- Preface
- Who Should Read This Book
- Organization and Presentation
- Contacting the Authors
- Acknowledgments
- Contents
- Introduction
- Why Microsoft .NET?
- The Microsoft .NET Architecture
- Internet Standards
- The Evolution of ASP
- The Benefits of ASP.NET
- What Is .NET?
- .NET Experiences
- .NET Clients
- .NET Services
- .NET Servers
- Review
- Quiz Yourself
- Installation Requirements
- Installing ASP.NET and ADO.NET
- Installing the .NET Framework SDK
- Testing Your Installation
- Support for .NET
- Review
- Quiz Yourself
- Designing a Database
- Normalization of Data
- Security Considerations
- Review
- Quiz Yourself
- Creating a Database
- Creating SQL Server Tables
- Creating a View
- Creating a Stored Procedure
- Creating a Trigger
- Review
- Quiz Yourself
- INSERT Statements
- DELETE Statements
- UPDATE Statements
- SELECT Statements
- Review
- Quiz Yourself
- The XML Design Specs
- The Structure of XML Documents
- XML Syntax
- XML and the .NET Framework
- Review
- Quiz Yourself
- ASP.NET Events
- Page Directives
- Namespaces
- Choosing a Language
- Review
- Quiz Yourself
- Introducing HTML Controls
- Using HTML controls
- How HTML controls work
- Intrinsic HTML controls
- HTML Control Events
- The Page_OnLoad event
- Custom event handlers
- Review
- Quiz Yourself
- Intrinsic Controls
- Using intrinsic controls
- Handling intrinsic Web control events
- List Controls
- Rich Controls
- Review
- Quiz Yourself
- Creating a User Control
- Adding User Control Properties
- Writing Custom Control Methods
- Implementing User Control Events
- Review
- Quiz Yourself
- Common Aspects of Validation Controls
- Display property
- Type Property
- Operator Property
- Using Validation Controls
- RequiredFieldValidator
- RegularExpressionValidator
- CompareValidator
- RangeValidator
- CustomValidator
- ValidationSummary
- Review
- Quiz Yourself
- Maintaining State Out of Process for Scalability
- No More Cookies but Plenty of Milk!
- Out of Process State Management
- Review
- Quiz Yourself
- Introducing the Key Security Mechanisms
- Web.config and Security
- Special identities
- Using request types to limit access
- New Tricks for Forms-based Authentication
- Using the Passport Authentication Provider
- Review
- Quiz Yourself
- ASP.NET Updates to the ASP Response Model
- Caching with ASP.NET
- Page Output Caching
- Absolute cache expiration
- Sliding cache expiration
- Fragment Caching
- Page Data Caching
- Expiration
- File and Key Dependency and Scavenging
- Review
- Quiz Yourself
- A Brief History of Microsoft Data Access
- Differences between ADO and ADO.NET
- Transmission formats
- Connected versus disconnected datasets
- COM marshaling versus text-based data transmission
- Variant versus strongly typed data
- Data schema
- ADO.NET Managed Provider Versus SQL Managed Provider
- Review
- Quiz Yourself
- Review
- Quiz Yourself
- Creating a Connection
- Opening a Connection
- Using Transactions
- Review
- Quiz Yourself
- Building a Command
- Connection property
- CommandText property
- CommandType property
- CommandTimeout property
- Appending parameters
- Executing a Command
- ExecuteNonQuery method
- Prepare method
- ExecuteReader method
- Review
- Quiz Yourself
- Introducing DataReaders
- Using DataReader Properties
- Item property
- FieldCount property
- IsClosed property
- RecordsAffected property
- Using DataReader Methods
- Read method
- GetValue method
- Get[Data Type] methods
- GetOrdinal method
- GetName method
- Close method
- Review
- Quiz Yourself
- Constructing a DataAdapter Object
- SelectCommand property
- UpdateCommand, DeleteCommand, and InsertCommand properties
- Fill method
- Update method
- Dispose method
- Using DataSet Objects
- DataSetName property
- CaseSensitive property
- Review
- Quiz Yourself
- Constructing a DataSet
- Tables property
- TablesCollection Object
- Count property
- Item property
- Contains method
- CanRemove method
- Remove method
- Add method
- DataTable Objects
- CaseSensitive property
- ChildRelations property
- Columns property
- Constraints property
- DataSet property
- DefaultView property
- ParentRelations property
- PrimaryKey property
- Rows property
- Dispose method
- NewRow method
- Review
- Quiz Yourself
- What Is Data Binding?
- Binding to Arrays and Extended Object Types
- Binding to Database Data
- Binding to XML
- TreeView Control
- Implement the TreeView server control
- Review
- Quiz Yourself
- DataGrid Control Basics
- Binding a set of data to a DataGrid control
- Formatting the output of a DataGrid control
- Master/Detail Relationships with the DataGrid Control
- Populating the Master control
- Filtering the detail listing
- Review
- Quiz Yourself
- Updating Your Data
- Handling the OnEditCommand Event
- Handling the OnCancelCommand Event
- Handling the OnUpdateCommand Event
- Checking that the user input has been validated
- Executing the update process
- Deleting Data with the OnDeleteCommand Event
- Sorting Columns with the DataGrid Control
- Review
- Quiz Yourself
- What Is Data Shaping?
- Why Shape Your Data?
- DataSet Object
- Shaping Data with the Relations Method
- Review
- Quiz Yourself
- OLEDBError Object Description
- OLEDBError Object Properties
- OLEDBError Object Methods
- OLEDBException Properties
- Writing Errors to the Event Log
- Review
- Quiz Yourself
- Introducing SOAP
- Accessing Remote Data with SOAP
- SOAP Discovery (DISCO)
- Web Service Description Language (WSDL)
- Using SOAP with ASP.NET
- Review
- Quiz Yourself
- Developing a Web Service
- Consuming a Web Service
- Review
- Quiz Yourself
- ASP and ASP.NET Compatibility
- Scripting language limitations
- Rendering HTML page elements
- Using script blocks
- Syntax differences and language modifications
- Running ASP Pages under Microsoft.NET
- Using VB6 Components with ASP.NET
- Review
- Quiz Yourself
- Preparing a Migration Path
- ADO and ADO.NET Compatibility
- Running ADO under ASP.NET
- Early Binding ADO COM Objects in ASP.NET
- Review
- Quiz Yourself
- Answers to Part Reviews
- Friday Evening Review Answers
- Saturday Morning Review Answers
- Saturday Afternoon Review Answers
- Saturday Evening Review Answers
- Sunday Morning Review Answers
- Sunday Afternoon Review Answers
- What’s on the CD-ROM
- System Requirements
- Using the CD with Windows
- What’s on the CD
- The Software Directory
- Troubleshooting
- ADO.NET Class Descriptions
- Coding Differences in ASP and ASP.NET
- Retrieving a Table from a Database
- Displaying a Table from a Database
- Variable Declarations
- Statements
- Comments
- Indexed Property Access
- Using Arrays
- Initializing Variables
- If Statements
- Case Statements
- For Loops
- While Loops
- String Concatenation
- Error Handling
- Conversion of Variable Types
- Index
Saturday Afternoon, p. 124 (Session 13: Authentication and Authorization)
super user, power user, administrator or anonymous is defined by the application and given access to execute certain files, run certain functions or add/update/delete certain data.
Impersonation is when an application assumes the user’s identity as the request is passed to the application from IIS; access is then granted or denied based on the impersonated identity. So we could establish two accounts in the application, called genericUser and superUser, and then selectively have incoming Web clients run as one of these accounts depending on the rules established during authorization for each specific user.
Web.config and Security
ASP.NET uses two types of XML configuration file, called machine.config and Web.config. The format of these files and the elements they can contain are the same; the difference is that machine.config provides the default configuration for all applications and directories, while a Web.config file allows you to override those defaults for a specific application or virtual directory. The machine.config file is located at:
[install drive]:\WINNT\Microsoft.NET\Framework\[ASP.NET Version Number]\CONFIG
and there is only one copy of this file per Web server, whereas there may be dozens of Web.config files for various applications and subdirectories.
You can establish the conditions for access to a particular directory or application by modifying the <system.Web> section in your application’s Web.config file. The conditions you set in the Web.config file apply to the directory that contains it, as well as to all of its subdirectories.
Within the Web.config file, the <system.Web> section establishes the security profile for the application or directories it governs. The general syntax for the security section of the Web.config file is illustrated in Listing 13-1:
Listing 13-1 General syntax for the security section of the Web.config file
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <location path="[Path of specific file to which system.Web applies]">
    <system.Web>
      <authentication mode="[Windows/Forms/Passport/None]">
        <forms name="[name]" loginUrl="[url]" protection="[All, None, Encryption, Validation]" timeout="[time in minutes]" path="[path]">
          <credentials passwordFormat="[Clear, SHA1, MD5]">
            <user name="[UserName]" password="[password]"/>
          </credentials>
        </forms>
        <Passport redirecturl="internal" />
      </authentication>
      <authorization>
        <allow users="[comma separated list of users]" roles="[comma separated list of roles]" verb="[GET, POST, HEAD]"/>
        <deny users="[comma separated list of users]" roles="[comma separated list of roles]" verb="[GET, POST, HEAD]"/>
      </authorization>
      <identity impersonate="[true/false]" name="[Domain\Username to operate under]" password="[password of Domain\UserName]"/>
    </system.Web>
  </location>
</configuration>
Note
Note the use of camel-casing throughout the Web.config and machine.config files, where the first letter of the first word is always lower-case and the first letter of each subsequent word is upper-case, as in “configSections”. This is important because the entire file is case sensitive, and errors in case will create application errors.
The default and optional values for these elements are shown in Table 13-1.
Table 13-1 Default and Optional Values for Security Section of Web.config

Each entry gives the element with its default value, followed by the optional values and a comment.

<location path="">
  Optional values: any string that represents a valid path to a file
  Comment: If you include a location tag, then the settings contained in the <system.Web> section following this tag will only apply to the specific file path named in the path property. This tag is optional and should typically only be used for files not supported by ASP.NET.

<authentication mode="Windows">
  Optional values: Forms, Passport, None
  Comment: The authentication mode cannot be set at a level below the application root directory.

<forms name=".ASPXAUTH">
  Optional values: any string for storing the cookie
  Comment: You can use any string you like for the cookie name.

<forms loginUrl="login.aspx">
  Optional values: any valid absolute or relative URL
  Comment: If the mode is set to Forms, and if the request does not have a valid cookie, this is the URL to which the request is directed for a forms-based login.

<forms protection="None">
  Optional values: All, None, Encryption and Validation
  Comment: The value within the cookie can be encrypted or sent in plain text. For sites that only use forms authentication to identify a user and not for security purposes, the default None is just fine.

<forms path="/">
  Optional values: any valid string
  Comment: Specifies the path value of the cookie. Cookies are only visible to the path and server that sets the cookie.

<credentials passwordFormat="sha1">
  Optional values: Clear, MD5
  Comment: Tells ASP.NET the password format used to decrypt the password value of the user attribute. Note that just setting this value does not automatically encrypt the password value; instead it is the developer’s responsibility to add the password value in an encrypted format.

<Passport redirecturl="internal">
  Optional values: any valid URL that provides a login validation
  Comment: The authentication mode must equal “Passport” for this to apply. When the requested page requires authentication and the user has not signed on with Passport, then the user will be redirected to the supplied “redirecturl”.

<user name="">
  Optional values: any valid user name as string
  Comment: For example, use the value “jsmith”.

<user password="">
  Optional values: any valid password as string
  Comment: For example, use the value “jsmithspassword”.

<allow users="*">
  Optional values: any comma-delimited list of users
  Comment: By default the special character * indicates that all users are allowed; alternatively, ? indicates that anonymous users are allowed.

<allow roles="">
  Optional values: any comma-delimited list of roles
  Comment: The special character * indicates that all roles are allowed.

<deny users="">
  Optional values: any comma-delimited list of users
  Comment: The special characters * for all users and ? for anonymous users can be used.

<deny roles="">
  Optional values: any comma-delimited list of roles
  Comment: The special character * for all roles can be used.

<identity impersonate="false">
  Optional values: True
  Comment: With impersonation set to “True”, the usernames and passwords will be compared against valid NT User Groups to determine access based upon NTFS Access Control Lists.
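The credentials row above makes a point that is easy to miss: ASP.NET hashes only the password the user submits, so the value in <user password="..."/> must already be the digest. The following added example (not code from the book) computes that digest and checks a login against a constructed <credentials> element; it assumes the digest is the uppercase hex SHA1 or MD5 of the UTF-8 password, and the sample configuration is constructed here.

```python
# Added example, not from the book: verify a Forms-authentication login against
# a <credentials> element. The configuration stores a digest, never the clear-text
# password, so the digest must be produced beforehand by the developer.
# Assumption: digest = uppercase hex SHA1/MD5 of the UTF-8 encoded password.
import hashlib
import hmac
import xml.etree.ElementTree as ET

def hash_for_config(password, password_format="SHA1"):
    """Value to place in <user password="..."/> for the given passwordFormat."""
    fmt = password_format.lower()
    if fmt == "clear":
        return password
    if fmt not in ("sha1", "md5"):
        raise ValueError("passwordFormat must be Clear, SHA1 or MD5")
    return hashlib.new(fmt, password.encode("utf-8")).hexdigest().upper()

def check_credentials(config_xml, username, password):
    """True only if the user exists and the digest of the submitted password matches."""
    root = ET.fromstring(config_xml)
    # Tag names are matched case-insensitively so both spellings of system.web parse.
    creds = next((e for e in root.iter() if e.tag.lower() == "credentials"), None)
    if creds is None:
        return False
    fmt = creds.get("passwordFormat", "SHA1")
    submitted = hash_for_config(password, fmt)
    for user in creds.findall("user"):
        if user.get("name", "").lower() != username.lower():
            continue
        stored = user.get("password", "")
        if fmt.lower() != "clear":
            stored = stored.upper()          # hex digest case is irrelevant
        # Constant-time comparison so a wrong password is not distinguishable by timing.
        return hmac.compare_digest(stored.encode("utf-8"), submitted.encode("utf-8"))
    return False                             # unknown user

# Constructed sample: the digest is generated here, so the clear-text password
# never appears in the configuration text itself.
SAMPLE_CONFIG = """<configuration><system.Web><authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All">
    <credentials passwordFormat="SHA1">
      <user name="jsmith" password="%s"/>
    </credentials>
  </forms></authentication></system.Web></configuration>""" % hash_for_config("jsmithspassword")
```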
Note
The ASP.NET Configuration System only applies to ASP.NET Resources, which are those items handled by the xspisapi.dll. By default items not handled by this DLL, such as TXT, HTML, GIF, JPEG, and ASP files, are not secured by the Web.config. To secure these items use the IIS admin tool to register these files, or use the <location> tag to specify a specific file or directory.
The following example grants access to Tony, while denying it to Jason and anonymous users:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.Web>
    <authorization>
      <allow users="Tony" />
      <deny users="Jason" />
      <deny users="?" />
    </authorization>
  </system.Web>
</configuration>
Next we’ll look at how users and roles may refer to multiple entities using a comma-separated list:
<allow users="Tony, Jason, DomainName\tcaudill" />
As you can see, the domain account (DomainName\tcaudill) must include both the domain and user name combination.
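The example above relies on how ASP.NET evaluates the <authorization> rules: they are examined top to bottom, the first <allow> or <deny> that matches the caller decides, and a caller no rule matches falls through to the inherited machine.config default of <allow users="*"/>. The following added example (not code from the book) implements that evaluation over the book’s own Tony/Jason configuration, including comma-separated lists, the verb attribute and the * and ? identities; the sample configuration is constructed here and the anonymous caller is represented by an empty user name.

```python
# Added example, not from the book: evaluate a Web.config <authorization> section
# the way ASP.NET URL authorization does (first matching rule wins; no match means
# the inherited machine.config default <allow users="*"/> applies).
import xml.etree.ElementTree as ET

def _split(attr):
    """Turn a comma-delimited attribute value into a list of trimmed names."""
    return [p.strip() for p in (attr or "").split(",") if p.strip()]

def _matches(rule, user, roles, verb):
    """True if one <allow>/<deny> rule applies to this user, roles and HTTP verb."""
    verbs = [v.upper() for v in _split(rule.get("verb"))]
    if verbs and verb.upper() not in verbs:     # no verb attribute means every verb
        return False
    for name in _split(rule.get("users")):
        if name == "*":                          # special identity: all users
            return True
        if name == "?" and user == "":           # special identity: anonymous
            return True
        if name.lower() == user.lower():         # account names compared case-insensitively
            return True
    lowered = [r.lower() for r in roles]
    for role in _split(rule.get("roles")):
        if role == "*" or role.lower() in lowered:
            return True
    return False

def is_authorized(config_xml, user, roles=(), verb="GET"):
    """Apply the first-match rule; user == "" represents the anonymous identity."""
    root = ET.fromstring(config_xml)
    # Tag names are matched case-insensitively so both spellings of system.web parse.
    auth = next((e for e in root.iter() if e.tag.lower() == "authorization"), None)
    if auth is None:
        return True
    for rule in auth:
        if rule.tag.lower() in ("allow", "deny") and _matches(rule, user, roles, verb):
            return rule.tag.lower() == "allow"
    return True                                  # fell through to the inherited default

# Constructed sample: the book's "allow Tony, deny Jason and anonymous" section.
SAMPLE_CONFIG = """<configuration>
  <system.Web>
    <authorization>
      <allow users="Tony" />
      <deny users="Jason" />
      <deny users="?" />
    </authorization>
  </system.Web>
</configuration>"""
```

Note that a user such as Alice, whom no rule names, is still allowed by this section because nothing denies her; a trailing <deny users="*" /> is what closes that gap.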
Special identities
In addition to identity names, there are two special identities: *, which refers to all identities, and ?, which refers to the anonymous identity. So, to allow Jason and deny all other users, you could set the configuration section as shown in the following code sample:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.Web>
    <authorization>
      <allow users="Jason" />