Module 5: Securing Web Pages

Shared by: Mai Phuong | Date: | File type: PDF | Pages: 78


Document description

This module explains how to secure the Web pages that compose a Web application through the use of Active Server Pages (ASP) and Microsoft® ASP.NET forms-based authentication. After completing this module, students will be able to implement forms-based authentication in both ASP and ASP.NET Web applications.

Text content:

Contents

Overview 1
Lesson: ASP Forms-Based Authentication 2
Lesson: .NET Code Access and Role-Based Security 9
Lesson: Overview of ASP.NET Authentication Methods 16
Lesson: Working with Windows-Based Authentication in ASP.NET 30
Lesson: Working with ASP.NET Forms-Based Authentication 37
Review 55
Lab 5: Securing Web Pages 57
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes

Presentation: 75 minutes
Lab: 30 minutes

This module explains how to secure the Web pages that compose a Web application through the use of Active Server Pages (ASP) and Microsoft® ASP.NET forms-based authentication. After completing this module, students will be able to implement forms-based authentication in both ASP and ASP.NET Web applications.

After completing this module, students will be able to:
• Implement forms-based authentication in an ASP Web application.
• Define the purpose of code access and role-based security in the Microsoft .NET Framework.
• Describe the different authentication methods that are supported by ASP.NET and explain how each method is configured.
• Implement Microsoft Windows®-based authentication in an ASP.NET Web application.
• Implement forms-based authentication in an ASP.NET Web application.

Required materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2300A_05.ppt
• Hypertext Markup Language (HTML) code sample file 2300A_05_code.htm
• HTML and Flash animation files: 2300A_05_A05_1662.htm and 2300A_05_A05_1662.swf
• HTML and Flash animation files: 2300A_05_A10_1663.htm and 2300A_05_A10_1663.swf
Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices and lab.
• Visit the Microsoft MSDN® .NET Security page at http://msdn.microsoft.com/library/nhp/Default.asp?contentid=28001369.
• Read about Microsoft Passport at http://www.passport.com.
• Read the MSDN article, “.NET My Services and .NET Passport User Authentication Overview,” which is available at http://msdn.microsoft.com/library/en-us/dndotnet/html//myservpassp.asp.
• Read the MSDN Magazine article, “An Overview of Security in the .NET Framework,” which is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp.
• Read the MSDN article, “Secure Coding Guidelines for the .NET Framework,” which is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/seccodeguide.asp.
• Read the MSDN Magazine article, “An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2,” which is available at http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/aspsec2.asp.
• Read Module 6, “Code Access Security,” and Module 7, “Role-Based Security and Isolated Storage,” in Course 2350, Securing and Deploying Microsoft .NET Assemblies.
• Read the MSDN Magazine article, “Security in .NET: Enforce Code Access Rights with the Common Language Runtime,” which is available at http://msdn.microsoft.com/msdnmag/issues/01/02/CAS/CAS.asp.
How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: ASP Forms-Based Authentication

Overview of ASP Forms-Based Authentication
It is possible that students will have an understanding of ASP forms-based authentication before coming to this class. If so, you can briefly review the content in this lesson and then move on to ASP.NET Windows-based and forms-based authentication.

Creating an ASP Logon Page
Mention that setting the Internet Information Services (IIS) authentication method to Anonymous access enables the authentication process to pass through IIS, where it is handled by the ASP logon page. At this point, the developer is responsible for making sure that the user is authenticated (by checking the user’s credentials) and authorized.

Validating the Session Variable
The difference between authentication and authorization in an ASP Web page is minimal. Authentication means that the Session variable that was set in the logon page exists. Authorization can be implemented by checking that the Session variable is set to a certain value.

Instructor-Led Practice: Using Forms-Based Authentication in an ASP Web Application
Have the students access the unsecured and secured pages on the London computer in the 2300Demos/Mod05 folder. After the students access both the unsecured and secured pages, explain the code in the Logon.asp and SecurePage.asp pages in the Mod05 folder of the 2300Demos Web application project:
1. In Microsoft Visual Studio® .NET, open the 2300Demos solution.
2. Open the Logon.asp page in the Mod05 folder of the 2300Demos project. If a password is entered, a Session variable is set.
3. Open the SecurePage.asp page. There is code at the top of the page that looks for a value in the Session variable. If the Session variable is not set, the page redirects the user to the logon page.
4. Open the UnsecurePage.asp page. This page does not have the code at the top of the page that checks for a value in the Session variable.
Lesson: .NET Code Access and Role-Based Security
Microsoft .NET code access security is relevant mostly to Windows applications that run on a client computer. However, because code access security is a new feature of the Microsoft .NET Framework, it needs to be covered. Do not spend a lot of time on this material.

Overview of Code Access Security
Quickly explain that you can add attributes to the functions in your Web application to restrict its access to resources. This is beyond the scope of this course, and therefore, no examples are given.

Overview of Role-Based Security
Role-based security has been covered in earlier modules in this course and should not be a new term to students. This slide just introduces the Identity and Principal objects and how they relate to role-based security in a .NET Web application.

Lesson: Overview of ASP.NET Authentication Methods
In this lesson, briefly describe the .NET authentication methods and the Web.config file. Windows-based authentication and forms-based authentication are covered in more detail in the following lessons.

Multimedia: ASP.NET Authentication Methods
This animation compares the three authentication methods that are supported by ASP.NET, and it shows how the authentication methods differ, both from the client perspective and on the Web server.

Comparing the ASP.NET Authentication Methods
Explain to students the advantages and disadvantages of each ASP.NET authentication method. Ultimately, the Web client that will use the Web application will dictate which authentication method can be used. In most cases, forms-based authentication will have the most widespread support, because it depends only on Anonymous access at IIS and an HTML form, which every Web browser supports.

Configuring ASP.NET Web Applications
The Web.config file is mentioned briefly in Module 4, “Internet Information Services Authentication,” in Course 2300, Developing Secure Web Applications. However, this topic provides an opportunity to explain Web.config files in more detail and show how the different Web.config files in the folder structure relate to one another. It is important for students to understand the hierarchy of Web.config files and their settings, and when settings in one Web.config file override those settings in another Web.config file.

Authentication and Authorization Configuration Settings in Web.config
When discussing the <authentication> section, mention that this section can appear only in the Web.config file in the virtual root of a Web application. The <authorization> section can also appear in Web.config files in subfolders. When discussing the <authorization> section, note how roles can be used to avoid specifying individual users in the Web.config file.

Securing a Single Web Page
Compare applying authorization settings for a single Web page with applying authorization settings for the entire Web application.

Practice: Using Web.config Files
This practice provides students with an opportunity to see how the authorization settings in multiple Web.config files interrelate.
Lesson: Working with Windows-Based Authentication in ASP.NET

How to Enable Windows-Based Authentication
By default, the Web.config files in newly created Visual Studio .NET Web applications are configured to use Windows-based authentication. Note that this is the setting that Visual Studio .NET writes explicitly into the <authentication> tag of a new Web application. When the tag is absent from Web.config, the mode is inherited from the parent configuration, ultimately Machine.config, whose default is also Windows; do not confuse an absent tag with mode="None".

Instructor-Led Practice: Using Windows-Based Authentication
This is an instructor-led practice. You will start the practice by configuring the Web server on the London computer and showing the code in the Web pages. Then, students will access the pages in the http://London/2300Demos/Mod05 folder and answer the questions.

Lesson: Working with ASP.NET Forms-Based Authentication

Multimedia: Forms-Based Authentication
This animation delves into ASP.NET forms-based authentication in more detail, explaining how ASP.NET authenticated and nonauthenticated requests are handled. Note that the animation uses the term “authentication cookie,” which can also be described as an “authentication ticket.”

How to Enable Forms-Based Authentication
Briefly mention creating a logon page here. Creating the logon page is covered in more detail in the next two topics.

The FormsAuthentication Object
When you authenticate a user through forms-based authentication, an authentication ticket is created and sent to the user. The authentication ticket can be either a persistent cookie, which lasts for 50 years by default, or an in-memory cookie. A persistent ticket is a bearer credential that stays valid until it expires, so the 50-year default is rarely appropriate. To create a persistent cookie that expires after a certain amount of time, you create the authentication cookie first, and then set its Expires property before sending it to the user. Show students the code to do this, which is located at the end of the topic.

Creating a Logon Page
The RedirectFromLoginPage method will redirect the user either to the originally requested page or to default.aspx. For example, the method will redirect to default.aspx if a user opens the logon page first. If there is no default.aspx page in your Web application, this could cause a “page not found” error. Therefore, you can check the page that RedirectFromLoginPage is going to redirect to (FormsAuthentication.GetRedirectUrl returns it), and if it is default.aspx, manually create the authentication ticket and redirect the user to an existing page in your Web application by using the Response.Redirect method. When you redirect manually, accept only a relative path inside the application as the target: the ReturnUrl query string value is supplied by the client and must not be trusted as a redirect destination. Show students the code to do this, which is located at the end of the topic.

Using Role-Based Security with ASP.NET Forms-Based Authentication
Mention to students that you would not normally hard code the user names and roles when defining roles. This information would typically come from a database. Show the code for the full Application_AuthenticateRequest event procedure and point out how the roles are only assigned if the user is authenticated (that is, is not anonymous) and is authenticated by using forms-based authentication. By using forms-based authentication, you can lower the overhead of using role-based security in a Web application.
Instructor-Led Practice: Using ASP.NET Forms-Based Authentication
This is an instructor-led practice. You will start the practice by configuring the Web server on the London computer and showing the code in the Web pages. Then, students will access the pages in the http://London/2300Demos/Mod05 folder and answer the questions. When students are redirected to the ASPXLogin.aspx page, show them that the Uniform Resource Locator (URL) contains the page ASPXSecurePage1.aspx in the ReturnUrl query string parameter, which is needed to redirect the user to the requested page if the entered credentials are validated.

Comparing ASP and ASP.NET Forms-Based Authentication
This topic is a summary of the primary differences between ASP and ASP.NET forms-based authentication. The most significant difference is that developers must program most of the logic in an ASP Web application, while there are features in ASP.NET that will do some of this logic either automatically or through configuration settings.

Lab 5: Securing Web Pages
The TailspinToys Web application is both an Internet and an extranet Web application. Introduce the lab with a group brainstorming session about which Web pages need to be secured for the extranet part of the TailspinToys Web application and what would be the best way to secure them. The lab secures the following pages:
• In the ASP Web application, the extranet pages will be secured manually by code in each extranet page that checks for a Session variable set by the logon page.
• In the ASP.NET Web application, the extranet pages will be placed in a new folder named Resellers and secured with an <authorization> section in the Web.config file.
At the end of the lab, reiterate how forms-based authentication was implemented in the two Web applications and why.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup
To complete this lab, students can either continue working in the Tailspin Toys Visual Studio .NET projects that they used in previous labs, or they can start with new files. To start with new files, students must complete the following steps.

• Create the Web applications for the ASP exercises
  1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab05\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.
  2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab05\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.
• Create the Web applications for the ASP.NET exercises
  1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab05\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
  2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab05\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET.
• Configure the TailspinToysAdmin and TailspinToysAdmin.NET Web applications to use Integrated Windows authentication
  - Use IIS to turn off Anonymous access, leaving only Integrated Windows authentication, for the TailspinToysAdmin and TailspinToysAdmin.NET Web applications.

Lab Results
Performing the lab in this module causes the Resellers.aspx and OrderStatus.aspx pages to move into a Resellers folder in the TailspinToys.NET Web application.
Overview
• ASP Forms-Based Authentication
• .NET Code Access and Role-Based Security
• Overview of ASP.NET Authentication Methods
• Working with Windows-Based Authentication in ASP.NET
• Working with ASP.NET Forms-Based Authentication

Introduction
When forms-based authentication is used to secure Web pages, all user authentication is performed by the Web application and not by the Microsoft® Windows® operating system or by Internet Information Services (IIS) authentication. User names, passwords, and other information about the user are typically stored in either a database or the Active Directory® directory service.

Forms-based authentication is often used for personalization, where content is customized for a known user. In this situation, identification is often the primary objective, rather than authentication, so it is enough to merely store the user name in a database and then use that user name to access the user’s personal information. This shortcut is acceptable only when nothing sensitive depends on the identity; if the personalized content, or the actions it makes available, are sensitive, the user must actually be authenticated.

In this module, you will learn how to implement forms-based authentication in both Active Server Pages (ASP) and Microsoft ASP.NET Web applications.

Note The code samples in this module are provided in both Microsoft Visual Basic® .NET and C#.

Objectives
After completing this module, you will be able to:
• Implement forms-based authentication in an ASP Web application.
• Define the purpose of code access and role-based security in the Microsoft .NET Framework.
• Describe the different authentication methods that are supported by ASP.NET and explain how each method is configured.
• Implement Windows-based authentication in an ASP.NET Web application.
• Implement forms-based authentication in an ASP.NET Web application.
Lesson: ASP Forms-Based Authentication
• Overview of ASP Forms-Based Authentication
• Creating an ASP Logon Page
• Validating the Session Variable
• Instructor-Led Practice: Using Forms-Based Authentication in an ASP Web Application

Introduction
ASP forms-based authentication is based on a custom logon page that you create. Any unauthenticated users are directed to this form for authentication before they are allowed access to protected Web pages. In this lesson, you will learn how ASP forms-based authentication works and how to implement it.

Lesson objectives
After completing this lesson, you will be able to:
• Describe how ASP forms-based authentication works.
• Create an ASP logon page that creates a Session variable for authenticated users.
• Validate a Session variable.
Overview of ASP Forms-Based Authentication
[Slide diagram: (1) the client requests a page and IIS passes the request through to ASP, where the page checks for the Session variable; (2) if the user is not authenticated, the client is redirected to the logon page (Username, Password, Submit), which sets the Session variable on success or returns Access Denied on failure; (3) an authenticated and authorized user receives the secure page.]

Introduction
ASP forms-based authentication uses Session variables to keep track of whether a user is authenticated or not authenticated. User access to protected Web pages is granted or denied based on the values that are contained in these Session variables.

How ASP authenticates users
ASP forms-based authentication follows these steps when authenticating users:
1. A client generates a request for a protected ASP Web page.
2. The IIS authentication mode is set to Anonymous access, so the request passes directly through IIS to ASP.
3. The protected Web page checks whether the client’s Session (located through the session cookie that the browser sends with the request) contains a valid Session variable. If there is no such Session variable:
   a. The protected Web page redirects the client to a logon page, where the user then enters the required credentials, usually a user name and a password.
   b. The application code in the logon page checks the credentials to confirm their authenticity, usually against the credentials that are stored in a database or in Active Directory. If the user is authenticated, the logon page creates a Session variable that contains the information about the user.
   c. If authentication fails, the request is returned with an Access Denied message.
   If a valid Session variable is present, the user has already been authenticated and access is granted to the requested secure page.
Steps to implementing ASP forms-based authentication
To implement forms-based authentication in your ASP Web applications, you must:
1. Set the IIS authentication mode to Anonymous authentication.
2. Create a logon page that verifies the user’s credentials and creates a Session variable for the authenticated user.
3. Add code to the top of each protected Web page that verifies the existence of a valid Session variable and then either continues to render the requested Web page if the Session variable is valid, or redirects the user to the logon page if the Session variable does not exist.

Limitations of ASP forms-based authentication
ASP forms-based authentication relies on the maintenance of session state to determine the identity of the user. After forms-based authentication is implemented, the secured Web pages cannot be accessed by the user unless a specific Session variable is set. If this Session variable is not set, your ASP code redirects the user to a logon page. Because the check is performed page by page, any page that omits it is unprotected.

To maintain session state in ASP pages, the user must have cookies enabled on his or her browser. Therefore, forms-based authentication will work only for those users who have cookies enabled on their computers. After logon, the session cookie is the only thing that ties a request to the authenticated user, so it must be protected in transit (see the SSL note later in this lesson) and the session should be abandoned (Session.Abandon) when the user logs off.
Creating an ASP Logon Page
• Verify user credentials
• Create a Session variable
    If (bLogonSuccessful) Then
        sID = 'read from database
        Session("ID") = sID
    End If
• Redirect to a secure page
    Response.Redirect "SecurePage.asp"

Introduction
After your Web server is configured to use Anonymous authentication, you can create a logon page that verifies user credentials and creates a Session variable for the authenticated user.

Verifying user credentials
To verify a user’s credentials, you need to create a logon page that checks user credentials against the credentials that are in a database or in Active Directory. If the user’s credentials are not valid, the logon page returns an Access Denied message to the user.

Note For more information about accessing Microsoft SQL Server™ data securely from ASP pages, see Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications.

Creating a Session variable
If the user’s credentials are valid, the user is authenticated, and you can then create a Session variable with some personal information about the user, such as the user name. The Session object stores the information that is needed for a particular user session. Variables that are stored in the Session object are not discarded when the user moves between pages in the Web application; instead, these variables persist for the entire user session. The IIS Web server automatically creates a Session object when a Web page from the Web application is requested by a user who does not already have a session. The Web server destroys the Session object when the user’s session expires or is abandoned.
Important Session state (or the ability of a Web application to retain user information across Web page requests) is maintained only for browsers that support cookies and that have cookies enabled.
You can store information in the Session object by assigning a value to a named entry in that object. The following example assigns the user ID, which is retrieved from a database, to the entry "ID" in the Session object:
    If (bLogonSuccessful) Then
        sID = 'read from database
        Session("ID") = sID
    End If
After a Session variable is set, you can access the information that is in the Session object from other pages in the Web application by reading the value from the Session variable. The following example uses the user's ID to read order information from the database:

Redirect to a secure page
After the user has been authenticated, you can redirect the user from the logon page to the requested secure page, as shown in the following example:
    Response.Redirect "SecurePage.asp"
Validating the Session Variable
• Authentication
  - Verify the Session variable and redirect the client to the logon page if the Session variable is not valid
• Authorization
  - After the user is authenticated, determine whether he or she is authorized to view the requested Web page

Introduction
To implement ASP forms-based authentication, you need to determine which Web pages in your Web application require secure access. You then must add code to each secure page to verify the existence of a Session variable. If the Session variable does not exist, the user is not authenticated. You then redirect the user to the logon page, as shown in the following example:

Note You should protect the logon page by using Secure Sockets Layer (SSL) and use a full path to the logon page by using Hypertext Transfer Protocol Secure (HTTPS); for example, https://server/site/private/login.asp. Because the session cookie identifies the authenticated user on every later request, the secured pages themselves should also be served over SSL; otherwise the cookie can be captured on the network and replayed. You will learn more about SSL in Module 8, “Protecting Communication Privacy and Data Integrity,” in Course 2300, Developing Secure Web Applications.

Authorization
You can implement authorization in an ASP Web page by using Session variables. In each secured page of the Web application, you must verify that a Session variable is set to a certain value. If the Session variable is set to that value, the user is authorized to view the page. For example, a second Session variable, Role, can be set in the logon page. The Role Session variable is set to the user's role in the Web application. When the user accesses a secured page, the Role Session variable is checked to determine whether the user has the proper authorization to view the page. The following example secures a Web page for only users in the Admin role:
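The following is an added example that carries the whole procedure of this lesson through end to end; it is not the course's own Logon.asp or SecurePage.asp (the course demo accepts any nonblank credentials). Logon.asp verifies the posted user name and password against Active Directory by binding to the directory with them through ADSI (the WinNT provider and ADS_SECURE_AUTHENTICATION, so no password is ever stored by the application), sets Session("ID") and Session("Role"), and redirects the user to the page that was originally requested. SecureCheck.asp is the check that every protected page includes at its top: RequireAuthentication redirects unauthenticated users to the logon page, and RequireRole adds the Admin-only authorization test. The domain name CORP, the group WebAdmins that maps to the Admin role, and the file names SecureCheck.asp, AdminPage.asp and Logoff.asp are assumptions for this example; the Web server must be able to reach a domain controller, and Session.Contents.RemoveAll requires IIS 5.0 or later.

```asp
<!-- ===== Logon.asp (added example, not the course's demo page) ===== -->
<% Option Explicit %>
<%
Const ADS_SECURE_AUTHENTICATION = 1
Const DOMAIN_NAME  = "CORP"        ' assumed NetBIOS domain name
Const ADMIN_GROUP  = "WebAdmins"   ' assumed domain group that maps to the Admin role
Const DEFAULT_PAGE = "SecurePage.asp"

' Returns True when the directory accepts the user name and password. On
' success, role is "Admin" for members of ADMIN_GROUP and "User" otherwise.
Function VerifyCredentials(userName, password, ByRef role)
    Dim dso, usr, grp
    VerifyCredentials = False
    role = ""
    ' Reject empty, oversized or path-shaped names before touching the directory.
    If Len(userName) = 0 Or Len(userName) > 64 Or Len(password) = 0 Then Exit Function
    If InStr(userName, "/") > 0 Or InStr(userName, "\") > 0 Or InStr(userName, ",") > 0 Then Exit Function
    On Error Resume Next
    Set dso = GetObject("WinNT:")
    ' Binding with the user's own credentials is the credential check itself.
    Set usr = dso.OpenDSObject("WinNT://" & DOMAIN_NAME & "/" & userName & ",user", _
                               DOMAIN_NAME & "\" & userName, password, ADS_SECURE_AUTHENTICATION)
    If Err.Number <> 0 Then        ' wrong password, unknown user, locked account, DC unreachable
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    role = "User"
    For Each grp In usr.Groups
        If LCase(grp.Name) = LCase(ADMIN_GROUP) Then role = "Admin"
    Next
    VerifyCredentials = True
End Function

' Only a path inside this application may be used as the redirect target. An
' absolute URL or a protocol-relative "//host" in ReturnUrl would turn the
' logon page into an open redirect, so anything else falls back to DEFAULT_PAGE.
Function SafeReturnUrl(candidate)
    SafeReturnUrl = DEFAULT_PAGE
    If Len(candidate) > 1 And Left(candidate, 1) = "/" Then
        If Mid(candidate, 2, 1) <> "/" And Mid(candidate, 2, 1) <> "\" Then
            If InStr(candidate, vbCr) = 0 And InStr(candidate, vbLf) = 0 Then
                SafeReturnUrl = candidate
            End If
        End If
    End If
End Function

Dim userName, password, role
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    userName = Trim(Request.Form("UserName") & "")
    password = Request.Form("Password") & ""
    If VerifyCredentials(userName, password, role) Then
        Session.Contents.RemoveAll         ' discard state left by the unauthenticated session
        Session("ID")   = userName
        Session("Role") = role
        Response.Redirect SafeReturnUrl(Request.QueryString("ReturnUrl") & "")
    Else
        Response.Write "<p>Access Denied</p>"   ' same message for every failure reason
    End If
End If
%>
<form method="post" action="Logon.asp?ReturnUrl=<%= Server.URLEncode(Request.QueryString("ReturnUrl") & "") %>">
  User name: <input type="text" name="UserName">
  Password: <input type="password" name="Password">
  <input type="submit" value="Log On">
</form>

<!-- ===== SecureCheck.asp: included first thing in every protected page ===== -->
<!-- Named .asp rather than .inc so that IIS never serves its source as text. -->
<%
' Authentication: an unset Session variable reads as Empty, so Len(... & "") is 0.
Sub RequireAuthentication()
    If Len(Session("ID") & "") = 0 Then
        ' Carry the requested page so the logon page can return the user to it.
        Response.Redirect "Logon.asp?ReturnUrl=" & _
            Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    End If
End Sub

' Authorization: the page is available only to users whose Role was set to roleName.
Sub RequireRole(roleName)
    RequireAuthentication
    If Session("Role") & "" <> roleName Then
        Response.Status = "403 Forbidden"
        Response.Write "Access Denied"
        Response.End
    End If
End Sub
%>

<!-- ===== SecurePage.asp: any authenticated user ===== -->
<!-- #include file="SecureCheck.asp" -->
<% RequireAuthentication %>
<p>Welcome, <%= Server.HTMLEncode(Session("ID") & "") %>.</p>

<!-- ===== AdminPage.asp: Admin role only ===== -->
<!-- #include file="SecureCheck.asp" -->
<% RequireRole "Admin" %>
<p>Administrators only.</p>

<!-- ===== Logoff.asp ===== -->
<% Session.Abandon : Response.Redirect "Logon.asp" %>
```

The include runs before any HTML is written, so Response.Redirect and Response.Status still work, and because the Session variable is the only thing that distinguishes an authenticated request, a page that forgets the include (like the course's UnsecurePage.asp) is simply unprotected. Following the SSL note above, serve Logon.asp and the protected pages over HTTPS so that neither the posted password nor the session cookie crosses the network in clear text.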
Instructor-Led Practice: Using Forms-Based Authentication in an ASP Web Application
• Instructor will:
  - Secure an ASP Web application by using forms-based authentication
• Students will:
  - Try to view unsecured and secured Web pages
• Time:
  - 5 minutes

Introduction
In this instructor-led practice, you will see how to implement forms-based authentication in an ASP Web application.

• Access the secured ASP Web application
1. In Microsoft Internet Explorer, browse to the http://London/2300Demos/Mod05/UnsecurePage.asp page. What happens?
   You can access the page.
2. Click SecurePage to browse to the SecurePage.asp page. What happens?
   You are redirected to the Logon.asp page.
3. Enter any nonblank strings for the user name and password, and then click Log On. (The demo logon page accepts any nonblank credentials; it illustrates the Session mechanism only and performs no real credential check.)
4. Click SecurePage to browse to the SecurePage.asp page again. What happens?
   You can now access the page.
Lesson: .NET Code Access and Role-Based Security
• Overview of Code Access Security
• Overview of Role-Based Security

Introduction
The .NET Framework provides technologies that can be used for securing managed code (or code assemblies). These technologies include code access security and role-based security, both of which are implemented by using a common infrastructure that is supplied by the common language runtime. The common language runtime allows code to perform only those operations that the code has permission to perform. The runtime uses objects that are called permissions to enforce restrictions on managed code. There are three kinds of permissions, each with a specific purpose:
• Code access permissions. These permissions represent access to a protected resource or the ability to perform a protected operation.
• Identity permissions. These permissions indicate that code has the credentials that support a particular kind of identity.
• Role-based security permissions. These permissions provide a mechanism that is used for discovering whether a user (or the agent acting on the user's behalf) has a particular identity or is a member of a specified role.

Although developing secure code assemblies can be an important part of developing secure Web applications, secure code assemblies are beyond the scope of this course. This lesson provides a brief overview of code access security and role-based security, and it explains how these technologies can be used to secure code assemblies in your Web applications. Later in this module, you will also learn how you can integrate role-based security with ASP.NET forms-based authentication.

Note For more information about developing secure assemblies by using the .NET Framework, see Course 2350, Securing and Deploying Microsoft .NET Assemblies.
Lesson objectives
After completing this lesson, you will be able to:
• Define the purpose of code access security in the .NET Framework.
• Define the purpose of role-based security in the .NET Framework.