module – deploying your site

Company Confidential 1 Module – Deploying Your Site

Upload: jolie

Post on 15-Jan-2016


DESCRIPTION

Module – Deploying Your Site. Objectives: Web Application Security Overview; Working with Windows Based Authentication and Securing Web site using Windows Based Authentication; Working with Forms Based Authentication and Securing Web site using Forms Based Authentication.

TRANSCRIPT

Page 1: Module – Deploying Your Site


Module – Deploying Your Site

Page 2: Module – Deploying Your Site

Objectives

• Web Application Security Overview

• Working with Windows Based Authentication and Securing Web site using Windows Based Authentication

• Working with Forms Based Authentication and Securing Web site using Forms Based Authentication

• Overview of MS Passport Authentication

• Securing a MS ASP.NET Web Application

• Configuring an ASP.NET Web Application

• Deploying an ASP.NET Web Application

Page 3: Module – Deploying Your Site

Objectives (Cont…)

• Configuring, Optimizing and Deploying a MS ASP.NET Application

• Registering New Users

• Permitting Users to Sign Out

Page 4: Module – Deploying Your Site

Web Application Security Overview

• Website Security –

– Preventing unauthorized users from accessing a portion of the website, web store or web-front database.

– This has become an important aspect of e-commerce websites, where customers’ confidential data, such as personal information and credit card information stored in the database, needs to be thoroughly secured.

– The security features of ASP.NET address the above, along with many other related security issues.

Page 5: Module – Deploying Your Site

Web Application Security Overview (Cont…)

• Microsoft’s ASP.NET addresses these web security issues in combination with its Web server layer.

• That layer is Microsoft Internet Information Server (MS IIS), where the user’s identification, viz. names and passwords, can be authenticated using:

– Windows Based Authentication

– Forms Based Authentication

– Microsoft Passport Authentication

Let’s understand the scenario with the terms Authentication and Authorization.

Page 6: Module – Deploying Your Site

Web Application Security Overview (Cont…)

Authentication versus Authorization

• The terms Authentication and Authorization seem to be synonyms to many people; however, they aren’t the same.

• The process of Authentication identifies the users of the system.

• Authorization defines the level of access the authenticated user has to the system and its resources.

Note: In many host-based systems and client/server systems, both the Authentication and Authorization processes are performed by the same physical hardware and, in some cases, the same software.

Page 7: Module – Deploying Your Site

Working with Windows Based Authentication

• ASP.NET uses Windows authentication in combination with the authentication of its Web server layer, Microsoft Internet Information Services (IIS).

• IIS can perform this process in one of the following ways:

– Basic

– Digest

– Integrated Windows Authentication (default mechanism)

• Once the above process is complete, ASP.NET uses the authenticated identity to authorize access.

Page 8: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• To enable an authentication provider for an ASP.NET application, we need to create an entry in the application’s ‘web.config’ configuration file as follows:

– <authentication mode="Windows"/>
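The authentication entry only identifies the caller; access is restricted by a separate authorization section. The web.config below is an added example, not part of the original slides, showing both together for an intranet site. The group CONTOSO\WebAdmins and the Admin folder are hypothetical names.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Authentication: IIS establishes the Windows identity and
         ASP.NET consumes it. -->
    <authentication mode="Windows" />

    <!-- Page code runs as the application identity, not as the caller. -->
    <identity impersonate="false" />

    <!-- Authorization: "?" is the anonymous user, "*" is everyone.
         Rules are evaluated top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Stricter rule for one folder (hypothetical path "Admin").
       The rule inherited from machine.config is allow users="*",
       so an allow without the trailing deny would restrict nothing. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```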

Page 9: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

Page 10: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• On the Website menu, select ASP.NET Configuration

Page 11: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• You will see the following screen

Page 12: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Click on the Security tab to create Users (for authentication) and Roles (to authorize an authenticated user)

Page 13: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Select the ‘From Internet’ option if the application is hosted on the Internet and serves users from the Internet, or select ‘From a local network’ if the application is hosted on an intranet.

Page 14: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• The number of users is ‘0’ initially; this is highlighted for your reference

Page 15: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• To create a role, you need to enable the option

Page 16: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• The number of existing roles is ‘0’ initially; this is highlighted for your reference

Page 17: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool)

• Registering New Users – using ASP.NET Website Administration Tool

Page 18: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) (Cont…)

• Registering New Users – using ASP.NET Website Administration Tool (Cont…)

• User created Successfully

Page 19: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Existing user is 1, highlighted for your reference

Page 20: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Creation of new role that can be managed later

Page 21: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Creating a New Role called ‘Power User’

Page 22: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Power User created that can be managed later using the manage link

Page 23: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Role is changed to 1 as a new role is defined and highlighted for your reference

Page 24: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Users can be managed

Page 25: Module – Deploying Your Site

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Initially all the users are arranged alphabetically, and the selection can be narrowed down as the list of users grows

Page 26: Module – Deploying Your Site

Working with Windows Based Authentication

• Adding a new item (Web form) in the solution explorer

Page 27: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• A new web form called login.aspx is about to get created

Page 28: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• A new web form called login.aspx is created and from the Login palette on the toolbox of the IDE, a login control is dragged and dropped on the web form (login.aspx)

Page 29: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Highlight the login control and click on the small arrow to open a dialog box, as shown below, to format the control for a neat look and feel

Page 30: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Formatted login control on the login.aspx web form

Page 31: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘login view’

• On the default.aspx page, pull a login view control and place it

Page 32: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘login view’(Cont…)

• On the default.aspx page, pull a login view control and place it

• The login view control has the ability to show an anonymous user and a user who is already logged on

Page 33: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘login view’(Cont…)

• On the default.aspx page, pull a login view control and place it (Cont…)

• The login status control is a toggle control that toggles between login and log out (sign out)

Page 34: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘user name’

• On the default.aspx page, pull a user name control and place it

• The username control has the ability to show a user who is already logged on

Page 35: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Running the application by hitting the F5 function key

Page 36: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• About to get to run mode and display the web form

Page 37: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Run mode of login.aspx

Page 38: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• Administrator is authenticated and the corresponding controls behave as per norms

Page 39: Module – Deploying Your Site

Working with Windows Based Authentication (Cont…)

• User ‘Administrator’ is NOT authenticated, as a wrong password was supplied to test the application

Page 40: Module – Deploying Your Site

Working with Forms Based Authentication

• In Forms Based Authentication:

– Unauthenticated requests are redirected to an HTML form using client-side redirection.

– If the user’s identity is authenticated, the process issues an authentication ticket in a cookie that contains the credentials or a key to re-acquire the identity.

– All subsequent requests are issued with the cookie in the request headers, and are authenticated and authorized by an ASP.NET handler.
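Because the ticket cookie is what identifies the user on every later request, its protection settings matter more than the login form itself. The web.config below is an added example, not part of the original slides, with a weak forms entry shown in a comment beside a hardened one. The page names login.aspx, default.aspx, createuser.aspx and ForgotPassword.aspx are the ones this module uses, and the timeout value is an assumption.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Weak variant, for comparison only:
           <forms loginUrl="login.aspx" protection="None"
                  requireSSL="false" cookieless="UseUri" timeout="43200" />
           protection="None" leaves the ticket unsigned and unencrypted,
           cookieless="UseUri" puts the ticket in the URL (logs, Referer),
           and a 43200-minute timeout keeps a stolen ticket valid for 30 days. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             defaultUrl="default.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false"
             enableCrossAppRedirects="false"
             path="/" />
    </authentication>

    <!-- Every unauthenticated request is redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Marks the application's cookies HttpOnly and Secure. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Registration and password recovery must stay reachable without a ticket. -->
  <location path="createuser.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="ForgotPassword.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>
```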

Page 41: Module – Deploying Your Site

Registering a new user using Forms Based Authentication

• Create a new webform in the solution explorer and name it ‘createuser.aspx’

Page 42: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• A control called createnewuserwizard is pulled from the login control palette and placed on the webform called createuser.aspx

Page 43: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Adding a hyperlink control on the login window

Page 44: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Run mode of login.aspx to use the createnewuserwizard control

Page 45: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Run mode of createuser.aspx to use the createnewuserwizard control for signing up a new user

Page 46: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Corresponding entries are made

Page 47: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• New user called New Horizons is added successfully using Forms Based Authentication

Page 48: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Users changed to 2

Page 49: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• You can see a user called New Horizons when you click the manage link

Page 50: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Click on the hyperlink alphabet to narrow down the search criteria

Page 51: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Anonymous user logged in

Page 52: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Trying to see if we can use this control, wrong password entered

Page 53: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Login failed for the user New Horizons

Page 54: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• New Horizons user authenticated

Page 55: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• User New Horizons logged out

Page 56: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication

• Create a ForgotPassword.aspx page in solution explorer

Page 57: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication

• Pull a PasswordRecovery control to the form ForgotPassword.aspx

Page 58: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Create a hyperlink called Forgot Password that can be linked to this ForgotPassword.aspx page

Page 59: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Design mode of login.aspx page to test the Forgot Password link

Page 60: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Run mode of login.aspx page to test the Forgot Password link

Page 61: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Wrong password entered

Page 62: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Wrong password entered and failed status

Page 63: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Entering correct password

Page 64: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity

Page 65: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Input wrong entry

Page 66: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Invalid answer

Page 67: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Input Correct entry

• This will lead to the ‘Password sent’ page, the password being sent to the email address given at the time of registration

Page 68: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Input Correct entry (Cont…)

• This will lead to the ‘Password sent’ page, the password being sent to the email address given at the time of registration

• Note: For this, the FROM property must be filled in and SMTP email must be configured; if either of these is missing, it will go to a failure page as follows:

Page 69: Module – Deploying Your Site

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Input Correct entry (Cont…)
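The password recovery flow above depends on two configuration sections: the membership provider, which decides whether the control mails the existing password or a newly generated one, and the SMTP settings. The web.config below is an added example, not part of the original slides. The provider name SiteMembership, the mail host and sender address, and the numeric limits are assumptions, and enableSsl on the network element assumes .NET 4 or later.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership defaultProvider="SiteMembership">
      <providers>
        <clear />
        <!-- Weak variant, for comparison only: passwordFormat="Clear" (or
             "Encrypted") with enablePasswordRetrieval="true" makes password
             recovery e-mail the user's existing password, which means the
             user store holds recoverable passwords. -->
        <!-- Hardened: passwords are stored hashed, so recovery resets the
             password after the security answer is verified.
             maxInvalidPasswordAttempts also counts wrong security answers. -->
        <add name="SiteMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>

  <!-- Sender address and SMTP relay used for the recovery e-mail
       (placeholder host and address). -->
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network" from="noreply@example.com">
        <network host="smtp.example.com" port="587" enableSsl="true" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```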

Page 70: Module – Deploying Your Site

Overview of Microsoft Passport Authentication

• Passport authentication is a centralized authentication service provided by Microsoft that offers a single sign-on* and core profile services for member sites.

• Microsoft .NET Passport provides:

– a basic form with a graphical user interface (GUI) for sign-up and login,

– a database of user information,

– authentication logic at the Web server,

– log-out functionality wrapped inside an easy-to-use programmatic interface.

Page 71: Module – Deploying Your Site

Overview of Microsoft Passport Authentication (Cont…)

• The Passport architecture is simple: a single .NET Passport class named System.Web.Security.PassportIdentity wraps all authentication functionality.

• A Passport-enabled Web application developer need only instantiate the PassportIdentity class and use its methods to perform the complete authentication process.

Page 72: Module – Deploying Your Site

Overview of Microsoft Passport Authentication (Cont…)

• * Single Sign-on: Single sign-on is yet another good feature from Microsoft. The corporation hosts its Passport service on its own servers and allows an integrated single sign-on identity for all Passport-enabled accounts, viz. Hotmail and MSN.

• This means users with Passport-enabled accounts need to remember only one login and password pair to access all partner sites.

Page 73: Module – Deploying Your Site

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-in using the form based login

Page 74: Module – Deploying Your Site

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-out

Page 75: Module – Deploying Your Site

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-in using the Login hyperlink

Page 76: Module – Deploying Your Site

Thank You
