Evjen c20.tex V2 - 01/28/2008 3:13pm Page 988 Chapter 20: ASP.NET AJAX Control Toolkit

Figure 20-42

Finally, the DataSource, DataSourceID, and DataMember properties allow you to bind to this control from your code.

NoBot Control

The NoBot control works to determine how entities interact with your forms and to help you make sure that actual humans, rather than automated code, are working with your forms. The NoBot control is illustrated in Listing 20-36.

Listing 20-36: Using the NoBot control to limit a login form

.ASPX

    <%@ Page Language="VB" AutoEventWireup="true" CodeFile="NoBot.aspx.vb" Inherits="NoBot" %>
    <%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>NoBot Control</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <asp:ScriptManager ID="ScriptManager1" runat="server">
            </asp:ScriptManager>
            <cc1:NoBot ID="NoBot1" runat="server"
                CutoffMaximumInstances="3"
                CutoffWindowSeconds="15"
                ResponseMinimumDelaySeconds="10"
                OnGenerateChallengeAndResponse="NoBot1_GenerateChallengeAndResponse" />
            <asp:Login ID="Login1" runat="server">
            </asp:Login>
            <asp:Label ID="Label1" runat="server"></asp:Label>
        </div>
        </form>
    </body>
    </html>

The NoBot control has three important properties to be aware of when controlling how your forms are submitted: CutoffMaximumInstances, CutoffWindowSeconds, and ResponseMinimumDelaySeconds. CutoffMaximumInstances is the number of times the end user is allowed to try to submit the form within the number of seconds specified by the CutoffWindowSeconds property. The ResponseMinimumDelaySeconds property defines the minimum number of seconds that must elapse before the end user's submission of the form is accepted.
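To make the interplay of these three properties concrete, here is an added example (not code from the book or from the AJAX Control Toolkit) that models the two cutoff checks on the server side: a minimum delay between serving the form and accepting a response, and a cap on the number of submissions per client inside a sliding window. The class, method and result names are assumptions made for this illustration; the real control performs its own checks and reports them through NoBotState.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: a server-side model of the NoBot cutoff properties.
// SubmissionThrottle, CheckResult and the client key are assumed names,
// not part of the AJAX Control Toolkit.
public enum CheckResult { Valid, ResponseTooSoon, TooManyInstances }

public sealed class SubmissionThrottle
{
    private readonly int cutoffMaximumInstances;     // CutoffMaximumInstances
    private readonly TimeSpan cutoffWindow;          // CutoffWindowSeconds
    private readonly TimeSpan responseMinimumDelay;  // ResponseMinimumDelaySeconds

    // Per-client history: when the form was served and when each submission arrived.
    private readonly Dictionary<string, DateTime> formServedAt =
        new Dictionary<string, DateTime>();
    private readonly Dictionary<string, List<DateTime>> submissions =
        new Dictionary<string, List<DateTime>>();

    public SubmissionThrottle(int cutoffMaximumInstances, int cutoffWindowSeconds,
                              int responseMinimumDelaySeconds)
    {
        this.cutoffMaximumInstances = cutoffMaximumInstances;
        this.cutoffWindow = TimeSpan.FromSeconds(cutoffWindowSeconds);
        this.responseMinimumDelay = TimeSpan.FromSeconds(responseMinimumDelaySeconds);
    }

    // Record that the form was rendered to this client; this starts the delay clock.
    public void FormServed(string clientKey, DateTime now)
    {
        formServedAt[clientKey] = now;
    }

    // Evaluate a submission and return the first failing check, or Valid.
    public CheckResult Submit(string clientKey, DateTime now)
    {
        List<DateTime> history;
        if (!submissions.TryGetValue(clientKey, out history))
        {
            history = new List<DateTime>();
            submissions[clientKey] = history;
        }
        history.Add(now);

        // Check 1: a response that arrives before the minimum delay has elapsed
        // (or with no record of the form ever being served) is rejected.
        DateTime served;
        if (!formServedAt.TryGetValue(clientKey, out served) ||
            now - served < responseMinimumDelay)
        {
            return CheckResult.ResponseTooSoon;
        }

        // Check 2: more than CutoffMaximumInstances submissions inside the
        // sliding window of CutoffWindowSeconds is rejected.
        DateTime windowStart = now - cutoffWindow;
        int recent = history.Count(t => t > windowStart);
        if (recent > cutoffMaximumInstances)
        {
            return CheckResult.TooManyInstances;
        }

        return CheckResult.Valid;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Same values as Listing 20-36: 3 tries per 15 seconds, 10-second minimum delay.
        var throttle = new SubmissionThrottle(3, 15, 10);
        var t0 = new DateTime(2008, 1, 28, 15, 13, 0);  // constructed timestamp
        const string client = "session-A";             // constructed client key

        throttle.FormServed(client, t0);
        Console.WriteLine(throttle.Submit(client, t0.AddSeconds(4)));
        Console.WriteLine(throttle.Submit(client, t0.AddSeconds(11)));
        Console.WriteLine(throttle.Submit(client, t0.AddSeconds(12)));
        Console.WriteLine(throttle.Submit(client, t0.AddSeconds(13)));
        Console.WriteLine(throttle.Submit(client, t0.AddSeconds(30)));
    }
}
```

With the listing's values, the submission 4 seconds after the form was served fails the delay check, the next two succeed, the fourth submission inside the same 15-second window fails the instance check, and a submission after the window has passed succeeds again. The window is evaluated against timestamps kept on the server, so a client that strips or replays the control's hidden fields gains nothing from doing so.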
If you know that the form you are working with will take some time to fill in, then setting ResponseMinimumDelaySeconds to a value (even if it is only 5 seconds) will help stop submissions that are not made by humans.

The OnGenerateChallengeAndResponse property allows you to define the server-side method that works with the challenge and allows you to provide a response based on the challenge. This property is used in Listing 20-36 and posts back to the user the status of the form submission. The code-behind for this page is presented in Listing 20-37.

Listing 20-37: The code-behind page for the NoBot control's OnGenerateChallengeAndResponse

VB

    Imports System
    Imports AjaxControlToolkit

    Partial Public Class NoBot
        Inherits System.Web.UI.Page

        Protected Sub NoBot1_GenerateChallengeAndResponse(ByVal sender As Object, _
            ByVal e As AjaxControlToolkit.NoBotEventArgs) _
            Handles NoBot1.GenerateChallengeAndResponse

            ' Ask the control whether this request passed its checks and show the result.
            Dim state As NoBotState
            NoBot1.IsValid(state)
            Label1.Text = state.ToString()
        End Sub
    End Class

C#

    using System;
    using AjaxControlToolkit;

    public partial class NoBot : System.Web.UI.Page
    {
        protected void NoBot1_GenerateChallengeAndResponse(object sender,
            AjaxControlToolkit.NoBotEventArgs e)
        {
            // Ask the control whether this request passed its checks and show the result.
            NoBotState state;
            NoBot1.IsValid(out state);
            Label1.Text = state.ToString();
        }
    }

Running this page and trying to submit the form before the ten-second minimum time results in an invalid submission. In addition, trying to submit the form more than three times within 15 seconds results in an invalid submission.

PasswordStrength Control

The PasswordStrength control allows you to check the contents of a password in a TextBox control and validate its strength. It will also then give a message to the end user about whether the strength is reasonable. A simple example of the PasswordStrength control is presented in Listing 20-38.
Listing 20-38: Using the PasswordStrength control with a TextBox control

    <%@ Page Language="C#" %>
    <%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Password Strength Control</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <asp:ScriptManager ID="ScriptManager1" runat="server">
            </asp:ScriptManager>
            <cc1:PasswordStrength ID="PasswordStrength1" runat="server" TargetControlID="TextBox1">
            </cc1:PasswordStrength>
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        </div>
        </form>
    </body>
    </html>

This simple page produces a single text box; as end users type in it, they are notified of the strength of what they have entered so far. This is illustrated in Figure 20-43.

Figure 20-43

Some of the important properties to work with here include MinimumLowerCaseCharacters, MinimumNumericCharacters, MinimumSymbolCharacters, MinimumUpperCaseCharacters, and PreferredPasswordLength.

Rating Control

The Rating control gives your end users the ability to view and set ratings (such as star ratings). You have control over the number of ratings, the look of the filled ratings, the look of the empty ratings, and more. Listing 20-39 shows a page with a five-star rating system that lets end users set the rating themselves.
Listing 20-39: A rating control that the end user can manipulate

    <%@ Page Language="C#" %>
    <%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Rating Control</title>
        <style type="text/css">
            .ratingStar {
                font-size: 0pt;
                width: 13px;
                height: 12px;
                margin: 0px;
                padding: 0px;
                cursor: pointer;
                display: block;
                background-repeat: no-repeat;
            }
            .filledRatingStar { background-image: url(Images/FilledStar.png); }
            .emptyRatingStar { background-image: url(Images/EmptyStar.png); }
            .savedRatingStar { background-image: url(Images/SavedStar.png); }
        </style>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <asp:ScriptManager ID="ScriptManager1" runat="server">
            </asp:ScriptManager>
            <cc1:Rating ID="Rating1" runat="server"
                StarCssClass="ratingStar"
                WaitingStarCssClass="savedRatingStar"
                FilledStarCssClass="filledRatingStar"
                EmptyStarCssClass="emptyRatingStar">
            </cc1:Rating>
        </div>
        </form>
    </body>
    </html>

Here, the Rating control uses a number of CSS classes to define its look and feel in its various states. In addition to the CSS class properties (StarCssClass, WaitingStarCssClass, FilledStarCssClass, and EmptyStarCssClass), you can also specify the rating alignment, the number of rating items (the default is 5), the width, the current rating, and more. The code presented in Listing 20-39 produces the results shown in Figure 20-44.

Figure 20-44

TabContainer Control

Tabs are another great way to control a page that has a lot of content to present. The TabContainer control can contain one or more TabPanel controls, which provide a set of tabs that show content one tab at a time.
You are able to control the width and the height of the panels and to specify whether there are scrollbars as well. Each TabPanel control has <HeaderTemplate> and <ContentTemplate> subelements that you can define. Listing 20-40 shows an example of a TabContainer control with three TabPanel controls.

Listing 20-40: Showing three tabs in a TabContainer control

    <%@ Page Language="C#" %>
    <%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>TabContainer Control</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <asp:ScriptManager ID="ScriptManager1" runat="server">
            </asp:ScriptManager>
            <cc1:TabContainer ID="TabContainer1" runat="server" Height="300px">
                <cc1:TabPanel runat="server">
                    <HeaderTemplate>Tab 1</HeaderTemplate>
                    <ContentTemplate>Here is some tab one content.</ContentTemplate>
                </cc1:TabPanel>
                <cc1:TabPanel runat="server">
                    <HeaderTemplate>Tab 2</HeaderTemplate>
                    <ContentTemplate>Here is some tab two content.</ContentTemplate>
                </cc1:TabPanel>
                <cc1:TabPanel runat="server">
                    <HeaderTemplate>Tab 3</HeaderTemplate>
                    <ContentTemplate>Here is some tab three content.</ContentTemplate>
                </cc1:TabPanel>
            </cc1:TabContainer>
        </div>
        </form>
    </body>
    </html>

The result of this simple page is presented in Figure 20-45.

Figure 20-45

Summary

As you can see, there are a ton of new controls at your disposal. The best thing about this is that it is a community effort along with Microsoft, and the list of available ASP.NET AJAX controls is only going to grow over time. This chapter looked at a lot of the new ASP.NET AJAX controls and how to use them in your ASP.NET applications.
Remember to visit the CodePlex page for these controls often and take advantage of the newest offerings out there.

Evjen c21.tex V2 - 01/28/2008 3:15pm Page 995

Chapter 21: Security

Not every page that you build with ASP.NET is meant to be open and accessible to everyone on the Internet. Sometimes, you want to build pages or sections of an application that are accessible only to a select group of your choosing. For this reason, you need the security measures explained in this chapter. They can help protect the data behind your applications, and the applications themselves, from fraudulent use.

Security is a very wide-reaching term. During every step of the application-building process, you must, without a doubt, be aware of how mischievous end users might attempt to bypass your lockout measures. You must take steps to ensure that no one can take over the application or gain access to its resources. Whether it involves working with basic server controls or accessing databases, you should be thinking through the level of security you want to employ to protect yourself.

How security is applied to your applications is truly a measured process. For instance, a single ASP.NET page on the Internet, open to public access, has different security requirements than an ASP.NET application that is available only to selected individuals because it deals with confidential information such as credit card numbers or medical information. The first step is to apply the appropriate level of security for the task at hand. Because you can take so many different actions to protect your applications and their resources, you have to decide for yourself which of these measures to employ. This chapter looks at some of the possibilities for protecting your applications.

Notice that security is discussed throughout this book. In addition, a couple of chapters focus on specific security frameworks provided by ASP.NET 3.5 that are not discussed in this chapter.
Chapters 15 and 16 discuss ASP.NET's membership and role management frameworks, as well as the personalization features in this version. These topics are aspects of security that can make it even easier for you to build safe applications. Although these new security frameworks are provided with this latest release of ASP.NET, you can still build your own measures as you did in the previous versions of ASP.NET. This chapter discusses how to do so.

An important aspect of security is how you handle the authentication and authorization for accessing resources in your applications. Before you begin working through some of the authentication/authorization possibilities in ASP.NET, you should know exactly what we mean by those two terms.

Authentication and Authorization

As discussed in Chapter 16, authentication is the process that determines the identity of a user. After a user has been authenticated, a developer can determine whether the identified user has authorization to proceed. It is impossible to give an entity authorization if no authentication process has been applied.

Authorization is the process of determining whether an authenticated user is permitted access to any part of an application, access to specific points of an application, or access only to specified datasets that the application provides. Authenticating and authorizing users and groups enable you to customize a site based on user types or preferences.

Applying Authentication Measures

ASP.NET provides many different types of authentication measures to use within your applications, including basic authentication, digest authentication, forms authentication, Passport, and Integrated Windows authentication. You also can develop your own authentication methods. You should never authorize access to resources you mean to be secure if you have not applied an authentication process to the requests for those resources.
The different authentication modes are established through settings that can be applied to the application's web.config file or in conjunction with the application server's Internet Information Services (IIS) instance.

ASP.NET is configured through a series of .config files on the application server. These are XML-based files that enable you to easily change how ASP.NET behaves. This is an ideal way to work with the configuration settings you require.

ASP.NET configuration files are applied in a hierarchical manner. The .NET Framework provides a server-level configuration file called machine.config, which can be found in C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG. This file provides ASP.NET application settings at the server level, meaning that the settings are applied to each and every ASP.NET application that resides on that particular server.

A web.config file is another XML-based configuration file that resides in the root of the Web application. The settings applied in the web.config file override the same settings applied in the higher-level machine.config file. You can even nest web.config files, so that the main application web.config file is located in the root directory of your application but additional web.config files reside in some of the application's subdirectories (see Figure 21-1). The web.config files contained in any of the subdirectories supersede the root directory's web.config file. Therefore, any settings applied through a subdirectory's web.config file change whatever was set in the application's main web.config file.

In many of the examples in this chapter, you use the web.config file to apply the authentication and authorization mechanics you want in your applications. You also can work with IIS to apply settings directly to your applications.
Figure 21-1

IIS is the Web server that handles all the incoming HTTP requests that come into the server. You must modify IIS to perform as you want. IIS hands a request to the ASP.NET engine only if the page has a specific file extension (for example, .aspx). In this chapter, you will work with IIS 7.0 as well.

The <authentication> Node

You use the <authentication> node in the application's web.config file to set the type of authentication your ASP.NET application requires:

    <system.web>
        <authentication mode="Windows|Forms|Passport|None">
        </authentication>
    </system.web>

The <authentication> node uses the mode attribute to set the form of authentication that is to be used. Options include Windows, Forms, Passport, and None. Each option is explained in the following table.

    Provider   Description
    Windows    Windows authentication is used together with IIS authentication. Authentication is performed by IIS in one of the following ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access. This is the default setting.
    Forms      Requests that are not authenticated are redirected to an HTML form using HTTP client-side redirection. The user provides his login information and submits the form. If the application authenticates the request, the system issues a form that contains the credentials or a key for reacquiring the identity.
    Passport   A centralized authentication service provided by Microsoft that offers single login and core profile services for member sites. This mode of authentication was de-emphasized by Microsoft at the end of 2004.
    None       No authentication mode is in place with this setting.
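As an added example (not a listing from the book) that ties the configuration hierarchy described earlier in the chapter to the <authentication> node: a root web.config that switches the application to Forms mode and leaves public pages open to anonymous users, and a web.config in a subdirectory that supersedes the root authorization rule for that folder only. The login page name, the folder name and the role name are assumptions made for this illustration.

```xml
<!-- Added example, not a listing from the book. Login.aspx, the Admin folder
     and the Administrators role are assumed names. -->

<!-- /web.config (application root) -->
<configuration>
  <system.web>
    <!-- Forms mode: unauthenticated requests are redirected to loginUrl.
         timeout is the ticket lifetime in minutes. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>
    <!-- Pages in the root remain reachable by everyone, anonymous users included. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /Admin/web.config (subdirectory): supersedes the root rule for this folder -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins: members of
           the role are admitted, everyone else (anonymous users included) is denied
           and, under Forms mode, redirected to the login page. -->
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the subdirectory file only carries an <authorization> section, the authentication mode itself is still inherited from the root; a subdirectory web.config cannot change the mode, so placing that setting anywhere other than the application root is a configuration error worth checking for when a folder does not behave as expected.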