
ASP.net Session 17

Date post: 14-Apr-2018
Upload: prerana-tokas
  • 7/30/2019 ASP.net Session 17

    1/25

    Slide 1 of 25Ver. 1.0

    Developing Web Applications Using ASP.NET

    Objectives

    In this session, you will learn to:

      Implement accessibility

      Identify the ASP.NET security process

      Configure an ASP.NET Web application for security

  • Implementing Accessibility

    Accessibility:

      Refers to the degree of ease with which an application can be used by a variety of people.

      Helps people with disabilities to work with the application easily.

      Enables users to interact with the application more efficiently.

    ASP.NET provides some guidelines that you should consider while designing your Web application to achieve high accessibility.

  • Fundamentals of Designing an Accessible Application

    The features of a Web application that are used frequently should have a high degree of accessibility.

    Therefore, a developer should strictly follow the accessibility guidelines while designing these features.

    The principles that should be followed while implementing accessibility support in an application are:

      Flexible user interface

      Flexible input and output features

      Simple and intuitive

  • Accessibility Design Guidelines for the Web

    Some guidelines for implementing accessibility in an application are:

      Standardize font styles

      Support keyboard navigation

      Standardize the use of images

      Standardize the use of tables

      Minimize the use of style sheets

      Use controls properly


  • Introducing the ASP.NET Security Model

    The ASP.NET security model:

      Allows you to implement security in your Web applications.

      Provides restricted levels of access to secure website information from unauthorized access.

      Helps in maintaining data integrity and confidentiality.

  • Introducing the ASP.NET Security Model (Contd.)

    The following figure displays the architecture of the ASP.NET security model.

    [Figure: architecture of the ASP.NET security model. Labels: Web Clients, ASP.NET Applications, .NET Framework, Windows Operating System, IIS]

  • Introducing the ASP.NET Security Model (Contd.)

    The working of the ASP.NET security model is described in the following steps:

      1. Internet Information Services (IIS) receives a request from a Web client.

      2. IIS attempts to authenticate the user.

      3. If ASP.NET authenticates the user, it allows requests to the specified Web page.

      4. When the ASP.NET code requests resources, the operating system performs its own security checks to verify that the authenticated user is allowed access to the specified file and directory.

      5. If access is granted, the requested resource is returned through IIS.

  • Configuring IIS for Implementing Security

    IIS authenticates the user who has requested the application by using a specific type of authentication.

    The type of authentication depends on how the security for Web applications is configured on IIS.

    You need to configure security on IIS to authenticate users before they are permitted access to a Web application.

    IIS provides the following types of authentication to control access to your Web application:

      Anonymous

      Basic

      Digest

      Integrated Windows

  • Configuring an ASP.NET Application for Security

    ASP.NET uses its own security mechanism to authenticate users.

    To be able to use the ASP.NET security mechanism, you need to configure the security settings in the web.config file of the Web application.

    These security settings include configuring authentication, authorization, and impersonation for accessing resources in your application.

  • Configuring Authentication

    Authentication is the process of validating the identity of a user before granting access to a restricted resource.

    Authentication in a Web application can be configured by using the <authentication> element in the web.config file.

    The <authentication> element specifies the authentication type that is used by an application to authenticate the user.

    The authentication type can be specified by using the mode attribute of the <authentication> element.

  • Configuring Authentication (Contd.)

    The mode attribute can have the following values:

      Windows: This mode specifies that the authentication is performed by IIS by using basic, digest, or Integrated Windows authentication.

      Forms: This mode specifies that the user will be authenticated by using the form-based authentication method.

      Passport: This mode specifies that the user will be authenticated by using the Microsoft Passport authentication method.

      None: This mode specifies that no authentication mechanism is set and that any anonymous user can access the Web application.

  • Configuring Authentication (Contd.)

    Implementing Windows authentication:

      To configure an ASP.NET Web application for Windows authentication, you need to change the mode attribute of the <authentication> element to Windows, as shown in the following example:

  • Configuring Authentication (Contd.)

    Implementing Forms authentication:

      To configure an ASP.NET Web application for Forms authentication, you first need to change the mode attribute of the <authentication> element to Forms, as shown in the following code snippet:

      If a user tries to access a restricted page without first logging in, the user should be redirected to the login page.

      You are required to specify the settings by using the <forms> element in the web.config file to redirect anonymous users to the login page.

  • Configuring Authentication (Contd.)

    The <forms> element has the following four attributes:

      name

      loginUrl

      protection

      timeout

      path
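A web.config fragment that uses the mode attribute and the <forms> attributes listed above, as an added example that is not part of the original slides. The cookie name, Login.aspx, the timeout value, and the requireSSL and slidingExpiration settings are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. File names and values are assumed. -->
<configuration>
  <system.web>
    <!-- mode selects the authentication type: Windows, Forms, Passport or None.
         For Windows authentication the section reduces to
         <authentication mode="Windows" /> and IIS performs the check. -->
    <authentication mode="Forms">
      <!-- name:       name of the authentication cookie (assumed value)
           loginUrl:   page that anonymous users are redirected to (assumed page)
           protection: All = the ticket is both encrypted and validated;
                       None leaves the cookie readable and forgeable
           timeout:    ticket lifetime in minutes
           path:       cookie path
           requireSSL: send the cookie over HTTPS only
           slidingExpiration: false gives the ticket a fixed lifetime -->
      <forms name=".MUSICAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             path="/"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>
    <!-- "?" means anonymous users. Denying them is what triggers the
         redirect to loginUrl; the login page itself stays reachable. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Without the <deny users="?" /> rule, Forms authentication is configured but never enforced, because the default authorization setting allows all users.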

  • Configuring Authentication (Contd.)

    After configuring the Web application for forms authentication, you are required to add users to the ASP.NET membership management service by using the following methods:

      Using the element in the web.config file

      Using the Membership API

      Using the CreateUserWizard Server Control provided by ASP.NET

      Using the ASP.NET Website Administration Tool (WAT)

    Let us see how to create users by using the CreateUserWizard Server control

    Let us see how to create users by using the Web Site Administrator Tool

  • Configuring Authorization

    Authorization is the process of verifying whether an authenticated user has the privilege to access a requested resource.

    You need to grant different permissions to different users to provide accessibility to the Web pages in your website.

    In ASP.NET, you can provide authorization by using the role management service, which enables you to:

      1. Create roles.

      2. Assign users to each role.

      3. Restrict user access based on roles.

  • Configuring Authorization (Contd.)

    To use role-based authorization in your Web application, you need to enable it by using the <roleManager> element in the web.config file, as shown in the following example:

    ...

    ...

  • Configuring Authorization (Contd.)

    After you have enabled the role management service, you need to create roles, such as Users, Administrator, and Guest.

    ASP.NET provides you with the Roles class to help you create roles.

    The various methods of the Roles class are explained in the following table.

    Methods            Description
    CreateRole         Adds a new role to the data source.
    DeleteCookie       Deletes the cookie where role names are cached.
    DeleteRole         Removes a role from the data source.
    FindUsersInRole    Gets a list of users in a specified role where the user name contains the specified user name to match.
    GetRolesForUser    Gets a list of the roles that a user is in.

    Let us see how to create roles and assign users to roles by using Web Site Administrator tool


  • Configuring Impersonation (Contd.)

    Impersonation is the process of executing code under the authenticated user identity and not under the ASPNET account.

    Impersonation involves the following steps:

      1. When a request from a remote client is received, IIS carries out authentication. If the client is authenticated, it passes the request to the ASP.NET application.

      2. The application impersonates the client and uses the authentication given by IIS to access the restricted resources.

      3. If authorized to access resources, the ASP.NET application returns the requested resources to the client through IIS.

  • Activity 12.1: Implementing Forms Authentication

    Problem Statement:

      You need to create a login page for the users of the MusicMania website. This login page should use Forms authentication. The login page should display two text boxes for entering the username and password, respectively. To log on, the users are required to enter the username and password in the respective text boxes and click the Login button. The user credentials should be verified with the entries made in the web.config file. Once the user is authenticated, he/she should be redirected to the Welcome page that displays a welcome message to the user. However, if the user fails authentication, a message should be displayed to the user on the login page indicating that the authentication process has failed.

  • Activity 12.1: Implementing Forms Authentication (Contd.)

    Solution:

      To implement Forms authentication in the website, you need to perform the following steps:

      1. Add a new Web page.

      2. Design the new Web page.

      3. Modify the Home page.

      4. Verify the application.

  • Summary

    In this session, you learned that:

      The ASP.NET security model provides restricted levels of access to secure website information from unauthorized access.

      IIS provides the following different types of authentication to control access to your Web application:

        Anonymous

        Basic

        Digest

        Integrated Windows

      Authentication is the process of validating the identity of a user before granting access to a restricted resource.

      Authentication in a Web application can be configured by using the <authentication> element in the web.config file.

  • Summary (Contd.)

      The <authentication> element specifies the authentication type that is used by an application to authenticate the user.

      The authentication type can be specified by using the mode attribute of the <authentication> element.

      The mode attribute can have the following values:

        Windows

        Forms

        Passport

        None

      Authorization is the process of verifying whether an authenticated user has the privilege to access a requested resource.

      Impersonation is the process of executing code under the authenticated user identity and not under the ASPNET account.

