Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT533 Lectures Security. Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration.

Published byGladys Goodwin Modified over 9 years ago

Similar presentations

Presentation on theme: "IT533 Lectures Security. Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration."— Presentation transcript:

1 IT533 Lectures Security

2 Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration tag in web.config file Authentication and Authorization

3 Security Authentication Who are you? Server must authenticate client Client should authenticate server Kerberos does Need a directory to store user accounts Windows: Active Directory Good for intranet and Internet usage

4 Security IIS Authentication Anonymous A single Windows account is used for all visitors Basic authentication Standard, commonly supported Password sent in clear text Integrated Windows Authentication NTLM Kerberos Client certificates Mapped to Windows account

5 Security ASP.NET Authentication Custom, forms-based authentication Easy to use, with cookie token tracking Enables custom login screen (no popup dialogs) Supports custom credential checks against database, exchange, etc. Passport module provided Exposes passport profile API

6 Security Authorization Now that I know who you are, here’s what you are allowed to do Grant and deny read/write/execute/etc. permission to users or groups of users IIS also provides coarse-grained control Read, write, run script, run executable, directory browsing, script access for virtual directories, directories and files

7 Security ASP.NET Authorization ASP.NET supports authorization using either users or roles Roles map users into logical groups Example: “User”, “Manager”, “VP”, etc. Provides nice developer/admin separation Developers can perform runtime role checks in code if (User.IsInRole(“Admin”) { }

8 Secure Books Application This example uses a technique known as forms authentication to protect a page so that only users known to the website can access it. Website visitors must log in before they are allowed to view the publications in the Books database. The first page that a user would typically request is Login.aspx.

9 Secure Books Database Application Fig. | Login.aspx page of the secure books database application.

10 Secure Books Database Application A first-time visitor must click the link below the Log In button to create a new user before logging in, which redirects the visitor to CreateNewUser.aspx.

11 Secure Books Database Application Fig. | Message displayed to indicate that a user account was created successfully After creating the account, the user is automatically logged in and shown a success message.

12 Secure Books Database Application Fig. | Books.aspx displaying books (default is all books). Clicking the Continue button on the confirmation page sends the user to Books.aspx, which provides a drop-down list of authors and a table containing the book titles in the books database.

13 Secure Books Database Application Fig. | Books.aspx displaying books by Dan. When the user chooses an author, a postback occurs, and the page is updated to display information about books written by the selected author.

14 Secure Books Database Application Fig. | Logging in using the Login control. Clicking the Click here to log out link logs the user out, then sends the user back to Login.aspx.

15 Secure Books Database Application Fig. | Error message displayed for an unsuccessful login attempt. If the user’s login attempt fails, an appropriate error message is displayed.

16 Secure Books Database Application We use a master page to achieve the common header. A master page defines common GUI elements that are inherited by each page in a set of content pages. Content pages inherit visual elements from master pages—this is known as visual inheritance.

17 Secure Books Database Application Creating the Secure Books Database Application Step 1: Creating the Website Create a new ASP.NET Web Site with a folder named Bug2Bug. Delete the IDE-generated Default.aspx file (and its corresponding code-behind file).

18 Secure Books Database Application Step 2: Setting Up the Website’s Folders Before building any of the pages in the website, we create folders to organize its contents. First, create an Images folder Add the bug2bug.png file to it.

19 Secure Books Database Application Step 3.1: Configuring the Application’s Security Settings Before we start we need to setup security DB on our SQL server by running the aspnet_regsql tool Make sure LocalSqlServer is pointing to your database server by modifying C:\Windows\Microsoft.NET\Framework\v4.0.30319\Conf ig\machine.config: <add name="LocalSqlServer" connectionString= "data source=.;Integrated Security=SSPI; AttachDBFilename=|DataDirectory|aspnetdb.mdf; User Instance=true” providerName="System.Data.SqlClient"/>

20 Secure Books Database Application Step 3.2: Configuring the Application’s Security Settings In this application, we want to ensure that only authenticated users are allowed to access Books.aspx to view the information in the database. By default, any visitor can view pages in the root directory. ASP.NET allows you to restrict access to particular folders of a website. Create a folder named Secure. Later, we create Books.aspx in this folder.

21 Secure Books Database Application Select Website > ASP.NET Configuration to open the Web Site Administration Tool in a web browser.

22 Secure Books Database Application Click either the Security link or the Security tab to open a web page in which you can set security options. Fig. | Security page of the Web Site Administration Tool. In the Users column, click Select authentication type.

23 Secure Books Database Application On the resulting page, select the radio button next to From the internet to indicate that the application will use forms authentication. Fig. | Choosing the type of authentication used by an ASP.NET web application Click the Done button to save this change.

