Before the first line of code you write for an .aspx page executes, both Internet Information Services (IIS) and ASP.NET have performed a fair amount of logic to establish the execution context for a HyperText Transfer Protocol (HTTP) request. IIS may have negotiated security credentials with your browser. IIS will have determined that ASP.NET should process the request and will perform a handoff of the request to ASP.NET. At that point, ASP.NET performs various one-time initializations as well as per-request initializations.
This chapter will describe the initial phases of a Web request and will drill into the various security operations that occur during these phases. In this chapter, you will learn about the following steps that IIS carries out for a request:
* The initial request handling and processing performed both by the operating system layer and the ASP.NET Internet Server Application Programming Interface (ISAPI) filter
* How IIS handles static content requests versus dynamic ASP.NET content requests
* How the ASP.NET ISAPI filter transitions the request from the world of IIS into the ASP.NET world
Having an understanding of the more granular portions of request processing also sets the stage for future chapters that expand on some of the more important security processing that occurs during an ASP.NET request as well as the extensibility points available to you for modifying ASP.NET’s security behavior.
This book describes security behavior primarily for Windows Server 2003 running IIS6 and ASP.NET. Due to differences in capabilities between IIS5/5.1 and IIS6, some of what is described is not available or applicable when running on Windows 2000/XP. Differences in behavior between versions of IIS are noted in some cases.
The previous chapter discussed the work that occurs before an ASP.NET request starts processing. This chapter describes security related processing that occurs each time ASP.NET processes a request. As with starting up an application, per-request processing involves a handoff of security information from IIS to ASP.NET. A combination of the application’s configuration in IIS and the ASP.NET configuration for the application determines the security context that is initialized for each request.
After a request is running through the ASP.NET pipeline, the authentication and authorization options that have been configured for the application take effect. If a request passes authentication and authorization checks, there is still one last hurdle to clear: the HttpHandler that is assigned to process the request. Again, depending on the ASP.NET application’s configuration, a request may be rejected by the handler that serves the request.
In this chapter, you will learn about:
* How the security identity in ASP.NET is set based on security information negotiated by IIS
* Security issues around the ASP.NET asynchronous programming model
* Authentication steps that occur in the HTTP pipeline
* Authorization processing in the HTTP pipeline
* How HTTP handlers control access to files
So far the previous topics have centered on various pieces of security information -- encryption key material, security identities, authentication and authorization, and so on. They dealt with security decisions that were tied to some concept of identity. The security identity may have been that of the browser user, or it may have been the identity of the running process.
A different aspect of ASP.NET security uses the .NET Framework code access security (CAS) functionality to secure the code that runs in an ASP.NET site. Although the concept of code having its own set of rights has been around since the first version of the .NET Framework, more often than not the actual use of CAS by developers has been limited. In large part, this has been due to the complexities of understanding just what CAS is as well as how to effectively use CAS with your code.
ASP.NET 1.1 substantially reduced the learning curve with CAS by introducing the concept of ASP.NET trust levels. In essence, an ASP.NET trust level defines the set of rights that you are willing to grant to an application’s code. This chapter thoroughly reviews the concept of ASP.NET trust levels, as well as new features in ASP.NET 2.0 around enforcement of trust levels.
You will learn about the following areas of ASP.NET trust levels:
* Configuring and working with ASP.NET trust levels
* What an ASP.NET trust level looks like
* How a trust level definition actually works
* Creating your own custom trust levels
* Details on frequently asked for trust level customizations
* A review of all of the permissions defined in ASP.NET trust policy files
* Advanced topics on writing code for partial trust environments
Many .NET Framework features depend on initialization information stored in various configuration files. ASP.NET especially is heavily dependent on configuration sections for defining the behavior of many aspects of the ASP.NET runtime. As a result, the configuration information frequently contains sensitive information (usernames, passwords, connection strings, and so on). Configuration information can also directly affect the security settings enforced by certain features. As a result, configuration security is an important aspect of ensuring that a web application works as expected.
This chapter covers the following aspects of securing configuration information:
* Using the <location /> element
* Implementing granular inheritance control using the new “lock” attributes
* Setting access rights to read and modify configuration
* Implementing partial trust restrictions when using configuration
* Using the new protected configuration feature
Forms authentication is the most widely used authentication mechanism for Internet facing ASP.NET sites. The appeal of forms authentication is that sites with only a few pages and simple authentication requirements can make use of forms authentication, and complex sites can still rely on forms authentication for the basic handling of authenticating users. In ASP.NET 2.0, the core functionality of forms authentication remains the same, but some new security scenarios have been enabled and some security features have been added.
