Page 1: Unit 7 Learning Objectives

Unit 7 Learning Objectives

• How to Control Access to websites
– Authentication and Authorization
– Security and Access Control (web.config)
– ASP.NET Membership controls in code (LoginView)
– Using user information (Page.User)

Page 2: Unit 7 Learning Objectives

Authentication

• It determines that someone is who they say they are
• It involves a username and password
• Microsoft systems have two basic methods
– Forms based authentication
  • What you typically see when you log into a website
– Windows based authentication
  • What you see when you log into a computer

Page 3: Unit 7 Learning Objectives

Windows based authentication: What you see when you log into a computer

Forms based authentication: What you typically see when you log into a website

Page 4: Unit 7 Learning Objectives

Authorization
• Permission to use a resource like a webpage or document
• Authenticated users can do more than anonymous users
• Authorization may be associated with Roles
– Roles help assign a group of users the same authority
– Example: admin, staff or guest
• Access Rules determine who is authorized to use what.

Page 5: Unit 7 Learning Objectives

Authorization or Authentication?

Page 6: Unit 7 Learning Objectives

Access Rules are settings in web.config

Deny anonymous users until they identify themselves

Provides the authentication type (i.e. FORMS) and the place to login from

Allows the user that belongs to the role of Admin

This access rule is for the access to the Register page

Page 7: Unit 7 Learning Objectives

Access Rule Example: Consider the Styles Folder

• Access to styles is required for all users of a website.

• Add a web configuration file to the Styles folder; it should look like this

• Starting on line 4, enter an authorization section

This says to allow all users access to the folder.

Page 8: Unit 7 Learning Objectives

Multiple Configurations

• Access is determined by using the access rules closest to the page.

• How many config files are seen?

• In this case, the web.config file controls access to the Finals folder.

C:\ASPPUB

Page 9: Unit 7 Learning Objectives

How to work with a user’s information

Page.User control
• User is a property of the Page object
• User contains information about the user logged into your web page when one of ASP.NET’s implemented authentication methods is used

Roles
• Groupings of access privileges
• Example: Manager, Admin, LowlyWorm, Guest, etc.

Page 10: Unit 7 Learning Objectives

How can Page.User be used for roles?

• User has a method called IsInRole
• IsInRole identifies whether the user belongs to a role
• User.IsInRole("Admin")
– if the current user is a member of the Admin role, then apply a 10% discount
• User.IsInRole("Guest")
– is the current user a member of the Guest role?

if (User.IsInRole("Admin")) TotalAmt = 0.9 * SubTotalAmt; // members of the Admin role get the 10% discount

Page 11: Unit 7 Learning Objectives

L1 #1: ASP.NET security set-up in VWD

• The default web site we created at the beginning of the quarter uses many of ASP.NET’s security features – we just have to turn the security on

• So, let’s turn it on as the L1 for this unit
1. Open your ASPPub folder in VWD
2. Select ASP.NET Configuration from the Website menu

Go to L1 #11

Page 12: Unit 7 Learning Objectives

L1 #2
3. You should see a web page that looks something like this; click the Security link
4. Then click the Use the Security Setup Wizard link, which will set up security and walk you through the creation of a user and access rules

Page 13: Unit 7 Learning Objectives

L1 #3
4. Read the Welcome message and press Next
5. Select From the Internet for the Access Method (that means forms authentication) and press Next

Page 14: Unit 7 Learning Objectives

L1 #4
6. Wizard Step 3 has nothing for us to do so press Next
7. Wizard Step 4 allows us to use roles. Click the Enable roles check box and then press Next

Page 15: Unit 7 Learning Objectives

L1 #5
8. In the next screen, type Admin in the New Role Name text box and press Add Role
9. Once the role is created you have the option of adding another role, deleting an existing role or moving to the next step. Press Next

Page 16: Unit 7 Learning Objectives

L1 #6
10. In Wizard Step 5 you create one or more users. Enter MIS3200 for the user name, testing! for the password, and your email address, and click Create User
11. After the MIS3200 user is created click Continue and add a user with your last name and any password you would like. Then press Next

Be sure you enter the username and password exactly as listed or we won’t be able to grade your work!!


Page 17: Unit 7 Learning Objectives

L1 #6
12. Wizard Step 6 allows you to create Access Rules and apply them to different folders

Look at the bottom of the screen. This shows the default access rule for the selected folder (ASPPub). This rule allows all users to access the folder.


Page 18: Unit 7 Learning Objectives

L1 #7
13. To create a new rule
– Select the folder the rule applies to (ASPPub)
– Select who the rule applies to (Anonymous)
– Select which permission you want (Deny)
– Finally, press Add This Rule

The diagram shows a rule to deny anonymous users access to the ASPPub folder. The top of the diagram shows you how to set it up and the bottom shows the finished rule.

This rule will prevent any unauthenticated (i.e. anonymous) user from getting to any page, image or other resource in your ASPPub folder


Page 19: Unit 7 Learning Objectives

L1 #8
14. We will just have one access rule for now so press Next
15. Basic security setup is now complete so press Finish
16. You should now see a screen you saw before but this time listing users and roles.
17. You can edit users, roles and access rules from here

Page 20: Unit 7 Learning Objectives

L1 #9
18. Close the Web Site Administration Tool
19. Click the Run button to run your MIS portfolio page
20. What happened? Did you get something like this?

Page 21: Unit 7 Learning Objectives

L1 #10

• Your access rule prohibits you, and everyone else, from using any page in ASPPub so your default.aspx didn’t load

• But something did load? What page is it? Check the URL

• The one standard exception to the “you can’t use anything” rule is a special page called login.aspx that was created as a part of default settings. It contains a Login control.

• This serves as the page that any unauthorized access is redirected to

Page 22: Unit 7 Learning Objectives

L1 #11
21. Go back to your login page and enter your user name and password (MIS3200 and testing!)
22. You should see your normal default.aspx page
23. Close the page and return to VWD
24. Open up your web.config file
– Security settings are stored here so DO NOT delete it!
– Some of the important settings are:

Access rules

Authentication mode and location of the login page

Next: Opening access in closed areas

Page 23: Unit 7 Learning Objectives

L1 #12
25. Close web.config
26. Open Login.aspx in the Account folder. It should look like this

Page 24: Unit 7 Learning Objectives

L1 #13
• Compare the page shown on slide L1 #12 with that on L1 #9. Are they the same page?
• If they are, why do they look so different?
• They are the same page, so what happened?
• The page you see on L1 #12 is formatted with style sheets
• The page on L1 #9 is the same page so it is formatted with the same style sheets, but what happened?

Page 25: Unit 7 Learning Objectives

L1 #14: Opening specific folders
• When you deny anonymous users access to a folder you deny them access to everything in the folder, including style sheets, images, documents and web pages
• Let’s fix this problem
27. Right click on the Styles folder
28. Select Add New Item…
29. Select Web Configuration File

It is okay to have more than one web.config file as long as they are organized

Page 26: Unit 7 Learning Objectives

L1 #15
30. Open the web.config file in the Styles folder; it should look like this
31. Starting on line 4, enter an authorization section

This says to allow all users access to these folders. If a web site has more than one set of access control rules it uses the rules closest to the page. So in this case, the web.config in the Styles folder controls access to it.

Page 27: Unit 7 Learning Objectives

L1 #16
32. Save the web.config file
33. Repeat the process and create another web.config file in the Images folder
34. After you save your work, try running web.config again. You should get something like this…

Page 28: Unit 7 Learning Objectives

L1 #17
35. Before you log in, notice two things on this page

1. Look at the upper right-hand portion of the page, you should see: That is actually a special .NET control called LoginStatus. LoginStatus provides an anonymous user with a link for logging in and an authenticated user with a link for logging out (see next page)

2. Look at the page URL
– Does the circled portion look familiar?
– It is a QueryString that tells the login page where to redirect you after you login. The destination depends on what page you tried to access at the time you were redirected to the login page

36. Login using MIS3200 and testing!

Note: Steps 37 through 44 are informational only and do not require any changes to your L1. However, you will do these steps, take screenshots and submit them, as a part of the L1.

Page 29: Unit 7 Learning Objectives

L1 #18
37. Look at the top right side of the page again
a) This is the LoginStatus control again. Notice that it has a different appearance now that we are logged in
b) This is another control called LoginName; this simply displays the current user’s login name.

38. Notice that the message on the previous page didn’t include the Welcome
a) Both messages are contained in a control called LoginView
b) LoginView allows you to display one thing to an anonymous user and something different to an authenticated user
c) It is even possible to display different content based on roles assigned to the user

Welcome MIS3200! [Log Out ]

Page 30: Unit 7 Learning Objectives

L1 #19
39. Close the page and open your master file, Site.master, in design view
40. Look at the top right of the page
a) You should see the LoginStatus control and a LoginView called HeadLoginView
41. Click on HeadLoginView and click its button to open the smart menu. Notice that you are currently looking at the AnonymousTemplate
42. Right-click on Log_In and look at the properties
a) Notice that this is a LoginStatus control named HeadLoginStatus
b) Also notice the HRef property that says where to find the login page

Page 31: Unit 7 Learning Objectives

L1 #20
43. Click the menu button next to AnonymousTemplate and select the LoggedInTemplate
44. You should now see the LoggedInTemplate with both a LoginStatus and LoginName control

– You can change anything you want in either template. The templates will expand to contain whatever you need.

– You can create new templates and associate them with roles by clicking the EditRoleGroups link

– You can go directly to the Web Site Configuration Tool (slide L1 #2) by clicking AdministerWebsite

Page 32: Unit 7 Learning Objectives

L1 #21 – What to turn in

45. Open your U6L3 page and click the Run button in Web Developer, you should be prompted with the login screen – capture this screenshot which shows the URL and the login prompt (the entire page)

46. Using the username and password we created (MIS3200 and testing!), login - capture the screenshot that shows your U6L3 was allowed to run after successfully logging in (the entire page again)

47. Submit both of these screenshots by attaching them to the Unit 7 L1 dropbox

Page 33: Unit 7 Learning Objectives

ASP.NET Login controls
• You have already seen five ASP.NET Login controls
– CreateUserWizard – used by the Web Site Configuration Tool
– Login – used on Login.aspx
– LoginName – used in Site.master
– LoginStatus – used in Site.master
– LoginView – used in Site.master
• There are only two other controls
– ChangePassword – allows a user to change a password after answering a question
– PasswordRecovery – changes the user’s password and sends the new one to the user via email

Login controls found in the Toolbox

PasswordRecovery requires access to a mail server, which we don’t have in the labs

Page 34: Unit 7 Learning Objectives

L2
1. Open ASPPub
2. Open ASP.NET Configuration (L1 slide #5)
3. Click Security
4. Click Manage Users
5. Select your MIS3200 user and click Edit roles
6. Click the check box next to the Admin role (this puts the MIS3200 user into the Admin role)
7. Close the Web Site Administration Tool
8. Open Web.config in the Account folder
9. Examine lines 4-10
10. Change <allow users="*" /> on line 7 to <allow roles="Admin" />
11. Change <deny users="?" /> on line 13 to <deny users="*" />
12. Save the changes

Page 35: Unit 7 Learning Objectives

L2 #2
13. Add the following, starting on line 11, to allow anonymous users access to Login.aspx
14. Run your default.aspx (directly under ASPPub)
15. Login as MIS3200
16. Try to go to ASPPub/Account/Register.aspx (in the URL bar, change ASPPub/Default.aspx to ASPPub/Account/Register.aspx)
17. You should be on the Create a New Account page
18. Now click Log_Out and then log in with your other user name which did not have the Admin role (your last name)

Why do we have to do this?
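As an added example (not part of the original slides), here are the three web.config files as the L1 and L2 steps leave them: the root file with the wizard's deny-anonymous rule, the Styles folder file from L1 #15, and the Account folder file after L2 steps 10 through 13. The exact layout of the Account file, with Register.aspx in its own location block, is assumed from the VWD site template; the attribute values are the ones the slides name.

```xml
<!-- ASPPub/web.config (root): forms authentication plus the deny-anonymous rule
     the wizard created in L1 #7. Requests not matched by a nearer file fall back to this. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />    <!-- "?" means anonymous (unauthenticated) users -->
    </authorization>
  </system.web>
</configuration>

<!-- ASPPub/Styles/web.config (L1 #15): the file closest to the resource wins,
     so this reopens the style sheets that the root rule had locked away. -->
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />   <!-- "*" means everyone, anonymous or authenticated -->
    </authorization>
  </system.web>
</configuration>

<!-- ASPPub/Account/web.config after L2 steps 10 to 13 (assumed layout: the VWD
     template puts Register.aspx in its own location block). -->
<configuration>
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />   <!-- was <allow users="*" />: anyone could register -->
        <!-- no deny needed here: rules are checked top-down and the first match wins,
             so non-admins fall through to the folder-wide deny below -->
      </authorization>
    </system.web>
  </location>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />       <!-- L2 step 13: the login page itself must stay reachable -->
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="*" />          <!-- was <deny users="?" />: only anonymous users were denied -->
    </authorization>
  </system.web>
</configuration>
```

With `<deny users="*" />` in place, a logged-in user without the Admin role is sent back to Login.aspx when requesting Register.aspx, which is what step 19 on the next slide is meant to show.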

Page 36: Unit 7 Learning Objectives

L2 #3
19. Try to go to ASPPub/Account/Register.aspx again
20. What happens? Why?

• At the present time everyone will have to login to see any of your ASPPub portfolio – not a very useful portfolio, so let’s allow everyone into ASPPub but restrict access to the MIS3200 folder

Page 37: Unit 7 Learning Objectives

L2 #4
21. Open the Web Site Administration Tool
22. Select Security
23. Select Manage access rules
24. Delete the Deny anonymous rule
25. Select the MIS3200 folder
26. Click Add new access rule
27. Create a rule to deny anonymous users
28. Click Done and close the page
29. You should now have a new Web.config in your MIS3200 folder (you may have to click Refresh to see it)

Page 38: Unit 7 Learning Objectives

L2 #5
• Now try to run your default.aspx page (i.e. your main MIS Portfolio page)
• Can you get in?
– Capture the screenshot that shows your portfolio page was allowed to run
• If so, what happens when you click the MIS3200 link? (do not login)
– Capture this screenshot which shows the URL and the login prompt
• What happens when you try to go to Register.aspx?
– Capture this screenshot which shows the URL and error message

Page 39: Unit 7 Learning Objectives

L2 #6 – What to turn in
29. Submit all three screenshots requested by the previous slide by attaching them to the Unit 7 L2 dropbox

Page 40: Unit 7 Learning Objectives

Problems?
You may run into various problems when working with the security wizard. After making the users, if your pages no longer run and you see the word “login” in the URL without the “.aspx” following it, you likely clicked on something wrong in the L1, which added the following to your web.config file:

If you see these lines, delete them to correct the issue.