
Developing Web Applications Using ASP.NET
Objectives

In this session, you will learn to:
- Implement accessibility
- Identify the ASP.NET security process
- Configure an ASP.NET Web application for security

Ver. 1.0

Slide 1 of 25

Implementing Accessibility

Accessibility:
- Refers to the degree of ease with which an application can be used by a variety of people.
- Helps people with disabilities to work with the application easily.
- Enables users to interact with the application more efficiently.

ASP.NET provides some guidelines that you should consider while designing your Web application to achieve high accessibility.

Fundamentals of Designing an Accessible Application

The features of a Web application that are used frequently should have a high degree of accessibility. Therefore, a developer should strictly follow the accessibility guidelines while designing these features. The principles that should be followed while implementing accessibility support in an application are:
- Flexible user interface
- Flexible input and output features
- Simple and intuitive design

Accessibility Design Guidelines for the Web

Some guidelines for implementing accessibility in an application are:
- Standardize font styles
- Support keyboard navigation
- Standardize the use of images
- Standardize the use of tables
- Minimize the use of style sheets
- Use controls properly

Assistive Technologies Used for Accessibility of the Web

People with disabilities use various assistive technologies for accessing a Web application. Some assistive technologies used by people with disabilities are:
- Braille and refreshable Braille
- Scanning software
- Screen magnifiers
- Screen readers
- Visual notifiers

Introducing the ASP.NET Security Model

The ASP.NET security model:
- Allows you to implement security in your Web applications.
- Provides restricted levels of access to secure website information from unauthorized access.
- Helps in maintaining data integrity and confidentiality.

Introducing the ASP.NET Security Model (Contd.)

The following figure displays the architecture of the ASP.NET security model.
[Figure: layers of the ASP.NET security model, as labelled on the slide: Web Clients, ASP.NET Applications, IIS, .NET Framework, Windows Operating System]

Introducing the ASP.NET Security Model (Contd.)

The working of the ASP.NET security model is described in the following steps:
1. Internet Information Services (IIS) receives a request from a Web client.
2. IIS attempts to authenticate the user.
3. If ASP.NET authenticates the user, it allows requests to the specified Web page.
4. When the ASP.NET code requests resources, the operating system performs its own security checks to verify that the authenticated user is allowed access to the specified file and directory.
5. If access is granted, the requested resource is returned through IIS.

Configuring IIS for Implementing Security

IIS authenticates the user who has requested the application by using a specific type of authentication. The type of authentication depends on how the security for Web applications is configured on IIS. You need to configure security on IIS to authenticate users before they are permitted access to a Web application. IIS provides the following types of authentication to control access to your Web application:
- Anonymous
- Basic
- Digest
- Integrated Windows

Configuring an ASP.NET Application for Security

ASP.NET uses its own security mechanism to authenticate users. To be able to use the ASP.NET security mechanism, you need to configure the security settings in the web.config file of the Web application. These security settings include configuring authentication, authorization, and impersonation for accessing resources in your application.

Configuring Authentication

Authentication is the process of validating the identity of a user before granting access to a restricted resource. Authentication in a Web application can be configured by using the <authentication> element in the web.config file. The <authentication> element specifies the authentication type that is used by an application to authenticate the user. The authentication type can be specified by using the mode attribute of the <authentication> element.

Configuring Authentication (Contd.)

The mode attribute can have the following values:
- Windows: This mode specifies that the authentication is performed by IIS by using Basic, Digest, or Integrated Windows authentication.
- Forms: This mode specifies that the user will be authenticated by using the forms-based authentication method.
- Passport: This mode specifies that the user will be authenticated by using the Microsoft Passport authentication method.
- None: This mode specifies that no authentication mechanism is set and that any anonymous user can access the Web application.

Configuring Authentication (Contd.)

Implementing Windows authentication:
To configure an ASP.NET Web application for Windows authentication, you need to change the mode attribute of the <authentication> element to Windows, as shown in the following example:
    <authentication mode="Windows" />

Configuring Authentication (Contd.)

Implementing Forms authentication:
To configure an ASP.NET Web application for Forms authentication, you first need to change the mode attribute of the <authentication> element to Forms, as shown in the following code snippet:
    <authentication mode="Forms" />

If a user tries to access a restricted page without first logging in, the user should be redirected to the login page. You are required to specify the settings by using the <forms> element in the web.config file to redirect anonymous users to the login page.

Configuring Authentication (Contd.)
The <forms> element has the following attributes:
- name
- loginUrl
- protection
- timeout
- path

Configuring Authentication (Contd.)

After configuring the Web application for Forms authentication, you are required to add users to the ASP.NET membership management service by using one of the following methods:
- Using the <credentials> element in the web.config file
- Using the Membership API
- Using the CreateUserWizard server control provided by ASP.NET
- Using the ASP.NET Web Site Administration Tool (WAT)

Let us see how to create users by using the CreateUserWizard server control.
Let us see how to create users by using the Web Site Administration Tool.
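The following web.config is an added example, not code from the original slides. It puts together the two Forms authentication slides above: the mode switch, the <forms> element with the five attributes just listed, and the <authorization> rule that actually causes anonymous users to be redirected to loginUrl. The cookie name .MUSICMANIAAUTH and the page name Login.aspx are assumed values; requireSSL and slidingExpiration are real attributes of the <forms> element that the slide does not mention.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not from the original deck) -->
<configuration>
  <system.web>
    <!-- mode="Forms": ASP.NET, not IIS, authenticates the user -->
    <authentication mode="Forms">
      <!-- name:       name of the cookie that carries the authentication ticket
           loginUrl:   page that unauthenticated users are redirected to
           protection: "All" = the ticket is both encrypted and signed
           timeout:    ticket lifetime in minutes
           path:       cookie path; "/" so every page in the application receives it
           requireSSL:        cookie is only sent over HTTPS (not on the slide)
           slidingExpiration: false = timeout counts from issue, not last request
                              (not on the slide) -->
      <forms name=".MUSICMANIAAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- The <forms> element alone does not redirect anyone. This rule does:
         "?" denies anonymous users, "*" allows every authenticated user.
         Rules are checked top to bottom and the first match wins. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Explicitly allow anonymous access to the login page itself,
       so the site-wide deny rule cannot block the page users are sent to -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When testing this on a development server without HTTPS, the browser never sends a requireSSL cookie over plain HTTP, so a login appears to succeed and then immediately redirects back to Login.aspx; set requireSSL="false" only for that local test and restore it before deployment.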

Configuring Authorization

Authorization is the process of verifying whether an authenticated user has the privilege to access a requested resource. You need to grant different permissions to different users to provide accessibility to the Web pages in your website. In ASP.NET, you can provide authorization by using the role management service, which enables you to:
1. Create roles.
2. Assign users to each role.
3. Restrict user access based on roles.

Configuring Authorization (Contd.)

To use role-based authorization in your Web application, you need to enable it by using the <roleManager> element in the web.config file, as shown in the following example:
    <configuration>
      <system.web>
        <roleManager enabled="true" />
        ...
      </system.web>
      ...
    </configuration>
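As an added example (not code from the original deck), here is a fuller web.config that enables the role manager and then makes use of it for the third step of the role management service, restricting access based on roles: the site-wide <authorization> section keeps anonymous users out, and a <location> section limits the Admin folder to members of the Administrator role. The role name Administrator and the folder name Admin are assumed for illustration; cacheRolesInCookie and cookieProtection are standard <roleManager> attributes that the slide does not list.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not from the original deck) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" />
    </authentication>

    <!-- Enable the role management service. With cacheRolesInCookie="true" the
         user's role names are cached in a cookie, which must be encrypted and
         signed (cookieProtection="All"); Roles.DeleteCookie clears that cookie. -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieProtection="All" />

    <!-- Site-wide rule: no anonymous users ("?"), any authenticated user ("*") -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Folder-level rule for the assumed Admin folder. Rules are evaluated top to
       bottom and the first match wins, so the allow for the role comes first and
       the final deny catches everyone who is not in it. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The order inside <authorization> matters: if the <deny users="*" /> line were placed first it would match every request, including administrators, before the allow rule was reached.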

Configuring Authorization (Contd.)

After you have enabled the role management service, you need to create roles, such as Users, Administrator, and Guest. ASP.NET provides you with the Roles class to help you create roles. The various methods of the Roles class are explained in the following table.

Method            Description
CreateRole        Adds a new role to the data source.
DeleteCookie      Deletes the cookie where role names are cached.
DeleteRole        Removes a role from the data source.
FindUsersInRole   Gets a list of users in a specified role where the user name contains the specified user name to match.
GetRolesForUser   Gets a list of the roles that a user is in.

Let us see how to create roles and assign users to roles by using the Web Site Administration Tool.


Configuring Impersonation

When a user requests an ASP.NET application, the request goes to IIS. IIS authenticates the user and forwards the request to ASP.NET. If ASP.NET impersonation is disabled, irrespective of the user who has logged on, the ASP.NET application will be executed by using a fixed machine-specific account. In Windows XP, this account is automatically created by ASP.NET and is named as ASPNET.

Configuring Impersonation (Contd.)

Impersonation is the process of executing code under the authenticated user identity and not under the ASPNET account. Impersonation involves the following steps:
1. When a request from a remote client is received, IIS carries out authentication. If the client is authenticated, it passes the request to the ASP.NET application.
2. The application impersonates the client and uses the authentication given by IIS to access the restricted resources.
3. If authorized to access resources, the ASP.NET application returns the requested resources to the client through IIS.
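The configuration that switches on the impersonation described in these steps is the <identity> element, shown here as an added example (not code from the original slides). With impersonate="true" and no account given, each request runs as the user that IIS authenticated, so the operating system's file and directory checks in step 2 apply to that user rather than to the fixed ASPNET account. The commented-out variant runs every request as one fixed account; its userName and password values are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not from the original deck) -->
<configuration>
  <system.web>
    <!-- IIS must authenticate the caller for impersonation to be meaningful;
         with Anonymous authentication in IIS the impersonated identity is
         the IIS anonymous account, not a named user -->
    <authentication mode="Windows" />

    <!-- Run each request under the identity IIS authenticated -->
    <identity impersonate="true" />

    <!-- Alternative: run all requests as one fixed account (placeholders shown).
         If this form is used, encrypt the section with protected configuration
         (aspnet_regiis -pe) rather than leaving the password in clear text.
    <identity impersonate="true"
              userName="DOMAIN\placeholder-service-account"
              password="placeholder-password" />
    -->

    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Whichever form is used, the account that the code runs as needs only the NTFS permissions required to read the application's files and the resources it serves; granting it more than that undoes the benefit of the operating-system check.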

Activity 12.1: Implementing Forms Authentication

Problem Statement:
You need to create a login page for the users of the MusicMania website. This login page should use Forms authentication. The login page should display two text boxes for entering the username and password, respectively. To log on, the users are required to enter the username and password in the respective text boxes and click the Login button. The user credentials should be verified with the entries made in the web.config file. Once the user is authenticated, he/she should be redirected to the Welcome page that displays a welcome message to the user. However, if the user fails authentication, a message should be displayed to the user on the login page indicating that the authentication process has failed.

Activity 12.1: Implementing Forms Authentication (Contd.)

Solution:
To implement Forms authentication in the website, you need to perform the following steps:
1. Add a new Web page.
2. Design the new Web page.
3. Modify the Home page.
4. Verify the application.
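The problem statement requires the credentials to be verified against entries in web.config. The following <credentials> section is an added example for that requirement, not part of the original activity solution: the login page's code-behind can pass the two text box values to FormsAuthentication.Authenticate(userName, password), which compares them with these entries, and on success call FormsAuthentication.RedirectFromLoginPage to send the user to the Welcome page. The user name alice, the page names and the password are constructed sample values; the hash shown is the SHA-1 of the sample password "abc" (the well-known SHA-1 test vector), which is what FormsAuthentication.HashPasswordForStoringInConfigFile("abc", "SHA1") returns.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for Activity 12.1 (not from the original deck) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- defaultUrl: where RedirectFromLoginPage sends the user when no
           return URL was recorded (assumed page name Welcome.aspx) -->
      <forms loginUrl="Login.aspx"
             defaultUrl="Welcome.aspx"
             protection="All"
             timeout="30">
        <!-- passwordFormat="SHA1": web.config holds hashes, not clear-text
             passwords. Sample user: alice / "abc"; the value below is the
             upper-case hex SHA-1 of "abc". Replace with a strong password's hash. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="A9993E364706816ABA3E25717850C26C9CD0D89D" />
        </credentials>
      </forms>
    </authentication>

    <!-- Anonymous users are redirected to Login.aspx; authenticated users
         reach Welcome.aspx -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

Two caveats for anyone carrying this beyond the classroom activity: the <credentials> list stores an unsalted hash per user, so it is suited to a handful of fixed test accounts rather than real user populations (the Membership API in the earlier slide is the right home for those), and a failed FormsAuthentication.Authenticate call should produce the same generic "authentication failed" message on Login.aspx regardless of whether the user name or the password was wrong.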

Summary

In this session, you learned that:
- The ASP.NET security model provides restricted levels of access to secure website information from unauthorized access.
- IIS provides the following different types of authentication to control access to your Web application:
  - Anonymous
  - Basic
  - Digest
  - Integrated Windows
- Authentication is the process of validating the identity of a user before granting access to a restricted resource. Authentication in a Web application can be configured by using the <authentication> element in the web.config file.

Summary (Contd.)
- The <authentication> element specifies the authentication type that is used by an application to authenticate the user. The authentication type can be specified by using the mode attribute of the <authentication> element. The mode attribute can have the following values:
  - Windows
  - Forms
  - Passport
  - None
- Authorization is the process of verifying whether an authenticated user has the privilege to access a requested resource.
- Impersonation is the process of executing code under the authenticated user identity and not under the ASPNET account.