This chapter covers the following topics on ASP.NET 2.0 forms authentication:
* Reviewing how forms authentication works in the HTTP pipeline (most of this was covered in Chapter 2)
* Making changes to the behavior of persistent forms authentication tickets
* Securing the forms authentication payload
* Securing forms authentication cookies with HttpOnly and requireSSL
* Using Cookieless support in forms authentication
* Using forms authentication across ASP.NET 1.1 and ASP.NET 2.0
* Leveraging the UserData property of FormsAuthenticationTicket
* Passing forms authentication tickets between applications
* Enforcing a single login and preventing replayed tickets after logout
All of the great security features in ASP.NET don’t really help you when you look at your older classic ASP applications. Although forms authentication and URL authorization have been around since ASP.NET 1.0 days, these features haven’t been of any use in the ASP world. With the introduction of the Membership and Role Manager features in ASP.NET 2.0, you have even more authentication and authorization functionality built into ASP.NET. But again, it seems like that functionality is orphaned over in the ASP.NET world and never made it over to the world of classic ASP.
Why attempt to bring the ASP.NET and classic ASP worlds together? In terms of sheer volume of code written, the majority of web applications out there are still running on classic ASP. Even if you surf around Microsoft’s own sites such as the MSDN online library and various links and subsites of www.microsoft.com, you still encounter a lot of classic ASP pages.
In ASP.NET 2.0 a number of small changes were made in some admittedly esoteric aspects of the runtime to make it possible to more tightly integrate ASP.NET and classic ASP. These changes also rely on modifications made earlier to IIS 6 around handling for ISAPI extensions. Both of these changes taken together make it possible to wrap classic ASP sites inside of ASP.NET.
This chapter covers the following topics:
* ISAPI extension mapping behavior in IIS 5
* Wildcard mappings in IIS 6 and how they work
* The DefaultHttpHandler in ASP.NET 2.0
* Using the DefaultHttpHandler with ASP.NET and classic ASP
* Authenticating classic ASP using ASP.NET
* Adding roles from Role Manager for use in classic ASP
Session state probably doesn’t strike most people as having much of anything to do with security. However, some security-related design points are worth touching on when thinking about how session state is used in an application. In ASP.NET 2.0 some new functionality was added around securing cookieless sessions as well as locking down behavior in lower trust levels.
This chapter covers the following topics on ASP.NET 2.0 session state:
* Session state and the concept of a logon session
* How session data is partitioned across applications
* Cookie-based session IDs
* Cookieless sessions and Session ID regeneration
* Protecting against session state denial-of-service attacks
* Trust level restrictions when using session state
* Database security when storing session state in SQL Server
* Securing the out of process state server
A good deal of writing a secure page depends on often discussed topics like input validation, handling malicious input, preventing SQL injection attacks, and so on. However, ASP.NET provides some lesser known configurable security features that add a degree of extra security to your pages. This chapter will review some security features for pages and compilation that have been around since ASP.NET 1.1, as well as new security features in 2.0.
The topics that will be covered include:
* Request validation and viewstate protection
* Options for securing page compilation
* Protecting against fraudulent postbacks
* Site navigation security
Many of the new features in ASP.NET 2.0, including the Membership and Role Manager features, are built using the provider model. The provider model is not just an architectural model limited to ASP.NET 2.0 features; the base classes are available for you to build your own provider-based features.
This chapter covers the theory and intent behind the provider model so that you have a good idea of the patterns used by provider-based features. You will be introduced to the base provider classes, the services they provide, and the general assumptions around the ASP.NET provider model. Last, you will see some examples of how you can create your own custom feature using the provider model.
This chapter will cover the following topics:
* Why have providers?
* Patterns found in the Provider model
* Core provider classes
* Building a provider-based feature
One of the unique aspects of ASP.NET 2.0 is that it introduces a number of powerful new application services that are built using the provider model. Membership is one of the new services and addresses the common need that websites have for creating and managing users and their credentials. Although the Membership feature ships with a great deal of functionality right out of the box, it is also flexible enough for you to customize or extend many of the core aspects of the feature.
This chapter discusses the core classes of the Membership feature: The public static Membership class, the base MembershipProvider class, and the MembershipUser class all include functionality that is common regardless of the kind of providers used with the feature. You will see the various coding assumptions baked into the Membership feature for each of these classes. MembershipProvider is covered in detail so that you get a better idea about what needs to be implemented as well as the general behavior that ASP.NET expects from custom providers.
Last, you gain some insight into miscellaneous design concepts and areas of the Membership feature. The idea of user uniqueness is covered along with guidance about how to create a custom hash algorithm for use by providers. You also see how you can use the Membership feature in applications other than ASP.NET websites.
