Security Concepts
Why is security important
So far, our web site is open to everyone. Any user can browse the pages of our site. Though this is not a problem for most of the pages, we certainly want restrictions on some pages. For example, the download page should be available to registered users only.
ASP.NET 2.0 provides a very effective yet simple to implement security model. In this chapter, we will learn how to use it. In the process, we will learn about the login controls and the Website Administration Tool (WAT).
ASP.NET 2.0 provides a basic level of security for our site by restricting access to all the code files and configuration files. Beyond that, it is up to the developer to decide the level of security for the site. We can restrict some pages and folders of the site or we can restrict the access of the entire site to a fixed group of users.
Before implementing the security, we need to understand two basic terms - authentication and authorization.
Authentication: this process determines the identity of a user. This is usually done by asking the user to enter a username and a password. For this, a login page or login window is created.
Authorization: after the user is authenticated, the process of authorization decides what actions the user can perform. For example, whether she can access certain pages or make changes to the database.
Let us now see how to use the ASP.NET 2.0 tools to secure our site. Before that, we need to decide which pages need to be protected from unauthorized access. In our web site, we want the Download page to be accessible only to registered users and the BookManagement page to be accessed only by the administrators of the site. We created the BookManagement page in a separate folder in our project. This was done intentionally, because the visual security tools of ASP.NET 2.0 protect the pages in a specified folder. The Download page, however, is not in a separate folder. So how do we protect it from unauthorized access? Simple: we will move the page into a separate folder. Let us do this now:
1. Open the project.
2. In the solution explorer, right click on the project name and select the New Folder option from the menu. A new folder will be added to the project. Give it a name. In our case, the name is 'Protected'.
3. Drag the Download.aspx file in the solution explorer and drop it on the newly created folder. The page has now been moved inside this folder.
4. Right now, if we run our website and click on the Download link, we will get an error page. This is because the page has been moved from its original location and we have not modified our sitemap file.
5. Open the sitemap file (web.sitemap) from the solution explorer. Modify the url attribute from
<siteMapNode url="~/Download.aspx" title="Downloads" description="Download Free Stuff" />
to
<siteMapNode url="~/Protected/Download.aspx" title="Downloads" description="Download Free Stuff" />
6. Now the Download page should be visible while browsing the site. However, the icons for the download are missing. To fix them, select each image box by clicking on it, open the properties window and click on the button in the cell next to the Src property.
In the resulting dialog box, select the appropriate image and click on the OK button. This will restore the missing image.
Note: This exercise shows the importance of planning before we start on our project. With proper planning, we can avoid the wastage of time and effort.
With this, we are ready to implement some of the login controls of ASP.NET 2.0. We will put some of the controls on the master page so that they are available on all the pages. Next, we will create a Login page and then use the Web site Administration Tool (WAT) to create some users for our site and assign roles to them. Finally, we will create the user registration (Sign up) page.
Let us begin with some login controls that we will use on the master page.
LoginView Control: This control is used to display messages based on the user's login status. For example, when the user is not logged in, we can display a message like 'You are not logged in'. Similarly, if the user is logged in, we can display a message such as 'You are logged in'.
LoginStatus Control: This control displays a link for logging in or out. This is based on the user's login status. If the user is logged in, the control shows a link to log out and vice-versa.
LoginName Control: This control simply displays the name of the user who is logged in.
These controls are simple to implement yet they provide amazing functionalities and save a lot of coding time.
1. Open the project if not already open.
2. If the master page tab is not visible in the IDE, double click on its file name in the solution explorer to open it and switch to the design view.
3. We will add the login controls above the TreeView control. Drag the TreeView control downwards to make some room for the login controls.
4. Look for the LoginView control in the Login section of the toolbox. Drag the control and drop it on the page as shown in the figure:
5. As soon as the control is dropped on the page, its smart tag will open up, displaying a menu. In the Views drop down list, select AnonymousTemplate. Now, type a message inside the box for the users who are not logged in. This text can be formatted using the formatting toolbar.
6. Now open the smart tag menu again. In the Views drop down list, select the LoggedInTemplate option. This time, type a message for the users who are logged in.
7. Next, drag the LoginName control from the toolbox and drop it just below the LoginView control. Using the properties window, we can set the font and color of this control.
8. Finally, drag and drop the LoginStatus control below the LoginName control.
That completes the steps for adding the login controls to the master page. However, we cannot test our site yet. We still need to create the login page.
1. Open the Login.aspx page from the solution explorer if its tab is not already open in the IDE.
2. Switch to the design view.
3. Delete the existing content (if any) inside the Content box.
4. From the Layout menu, select the Insert Table option. This will open up a dialog box. Select 3 rows and 3 columns for the table.
5. We can type a short message inside the middle cell of the first row.
6. Drag and drop the Login control from the toolbox (Login section) in the middle cell of the second row.
As soon as the control is dropped on the page, the smart tag menu will open up. Use the Auto Format option to specify a style for the control.
Keeping the control selected, open the properties window. Click on the button in the cell next to the DestinationPageUrl property. This will open up a dialog box showing all the files in our project. Select Default.aspx from this list. This means that after a successful login, the user will be taken to the home page of our site.
That is it! We have added the login feature to our site without writing any code!
We can run the site now and view the login page. However, to test it, we need to create some users for our site through the use of the Web site Administration Tool (WAT).
The Web site Administration Tool is a very useful feature for site administration. We can use this tool to create users for our site and define what authority they have. This is where we will provide security to some of our pages.
We can start the WAT in two ways. First is to select the ASP.NET Configuration option from the Web site menu. The second method is to click on the ASP.NET Configuration Tool button in the solution explorer:
Whichever option we use, a web page will open up in our browser. The WAT is displayed in the form of a web page:
Click on the link named Security. This will bring the page from where we can create users and define access rules for our site.
However, we need to check the authentication type for our site first. Click on the Select authentication type link here. On the next page, make sure that the From the internet option is selected. Click on the Done button.
What is authentication type?
In this page, the WAT is asking us how our users will connect to our site. Since our site will be on the internet for everyone, we have selected the first option. This is known as Forms authentication. The user enters a username and password, and this information is verified against a database that stores the user data. However, if we want to develop a site that will be used by a selected group of users on a private local network (Intranet), we use the second option. In this situation, the user logs in using her Windows username and password. This is known as Windows authentication.
With the proper authentication type selected, we can now create users for our site. Click on the Create user link. On the next page, we need to provide some information about the user:
Remember that the password should have a minimum of 8 characters and one of the characters must be a non-alphanumeric character, such as the underscore (_) symbol.
After filling up the information here, click on the Create User button. The next page will display a message that the user creation has been successful. We can create more users by clicking on the Continue button.
Right now, we will not create any more users. Instead, we will return to the security page to create roles.
A role groups multiple users together. Access rights are specified for the role, and all users in that role receive the same access rights. For example, we can create a role named 'Admin'. Next, we decide what areas of the website can be accessed by this type of user. Then we assign some users to this role. These users will now have the access rights defined for the role 'Admin'.
We will now create a role named 'user'. All the registered members of our site will be under this role.
Click on the Security tab at the top of the page. Inside the page, click on the Create or Manage roles link. On the next page, we will get a text box for entering the name of the role we want to create.
Enter the role name (user) and click on the Add Role button. The newly added role will be displayed along with the links to delete it or manage it. If we click on the Manage link, we can assign users to this role. However, we will not do this now. Click on the Back button to get back to the main Security page.
We are now going to create the access rule that will protect our download page from non-members. To do this, click on the link - Create access rules. A new page will be displayed for creating access rules.
Here, we will first select the 'Protected' folder by clicking on it. This is because the download page is stored inside this folder. Next, select the Anonymous users radio button in the section Rule applies to and the Deny radio button in the Permission section. By doing so, we have specified that an anonymous user (non-member) will not have access to the files inside the 'Protected' folder. Users in other roles can access the page. Click on the OK button. We will now get a page that displays the rule we have just created. We can create more access rules according to our requirements. We can allow the role 'user' to access the 'Protected' folder. When all rules are defined, click on the 'Done' button.
This is all that we need to do to protect the download page from non-members. However, we can create more access rules such as one that protects the BookManagement page from non-members and members (in the user role) as well. We can create another role, Administrator for example, and only the persons in this role can access the BookManagement page.
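The access rules created in the WAT are not stored in the tool itself; they are written as authorization settings into web.config files. As an added illustration that is not part of the original chapter, this is what the resulting configuration looks like, assuming the 'Protected' folder used above, a folder named BookManagement, and a role named Administrator:

```xml
<!-- Root web.config: the "From the internet" choice in the WAT sets Forms
     authentication, and the role manager is enabled once roles are created. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Unauthenticated requests for protected pages are redirected here -->
      <forms loginUrl="Login.aspx" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>
</configuration>

<!-- Protected/web.config: "?" stands for anonymous users and "*" for all
     users. Rules are evaluated top to bottom and the first match wins. -->
<configuration>
  <system.web>
    <authorization>
      <!-- Deny anonymous users, as created in the WAT above -->
      <deny users="?" />
      <!-- Allow the 'user' role. Caveat: with only the deny rule, any
           logged-in user still gets in, because the machine-wide default
           rule is allow users="*"; to restrict to this role alone, add
           <deny users="*" /> after the allow rule. -->
      <allow roles="user" />
    </authorization>
  </system.web>
</configuration>

<!-- BookManagement/web.config (assumed folder name): only the Administrator
     role may enter; the final deny blocks everyone else, including members. -->
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Each folder's web.config can be opened in the solution explorer to check that the WAT has produced the rules in the intended order.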
The last thing to do here is to put the user that we have created into the 'user' role. To do this, on the main security page, click on the link Manage users. This will display a page where we can search for specific users of our website and manage their details. It also shows a list of users. In our example, the name of the only user of our site, Jones, is displayed with the links Edit user, Delete user and Edit roles.
Click on the Edit roles link. In the Roles section, a list of available roles will be displayed. To add the user to a specific role, check the box of that role. Click on the Back button.
Using the Website Administration Tool, we have created a user for our web site. We also created a role, defined the access rights for our download page and assigned the user to a specific role. We can see how useful the WAT is for managing the security of our web site. All this is done without writing any code at all.
However, it is not practical to add new users to our site using the WAT. We will create a sign up page for user registration so that users can fill in their registration information themselves.