24 Secure Books Database Application The Users column on the main page of the Web Site Administration Tool now provides links to create and manage users. Fig. | Main page of the Web Site Administration Tool after enabling forms While it is possible to create users through the Web Site Administration Tool, we do not do so here.

25 Secure Books Database Application Click the Create access rules link in the Access Rules column of the Web Site Administration Tool to view the Add New Access Rule page. Fig. | Add New Access Rule page used to configure directory access.

26 Secure Books Database Application This page is used to create an access rule—a rule that grants or denies access to a particular directory for a specific user or group of users. Click the Secure directory in the left column. Select Anonymous users in the middle column and Deny in the right column, and click OK. This rule indicates that anonymous users should be denied access to any pages in the Secure directory. By default, anonymous users who attempt to load a page in the Secure directory are redirected to the Login.aspx page.

27 Secure Books Database Application Step 4: Examining the Autogenerated web.config Files In an ASP.NET application, a page’s configuration settings are determined by the current directory’s web.config file. The web.config file in the root directory contains an authentication element specifying that the site uses forms authentication. The second web.config file, in the Secure folder, contains an authorization element that indicates who is authorized to access this folder over the web.

28 Secure Books Database Application The deny element inside the authorization element specifies the users to whom we wish to deny access. When the users attribute’s value is set to "?", all anonymous users are denied access to the folder.

29 Secure Books Database Application Step 5: Creating a Master Page The master page defines the elements we want to appear on each page. A master page is like a base class in a visual inheritance hierarchy. The master page contains placeholders for custom content created in each content page. To create a master page, right click the location of the website in the Solution Explorer and select Add New Item….

30 Secure Books Database Application Select Master Page and specify Bug2Bug.master as the file name. Master pages have the file-name extension.master and, like Web Forms, can optionally use a code-behind file to define additional functionality. Leave the box labeled Place code in a separate file unchecked and click Add to create the page.

31 Secure Books Database Application The IDE opens the master page in Source mode when the file is first created. Fig. | Master page in Source mode. The markup for a master page is almost identical to that of a Web Form.

32 Secure Books Database Application A master page contains a Master directive, which specifies that this file defines a master page using the indicated Language for any code. Code that would usually be placed in a code-behind file can be placed in a script element. Next, set the title of the page to Bug2Bug. The master page contains two ContentPlaceHolder controls for content that will be defined by a content page.

33 Secure Books Database Application At this point, you can edit the master page in Design mode as if it were an ASPX file. Fig. | Master page in Design mode. The ContentPlaceHolder control appears as a rectangle with a purple outline indicating the control ’ s type and ID. Using the Properties window, change the ID of this control to bodyContent.

34 Secure Books Database Application Place the cursor to the left of ContentPlaceHolder and select Table > Insert Table. In the Insert Table dialog, set Rows to 2 and Columns to 1. In the Layout section, specify a Cell padding of 0 and a Cell spacing of 0. Set both the width and height of the table to 100 percent. Make sure that the Size value in the Borders section is 0.

35 Secure Books Database Application Click OK to create a table that fills the page and contains two rows. Change the valign property of the bottom table cell to top and drag the ContentPlaceHolder into this cell. Set the Height of the top table cell to 130. Add an Image control named headerImage with its ImageUrl property set to the bug2bug.png file.

36 Secure Books Database Application Step 6: Creating a Content Page Right click the master page in the Solution Explorer and select Add Content Page. Rename the Default.aspx to CreateNewUser.aspx, then open it in Source mode. Fig. | Content page CreateNewUser.aspx in Source mode.

37 Secure Books Database Application The Page directive indicates the MasterPageFile that is used as a starting point for this new page ’ s design. The Title property specifies the title that will be displayed in the web browser ’ s title bar when the content page is loaded. This value, which we set to Create a New User, replaces the value (i.e., Bug2Bug ) set in the title element of the master page. Because CreateNewUser.aspx specifies Bug2Bug.master as the page ’ s MasterPageFile, it implicitly contains the contents of the master page.

38 Secure Books Database Application The content page contains Content controls, in which we will place page-specific content that will replace the master page ’ s ContentPlaceHolder s. The ContentPlaceHolderID property of the Content control identifies which ContentPlaceHolder the control should replace.

39 Secure Books Database Application The relationship between a content page and its master page is more evident in Design mode. Fig. | Content page CreateNewUser.aspx in Design mode. The gray-shaded region contains the contents of the master page Bug2Bug.master as they will appear in CreateNewUser.aspx.

