Developing Web Applications Using Microsoft Visual Studio 2008

The document discusses securing ASP.NET web applications using Windows-based authentication and forms-based authentication. It covers enabling different authentication methods in IIS and web.config, creating logon and registration pages, and reading user identity information. The lab scenario involves securing a sample benefits application using both authentication approaches.

Developing Web Applications Using Microsoft® Visual Studio® 2008
Module 16: Securing a Microsoft ASP.NET Web Application
• Web Application Security Overview

• Windows-Based Authentication

• Forms-Based Authentication
Lesson: Web Application Security Overview
• Authentication vs. Authorization

• What Are the ASP.NET Authentication Methods?

• Comparing the ASP.NET Authentication Methods

• What Are the IIS Authentication Mechanisms?

• Demonstration: IIS Authentication Mechanisms

• What Is Secure Sockets Layer?


Authentication vs. Authorization
• Authentication:
 Accepts credentials from a user
 Validates the credentials

• Authorization:
 Given the authentication credentials supplied, determines the right to access a resource
 Assign authorization by user name or by role
What Are the ASP.NET Authentication Methods?
• Windows-based authentication
 Relies on the Windows operating system and IIS
 User requests a secure Web page and the request goes through IIS
 After credentials are verified by IIS, the secure Web page is returned

• Forms-based authentication
 Unauthenticated requests are redirected to an HTML form
 User provides credentials and submits the HTML form
 After credentials are verified, an authentication cookie is issued
Comparing the ASP.NET Authentication Methods

Method: Windows-based Authentication
 Advantages:
  • Uses existing Windows infrastructure
  • Controls access to sensitive information
 Disadvantages:
  • Not appropriate for most Internet applications

Method: Forms-based Authentication
 Advantages:
  • Good for Internet applications
  • Supports all client types
 Disadvantages:
  • Based on cookies
What Are the IIS Authentication Mechanisms?

Mechanism: Anonymous (Security level: None)
 No authentication occurs

Mechanism: Basic (Security level: Low; Medium with SSL)
 Client sends username and password as clear text
 Can be encrypted by using SSL
 Part of the HTTP specification and supported by most browsers

Mechanism: Digest (Security level: Medium)
 Sends information as encoded hash
 Requires Internet Explorer 5, 6, or 7
 Requires Active Directory

Mechanism: Integrated Windows (Security level: High)
 Uses either NTLM or Kerberos
 Generally good for intranets, not Internet
 Does not work through most
Demonstration: IIS Authentication Mechanisms
• Open the Computer Management console

• Display the authentication methods for the deployed Web site
What Is Secure Sockets Layer?
• SSL is a protocol that transmits data securely across a network. SSL secures data by using:
 Data encryption:
• Ensures that the data sent is read only by a secure target server
 Server authentication:
• Ensures that data is sent to the correct server
• Uses the server and client certificates
 Data integrity:
• Protects the integrity of the data
• Includes a message authentication code that detects whether a message is altered
• SSL uses Hypertext Transfer Protocol Secure to retrieve an ASP.NET Web page
Lesson: Windows-Based Authentication
• Enabling Windows-Based Authentication

• Reading User Information


Enabling Windows-Based Authentication

1 Configure IIS to use one or more of the following authentication mechanisms:
• Basic, Digest, Integrated Windows security

2 Set Windows-based authentication in Web.config

<system.web>
  <authentication mode="Windows" />
</system.web>

3 Set up authorization in Web.config

4 When users access the Web Form, IIS requests logon information
Reading User Information
• After authentication, the Web server can read the user identity

[Visual C#]
// Page.User exposes the authenticated principal; IsAuthenticated is a bool,
// so it is converted to a string before assignment to the label
userLabel.Text = User.Identity.Name;
userTypeLabel.Text = User.Identity.AuthenticationType;
userAuthenticatedLabel.Text = User.Identity.IsAuthenticated.ToString();

[Visual Basic]
' Same as above; ToString() keeps the assignment valid under Option Strict On
userLabel.Text = User.Identity.Name
userTypeLabel.Text = User.Identity.AuthenticationType
userAuthenticatedLabel.Text = User.Identity.IsAuthenticated.ToString()
Lesson: Forms-Based Authentication
• Overview of Forms-Based Authentication

• Multimedia: Forms-Based Authentication

• Enabling Forms-Based Authentication

• Creating a Logon Page

• Demonstration: Forms-Based Authentication


Overview of Forms-Based Authentication

[Diagram: forms-based authentication flow. Client requests page → IIS → ASP.NET Forms authentication. Not authenticated → Logon page (users enter their credentials: Username, Password, Submit). Credentials not authenticated → Access denied. Credentials authenticated → Authentication cookie. Authenticated and authorized → Requested secure page.]
Multimedia: Forms-Based Authentication
Enabling Forms-Based Authentication

1 Configure IIS to use Anonymous authentication

2 Set Forms-based authentication in Web.config

<authentication mode="Forms">
  <forms name=".namesuffix"
         loginUrl="login.aspx" />
</authentication>

3 Set up authorization

4 Build a logon Web Form
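An added Web.config example (not from the course slides) that carries steps 2 and 3 through for forms-based authentication; the same authorization section applies unchanged to the Windows-based lesson, only the authentication mode differs. The cookie name, the HR role, and the use of register.aspx and prospectus.aspx from the lab scenario are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example Web.config, not part of the course material.
     Assumes page names from the lab scenario (login.aspx, register.aspx,
     prospectus.aspx); the cookie name and the HR role are invented. -->
<configuration>
  <system.web>
    <!-- Step 2: forms-based authentication. IIS runs with Anonymous
         authentication so every request reaches ASP.NET. -->
    <authentication mode="Forms">
      <forms name=".benefitsAuth"
             loginUrl="login.aspx"
             protection="All"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Step 3: authorization. "?" means anonymous users, "*" means all
         users. Rules are evaluated top-down, so the deny must come first:
         with only the default <allow users="*"/> every unauthenticated
         request is served and the logon page is never shown. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- register.aspx must stay reachable by anonymous users, so the
       site-wide rule is overridden for that single file. The loginUrl
       page itself is exempted from URL authorization by the Forms module. -->
  <location path="register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Authorization by role: only members of the (assumed) HR role may
       open the prospectus page; everyone else is denied. -->
  <location path="prospectus.aspx">
    <system.web>
      <authorization>
        <allow roles="HR" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With `requireSSL="true"` the authentication cookie is only sent over HTTPS, which ties the forms cookie to the SSL lesson above; over plain HTTP the browser never returns it and the user is sent back to the logon page.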


Creating a Logon Page
• ASP.NET login controls

• Creating a logon page

• Reading credentials from cookies


Demonstration: Forms-Based Authentication
• Examine authentication and authorization in web.config

• Examine the logon and register pages

• Run the demonstration


Lab: Securing a Microsoft ASP.NET Web Application
• Exercise 1: Securing Your Web Site by Using Windows-Based Authentication
• Exercise 2: Securing Your Web Site by Using Forms-Based Authentication
• Exercise 3: Registering New Users

Logon information
 Virtual machine: 2310C-LON-DEV-16
 User name: Student
 Password: Pa$$w0rd

Estimated time: 45 minutes


Lab Scenario

[Diagram: Benefits Lab Web Application. Components: Master Page benefitsMaster.master; Logon Page login.aspx; Home Page Default.aspx; Page Header header.ascx; Registration register.aspx; Menu Component Benefits.cs or Benefits.vb; Web.config; ASPState and TempDB databases; Life Insurance life.aspx; Retirement retirement.aspx; Medical medical.aspx; Dentists dental.aspx; Prospectus prospectus.aspx; Doctors doctors.aspx; User Control nameDate.ascx; XML Web Service DentalService1.asmx; LINQ to SQL Classes Doctors.dbml; Doctors and Dentists XML Files.]
Lab Review
Review Questions
• How can you deny access to anonymous users for certain Web pages?

• How can you configure Forms-based authentication in the web.config file?

• How can you build a logon form for a Web site?

• How can you enable users to register with a Web site?

• How can you enable users to sign out of a Web site?


Module Review and Takeaways
• Review Questions

• Best Practices

• Tools
Course Evaluation