Declaring Classes
- Inheritance
- Constructors
- Destructors
- Methods
- Declaring a Method
- Calling a Method
- Passing Parameters to Methods
- Method Modifiers
- Overloading a Method
- Namespaces
- Declaring Namespaces
- Aliases
- Structs
- Enumerations
- Interfaces
- Writing, Compiling, and Executing
- Writing a C# Program
- Compiling a C# Program
- Executing a C# Program
- Summary
- Arrays
- Single-Dimensional Arrays
- Multidimensional Arrays
- Methods in Arrays
- Collections
- Creating Collections
- Working with Collections
- Indexers
- Boxing and Unboxing
- Preprocessor Directives
- Summary
- Attributes
- Declaring Attributes
- Attribute Class
- Attribute Parameters
- Default Attributes
- Properties
- Declaring Properties
- Accessors
- Types of Properties
- Summary
- Introduction to Threads
- Creating Threads
- Aborting Threads
- Joining Threads
- Suspending Threads
- Making Threads Sleep
- Thread States
- Thread Priorities
- Synchronization
- Summary
- Case Study
- Project Life Cycle
- Analyzing Requirements
- High-Level Design
- Primary and Foreign Keys
- Referential Integrity
- Normalization
- Designing a Database
- Low-Level Design
- Construction
- Integration and Testing
- User Acceptance Testing
- Implementation
- Operations and Maintenance
- Summary
- Creating a New Project
- Console Application
- Windows Applications
- Creating a Windows Application for the Customer Maintenance Project
- Creating an Interface for Form1
- Creating an Interface for WorkerForm
- Creating an Interface for CustomerForm
- Creating an Interface for ReportsForm
- Creating an Interface for JobDetailsForm
- Summary
- Performing Validations
- Identifying the Validation Mechanism
- Using the ErrorProvider Control
- Handling Exceptions
- Using the try and catch Statements
- Using the Debug and Trace Classes
- Using the Debugging Features of Visual Studio .NET
- Using the Task List
- Summary
- Creating Form1
- Connecting WorkerForm to the Workers Table
- Connecting CustomerForm to the tblCustomer Table
- Connecting the JobDetails Form to the tblJobDetails Table
- Summary
- Introduction to the Crystal Reports Designer Tool
- Creating the Reports Form
- Creating Crystal Reports
- Creating the Windows Forms Viewer Control
- Creating the Monthly Worker Report
- Summary
- Introduction to Deploying a Windows Application
- Deployment Projects Available in Visual Studio .NET
- Deployment Project Editors
- Summary
- Case Study
- Project Life Cycle
- Analyzing Requirements
- High-Level Design
- Low-Level Design
- Summary
- Populating the TreeView Control
- Displaying Employee Codes in the TreeView Control
- Event Handling
- Displaying Employee Details in the ListView Control
- Summary
- Case Study
- Project Life Cycle
- Analyzing Requirements
- High-Level Design
- Low-Level Design
- Summary
- Adding the Programming Logic to the Application
- Adding Code to the Form Load() Method
- Adding Code to the OK Button
- Adding Code to the Exit Button
- Summary
- The Created Event
- Adding Code to the Created Event
- Overview of XML
- The XmlReader Class
- The XmlWriter Class
- Displaying Data in an XML Document
- Displaying an Error Message in the Event Log
- Displaying Event Entries from Event Viewer
- Displaying Data from the Summary.xml Document in a Message Box
- Summary
- Airline Profile
- Role of a Business Manager
- Role of a Network Administrator
- Role of a Line-of-Business Executive
- Project Requirements
- Creation and Deletion of User Accounts
- Addition of Flight Details
- Reservations
- Cancellations
- Query of Status
- Confirmation of Tickets
- Creation of Reports
- Launch of Frequent Flier Programs
- Summarizing the Tasks
- Project Design
- Database Design
- Web Forms Design
- Enabling Security with the Directory Structure
- Summary
- Getting Started with ASP.NET
- Prerequisites for ASP.NET Applications
- New Features in ASP.NET
- Types of ASP.NET Applications
- Exploring ASP.NET Web Applications
- Introducing Web Forms
- Web Form Server Controls
- Configuring ASP.NET Applications
- Configuring Security for ASP.NET Applications
- Deploying ASP.NET Applications
- Creating a Sample ASP.NET Application
- Creating a New Project
- Adding Controls to the Project
- Coding the Application
- Summary
- Creating the Database Schema
- Creating Database Tables
- Managing Primary Keys and Relationships
- Viewing the Database Schema
- Designing Application Forms
- Standardizing the Interface of the Application
- Common Forms in the Application
- Forms for Network Administrators
- Forms for Business Managers
- Forms for Line-of-Business Executives
- Summary
- The Default.aspx Form
- The Logoff.aspx Form
- The ManageUsers.aspx Form
- The ManageDatabases.aspx Form
- The ChangePassword.aspx Form
- Restricting Access to Web Forms
- The AddFl.aspx Form
- The RequestID.aspx Form
- The Reports.aspx Form
- The FreqFl.aspx Form
- Coding the Forms for LOB Executives
- The CreateRes.aspx Form
- The CancelRes.aspx Form
- The QueryStat.aspx Form
- The ConfirmRes.aspx Form
- Summary
- Designing the Form
- The View New Flights Option
- The View Ticket Status Option
- The View Flight Status Option
- The Confirm Reservation Option
- Testing the Application
- Summary
- Locating Errors in Programs
- Watch Window
- Locals Window
- Call Stack Window
- Autos Window
- Command Window
- Testing the Application
- Summary
- Managing the Databases
- Backing Up the SkyShark Airlines Databases
- Exporting Data from Databases
- Examining Database Logs
- Scheduling Database Maintenance Tasks
- Managing Internet Information Server
- Configuring IIS Error Pages
- Managing Web Server Log Files
- Summary
- Authentication Mechanisms
- Securing a Web Site with IIS and ASP.NET
- Configuring IIS Authentication
- Configuring Authentication in ASP.NET
- Securing SQL Server
- Summary
- Deployment Scenarios
- Deployment Editors
- Creating a Deployment Project
- Adding the Output of SkySharkDeploy to the Deployment Project
- Deploying the Project to a Web Server on Another Computer
- Summary
- Organization Profile
- Project Requirements
- Querying for Information about All Books
- Querying for Information about Books Based on Criteria
- Ordering a Book on the Web Site
- Project Design
- Database Design
- Database Schema
- Web Forms Design
- Flowcharts for the Web Forms Modules
- Summary
- Introduction to ASP.NET Web Services
- Web Service Architecture
- Working of a Web Service
- Technologies Used in Web Services
- XML in a Web Service
- WSDL in a Web Service
- SOAP in a Web Service
- UDDI in a Web Service
- Web Services in the .NET Framework
- The Default Code Generated for a Web Service
- Testing the SampleWebService Web Service
- Summary
- Creating the SearchAll() Web Method
- Creating the SrchISBN() Web Method
- Creating the AcceptDetails() Web Method
- Creating the GenerateOrder() Web Method
- Testing the Web Service
- Securing a Web Service
- Summary
- Creating the Web Forms for the Bookers Paradise Web Site
- Adding Code to the Web Forms
- Summary
- Case Study
- Project Life Cycle
- Analyzing Requirements
- High-Level Design
- Low-Level Design
- Summary
- Overview of Mobile Applications
- The Microsoft Mobile Internet Toolkit
- Overview of WAP
- The WAP Architecture
- Overview of WML
- The Mobile Web Form
- The Design of the MobileTimeRetriever Application
- Creating the Interface for the Mobile Web Forms
- Adding Code to the MobileTimeRetriever Application
- Summary
- Creating the Forms Required for the MobileCallStatus Application
- Creating the frmLogon Form
- Creating the frmSelectOption Form
- Creating the frmPending Form
- Creating the frmUnattended Form
- Adding Code to the Submit Button in the frmLogon Form
- Adding Code to the Query Button in the frmSelectOption Form
- Adding Code to the Mark checked as complete Button in the frmPending Form
- Adding Code to the Back Button in the frmPending Form
- Adding Code to the Accept checked call(s) Button in the frmUnattended Form
- Adding Code to the Back Button in the frmUnattended Form
- Summary
- What Is COM?
- Windows DNA
- Microsoft Transaction Server (MTS)
- .NET Interoperability
- COM Interoperability
- Messaging
- Benefits of Message Queues
- Limitations
- Key Messaging Terms
- Summary
- Pointers
- Declaring Pointers
- Types of Code
- Implementing Pointers
- Using Pointers with Managed Code
- Working with Pointers
- Compiling Unsafe Code
- Summary
- Introduction to the Languages of Visual Studio .NET
- Visual C# .NET
- Visual Basic .NET
- Visual C++ .NET
- Overview of Visual Basic .NET
- Abstraction
- Encapsulation
- Inheritance
- Polymorphism
- Components of Visual Basic .NET
- Variables
- Constants
- Operators
- Arrays
- Collections
- Procedures
- Arguments
- Functions
- Adding Code to the Submit Button
- Adding Code to the Exit Button
- Summary
- Introduction to Visual Studio .NET IDE
- Menu Bar
- Toolbars
- Visual Studio .NET IDE Windows
- Toolbox
- The Task List Window
- Managing Windows
- Customizing Visual Studio .NET IDE
- The Options Dialog Box
- The Customize Dialog Box
- Summary
- Index
570 Project 4 CREATING AN AIRLINE RESERVATION PORTAL
ASP.NET Authentication Mechanisms
To ensure the security of your Web applications, ASP.NET provides three authentication mechanisms: Forms authentication, Passport authentication, and Windows authentication. These three mechanisms are described as follows:
Forms authentication. This mechanism, also called cookie-based authentication, is based on a single logon form. Users can access this form whenever they need to log on. Some Web sites let you browse through Web forms without logging on; when you do have to log on, you are directed to a logon form, and after a successful logon you are redirected to the original form. In Forms authentication, the logon form is invoked as soon as an unauthenticated user requests a Web form. Cookies are vulnerable to attack by hackers and can be easily read by other users on the site because cookies are transmitted over the Web in unencrypted form. However, cookies can be made safer by encryption. In addition, you can embed the IP address of the original user in the cookie to prevent unauthenticated users from obtaining permissions to resources.
Passport authentication. Passport is the default authentication mechanism that Microsoft provides for its Hotmail, MSN, and Passport services. It is a centralized authentication service, which requires fewer resources because you need not implement additional hardware for authentication. Moreover, all users registered with the Passport authentication service are registered users of the Web site, so Passport authentication caters to a greater number of users than Forms authentication does. To use the Passport authentication service, you need to download the Passport software development kit.
Windows authentication. Windows authentication is implemented in a Windows 2000 domain; users are authenticated against their account in that domain.
Securing a Web Site with IIS and ASP.NET
By configuring security settings on IIS and in the Web.Config file, you can create a highly secure environment for your application. Consider the case of the SkyShark Airlines application.
SECURING THE APPLICATION Chapter 25 571
The corporate office and regional offices of SkyShark Airlines are connected on a LAN. Therefore, every user who accesses the Web application has a valid Windows account. Consequently, as the first level of authentication, you can make Windows authentication available on IIS. This ensures that anonymous users do not access the Web site. As the next level of security, you can enable form-based authentication for your ASP.NET application and validate users with their accounts in the dtUsers table of SQL Server before they can access the Web site resources.
Therefore, the SkyShark Airlines application has two levels of security. The first level of security is implemented by IIS. Users authenticated by IIS access the Web application and are then authenticated against the dtUsers table of the SQL Server database. When users are authenticated, their profile is also retrieved from the dtUsers table, which is used to grant access to Web pages. You can view the mechanism of granting permissions to users for accessing Web pages in Chapter 21, “Implementing the Business Logic.”
To restrict access to Web pages, the SkyShark Airlines application uses the Session variables usrRole and usrName. The code to initialize these variables is discussed in Chapter 21.
I will now discuss the steps to implement Windows authentication on IIS and Forms authentication on ASP.NET.
Enabling Authentication in SkyShark Airlines
In the SkyShark Airlines application, you need to enable Windows authentication on the IIS Web server and Forms authentication for the SkyShark Airlines application. In this section, I list the steps to configure these two authentication modes for the SkyShark Airlines application.
Configuring IIS Authentication
To enable Windows authentication, you can use the IIS console. The steps to open the console and configure the application are given as follows:
1. Click on Start and point to Programs.
2. From the Programs menu, select Administrative Tools and then click on Internet Services Manager. The Internet Information Services window will open.
3. In the Internet Information Services window, double-click on Default Web Site to view a list of Web sites installed on the computer.
4. In Default Web Site, right-click on SkyShark and select Properties. The SkyShark Properties dialog box will appear.
5. Click on the Directory Security tab of the SkyShark Properties dialog box. This tab of the dialog box is shown in Figure 25-1.
FIGURE 25-1 Directory Security tab of the SkyShark Properties dialog box
6. In the SkyShark Properties dialog box, click on Edit in the Anonymous access and authentication control section.
7. In the Authentication Methods dialog box, clear the Anonymous access option and check the Integrated Windows authentication option, as shown in Figure 25-2.
FIGURE 25-2 Enabling Integrated Windows authentication
8. Click on OK to close the Authentication Methods dialog box. The SkyShark Properties dialog box will reappear.
9. Click on OK to close the SkyShark Properties dialog box.
Your Web server is now configured for Windows authentication. Next, you need to configure the Web application to use Forms authentication. In the next section, I will discuss Forms authentication in ASP.NET.
Configuring Authentication in ASP.NET
To configure ASP.NET security, you need to specify a default logon page that is displayed to a user if the identity of the user is not validated. The default logon page for SkyShark Airlines is default.aspx. Therefore, if an unauthenticated user tries to navigate directly to a page of the Web application, the user will be directed to the default.aspx page.
ASP.NET provides the System.Web.Security namespace, which makes the necessary classes available for configuring authentication. To authenticate a user, you use the FormsAuthentication class of the System.Web.Security namespace. Some important methods of this class, which help you authenticate users on your Web application, are listed in Table 25-2.
Table 25-2 Methods of the FormsAuthentication Class

| Method | Description |
|---|---|
| Authenticate | Validates usernames and passwords against those specified in the data store. |
| GetAuthCookie | Creates an authentication cookie for an authenticated user. The cookie can be used for identifying authenticated users. |
| RedirectFromLoginPage | After validating a user, redirects the user to the requested page. |
| RenewTicketIfOld | Renews/revalidates the authentication ticket of a user after it is no longer valid. |
| SignOut | Logs a user off from the Web application. |
To implement Forms authentication, you need to change the <authentication> and <authorization> elements of the Web.Config file. By default, when you create a new application, authentication is not enabled in your application, as specified by the following line in the Web.Config file:

```xml
<authentication mode="None" />
```

To enable Forms authentication on your Web site, change the <authentication> element as follows:

```xml
<authentication mode="Forms">
  <forms loginUrl="default.aspx" name=".ASPXFORMSAUTH" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
```
In the preceding code snippet, I have changed the authentication mode to Forms by changing the mode attribute of the <authentication> element.
When the authentication mode is set to Forms, the Web application issues a cookie to an authenticated user. You need to specify the suffix of the cookie by using the name attribute of the <forms> element. You also need to specify the name of the logon form, to which an unauthenticated user is redirected. In the preceding code snippet, I have specified the name of the logon form as default.aspx, which is the logon form for SkyShark Airlines, and the suffix of the cookies is specified as .ASPXFORMSAUTH.
TIP
ASP.NET uses the * and ? user types to control access to Web site resources. The * user type represents all users and the ? user type represents anonymous users.
After enabling Forms authentication, you need to prevent anonymous users from accessing the Web application. The <deny users="?"/> statement uses the ? user type to deny access to anonymous users.
After enabling custom authentication for SkyShark Airlines, you can modify the code of the default.aspx form so that an authentication ticket is issued to the user after the user's credentials are validated. To issue authentication tickets, the FormsAuthentication class provides the GetAuthCookie and RedirectFromLoginPage methods. The difference between the two methods is that GetAuthCookie generates an authentication ticket but does not redirect the user to the page requested initially, whereas RedirectFromLoginPage authenticates the user and then redirects the user to the page requested initially.
For the SkyShark Airlines application, you need to use the GetAuthCookie method to generate the authentication ticket. You cannot use the RedirectFromLoginPage method because you have implemented a custom solution based on Session state variables, which redirect users to Web forms depending on their role. For example, if you used the RedirectFromLoginPage method and a line-of-business executive requested the ManageUsers.aspx page, which should be accessible to network administrators only, RedirectFromLoginPage would authenticate the executive and redirect him to ManageUsers.aspx. This should not be the case.
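The following code-behind is an added example, not the book's own listing, of how the default.aspx logon form can issue the ticket with GetAuthCookie and then route the user by the role stored in Session, with a matching guard on a page restricted to network administrators. The connection-string key, the dtUsers column names, the role strings and the landing pages other than ManageUsers.aspx are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the default.aspx logon form (added example, not the book's listing).
// The connection-string key and the dtUsers column names are assumptions.
public class LogonPage : Page
{
    protected TextBox txtUserName;
    protected TextBox txtPassword;
    protected Label lblMessage;

    // Returns the user's role from dtUsers, or null when the credentials do not match.
    // The entered values are passed as parameters, never concatenated into the SQL text.
    private string LookupRole(string userName, string password)
    {
        string connStr = ConfigurationSettings.AppSettings["SkySharkDb"];
        using (SqlConnection cn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT usrRole FROM dtUsers WHERE usrName = @u AND usrPassword = @p", cn))
        {
            cmd.Parameters.Add("@u", SqlDbType.VarChar, 50).Value = userName;
            cmd.Parameters.Add("@p", SqlDbType.VarChar, 50).Value = password;
            cn.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matches
        }
    }

    protected void btnLogon_Click(object sender, EventArgs e)
    {
        string role = LookupRole(txtUserName.Text, txtPassword.Text);
        if (role == null) { lblMessage.Text = "Invalid user name or password."; return; }

        // GetAuthCookie issues the .ASPXFORMSAUTH ticket but does not redirect, so the
        // landing page is chosen by role instead of by the originally requested URL.
        Response.Cookies.Add(FormsAuthentication.GetAuthCookie(txtUserName.Text, false));
        Session["usrName"] = txtUserName.Text;
        Session["usrRole"] = role;

        switch (role)   // role strings and pages other than ManageUsers.aspx are assumed
        {
            case "NetworkAdministrator": Response.Redirect("ManageUsers.aspx"); break;
            case "BusinessManager":      Response.Redirect("AddFl.aspx"); break;
            default:                     Response.Redirect("CreateRes.aspx"); break;
        }
    }
}

// Guard for a page restricted to network administrators, such as ManageUsers.aspx:
// the Forms ticket proves who the user is; the Session role decides what they may open.
public class ManageUsersPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if ((string)Session["usrRole"] != "NetworkAdministrator")
            Response.Redirect("default.aspx");
    }
}
```

Because the ticket is issued without RedirectFromLoginPage, the role check in Page_Load is what keeps an authenticated line-of-business executive out of ManageUsers.aspx.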
The GetAuthCookie method uses two parameters to generate the authentication ticket, the username and the state of the cookie (persistent or not). To generate