40 Secure Books Database Application Step 7: Adding a CreateUserWizard Control to a Content Page CreateNewUser.aspx is the page in our website that allows first-time visitors to create user accounts. To provide this functionality, we use a CreateUserWizard control. Place the cursor inside the Content control in Design mode and double click CreateUserWizard in the Toolbox to add it to the page.

41 Secure Books Database Application Open the CreateUserWizard Tasks smart-tag menu and click Auto Format. Select the Professional color scheme. When the user clicks the Create User button, ASP.NET verifies that all the form ’ s requirements were fulfilled and attempts to create the user account. If an error occurs, the CreateUserWizard displays a message below the form. If the account is created successfully, the form is replaced by a confirmation message and a button that allows the user to continue.

42 Outline a)b) c) CreateNewUser.aspx (3 of 3) Fig. | CreateNewUser.aspx page that provides a user registration form. (Part 3 of 3.)

43 Secure Books Database Application Step 8: Creating a Login Page Add another content page named Login.aspx and set its title to Login. In Design mode, drag a Login control to the page ’ s Content control. Open the Auto Format dialog from the Login Tasks smart-tag menu and set the control ’ s color scheme to Professional. Set the Login control ’ s CreateUserUrl property to CreateNewUser.aspx by clicking the ellipsis to the right of this property in the Properties window.

44 Secure Books Database Application Then set the CreateUserText property to Click here to create a new user. Finally, change the value of the Login control ’ s DisplayRememberMe property to False to require sure that users log in each time they visit the site.

45 Secure Books Database Application The Login control encapsulates the details of logging a user into a web application. If the user successfully authenticates, the browser is redirected to the page specified by the Login control ’ s DestinationPageUrl property. If the user ’ s identity cannot be confirmed, the Login control displays an error message, and the user can attempt to log in again.

46 Outline Create a Login control with a number of properties, including the ones we set using the Properties window. Fig. | Login.aspx content page using a Login control. (Part 1 of 2.) Figure presents the completed Login.aspx page.

47 Outline a)b) Login.aspx (2 of 2) Fig. | Login.aspx content page using a Login control. (Part 2 of 2.) Create a Login control with a number of properties, including the ones we set using the Properties window.

48 Secure Books Database Application As in CreateNewUser.aspx, the Page directive indicates that this content page inherits content from Bug2Bug.master. All of the functionality related to actually logging the user in or displaying error messages is completely hidden from you. When a user enters login information, ASP.NET authenticates the user and sends an encrypted cookie with information about the authenticated user. Encrypted data is data translated into a code that only the sender and receiver can understand — thereby keeping it private. The encrypted cookie contains a string username and a bool value that specifies whether this cookie should persist beyond the current session.

49 Secure Books Database Application Step 9: Creating a Content Page That Only Authenticated Users Can Access To create Books.aspx, right click the Secure folder in the Solution Explorer and select Add New Item.... Select Web Form and specify the file name Books.aspx. Change the Page directive ’ s Title property to Book Information.

50 Secure Books Database Application Step 10: Customizing the Secure Page Open Books.aspx in Design mode. In the Content control, type Welcome followed by a comma and a space. Drag a LoginName control from the Toolbox onto the page. When this page executes on the server, the control will be replaced by the current username. In Source mode, type an exclamation point ( ! ) directly after the LoginName control (with no spaces in between).

51 Secure Books Database Application A LoginStatus control renders on a web page in one of two ways If the user is not authenticated, the control displays a hyperlink with the text Login. If the user is authenticated, the control displays a hyperlink with the text Logout.

52 Secure Books Database Application Add a LoginStatus control to the page by dragging it from the Toolbox onto the page. The LoginStatus Tasks smart-tag menu allows you switch between the control ’ s Views. Select the Logged In view to see the Logout link. Modify the control ’ s LogoutText property to Click here to log out. Set the LogoutAction property to RedirectToLoginPage.

53 Secure Books Database Application Step 11: Connecting the CreateUserWizard and Login Controls to the Secure Page Open CreateNewUser.aspx in Design mode and set the CreateUserWizard control ’ s ContinueDestinationPageUrl property to Books.aspx. Open Login.aspx and select Books.aspx as the DestinationPageUrl of the Login control. Run the web application.

54 Secure Books Database Application Step 12: Creating a SQL DataSource on the Books Database

55 Secure Books Database Application Step 13: Adding a DropDownList Containing Authors ’ First and Last Names Open Books.aspx in Design mode, then add the text Author: and a DropDownList named authorsDropDownList in the page ’ s Content control. Add a Sql DataSource object below the DropDownList named authorsSqlDataSource. In the DropDownList Tasks smart-tag menu, click Choose Data Source... to start the Data Source Configuration Wizard.

