ASP .NET Database Programming Weekend Crash Course - J. Butler, T. Caudill.pdf

Saturday Afternoon

Using the Passport Authentication Provider

Passport authentication is a service supported by Microsoft that provides a centralized authentication service for single sign-on and core profile services. Using Passport authentication is not mandatory, but the benefits of using such a service are apparent when you look at the number of Internet users handled by the Microsoft Hotmail or MSN services. These users already have profiles established as part of these services, and you can use this data for your own public Web sites. Additionally, it simplifies users’ experience with your site, in that they do not need to go through a second registration process but can instead use an existing profile. Should a new visitor not have a Passport profile, the service provides methods to register the user for a new Passport userid.

The PassportAuthenticationModule provider supplies a wrapper around the Passport Software Development Kit (SDK) for ASP.NET applications. It requires installation of the Passport SDK and provides Passport authentication services and profile information from an IIdentity-derived class called PassportIdentity. This provides an interface to the Passport profile information as well as methods to encrypt and decrypt Passport authentication tickets.

The general process for implementing Passport authentication in an ASP.NET application is as follows:

1. Establish a PREP Passport Account. In order to test the SDK you will need to create a PREP Passport Account, which effectively creates a testing account for development purposes. This can be done at https://current-register.passporttest.com/

2. Download, install, and configure the Passport SDK. It can be found at http://www.passport.com/devinfo/Start_Goals.asp. When installing, be sure to select the installation options for Development/Testing unless you are planning on implementing a production environment. This option will install a sample application of AdventureWorks that utilizes the Passport Authentication Scheme. However, this version utilizes standard ASP rather than the ASP.NET Passport approach.

3. Create a new PREP Site ID by following the instructions at http://siteservices.passport.com/

4. Create a virtual directory on your default Web site to store the Web.config and login.aspx files discussed below.

5. Make sure that your site has access to the Internet. The Passport service operates by using the public site http://current-login.passporttest.com.

6. Create a Web.config file and set up Passport as the authentication mode, as shown in the following example.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Passport">
      <passport redirectUrl="login.aspx" />
    </authentication>
    <authorization>
      <!-- "*" matches every user; "?" matches only anonymous users -->
      <deny users="*" />
    </authorization>
    <sessionState mode="InProc" cookieless="false" timeout="20" />
  </system.web>
</configuration>

Session 13—Authentication and Authorization

7. Next you will need to create a basic login.aspx file, to which the user will be sent by default when they first request a file from your site, as shown in the following example:

<%@ Page Language="vb" %>
<%@ Import Namespace="System.Web" %>
<%@ Import Namespace="System.Web.SessionState" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Web.HttpUtility" %>
<SCRIPT LANGUAGE="VB" RUNAT="SERVER">
Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs)
    Dim oPassport As Web.Security.PassportIdentity
    Dim sReturnURL As String
    Dim sLogoURL As String
    Dim sAuthURL As String

    'Create a new PassportIdentity object
    oPassport = New Web.Security.PassportIdentity

    'Dynamically generate the ReturnURL as this page
    sReturnURL = Server.URLEncode("http://" & Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("SCRIPT_NAME"))

    'Establish the PassportIdentity.LogoURL
    sLogoURL = oPassport.LogoTag2(sReturnURL, 3600, True, Nothing, 1033, True, Nothing, Nothing, True)

    'Determine the user's authenticated status
    If oPassport.IsAuthenticated() Then
        Response.Write("<H3>You are Authenticated, Click Below To SignOut, Note that unless you have a valid Passport Contract with Microsoft, SignOut functionality may not work properly.</H3>")
    Else
        Response.Write("<H3>You are Not Authenticated, Click Below To Login.</H3>")
    End If

    'Dynamically display the appropriate Passport Login or Logout Logo
    Response.Write(sLogoURL)
End Sub
</SCRIPT>
<HTML>
<BODY>
</BODY>
</HTML>

In this example, we are using PassportIdentity to do all of the authentication labor. First we create a variable sReturnURL, which holds the URL to which Passport should redirect the user after a successful login or logout. We then use sReturnURL to create the string variable sLogoURL using the PassportIdentity.LogoTag2() method, which will dynamically display a login or logout graphic depending on the status of the user’s session.


To determine if a user is in fact already authenticated we use the PassportIdentity.IsAuthenticated property, which returns True if a user is authenticated or False otherwise. Depending upon the user’s state, we display a message indicating whether they are logged on or not. If they are logged in, then the Passport service will automatically create the Passport sign-out hyperlink; otherwise we insert the string of HTML stored in the sLogoURL value, creating a dynamic hyperlink to the Passport sign-in page.
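The <authorization> section of the step 6 Web.config is evaluated from top to bottom, and the first rule that matches the request decides it. The following Python sketch is an added example, not code from the book or from ASP.NET: it models that evaluation for users and verbs only (roles are not modelled, and case-insensitive user-name matching is an assumption), using a constructed copy of the configuration and a hypothetical user name to compare a deny rule for "*" with one for "?".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the step 6 Web.config, and a variant that denies only "?".
BOOK_CONFIG = """<configuration><system.web>
  <authentication mode="Passport"><passport redirectUrl="login.aspx" /></authentication>
  <authorization><deny users="*" /></authorization>
</system.web></configuration>"""
ANON_ONLY_CONFIG = BOOK_CONFIG.replace('users="*"', 'users="?"')

def _csv(element, attr):
    """Split a comma-separated attribute value into a clean list."""
    return [v.strip() for v in element.get(attr, "").split(",") if v.strip()]

def load_rules(config_xml):
    """Return (authentication mode, [(action, users, verbs), ...]) in file order."""
    web = ET.fromstring(config_xml).find("system.web")
    if web is None:  # element names are case-sensitive: <system.Web> is not found
        raise ValueError("no <system.web> section")
    auth = web.find("authentication")
    mode = auth.get("mode") if auth is not None else "Windows"  # ASP.NET default
    rules = [(r.tag, _csv(r, "users"), _csv(r, "verbs"))
             for r in web.findall("authorization/*") if r.tag in ("allow", "deny")]
    return mode, rules

def is_allowed(rules, user=None, verb="GET"):
    """First matching rule wins; user=None is an anonymous request."""
    for action, users, verbs in rules:
        if verbs and verb.upper() not in [v.upper() for v in verbs]:
            continue  # this rule is limited to other HTTP verbs
        for pattern in users:
            # Assumption of this sketch: user names compare case-insensitively.
            named = user is not None and pattern.lower() == user.lower()
            if pattern == "*" or (pattern == "?" and user is None) or named:
                return action == "allow"
    return True  # no rule matched: the machine-level default is <allow users="*" />

def audit(config_xml, sample_user="alice@example.test"):  # hypothetical user name
    """Report the mode and whether anonymous / signed-in requests pass the rules."""
    mode, rules = load_rules(config_xml)
    return {"mode": mode,
            "anonymous": is_allowed(rules, None),
            "authenticated": is_allowed(rules, sample_user)}

if __name__ == "__main__":
    for name, cfg in (("step 6 config", BOOK_CONFIG), ("deny '?' variant", ANON_ONLY_CONFIG)):
        print(name, audit(cfg))
```

Under this model the "*" rule rejects the signed-in request as well as the anonymous one, while the "?" variant rejects only the anonymous one.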

REVIEW

In this session, we reviewed how to handle simple forms-based authentication, as well as how to implement basic Passport authentication. The forms-based examples show how to use a database to look up a user’s credentials. The Passport example shows how to use a Web service to validate authentication. You should continue exploring authorization and impersonation to add further granular security capabilities to your end solution.

QUIZ YOURSELF

1. What security and privacy issues are associated with using Passport authentication? (See “Introducing the Key Security Mechanisms.”)

2. Provide an example Web.config file that only allows POST requests from the user John in domain corporate. (See “Web.config and Security.”)

3. What alternatives are there to using a database to look up user credentials? (See “New Tricks for Forms-based Authentication.”)

SESSION 14

ASP.NET Caching

Session Checklist

Implementing Page Output Caching

Using Fragment Caching

Caching Data Objects

In ASP.NET there have been tremendous improvements in providing a framework that scales much better than previous versions of ASP. Caching is another area where Microsoft has gone to great lengths to provide ASP.NET developers control over their application performance and scalability.

What is caching? Caching improves overall system performance by storing frequently accessed or computationally expensive data in memory. Once a page or piece of data has been compiled and delivered, it is stored in memory. Subsequent requests access the cache rather than reinitiating the process that originally created it.

Caching is one of three state management approaches you can use in ASP.NET.

Session state is used to store data, such as personalization data, that you want available to the user each time a page is accessed. You need to be efficient about using this approach, however, as the session information isn’t shared across users.

Application state is used to store data that needs to be available to the entire application. The approach and methods for application state are the same as for session state; however, the visibility of data is global across all application users.

In caching, we are able to make any object or piece of data globally available to all users and have robust methods for optimizing how long this data is stored and what dependencies affect the optimal delivery of the data.

In this session, we will first cover how you can implement caching using the same Response object properties and methods that were available in ASP. Then, we will cover how ASP.NET implements page and data output caching to improve the scalability and responsiveness of your applications.