* The Membership class
* The MembershipUser Class
* The MembershipProvider base class
* The “primary key” for membership
* Supported environments
* Using custom Hash algorithms
The Membership feature comes with two different providers by default: one that works with SQL Server and one that works with Active Directory. The subject of this chapter is the SQL-based provider. This provider is sort of the showcase provider for the Membership feature because it implements the full range of functionality exposed by the Membership API. It can be used by applications with only a handful of user accounts as well as very large sites with hundreds of thousands of user accounts. The provider can be used inside of ASP.NET applications as well as in non-ASP.NET applications. As with the parent Membership feature, SqlMembershipProvider can be used with Low trust and above--although when running it with Low trust you need to explicitly add SqlClientPermission for the provider to work.
This chapter will cover the following aspects of SqlMembershipProvider in detail:
* The common database schema used by all SQL-based providers in ASP.NET
* The database schema that supports SqlMembershipProvider
* Caveats to keep in mind when using SQL Server Express instead of SQL Server
* Security for the Membership database
* How to change password formats
* How to change the way that passwords are automatically generated
* How to use custom encryption
* How to enforce custom password strength rules
* How account lockout works with the provider
* How to extend the provider to implement auto-unlock behavior
* How to support multiple portal-style applications with a single provider
After covering these topics, you should have a good sense of how the provider works as well as how you can build extended functionality on top of the SQL provider without needing to write a custom provider from scratch.
The ActiveDirectoryMembershipProvider supports almost the entire set of functionality defined by the Membership API. You can create and manage users with either Active Directory (AD) or the standalone directory product Active Directory Application Mode (ADAM). Furthermore, you can use the provider in both ASP.NET and non-ASP.NET applications. Because the ActiveDirectoryMembershipProvider closely mirrors the SqlMembershipProvider in terms of functionality, the interesting parts of ActiveDirectoryMembershipProvider are how the provider works with the directory server and how certain Membership operations are mapped to AD and ADAM.
This chapter will cover the following aspects of ActiveDirectoryMembershipProvider in detail:
* How the provider works with different directory structures
* Provider configuration settings
* Notes on various pieces of provider functionality
* The ActiveDirectoryMembershipUser class
* Working with Active Directory
* Configuring ADAM to work with the provider
* Using the provider in partial trust
Role Manager is a new feature in ASP.NET 2.0 that provides the basic functionality necessary to create an IPrincipal-based object associated with roles. The motivation for the Role Manager feature is to make it easy for developers to associate users with roles and then perform role checks both declaratively and in code. The Role Manager feature is sometimes referred to as a companion feature to Membership because Role Manager can be used to provide authorization for users that have been authenticated using Membership. However, Role Manager can also be used as a standalone feature that integrates with other authentication mechanisms, including Windows authentication.
As with the Membership feature, Role Manager can be used in non-ASP.NET environments such as Winforms applications and console applications, thus making it easier for developers to share a common set of authenticated users and role information across different client applications. This chapter will cover:
* The Role class
* The RolePrincipal class
* The RoleManager model
* RoleProvider
* WindowsTokenRoleProvider
Role Manager ships with a number of different providers in the Framework: WindowsTokenRoleProvider, which was covered at the end of the previous chapter; SqlRoleProvider, which is the topic of this chapter; and AuthorizationStoreRoleProvider, which is discussed in the next chapter. SqlRoleProvider is already configured in machine.config as the default provider for the Role Manager feature. As with SqlMembershipProvider, SqlRoleProvider is the reference provider for the feature because it implements all of the functionality defined on the RoleProvider base class.
This chapter will cover the following areas of the SqlRoleProvider:
* The database schema used by the SqlRoleProvider
* Database security and trust level requirements for the provider, including how to configure the provider for use in partially trusted non-ASP.NET environments
* Using the SqlRoleProvider with Windows-authenticated websites
* Extending the provider to support “run-with-limited-roles” scenarios
* Leveraging role data for authorization checks in the data layer
* Supporting multiple applications with a single provider
AuthorizationStoreRoleProvider maps the functionality of the Role Manager feature onto the Authorization Manager (AzMan) authorization store that was first released as part of Windows Server 2003. The provider supports most of the RoleProvider functionality as well as a handful of AzMan-specific settings and behavior. Although AzMan itself has the concept of more granular permission checks than just role checks, AuthorizationStoreRoleProvider only exposes the role-based functionality of AzMan.
In this chapter, you will learn about the following aspects of the AuthorizationStoreRoleProvider:
* How the provider interacts with AzMan
* Role Manager functionality supported by the provider
* Working with a file-based policy store
* Working with an Active Directory AzMan policy store
* Using the ActiveDirectoryMembershipProvider and AuthorizationStoreRoleProvider together