56 Secure Books Database Application Select authorssqlDataSource from the Select a data source drop-down list in the first screen of the wizard. Set Name as the data field to display and AuthorID as the data field to use as the value. Click OK to bind the DropDownList to the specified data. The last step in configuring the DropDownList on Books.aspx is to set the control ’ s AutoPostBack property to True. This property indicates that a postback occurs each time the user selects an item. This causes the page ’ s GridView to display new data.

57 Secure Books Database Application Step 14: Creating a GridView to Display the Selected Author ’ s Books Add a GridView named booksGridView below the other controls in the page ’ s Content control. To bind the GridView to data from the Books database, create a SqlDataSource named booksSqlDataSource beneath the GridView. Select booksSqlDataSource from the Choose Data Source drop-down list in the GridView Tasks smart-tag menu.

58 Secure Books Database Application To add more Columns to the GridView, select Edit Columns... from the GridView Tasks smart-tag menu to initiate the Fields dialog.

59 59 Secure Books Database Application Uncheck the Auto-generate fields box to indicate that you ’ ll manually define the fields to display. Create BoundField s with HeaderText s ISBN, Title, Edition Number, and Copyright. For each BoundField except for Edition Number, the SortExpression and DataField properties should match the HeaderText. For Edition Number, the SortExpression and DataField should be EditionNumber — the name of the field in the database. The SortExpression specifies the data field to sort by when the user chooses to sort by the column.

60 60 Secure Books Database Application Now that the GridView is tied to a data source, we modify several of the control ’ s properties to adjust its appearance and behavior. Set the GridView ’ s CellPadding property to 5, set the BackColor of the AlternatingRowStyle to LightYellow, and set the BackColor of the HeaderStyle to LightGreen. Change the Width of the control to 600px to ensure that long data values don ’ t wrap to multiple lines.

61 61 Secure Books Database Application In the GridView Tasks smart-tag menu, check Enable Sorting. This changes the column headings in the GridView into links that allow users to sort the GridView using the sort expressions specified by each column. Finally, in the GridView Tasks smart-tag menu, check Enable Paging. This causes the GridView to split across multiple pages. The user can click the numbered links at the bottom of the GridView control to display a different page of data. GridView ’ s PageSize property determines the number of entries per page. Set the PageSize property to 4 using the Properties window.

62 62 Secure Books Database Application Figure displays the completed Books.aspx file in Design mode. Fig. | Completed Books.aspx in Design mode.

Download ppt "IT533 Lectures Security. Reasons for Security Prevent access to areas of your Web server Record and store secure relevant user data Security Configuration."

Similar presentations

Chapter 3 – Web Design Tables & Page Layout

Chapter 3 – Web Design Tables & Page Layout
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
Working with Tables for Page Design – Lesson 41 Working with Tables for Page Design Lesson 4.

Working with Tables for Page Design – Lesson 41 Working with Tables for Page Design Lesson 4.
Home This training presentation is designed to introduce the Residency Management Suite to new users. This presentation covers the following topics: Login.

Home This training presentation is designed to introduce the Residency Management Suite to new users. This presentation covers the following topics: Login.
KompoZer. This is what KompoZer will look like with a blank document open. As you can see, there are a lot of icons for beginning users. But don't be.

KompoZer. This is what KompoZer will look like with a blank document open. As you can see, there are a lot of icons for beginning users. But don't be.
IT533 Lectures Validation Controls, User Controls, Master Pages.

IT533 Lectures Validation Controls, User Controls, Master Pages.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
XP New Perspectives on Microsoft Access 2002 Tutorial 61 Microsoft Access 2002 Tutorial 6 – Creating Custom Reports.

XP New Perspectives on Microsoft Access 2002 Tutorial 61 Microsoft Access 2002 Tutorial 6 – Creating Custom Reports.
User Controls, Master Pages, GridView. Content User Controls Styles, Themes, Master Pages Working with Data GridView Muzaffer DOĞAN - Anadolu University2.

User Controls, Master Pages, GridView. Content User Controls Styles, Themes, Master Pages Working with Data GridView Muzaffer DOĞAN - Anadolu University2.
Chapter 9 Customizing Data with Web Controls. ASP.NET 2.0, Third Edition2.

Chapter 9 Customizing Data with Web Controls. ASP.NET 2.0, Third Edition2.
Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.

Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.

A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.

Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Creating Web Page Forms

Creating Web Page Forms
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
Tutorial: Introduction to ASP.NET Internet Technologies and Web Application 4 th February 2010.

Tutorial: Introduction to ASP.NET Internet Technologies and Web Application 4 th February 2010.

Similar presentations

Ads by Google