Read Build Your Own ASP.NET 3.5 Website Using C# & VB Online
Authors: Cristian Darie, Zak Ruvalcaba, Wyatt Barnett
Tags: #C♯ (Computer program language), #Active server pages, #Programming Languages, #C#, #Web Page Design, #Computers, #Web site development, #internet programming, #General, #C# (Computer program language), #Internet, #Visual BASIC, #Microsoft Visual BASIC, #Application Development, #Microsoft .NET Framework
582
Build Your Own ASP.NET 3.5 Web Site Using C# & VB
What Does Your Project Need?
Don’t take these security settings as recommendations for your own projects. These kinds of decisions need to be taken seriously, and the choices you make should relate directly to the specific needs of your project.
Using Regular Expressions
Advanced programmers can make use of an additional setting, passwordStrengthRegularExpression, which takes a .NET regular expression that every new password must match. It is checked in addition to the minimum-length and non-alphanumeric-character requirements, so it can be used to describe complex rules that ensure password strength.
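As an added illustration (an editor's example, not the book's 11_web.config excerpt, which this page does not reproduce), here is a membership provider entry in Web.config that drops the security question and enforces a password policy with passwordStrengthRegularExpression. The provider name, the connection string and the particular regular expression are assumptions. Note that the chapter's own settings are looser than these: they accept the password cristian, which the regular expression below rejects because it contains no digit.

```xml
<!-- Added example, not the book's own Web.config excerpt. Provider name,
     connection string and regular expression are assumed for illustration. -->
<configuration>
  <connectionStrings>
    <add name="DorknozzleMembership"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=Dorknozzle;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="DorknozzleMembershipProvider">
      <providers>
        <clear />
        <add name="DorknozzleMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="DorknozzleMembership"
             passwordFormat="Hashed"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-zA-Z]).{8,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

SqlMembershipProvider validates a new password against all three settings in turn: minRequiredPasswordLength, then minRequiredNonalphanumericCharacters, then the regular expression, which it tests with Regex.IsMatch. Anchor the expression with ^ and $, or it will accept any password that merely contains a qualifying substring. The provider's own defaults (seven characters with at least one non-alphanumeric character) are what the chapter relaxed, and requiresQuestionAndAnswer="false" is the setting that makes the question and answer fields disappear from the Administration Tool, as Figure 13.14 shows.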
After you make this change in Web.config, start the ASP.NET Web Site Administration Tool again and add another user named cristian with the password cristian; assign this user the Users role.7 As Figure 13.14 illustrates, the fields for specifying a security question and answer no longer appear in the form.
Figure 13.14. Creating a user
7 Feel free to use another username and password combination that matches the new password strength requirements—the purpose of this exercise is to see for yourself that the new settings are in place.
Licensed to [email protected]
Security and User Authentication
Securing Your Web Application
Now we have two roles, and two users (admin and cristian), but we still need to secure the application. You should have restricted access to the app earlier in this chapter by modifying Web.config like this:
Dorknozzle\VB\11_web.config (excerpt)
If you haven’t already done so, you can add this code now, or use Visual Web Developer to add it for you. Open the ASP.NET Web Site Administration Tool, click the Security tab, and click Create access rules. Create a new access rule for the Dorknozzle directory, as shown in Figure 13.15, to Deny all Anonymous users.
Figure 13.15. No anonymous users can access Dorknozzle!
Check the options indicated in Figure 13.15 and click OK. If you look at your updated Web.config file, you’ll see the new authorization element that denies anonymous access.
Creating Access Rules Using the Administration Tool
Note that, while it’s useful, this tool can be misleading. When you add a new access rule using the ASP.NET Web Site Administration Tool, the new rule is added to Web.config—even if it existed before! If you used the tool multiple times in the previous example, you could end up with repetitions like this:
Also, keep in mind that the new rules you add using the tool are appended to the bottom of the list. This is important because these rules are applied in sequence, and the first rule that matches the current user decides the outcome! For example, adding a new rule that allows anonymous users doesn’t change the line created previously. Instead, it creates a new entry:
As these rules are processed in sequence, all anonymous users would still be rejected by the earlier deny rule, even after we added the new rule. The tool isn’t smart enough to detect such logical contradictions, so you must be careful with your rule-setting. Before moving on, make sure your authorization element looks like this:
Dorknozzle\VB\11_web.config (excerpt)
At this point, no unauthenticated users can access your application. Since this is an intranet application that’s supposed to be accessed only by Dorknozzle’s employees, this security requirement makes sense. However, we’d like to impose stricter restrictions on the AdminTools.aspx file, which is supposed to be accessed only by administrators. Unfortunately, the ASP.NET Web Site Administration Tool can’t set permissions for individual files in your project, so you’ll either need to place all admin-related functionality into a separate folder (which would allow you to continue using the tool to configure security options), or modify Web.config by hand.
You can set individual access rules for files using the location element, which can contain a system.web sub-element, which, in turn, can contain settings customized for the location. The path attribute is relative to the directory that holds the Web.config file, and the rules inside a location element are checked before the site-wide ones. Add this code to your Web.config file:
Dorknozzle\VB\12_web.config (excerpt)
Now, administrators are allowed to access AdminTools.aspx, because ASP.NET checks the authorization rules in order and stops at the first one that matches the current user, and the allow rule comes first under the authorization element. If you switched the order of the allow and deny elements, the deny rule for all users would match first, and no one (not even administrators) would be allowed to access AdminTools.aspx.
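The whole arrangement described in this section, as an added example rather than the book's 12_web.config excerpt (which this page does not reproduce): a site-wide rule that turns anonymous users away, a location element that restricts AdminTools.aspx to one role, and, commented out, the two misconfigurations the text warns about. The role name Administrator, forms authentication with Login.aspx as the loginUrl, and the roleManager element are assumptions about the rest of the chapter's configuration.

```xml
<!-- Added example, not the book's own Web.config excerpt. The role name,
     the loginUrl and the roleManager element are assumed for illustration. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- The forms authentication module skips URL authorization for requests to
           the configured loginUrl, so Login.aspx needs no location element of its own. -->
      <forms loginUrl="Login.aspx" />
    </authentication>

    <roleManager enabled="true" />

    <!-- Site-wide rule: "?" stands for anonymous users, "*" for every user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-file override. Rules are evaluated top to bottom; the first match wins,
       and these rules are checked before the site-wide ones above. -->
  <location path="AdminTools.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Wrong order: deny users="*" matches everyone first, so even administrators
       are refused and the allow rule is never reached.
  <location path="AdminTools.aspx">
    <system.web>
      <authorization>
        <deny users="*" />
        <allow roles="Administrator" />
      </authorization>
    </system.web>
  </location>
  -->

  <!-- The contradiction the Administration Tool can produce: the duplicate deny is
       harmless, but the later allow users="?" is unreachable because the first
       deny users="?" already matches every anonymous request.
  <authorization>
    <deny users="?" />
    <deny users="?" />
    <allow users="?" />
  </authorization>
  -->
</configuration>
```

For AdminTools.aspx the effective rule list is the location's rules followed by the site-wide ones, so an administrator matches the allow rule, any other authenticated user matches deny users="*", and an anonymous user is refused either way. Two caveats a practitioner should keep in mind: the location path is relative to the directory holding this Web.config, and URL authorization is enforced only for requests that ASP.NET itself handles, so under IIS 6 or IIS 7 classic mode, static files in the same folder are served by IIS without consulting these rules.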
Now your site is accessible only to authenticated users, with the exception of the Administration page, which is accessible only to users in the Administrator role. Now we just need to let users log in to the system.
Using the ASP.NET Login Controls
As we mentioned earlier in this chapter, ASP.NET delivers a range of very useful controls for managing users on your site:
Login
This control displays a login form that contains a User Name text box, a Password text box, a Remember me next time checkbox, and a Log In button. It’s integrated with the membership API, and performs the login functionality without requiring you to write any code. The layout is customizable through templates and multiple properties.
LoginStatus
This is a simple yet useful control that displays a Login link if the user isn’t logged in; otherwise, it displays a Logout link. Again, this control requires no additional coding in order to work with your application’s membership data.
LoginView
This control contains templates that display different data depending on whether or not the user is logged in. It can also display different templates for authenticated users depending on their roles.
LoginName
This control displays the name of the logged-in user.
PasswordRecovery
If the user has provided an email address and a secret question and answer during registration, this control will use them to recover the user’s password and send it by email. Note that when the membership provider stores passwords in hashed form (the default), the original password cannot be retrieved; the control instead resets it to a newly generated one, which requires the provider’s enablePasswordReset setting.
ChangePassword
This control displays a form that requests the user’s existing password and a new password, and includes the functionality to change the user’s password automatically, without requiring you to write additional code.
CreateUserWizard
This control displays a wizard for creating a new user account.
Let’s see a few of these controls in action in our own application. In the following pages, we’ll undertake these tasks:
1. Use a Login control in the Login.aspx page to give users a means of logging in to our application.
2. Use LoginStatus and LoginView controls to display Login and Logout links, and ensure that the Admin Tools link is displayed only to site administrators.
Authenticating Users
Earlier in this chapter, we created a web form based on the Dorknozzle.master master page, called Login.aspx. Remove the existing controls from the form’s ContentPlaceHolder, and also remove the LoginUser method from the code-behind file.
Using the ASP.NET login controls, we can easily make the authentication work. If you’re using Visual Web Developer, simply drag a Login control from the Login section of the Toolbox to just below the Login header in Login.aspx. If you’d prefer to add the control manually, here’s the code:
Dorknozzle\VB\13_Login.aspx (excerpt)
ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
Login
If you switch to Design view, you should see a display like the one depicted in Fig-