
Unit 7 Learning Objectives

Unit 7 Learning Objectives: how to control access to websites; authentication and authorization; security and access control (web.config); ASP.NET Membership controls in code (LoginView); using user information (Page.User).



  1. Unit 7 Learning Objectives • How to Control Access to websites • Authentication and Authorization • Security and Access Control (web.config) • ASP.NET Membership controls in code (LoginView) • Using user information (Page.User)

  2. Authentication • It establishes that someone is who they claim to be • It typically involves a username and password • Microsoft systems have two basic methods • Forms based authentication: what you typically see when you log into a website (a login form on a web page) • Windows based authentication: what you see when you log into a computer (the browser presents your Windows account to the server)

  3. Windows based authentication • What you see when you log into a computer • Forms based authentication • What you typically see when you log into a website

  4. Authorization • Permission to use a resource such as a web page or document • Authenticated users can do more than anonymous users • Authorization may be associated with Roles • Roles let you give a group of users the same authority • Example: admin, staff or guest • Access Rules determine who is authorized to use what

  5. Authorization or Authentication?

  6. Access Rules are settings in web.config. The annotated screenshot on this slide (not reproduced in the transcript) points out three things: • an access rule for the Register page that allows users who belong to the Admin role • a rule that denies anonymous users until they identify themselves • the authentication element, which gives the authentication type (i.e. FORMS) and the page to log in from

  7. Access Rule Example: Consider the Styles Folder • Access to the style sheets is required by every user of the website, including anonymous users • Add a web configuration file to the Styles folder • Starting on line 4 of that file, enter an authorization section that allows all users access to the folder

  8. Multiple Configurations (C:\ASPPUB) • When more than one web.config applies, access is determined by the access rules closest to the page • How many config files are seen? • In this case, the web.config file closest to it controls access to the Finals folder

  9. How to work with a user's information • Page.User: User is a property of the Page object • User contains information about the user logged into your web page when one of ASP.NET's authentication methods is used • Roles: groupings of access privileges • Example: Manager, Admin, LowlyWorm, Guest, etc.

  10. How can Page.User be used for roles? • User has a method called IsInRole • IsInRole tells you whether the current user belongs to a role • User.IsInRole("Admin"): is the current user a member of the Admin role? If so, apply a 10% discount • User.IsInRole("Guest"): is the current user a member of the Guest role? • In C# code-behind: if (User.IsInRole("Admin")) TotalAmt = 0.9 * SubTotalAmt; • IsInRole returns false for an anonymous (not logged in) user, so a role check is only meaningful once the user has authenticated

  11. L1 #1: ASP.NET security set-up in VWD • The default web site we created at the beginning of the quarter already uses many of ASP.NET's security features; we just have to turn the security on • So, let's turn it on as the L1 for this unit • Open your ASPPub folder in VWD • Select ASP.NET Configuration from the Website menu

  12. L1 #2 • You should see a web page that looks something like this; click the Security link • Then click the Use the Security Setup Wizard link, which will set up security and walk you through creating a user and access rules

  13. L1 #3 • Read the Welcome message and press Next • Select From the Internet for the Access Method (that means forms authentication) and press Next

  14. L1 #4 • Wizard Step 3 has nothing for us to do, so press Next • Wizard Step 4 allows us to use roles. Click the Enable roles check box and then press Next

  15. L1 #5 • In the next screen, type Admin in the New Role Name text box and press Add Role • Once the role is created you have the option of adding another role, deleting an existing role or moving to the next step. Press Next

  16. L1 #6 • In Wizard Step 5 you create one or more users. Enter MIS3200 for the user name, testing! for the password and your email address (the screenshot shows MIS3200@ohio.edu), then click Create User • Be sure you enter the username and password exactly as listed or we won't be able to grade your work!! • After the MIS3200 user is created, click Continue and add a second user with your last name and any password you would like. Then press Next

  17. L1 #6 • Wizard Step 6 allows you to create Access Rules and apply them to different folders • Look at the bottom of the screen. This shows the default access rule for the selected folder (ASPPub). This rule allows all users to access the folder

  18. L1 #7 The diagram shows a rule to deny anonymous users access to the ASPPub folder. The top of the diagram shows you how to set it up and the bottom shows the finished rule. • To create a new rule • Select the folder the rule applies to (ASPPub) • Select who the rule applies to (Anonymous) • Select which permission you want (Deny) • Finally, press Add This Rule • This rule will prevent any unauthenticated (i.e. anonymous) user from getting to any page, image or other resource in your ASPPub folder

  19. L1 #8 You should now see a screen you saw before but this time listing users and roles. You can edit users, roles and access rules from here • We will just have one access rule for now so press Next • Basic security setup is now complete so press Finish

  20. L1 #9 • Close the Web Site Administration Tool • Click the Run button to run your MIS portfolio page • What happened? Did you get something like this?

  21. L1 #10 • Your access rule prohibits you, and everyone else, from using any page in ASPPub, so your default.aspx didn't load • But something did load. What page is it? Check the URL • The one standard exception to the "you can't use anything" rule is the login page (Login.aspx) that was created as part of the default site. It contains a Login control. • Forms authentication exempts its configured login page from the access rules, so this page is where any unauthorized request is redirected to

  22. L1 #11 • Go back to your login page and enter your user name and password (MIS3200 and testing!) • You should see your normal default.aspx page • Close the page and return to VWD • Open up your web.config file • Security settings are stored here, so DO NOT delete it! • Some of the important settings are: the access rules (the authorization section) and the authentication mode and location of the login page (the authentication section) • Next: Opening access in closed areas

  23. L1 #12 • Close web.config • Open Login.aspx in the Account folder. It should look like this

  24. L1 #13 • Compare the page shown on slide L1 #12 with that on L1 #9. Are they the same page? • If they are, why do they look so different? • They are the same page, so what happened? • The page you see on L1 #12 is formatted with style sheets • The page on L1 #9 is the same page, so it is formatted with the same style sheets, but the browser was not able to load them. What happened?

  25. L1 #14: Opening specific folders • When you deny anonymous users access to a folder you deny them access to everything in the folder, including style sheets, images, documents and web pages • Let's fix this problem • Right-click on the Styles folder • Select Add New Item… • Select Web Configuration File • It is okay to have more than one web.config file as long as they are organized

  26. L1 #15 • Open the web.config file in the Styles folder; it should look like this • Starting on line 4, enter an authorization section that allows all users access to this folder • If a web site has more than one set of access control rules, it uses the rules closest to the page. So in this case, the web.config in the Styles folder controls access to that folder

  27. L1 #16 • Save the web.config file • Repeat the process and create another web.config file in the Images folder • After you save your work, run your default.aspx again. You should get something like this…

  28. L1 #17 • Before you log in, notice two things on this page • Look at the upper right-hand portion of the page, you should see: That is actually a special .NET control called LoginStatus. LoginStatus provides an anonymous user with a link for logging in and an authenticated user with a link for logging out (see next page) • Look at the page URL • Does the circled portion look familiar? • It is a QueryString (ReturnUrl) that tells the login page where to redirect you after you log in. The destination depends on what page you tried to access at the time you were redirected to the login page • Log in using MIS3200 and testing! • Note: Steps 37 through 44 are informational only and do not require any changes to your L1. However, you will do these steps, take screenshots and submit them, as a part of the L1.

  29. L1 #18 Welcome MIS3200! [Log Out] • Look at the top right side of the page again • This is the LoginStatus control again. Notice that it has a different appearance now that we are logged in • Next to it is another control called LoginName, which simply displays the current user's login name • Notice that the message on the previous page didn't include the Welcome • Both messages are contained in a control called LoginView • LoginView allows you to display one thing to an anonymous user and something different to an authenticated user • It is even possible to display different content based on the roles assigned to the user

  30. L1 #19 • Close the page and open your master file, Site.master, in design view • Look at the top right of the page • You should see the LoginStatus control and a LoginView called HeadLoginView • Click on HeadLoginView and click its button to open the smart menu. Notice that you are currently looking at the AnonymousTemplate • Right-click on Log_In and look at the properties • Notice that this is a LoginStatus control named HeadLoginStatus • Also notice the HRef property that says where to find the login page

  31. L1 #20 • Click the menu button next to AnonymousTemplate and select the LoggedInTemplate • You should now see the LoggedInTemplate with both a LoginStatus and a LoginName control • You can change anything you want in either template. The templates will expand to contain whatever you need. • You can create new templates and associate them with roles by clicking the Edit RoleGroups link • You can go directly to the Web Site Administration Tool (slide L1 #2) by clicking Administer Website

  32. L1 #21 – What to turn in • Open your U6L3 page and click the Run button in Web Developer; you should be prompted with the login screen. Capture this screenshot, which shows the URL and the login prompt (the entire page) • Using the username and password we created (MIS3200 and testing!), log in. Capture the screenshot that shows your U6L3 was allowed to run after successfully logging in (the entire page again) • Submit both of these screenshots by attaching them to the Unit 7 L1 dropbox

  33. ASP.NET Login controls • You have already seen five ASP.NET Login controls • CreateUserWizard – used by the Web Site Administration Tool • Login – used on Login.aspx • LoginName – used in Site.master • LoginStatus – used in Site.master • LoginView – used in Site.master • There are only two other controls • ChangePassword – allows a logged-in user to change their password after supplying the current one • PasswordRecovery – lets a user who has forgotten their password get a new one, after answering their security question, sent to them via email • All of these are found under Login in the Toolbox • PasswordRecovery requires access to a mail server, which we don't have in the labs

  34. L2 • Open ASPPub • Open ASP.NET Configuration (L1 slide #5) • Click Security • Click Manage Users • Select your MIS3200 user and click Edit roles • Click the check box next to the Admin role (this puts the MIS3200 user into the Admin role) • Close the Web Site Administration Tool • Open Web.config in the Account folder • Examine lines 4-10 • Change <allow users="*" /> on line 7 to <allow roles="Admin" /> • Change <deny users="?" /> on line 13 to <deny users="*" /> • Save the changes

  35. L2 #2 • Add the following, starting on line 11, to allow anonymous users access to Login.aspx • Run your default.aspx (directly under ASPPub) • Log in as MIS3200 • Try to go to ASPPub/Account/Register.aspx (in the URL bar, change ASPPub/Default.aspx to ASPPub/Account/Register.aspx) • You should be on the Create a New Account page • Now click Log_Out and then log in with your other user name, which does not have the Admin role (your last name) • Why do we have to do this?

  36. L2 #3 • Try to go to ASPPub/Account/Register.aspx again • What happens? Why? • At the present time everyone has to log in to see any of your ASPPub portfolio, which is not a very useful portfolio, so let's allow everyone into ASPPub but restrict access to the MIS3200 folder

  37. L2 #4 • Open the Web Site Administration Tool • Select Security • Select Manage access rules • Delete the Deny anonymous rule • Select the MIS3200 folder • Click Add new access rule • Create a rule to deny anonymous users • Click Done and close the page • You should now have a new Web.config in your MIS3200 folder (you may have to click Refresh to see it)

  38. L2 #5 • Now try to run your default.aspx page (i.e. your main MIS Portfolio page) • Can you get in? • Capture the screenshot that shows your portfolio page was allowed to run • If so, what happens when you click the MIS3200 link? (do not login) • Capture this screenshot which shows the URL and the login prompt • What happens when you try to go to Register.aspx? • Capture this screenshot which shows the URL and error message
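The slides describe the web.config rules in words and screenshots but never show how the rules from several web.config files combine. The following is an added example, not part of the original slides and not ASP.NET's own code: a small Python model of how ASP.NET's UrlAuthorizationModule evaluates <allow>/<deny> rules, run over constructed web.config text that mirrors the L1 and L2 layouts (root deny-anonymous rule, Styles and Images folders opened up, the Account folder with Register.aspx restricted to the Admin role and Login.aspx opened to everyone, and the L2 #4 layout with the deny-anonymous rule moved to the MIS3200 folder). The folder names, the user names MIS3200 and "lastname", and the semantics listed in the docstring are assumptions for the example. It also shows a pitfall the slides only hint at: if <deny users="*" /> is placed before <allow roles="Admin" />, the Admin user is locked out too, because the first matching rule wins.

```python
"""Simplified model of how ASP.NET's UrlAuthorizationModule evaluates web.config
access rules.  Added example for this unit, not ASP.NET's own code.  Assumed
(documented) semantics:
  * rules from the web.config closest to the requested page are tried first,
    then each parent folder's rules, up to the site root;
  * a <location path="..."> block applies only to that file or sub-folder and is
    tried before the enclosing folder's own <authorization> rules;
  * the first <allow>/<deny> whose users= or roles= matches decides the request:
    users="*" is everyone, users="?" is the anonymous user, a name matches that
    user, roles="R" matches when the user is in role R (like Page.User.IsInRole);
  * if no rule matches, access is allowed (ASP.NET's machine-level default).
All web.config text below is constructed for the example."""
import xml.etree.ElementTree as ET
from typing import Optional


class User:
    def __init__(self, name: Optional[str], roles=()):
        self.name = name                      # None = anonymous (not logged in)
        self.roles = {r.lower() for r in roles}

    def is_in_role(self, role: str) -> bool:  # false for an anonymous user
        return self.name is not None and role.lower() in self.roles


ANONYMOUS = User(None)


def _split(attr: str):
    return [v.strip() for v in attr.split(",") if v.strip()]


def _rules(auth_el):
    """(tag, users, roles) for each <allow>/<deny> child, in document order."""
    return [(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")))
            for el in auth_el if el.tag in ("allow", "deny")]


def _matches(rule, user: User) -> bool:
    _, users, roles = rule
    for u in users:
        if u == "*" or (u == "?" and user.name is None):
            return True
        if user.name is not None and u.lower() == user.name.lower():
            return True
    return any(user.is_in_role(r) for r in roles)


def collect_rules(configs: dict, request_path: str):
    """Ordered rule list for request_path.  configs maps a folder ("" is the
    site root, "Account", ...) to the text of the web.config in that folder."""
    parts = request_path.strip("/").split("/")
    ordered = []
    for depth in range(len(parts) - 1, -1, -1):        # deepest folder first
        folder = "/".join(parts[:depth])
        if folder not in configs:
            continue
        rel = "/".join(parts[depth:]).lower()            # path relative to this config
        root = ET.fromstring(configs[folder])
        for loc in root.findall("location"):             # <location> blocks first
            p = loc.get("path", "").strip("/").lower()
            if rel == p or rel.startswith(p + "/"):
                for auth in loc.iter("authorization"):
                    ordered += _rules(auth)
        for sw in (c for c in root if c.tag == "system.web"):
            for auth in sw.iter("authorization"):
                ordered += _rules(auth)
    return ordered


def is_authorized(configs: dict, request_path: str, user: User) -> bool:
    for rule in collect_rules(configs, request_path):
        if _matches(rule, user):
            return rule[0] == "allow"
    return True                                          # no rule matched


# --- constructed configs mirroring the unit's L1 and L2 steps -----------------
DENY_ANON = '<configuration><system.web><authorization><deny users="?"/></authorization></system.web></configuration>'
ALLOW_ALL = '<configuration><system.web><authorization><allow users="*"/></authorization></system.web></configuration>'
ACCOUNT = """<configuration>
  <location path="Register.aspx"><system.web><authorization>
    <allow roles="Admin"/></authorization></system.web></location>
  <location path="Login.aspx"><system.web><authorization>
    <allow users="*"/></authorization></system.web></location>
  <system.web><authorization><deny users="*"/></authorization></system.web>
</configuration>"""
# Wrong order: denying everyone before allowing Admin locks the admins out too.
ACCOUNT_WRONG = ACCOUNT.replace('<allow roles="Admin"/>',
                                '<deny users="*"/><allow roles="Admin"/>')

AFTER_L1 = {"": DENY_ANON, "Styles": ALLOW_ALL, "Images": ALLOW_ALL}
AFTER_L2 = {**AFTER_L1, "Account": ACCOUNT}
AFTER_L2_4 = {"Styles": ALLOW_ALL, "Images": ALLOW_ALL, "Account": ACCOUNT,
              "MIS3200": DENY_ANON}                     # root deny rule removed

ADMIN = User("MIS3200", roles=["Admin"])
STAFF = User("lastname")                                # logged in, no roles


def demo() -> dict:
    """Each key names a slide scenario; the value is whether access is allowed."""
    return {
        "l1_default_anon": is_authorized(AFTER_L1, "Default.aspx", ANONYMOUS),
        "l1_style_anon": is_authorized(AFTER_L1, "Styles/Site.css", ANONYMOUS),
        "l2_register_admin": is_authorized(AFTER_L2, "Account/Register.aspx", ADMIN),
        "l2_register_staff": is_authorized(AFTER_L2, "Account/Register.aspx", STAFF),
        "l2_login_anon": is_authorized(AFTER_L2, "Account/Login.aspx", ANONYMOUS),
        "l2_4_default_anon": is_authorized(AFTER_L2_4, "Default.aspx", ANONYMOUS),
        "l2_4_mis3200_anon": is_authorized(AFTER_L2_4, "MIS3200/Default.aspx", ANONYMOUS),
        "wrong_order_admin": is_authorized({**AFTER_L2, "Account": ACCOUNT_WRONG},
                                           "Account/Register.aspx", ADMIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'allowed' if allowed else 'DENIED'}")
```

Running the block prints one line per scenario. The two results worth noticing are l1_style_anon (the Styles web.config is consulted before the root one, which is why adding it restores the style sheets for anonymous users) and wrong_order_admin (rule order inside a single authorization section matters as much as which folder the rules live in). In real ASP.NET a denied anonymous request is answered with a redirect to the configured login page rather than a plain 401, which is the behaviour the L1 and L2 screenshots capture.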

  39. L2 #6 – What to turn in • Submit all three screenshots requested by the previous slide by attaching them to the Unit 7 L2 dropbox

  40. Problems? You may run into various problems when working with the security wizard. After making the users, if your pages no longer run and you see the word "login" in the URL without the ".aspx" following it, you likely clicked on something wrong in the L1, which added the lines shown on this slide to your web.config file. If you see these lines, delete them to correct the issue.
