Date post: | 14-Apr-2018 |
Upload: | prerana-tokas |
7/30/2019 ASP.net Session 17
Slide 1 of 25Ver. 1.0
Developing Web Applications Using ASP.NET
In this session, you will learn to:
Implement accessibility
Identify the ASP.NET security process
Configure an ASP.NET Web application for security
Objectives
Accessibility:
Refers to the degree of ease with which an application can be
used by a variety of people.
Helps people having disabilities to work with the application easily.
Enables users to interact with the application more efficiently.
ASP.NET provides some guidelines that you should consider
while designing your Web application to achieve high
accessibility.
Implementing Accessibility
The features of a Web application that are used frequently
should have a high degree of accessibility.
Therefore, a developer should strictly follow the accessibility
guidelines while designing this feature.
The principles that should be followed while implementing
accessibility support in an application are:
Flexible user interface
Flexible input and output features
Simple and Intuitive
Fundamentals of Designing an Accessible Application
Some guidelines for implementing accessibility in an
application are:
Standardize font styles
Support keyboard navigation
Standardize the use of images
Standardize the use of tables
Minimize the use of style sheets
Use controls properly
Accessibility Design Guidelines for the Web
The ASP.NET security model:
Allows you to implement security in your Web applications.
Provides restricted levels of access to secure website
information from unauthorized access.
Helps in maintaining data integrity and confidentiality.
Introducing the ASP.NET Security Model
The following figure displays the architecture of the
ASP.NET security model.
Introducing the ASP.NET Security Model (Contd.)
[Figure: architecture of the ASP.NET security model. Labels: Web Clients, ASP.NET Applications, .NET Framework, Windows Operating System, IIS]
The working of the ASP.NET security model is described in
the following steps:
1. Internet Information Services (IIS) receives a request from a
Web client.
2. IIS attempts to authenticate the user.
3. If ASP.NET authenticates the user, it allows requests to the
specified Web page.
4. When the ASP.NET code requests resources, the operating
system performs its own security checks to verify that the
authenticated user is allowed access to the specified file and
directory.
5. If access is granted, the requested resource is returned
through IIS.
Introducing the ASP.NET Security Model (Contd.)
IIS authenticates the user who has requested the
application by using a specific type of authentication.
The type of authentication depends on how the security for
Web applications is configured on IIS.
You need to configure security on IIS to authenticate users
before they are permitted access to a Web application.
IIS provides the following types of authentication to control
access to your Web application:
Anonymous
Basic
Digest
Integrated Windows
Configuring IIS for Implementing Security
ASP.NET uses its own security mechanism to authenticate
users.
To use the ASP.NET security mechanism, you need
to configure the security settings in the web.config file of the
Web application.
These security settings include configuring authentication,
authorization, and impersonation for accessing resources in
your application.
Configuring an ASP.NET Application for Security
Authentication is the process of validating the identity of a
user before granting access to a restricted resource.
Authentication in a Web application can be configured by
using the <authentication> element in the web.config
file.
The <authentication> element specifies the
authentication type that is used by an application to
authenticate the user.
The authentication type can be specified by using the mode
attribute of the <authentication> element.
Configuring Authentication
The mode attribute can have the following values:
Windows: This mode specifies that the authentication is
performed by IIS by using basic, digest, or Integrated
Windows authentication.
Forms: This mode specifies that the user will be authenticated
by using the forms-based authentication method.
Passport: This mode specifies that the user will be
authenticated by using the Microsoft Passport authentication
method.
None: This mode specifies that no authentication mechanism
is set and that any anonymous user can access the Web
application.
Configuring Authentication (Contd.)
Implementing Windows authentication:
To configure an ASP.NET Web application for Windows
authentication, you need to change the mode attribute of
the <authentication> element to Windows, as shown in the
following example:
Configuring Authentication (Contd.)
Implementing Forms authentication:
To configure an ASP.NET Web application for Forms
authentication, you first need to change the mode attribute of
the <authentication> element to Forms, as shown in the
following code snippet:
If a user tries to access a restricted page without first logging
in, the user should be redirected to the login page.
You are required to specify the settings by using the <forms>
element in the web.config file to redirect anonymous users to
the login page.
Configuring Authentication (Contd.)
The <forms> element has the following four attributes:
name
loginUrl
protection
timeout
path
Configuring Authentication (Contd.)
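A web.config sketch for the Forms settings described above, as an added example that is not part of the original slides. It goes beyond the listed attributes by also setting requireSSL and slidingExpiration; the cookie name, Login.aspx and the user entry are assumptions, and the password value is a placeholder.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. MusicManiaAuth, Login.aspx
     and the user entry are constructed for illustration. -->
<configuration>
  <system.web>
    <!-- Weak variant, shown for contrast only:
         <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="None" timeout="525600" />
         protection="None" leaves the ticket neither encrypted nor validated,
         and a one-year timeout keeps a stolen cookie usable for a year. -->
    <authentication mode="Forms">
      <!-- name:       cookie that carries the authentication ticket
           loginUrl:   page that unauthenticated requests are redirected to
           protection: All = ticket is both encrypted and validated
           timeout:    ticket lifetime in minutes
           path:       cookie path
           requireSSL: cookie is only sent over HTTPS
           slidingExpiration: the lifetime is renewed while the user is active -->
      <forms name="MusicManiaAuth"
             loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             path="/"
             requireSSL="true"
             slidingExpiration="true">
        <!-- Users stored in web.config, as in the classroom activity.
             passwordFormat accepts Clear, MD5 or SHA1; Clear keeps the
             password readable by anyone who can read this file. -->
        <credentials passwordFormat="SHA1">
          <user name="constructed_user" password="PLACEHOLDER_SHA1_HEX_OF_PASSWORD" />
        </credentials>
      </forms>
    </authentication>
    <!-- "?" means anonymous users: denying them triggers the redirect
         to loginUrl for every page in the application. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Unsalted SHA1 and MD5 hashes are weak by current standards, so the credentials section suits a demo; the Membership API listed on the next slide keeps users out of the configuration file.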
After configuring the Web application for forms
authentication, you are required to add users to the
ASP.NET membership management service by using the
following methods:
Using the <credentials> element in the web.config file
Using the Membership API
Using the CreateUserWizard Server Control provided by
ASP.NET
Using the ASP.NET Website Administration Tool (WAT)
Configuring Authentication (Contd.)
Let us see how to create users by using the
CreateUserWizard Server control
Let us see how to create users by using the Web Site
Administrator Tool
Authorization is the process of verifying whether an
authenticated user has the privilege to access a requested
resource.
You need to grant different permissions to different users to
provide accessibility to the Web pages in your website.
In ASP.NET, you can provide authorization by using the role
management service, which enables you to:
1. Create roles.
2. Assign users to each role.
3. Restrict user access based on roles.
Configuring Authorization
To use role-based authorization in your Web application,
you need to enable it by using the <roleManager>
element in the web.config file, as shown in the following
example:
...
...
Configuring Authorization (Contd.)
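An added web.config example, not taken from the original slides, that enables the role management service and restricts one folder to a role. The Admin folder name is an assumption; the Administrator role is one of the role names the slides suggest creating.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. The Admin folder is
     a constructed name. -->
<configuration>
  <system.web>
    <!-- enabled="true" switches the role management service on.
         cacheRolesInCookie stores the user's role names in a cookie so
         they are not looked up on every request; cookieProtection="All"
         encrypts and validates that cookie so a client cannot edit its
         own roles, and cookieRequireSSL keeps it off plain HTTP. -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieProtection="All"
                 cookieRequireSSL="true"
                 cookieTimeout="20" />
  </system.web>

  <!-- Rules are evaluated top to bottom and the first match wins, so the
       allow rule must come before the catch-all deny. Reversing the two
       lines would lock administrators out as well. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When a user's role membership changes, the cached role cookie can still carry the old roles until it expires or is deleted, which is why a short cookieTimeout is used here.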
After you have enabled the role management service, you
need to create roles, such as Users, Administrator, and
Guest.
ASP.NET provides you with the Roles class to help you
create roles.
The various methods of the Roles class are explained in
the following table.
Configuring Authorization (Contd.)
| Method | Description |
|---|---|
| CreateRole | Adds a new role to the data source. |
| DeleteCookie | Deletes the cookie where role names are cached. |
| DeleteRole | Removes a role from the data source. |
| FindUsersInRole | Gets a list of users in a specified role where the user name contains the specified user name to match. |
| GetRolesForUser | Gets a list of the roles that a user is in. |
Let us see how to create roles and assign users to roles
by using Web Site Administrator tool
Impersonation is the process of executing code under the
authenticated user identity and not under the ASPNET
account.
Impersonation involves the following steps:
1. When a request from a remote client is received, IIS carries
out authentication. If the client is authenticated, it passes the
request to the ASP.NET application.
2. The application impersonates the client and uses the
authentication given by IIS to access the restricted resources.
3. If authorized to access resources, the ASP.NET application
returns the requested resources to the client through IIS.
Configuring Impersonation (Contd.)
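The impersonation steps above and the earlier Windows authentication slide, combined into one web.config as an added example that is not part of the original slides. It assumes IIS is configured for Basic, Digest or Integrated Windows authentication.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. -->
<configuration>
  <system.web>
    <!-- IIS performs the authentication; ASP.NET accepts the identity
         that IIS hands over. -->
    <authentication mode="Windows" />

    <!-- Reject requests that IIS let through anonymously. Without this
         rule, an IIS site that also allows anonymous access would have
         its pages run under the anonymous account. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- With impersonate="true" and no userName or password attributes,
         request code runs under the identity IIS authenticated instead
         of the ASP.NET process account. The operating system's file and
         directory permission checks then apply to that user. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

With this configuration, file and directory permissions must be granted to the individual users or their groups, since access is no longer checked against the process account alone.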
Problem Statement:
You need to create a login page for the users of the MusicMania
website. This login page should use Forms authentication. The
login page should display two text boxes for entering the
username and password, respectively. To log on, the users are
required to enter the username and password in the respective
text boxes and click the Login button. The user credentials
should be verified with the entries made in the web.config file.
Once the user is authenticated, he/she should be redirected to
the Welcome page that displays a welcome message to the
user. However, if the user fails authentication, a message
should be displayed to the user on the login page indicating that
the authentication process has failed.
Activity 12.1: Implementing Forms Authentication
Solution:
To implement Forms authentication in the website, you need
to perform the following steps:
1. Add a new Web page.
2. Design the new Web page.
3. Modify the Home page.
4. Verify the application.
Activity 12.1: Implementing Forms Authentication (Contd.)
In this session, you learned that:
The ASP.NET security model provides restricted levels of
access to secure website information from unauthorized
access.
IIS provides the following different types of authentication to
control access to your Web application:
Anonymous
Basic
Digest
Integrated Windows
Authentication is the process of validating the identity of a user
before granting access to a restricted resource.
Authentication in a Web application can be configured by using
the <authentication> element in the web.config file.
Summary
The <authentication> element specifies the authentication
type that is used by an application to authenticate the user.
The authentication type can be specified by using the mode
attribute of the <authentication> element.
The mode attribute can have the following values:
Windows
Forms
Passport
None
Authorization is the process of verifying whether an
authenticated user has the privilege to access a requested
resource.
Impersonation is the process of executing code under the
authenticated user identity and not under the ASPNET
account.
Summary (Contd.)