
568 Project 4 CREATING AN AIRLINE RESERVATION PORTAL

Securing a Web site is as important as developing it. You need to ensure that your Web site is safeguarded from hackers and unauthenticated users to prevent any damage to the content or functionality of your Web site. This is essential for the smooth functioning of your Web application. You can implement various security measures to secure your Web site from unintentional access.

In this chapter, you will learn about the authentication mechanisms for Web and database servers. Next, you will use these mechanisms to implement Web server and database security on the SkyShark Airlines application.

Security in ASP.NET Applications

ASP.NET applications are deployed on IIS (Internet Information Server). IIS has security mechanisms that can be implemented to ensure the safety of Web applications. In addition to the security mechanisms of IIS, ASP.NET applications have security mechanisms implemented using a Web.Config file, which can be used to specify how users are authenticated when accessing the application.

In this section, you will learn about concepts pertaining to securing Web sites by using IIS and ASP.NET. You will also learn about the different authentication mechanisms that can be implemented for securing a Web application.

Authentication Mechanisms

Authentication is the method of determining whether a user is authorized to view the requested resource. The user is able to access the resources on the server or the Web site only after the authentication process is complete. In this section, I will explain the authentication mechanisms supported by IIS and ASP.NET.

IIS Security Mechanisms

IIS provides built-in support for validating the identity of clients. An ASP.NET application is deployed on IIS, which implies that any security feature made available by IIS is automatically incorporated into your Web application. The authentication methods available with IIS are Anonymous authentication, Basic authentication, Integrated Windows authentication, and Digest authentication. Take a look at Table 25-1 to learn more about each of these methods.

SECURING THE APPLICATION

Chapter 25

Table 25-1 IIS Authentication Methods

Anonymous. This type of authentication mechanism does not require a user to provide a user ID or password to browse through a Web application. In this mechanism, IIS uses a default logon name and password to request resources from a Web application. Therefore, this is the least secure authentication method available for accessing Web site resources.

Basic. This type of authentication mechanism does not allow a user to access the resources of a Web application unless the user provides the user ID and password. However, this authentication method has one drawback. The user's password is transmitted over the Internet in an unencrypted form, making it vulnerable to hackers.

Integrated Windows. This type of authentication uses the "hashing to track the user" mechanism. In this mechanism, a user need not specify a password to be authenticated. The user is verified over the network by using the user's Windows account logon credentials. This mechanism is generally deployed for internal business processes of organizations, where the users accessing the application are few.

Digest. This type of authentication mechanism, just like the Basic authentication mechanism, does not allow a user to access the resources of a Web application unless he or she provides the user ID and password. This mechanism ensures greater security than the Basic authentication method because the user's password is sent over the Internet in an encrypted form.

ASP.NET Authentication Mechanisms

To ensure the security of your Web applications, ASP.NET provides three authentication mechanisms: Forms authentication, Passport authentication, and Windows authentication. These three mechanisms are described as follows:

Forms authentication. This authentication mechanism, also called cookie-based authentication, is based on a single logon form. Users can access this form anytime they need to log on. A few Web sites allow you to browse through Web forms without the need to log on. However, when you have to log on to a Web site, you are directed to a logon form. After the logon process is successful, you are redirected to the original form. In Forms authentication, a logon form is invoked as soon as an unauthenticated user requests a Web form. Cookies are vulnerable to attack by hackers and can be easily accessed by other users on the site because cookies are transmitted over the Web in an unencrypted form. However, cookies can be made safer by encryption. In addition, you can embed cookies with the IP address of the original user to restrict unauthenticated users from getting permissions to resources.

Passport authentication. Passport is the default authentication mechanism provided by Microsoft for its Hotmail, MSN, and Passport services. This is a centralized authentication service, which requires fewer resources because you need not implement additional hardware for authentication. Moreover, all users registered for the Passport authentication service are registered users of the Web site. Therefore, Passport authentication caters to a greater number of users as compared to the Forms authentication service. To use the Passport authentication service, you need to download the Passport software development kit.

Windows authentication. Windows authentication is implemented in a Windows 2000 domain. In Windows authentication, users are authenticated against their account in the Windows 2000 domain.

Securing a Web Site with IIS and ASP.NET

By configuring security settings on IIS and including the Web.Config file, you can create a highly secure environment for your application. Consider the case of the SkyShark Airlines application.


The corporate office and regional offices of SkyShark Airlines are connected on a LAN. Therefore, every user who accesses the Web application has a valid Windows account. Consequently, as the first level of authentication, you can make Windows authentication available on IIS. This ensures that anonymous users do not access the Web site. As the next level of security, you can enable form-based authentication for your ASP.NET application and validate users with their accounts in the dtUsers table of SQL Server before they can access the Web site resources.

Therefore, the SkyShark Airlines application has two levels of security. The first level of security is implemented by IIS. Users authenticated by IIS access the Web application and are then authenticated against the dtUsers table of the SQL Server database. When users are authenticated, their profile is also retrieved from the dtUsers table, which is used to grant access to Web pages. You can view the mechanism of granting permissions to users for accessing Web pages in Chapter 21, “Implementing the Business Logic.”

To restrict access to Web pages, the SkyShark Airlines application uses the Session variables usrRole and usrName. The code to initialize these variables is discussed in Chapter 21.

I will now discuss the steps to implement Windows authentication on IIS and Forms authentication on ASP.NET.

Enabling Authentication

in SkyShark Airlines

In the SkyShark Airlines application, you need to enable Windows authentication on the IIS Web server and Forms authentication for the SkyShark Airlines application. In this section, I list the steps to configure these two authentication modes for the SkyShark Airlines application.

Configuring IIS Authentication

To enable Windows authentication, you can use the IIS console. The steps to open the console and configure the application are given as follows:

1. Click on Start and point to Programs.


2. From the Programs menu, select Administrative Tools and then click on Internet Services Manager. The Internet Information Services window will open.

3. In the Internet Information Services window, double-click on Default Web Site to view a list of Web sites installed on the computer.

4. In Default Web Site, right-click on SkyShark and select Properties. The SkyShark Properties dialog box will appear.

5. Click on the Directory Security tab of the SkyShark Properties dialog box. This tab of the dialog box is shown in Figure 25-1.

FIGURE 25-1 Directory Security tab of the SkyShark Properties dialog box

6. In the SkyShark Properties dialog box, click on Edit in the Anonymous access and authentication control section.

7. In the Authentication Methods dialog box, clear the Anonymous access option and check the Integrated Windows authentication option, as shown in Figure 25-2.


FIGURE 25-2 Enabling Integrated Windows authentication

8. Click on OK to close the Authentication Methods dialog box. The SkyShark Properties dialog box will reappear.

9. Click on OK to close the SkyShark Properties dialog box.

Your Web server is now configured for Windows authentication. Next, you need to configure the Web application to use Forms authentication. In the next section, I will discuss Forms authentication in ASP.NET.

Configuring Authentication in ASP.NET

To configure ASP.NET security, you need to specify a default logon page that is displayed to a user if the identity of the user is not validated. The default logon page for SkyShark Airlines is default.aspx. Therefore, if an unauthenticated user tries to navigate directly to a page of the Web application, the user will be directed to the default.aspx page.

ASP.NET provides the System.Web.Security namespace that makes the necessary classes available for configuring authentication. To authenticate a user, you need to use the FormsAuthentication class of the System.Web.Security namespace. Some important methods of this class, which help you to authenticate users on your Web application, are listed in Table 25-2.


Table 25-2 Methods of the FormsAuthentication Class

Authenticate. The Authenticate method validates usernames and passwords against those specified in the data store.

GetAuthCookie. The GetAuthCookie method creates an authentication cookie for an authenticated user. The cookie can be used for identifying authenticated users.

RedirectFromLoginPage. After validating a user, the RedirectFromLoginPage method redirects the user to the requested page.

RenewTicketIfOld. The RenewTicketIfOld method renews/revalidates the authentication ticket of a user after it is no longer valid.

SignOut. The SignOut method is used for logging a user off from the Web application.

To implement Forms authentication, you need to change the <authentication> and <authorization> elements of the Web.Config file. By default, when you create a new application, authentication is not enabled in your application, as specified by the following line of code in the Web.Config file:

<authentication mode="None"/>

To enable Forms authentication on your Web site, change the <authentication> property as follows:

<authentication mode="Forms">
    <forms loginUrl="default.aspx" name=".ASPXFORMSAUTH"/>
</authentication>

<authorization>
    <deny users="?" />
</authorization>

In the preceding code snippet, I have changed the authentication mode to Forms by changing the mode attribute of the <authentication> element.

When the authentication mode is set to Forms, the Web application issues a cookie to an authenticated user. You need to specify the suffix of the cookie by using the name attribute of the <forms> element. You also need to specify the name of the logon form, where an unauthenticated user is redirected. In the preceding code snippet, I have specified the name of the logon form as default.aspx, which is the logon form for SkyShark Airlines, and the suffix of the cookies is specified as .ASPXFORMSAUTH.

TIP

ASP.NET uses the * and ? user types to control access to Web site resources. The * user type represents all users and the ? user type represents anonymous users.

After enabling Forms authentication, you need to prevent Web application access to anonymous users. The <deny users="?"/> statement uses the ? user type to prevent access to anonymous users.

After enabling custom authentication for SkyShark Airlines, you can modify the code of the default.aspx form so that an authentication ticket can be issued to the user after the user's credentials are validated. To issue authentication tickets, the FormsAuthentication class provides the GetAuthCookie and RedirectFromLoginPage methods. The difference between the two methods is that the GetAuthCookie method generates an authentication ticket but does not redirect the user to the page requested initially. The RedirectFromLoginPage method, however, authenticates the user and then redirects the user to the page requested initially.

For the SkyShark Airlines application, you need to use the GetAuthCookie method to generate the authentication ticket. You cannot use the RedirectFromLoginPage method because you have implemented a custom solution based on Session state variables. These variables redirect the user to Web forms depending upon the role of the users. For example, if you implement the RedirectFromLoginPage method, when a line-of-business executive requests the ManageUsers.aspx page, which should be accessible to network administrators only, the RedirectFromLoginPage method will authenticate and redirect him to the ManageUsers.aspx page. This should not be the case.

The GetAuthCookie method uses two parameters to generate the authentication ticket: the username and the state of the cookie (persistent or not). To generate the authentication ticket for the user by using the GetAuthCookie method, add a reference to the System.Web.Security namespace in the default.aspx page and call the GetAuthCookie method of the FormsAuthentication class. The code snippet where you need to make the change is given as follows; the line to add is the call to GetAuthCookie (printed in bold in the book).

if (Role == "Disabled")
{
    lblMessage.Text = "Your account has been disabled. Please contact the network administrator.";
    return;
}
// GetAuthCookie only builds the ticket cookie; it must be added to the response
// or the browser never receives it.
Response.Cookies.Add(FormsAuthentication.GetAuthCookie(username, false));
switch (Role)
{
    case "Admin":

After you have issued an authentication ticket to the user, you need to remove the ticket when the user logs off from the Web site. To remove the authentication ticket, use the SignOut method of the FormsAuthentication class in the Logoff.aspx form. The code for the Load event of the form, which implements the log off functionality, is given as follows:

private void Page_Load(object sender, System.EventArgs e)
{
    // Drop the usrName/usrRole Session variables, then clear the Forms ticket.
    Session.RemoveAll();
    FormsAuthentication.SignOut();
}

When the user logs off from the Web site, the authentication ticket for the user is removed and the user has restricted access to the Web site.
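As an added example (not code from the book), here is the complete log-on handler for default.aspx and the Logoff.aspx handler described above, with the cookie that GetAuthCookie returns added to the response and the role-based redirect that rules out RedirectFromLoginPage. The connection string, the dtUsers column names usrName/usrPassword/usrRole, the control names btnLogon/txtUserName/txtPassword and the Home.aspx page are assumptions; the Session keys usrName and usrRole are the ones the chapter uses.

```csharp
// Added example, not the book's own code. Connection string, dtUsers column names,
// control names and Home.aspx are assumed; ManageUsers.aspx is the admin page from the chapter.
using System;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LogonPage : Page
{
    protected TextBox txtUserName;
    protected TextBox txtPassword;
    protected Label lblMessage;

    // Returns the user's role, or null when the credentials match no row in dtUsers.
    // SqlParameter keeps the user-supplied values out of the SQL text.
    static string LookupRole(string userName, string password)
    {
        const string connStr = "Server=(local);Database=SkyShark;Integrated Security=SSPI"; // assumed
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT usrRole FROM dtUsers WHERE usrName = @u AND usrPassword = @p", conn))
        {
            cmd.Parameters.Add(new SqlParameter("@u", userName));
            cmd.Parameters.Add(new SqlParameter("@p", password));
            conn.Open();
            return cmd.ExecuteScalar() as string;   // null if no row matched
        }
    }

    protected void btnLogon_Click(object sender, EventArgs e)
    {
        string role = LookupRole(txtUserName.Text, txtPassword.Text);
        // One message for either failure, so a caller cannot tell a bad name from a bad password.
        if (role == null) { lblMessage.Text = "Invalid user name or password."; return; }
        if (role == "Disabled")
        {
            lblMessage.Text = "Your account has been disabled. Please contact the network administrator.";
            return;
        }
        // GetAuthCookie only builds the .ASPXFORMSAUTH cookie; add it or the ticket is never sent.
        Response.Cookies.Add(FormsAuthentication.GetAuthCookie(txtUserName.Text, false));
        Session["usrName"] = txtUserName.Text;
        Session["usrRole"] = role;
        // Redirect by role rather than to the originally requested page (why RedirectFromLoginPage is not used).
        Response.Redirect(role == "Admin" ? "ManageUsers.aspx" : "Home.aspx");
    }
}

public class LogoffPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.RemoveAll();                 // drop usrName/usrRole
        FormsAuthentication.SignOut();       // clear the Forms authentication ticket
        Response.Redirect("default.aspx");   // back to the log-on form
    }
}
```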

Securing SQL Server

Although not directly in the purview of ASP.NET, you need to secure the SkyShark Airlines databases to ensure that the security aspects of the Web application are taken care of. In this section, I briefly describe the authentication process of SQL Server to help you secure SQL Server by using the optimal authentication mode.


To access the resources on SQL Server 2000, you pass through two security stages. The first security stage is the authentication stage. In this stage, you need to enter a valid logon ID and password. After you pass this stage, you are connected to an instance of SQL Server 2000. The next stage is the authorization stage. In this stage, the exact permissions to be granted to a user to access different databases are decided. The user needs to have an account in each of the databases to which the user wants to connect and access resources. This stage also enables you to determine the extent of activities that a user can perform on a specified database. SQL Server 2000 uses two authentication modes:

Windows Authentication mode. The Windows Authentication mode enables you to connect to the SQL Server by using the Windows 2000 domain user account.

Mixed Authentication mode. The Mixed Authentication mode enables you to connect to the SQL Server either by using Windows authentication or by using SQL Server ID-based authentication. If either of the logon credentials is valid, you are able to connect to an instance of SQL Server 2000.

To configure the authentication mode on SQL Server, follow these steps:

1. Open SQL Server Enterprise Manager.

2. Right-click on the name of the SQL Server on which you want to configure authentication and select Properties. The SQL Server Properties (Configure) dialog box will appear.

3. Click on the Security tab. The Security tab of the SQL Server Properties (Configure) dialog box is shown in Figure 25-3.

4. Select the authentication mode that you want from the Security section of the SQL Server Properties (Configure) dialog box and click on OK.