
Beginning Web Development, Silverlight, and ASP.NET AJAX: From Novice to Professional, part 7



Document information

Pages: 44
File size: 1.03 MB

Content

Step 4: Installing the Webs

The final step is very straightforward, and depending on which sample set you are installing, it creates the virtual web mapping IIS to the directory containing the web content so you can access it via http://localhost/samplename.

Creating Your Own CardSpace-Secured Web

Now that the SDK setup scripts have configured your environment by installing the certificates, registering the CAPICOM.dll, and editing your hosts file, you are ready to create your own CardSpace-secured web. Note that CardSpace-secured webs run on HTTPS, so you will create this application as an HTTP web application on IIS, not a file system site as you have been doing in earlier chapters in this book.

Run Visual Studio (with administrative permissions on Vista) and select File ➤ New Web Site. You'll get the New Web Site dialog (see Figure 10-11).

Figure 10-11. Creating a new HTTP site

Call the site Chapter10Example1, as shown in Figure 10-11. The site will have a page, Default.aspx, that is used as the welcome page, and will redirect to SignedIn.aspx when the user passes credentials and attempts to sign in. In addition, it uses a set of helper classes in the Microsoft.IdentityModel.TokenProcessor namespace, which is implemented in the TokenProcessor.cs file that is part of the Windows SDK. We'll take a closer look at it a little later in the chapter.

Edit your Default.aspx page so that it looks like Listing 10-1.

Listing 10-1. Default.aspx

    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>CardSpace Secured Site</title>
        <!-- The CardSpace object: requests a SAML 1.0 token carrying the listed claims.
             The id lets getElementById find it in browsers that do not match on name. -->
        <object type="application/x-informationcard" name="_xmlToken" id="_xmlToken">
            <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
            <param name="requiredClaims"
                value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                       http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
        </object>
        <script language="javascript">
            // Reading the object's value invokes the CardSpace client; the
            // resulting token is copied into the hidden form field.
            function GoGetIt() {
                var xmltkn = document.getElementById("_xmlToken");
                var thetextarea = document.getElementById("xmltoken");
                thetextarea.value = xmltkn.value;
            }
        </script>
    </head>
    <body>
        <form id="form1" method="post" action="SignedIn.aspx">
            <div>
                <h1>Welcome to my Web Site</h1>
                This site is secured using Windows CardSpace. Please press the 'Use Card'
                button to retrieve your card and then click 'Sign In'
                <br /> <br />
                <!-- type="button" so that this button only runs the script and does not submit the form -->
                <button type="button" name="go" id="go" onclick="javascript:GoGetIt();">Use Card!</button><br />
                <br /> <br />
                <button type="submit">Sign in now!</button><br />
                <br />
                <input id="xmltoken" name="xmlToken" type="hidden" />
            </div>
        </form>
    </body>
    </html>

Running this page will give you the simple site that you saw earlier in this chapter. It is shown again in Figure 10-12.

Figure 10-12. The CardSpace site

You'll see that there are two buttons on here: Use Card!, which interfaces with CardSpace to get a card from the user; and "Sign in now!", which passes the token from the user's card to the SignedIn.aspx page.

Let's take a look back at the code and see how this hangs together.

The Use Card! button is defined with this markup:

    <button type="button" name="go" id="go" onclick="javascript:GoGetIt();">Use Card!</button>

Upon clicking the button, the JavaScript function GoGetIt is invoked. Here's the function:

    function GoGetIt() {
        var xmltkn = document.getElementById("_xmlToken");
        var thetextarea = document.getElementById("xmltoken");
        thetextarea.value = xmltkn.value;
    }

This script uses the element _xmlToken to get its value and load that into a var that will fill a text box on the page. The _xmlToken field is a CardSpace object, whose definition looks like this:

    <object type="application/x-informationcard" name="_xmlToken" id="_xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="requiredClaims"
            value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>

This is how you use CardSpace on a page—by declaring an object of type application/x-informationcard and naming it. There are a number of properties supported by this object, including the facility to specify the data that's required by the site. Remember the earlier example in which the last name, first name, and so on were required data from the site—it is the requiredClaims property that dictates this. As you can see, it contains a list of the schemas of the required values. When you query its value property, the object invokes the CardSpace client and allows you to specify a card. Should you specify and send a card, the value will become the token associated with that card; otherwise it will be null.
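The token that the form in Listing 10-1 posts to SignedIn.aspx is XML supplied by the client, so the receiving page can bound it and check its shape before any further parsing. The following C# is an added example, not code from the book or the Windows SDK: TokenPrecheck, Reject and MaxTokenChars are hypothetical names and the 64 KB limit is an assumed bound. It also assumes .NET 4.0 or later and that the posted token is an XML Encryption EncryptedData element.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: pre-checks for the posted xmlToken form field before it is
// handed to the SDK's Token class. TokenPrecheck, Reject and MaxTokenChars
// are hypothetical names; the 64 KB limit is an assumed bound.
public static class TokenPrecheck
{
    const string XmlEncNs = "http://www.w3.org/2001/04/xmlenc#";
    const int MaxTokenChars = 64 * 1024;

    // Returns null when the field looks like an encrypted token,
    // otherwise a short reason that is safe to log.
    public static string Reject(string xmlToken)
    {
        if (string.IsNullOrEmpty(xmlToken)) return "empty";
        if (xmlToken.Length > MaxTokenChars) return "too large";

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE is an error, so no entity expansion
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersInDocument = MaxTokenChars
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xmlToken), settings))
            {
                reader.MoveToContent();
                if (reader.NodeType != XmlNodeType.Element ||
                    reader.LocalName != "EncryptedData" ||
                    reader.NamespaceURI != XmlEncNs)
                    return "root is not xmlenc EncryptedData";
                while (reader.Read()) { } // walk the rest so malformed XML fails here
            }
        }
        catch (XmlException)
        {
            return "not well-formed, or contains a DTD";
        }
        return null;
    }

    public static void Main()
    {
        // Constructed inputs, not real CardSpace tokens.
        string ok = "<enc:EncryptedData xmlns:enc=\"" + XmlEncNs + "\"><enc:CipherData/></enc:EncryptedData>";
        string dtd = "<!DOCTYPE t [<!ENTITY e \"x\">]><t>&e;</t>";
        string plain = "<Assertion>unencrypted</Assertion>";
        foreach (var s in new[] { ok, dtd, plain, "" })
            Console.WriteLine(Reject(s) ?? "accepted");
    }
}
```

In the receiving page, a non-null result from Reject would be passed to the page's error display instead of constructing the Token.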
The JavaScript code then loads the value of the token into the hidden text field xmltoken. Next, when the user clicks "Sign in now!" they are in fact invoking a standard HTML form whose action is the SignedIn.aspx page, and one of whose elements is the hidden text field. This causes the token to be submitted to SignedIn.aspx, from where it can be parsed.

If you don't have this page already, add a new web form to your project and call it SignedIn.aspx. Listing 10-2 shows the code for this page.

Listing 10-2. SignedIn.aspx

    <%@ Page Language="C#" Debug="true" ValidateRequest="false" %>
    <%@ Import Namespace="System.IdentityModel.Claims" %>
    <%@ Import Namespace="Microsoft.IdentityModel.TokenProcessor" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <script runat="server">
        // Hides the claims panel and shows the error message instead
        protected void ShowError(string text)
        {
            fields.Visible = false;
            errors.Visible = true;
            errtext.Text = text;
        }

        protected void Page_Load(object sender, EventArgs e)
        {
            // The token arrives in the hidden form field posted by Default.aspx
            string xmlToken;
            xmlToken = Request.Params["xmlToken"];
            if (xmlToken == null || xmlToken.Equals(""))
            {
                ShowError("Token presented was null");
            }
            else
            {
                Token token = new Token(xmlToken);
                // Claim values come from the user's card and Label.Text is written
                // to the page as-is, so HTML-encode each value before display
                givenname.Text = Server.HtmlEncode(token.Claims[ClaimTypes.GivenName]);
                surname.Text = Server.HtmlEncode(token.Claims[ClaimTypes.Surname]);
                email.Text = Server.HtmlEncode(token.Claims[ClaimTypes.Email]);
            }
        }
    </script>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head id="Head1" runat="server">
        <title>Login Page</title>
    </head>
    <body>
        <form id="form1" runat="server">
            <div runat="server" id="fields">
                <h1>Welcome to my Site!</h1>
                Thank you for signing in: &nbsp;
                <asp:Label ID="givenname" runat="server" Text="" ForeColor="Red"></asp:Label>
                <asp:Label ID="surname" runat="server" Text="" ForeColor="Red"></asp:Label><br />
                <br /> <br />
                Email Address:
                <asp:Label ID="email" runat="server" Text="" ForeColor="Blue"></asp:Label><br />
            </div>
            <div runat="server" id="errors" visible="false">
                Error:<asp:Label ID="errtext" runat="server" Text=""></asp:Label><br />
            </div>
        </form>
    </body>
    </html>

When this page loads, it takes the xmlToken value off the request parameters. This value was passed in as a hidden form field by the Default.aspx page, and if a card was assigned by the user, it will contain the token associated with that card. It creates an instance of the Token class from this value. This class is implemented in the SDK TokenProcessor.cs file, so make sure you have included it in your solution within the App_Code folder. It provides a collection of the metadata associated with the token (such as name or e-mail address) as a text collection. The page then pulls the values of the First Name, Last Name, and Email Address claims and assigns them to the Text property of the associated ASP.NET label controls. The page sets ValidateRequest="false" so that the XML token can be posted, and a label writes its Text to the page without encoding it, so each claim value is HTML-encoded before it is assigned. Then, when the page renders, the labels get filled with the values from the card, received via the token and exposed via the claims. You can see the result in Figure 10-13.

Figure 10-13. Rendering the data from the card on the site

As you can see, this example demonstrated that CardSpace is very easy to use once your site is set up to use HTTPS. At the heart of accessing and decrypting the information is the Token class, which is part of the Microsoft.IdentityModel.TokenProcessor namespace, which is supplied by the SDK (not a default part of .NET 3.0).

Exploring the TokenProcessor API

The TokenProcessor API provides a single class, Token, that is used to parse token information received from a card. It provides the following properties:

IdentityClaims: This returns a System.IdentityModel.Claims.ClaimSet collection, which contains all the claim objects in the token.

Claims: This returns a ClaimTextCollection, which is a read-only string collection of the claims in the token.

IssuerIdentityClaim: This returns a System.IdentityModel.Claims.Claim object with the issuer's identity claim (which is typically the private key of the issuer of a card).

AuthorizationContext: This is the System.IdentityModel.Policy.AuthorizationContext value that is returned when all the policies are evaluated by the System.ServiceModel.ServiceAuthorizationManager. This is used when handling tokens with WCF.

UniqueID: This gets the UniqueID (IdentityClaim) of this token.

The earlier example used the Claims property to pull the desired claims from the token and set the value of some label controls to their values like this:

    Token token = new Token(xmlToken);
    givenname.Text = Server.HtmlEncode(token.Claims[ClaimTypes.GivenName]);
    surname.Text = Server.HtmlEncode(token.Claims[ClaimTypes.Surname]);
    email.Text = Server.HtmlEncode(token.Claims[ClaimTypes.Email]);

Summary

As security is becoming more and more of a necessity as opposed to a luxury when dealing with the Web, it is essential to make users' experiences with security as friendly as possible, while still protecting them from malicious web sites. CardSpace fills this void by providing an easy-to-use and attractive way of storing your personal information securely and digitally, and an easy means to send it to a web site that requests it. It is designed to be a long-term replacement for passwords, and can effectively form a client-based single sign-on for all of your favorite sites.

In this chapter, you explored CardSpace and how it looks from the user's point of view. You then went into putting together a development environment where you can host your own sites that accept CardSpace credentials. As part of this exercise, you looked briefly at site certificates and how they prevent domain spoofing.
You then went into the process of building your own CardSpace-enabled site, looking at how to embed the CardSpace object on your pages and process it, taking user credentials and using them to customize the site for the end user. Finally, you took a tour of a helper class that is provided by the SDK and that implements the token in an easily manageable way. I hope this was a good taste of what you can do with CardSpace to make your users' lives a lot easier. There's a lot more information that you can drill into—and a great resource for this is the Windows SDK documentation.

In the next chapter, we'll get back onto the traditional web development route—looking at the technology that effectively gave birth to Web 2.0—Asynchronous JavaScript and XML, also known as Ajax.

Ajax Applications and Empowering the Web User Experience

Ajax (Asynchronous JavaScript and XML) has become a major value proposition in the Web development industry. Indeed, 2006 was often called the "year of Ajax" because no matter where you turned, it seemed every software vendor was pushing their Ajax toolkit, Ajax sessions at conferences were filled to the rafters, and everybody wanted to use it on their web site. But Ajax has been around a lot longer than this—it's just that it seemed to hit critical mass in that year.

In this chapter, you'll look at what Ajax is at its core—no toolkits, no value-adds or complexities, just a good look at the technology underpinning the whole Ajax phenomenon. You'll start with a history of where it came from, an analysis of why it evolved, a good look at its architecture, and some hands-on experience in building some simple Ajax interactions using good old-fashioned JavaScript and HTML.
After that, the next few chapters will look at the AJAX extensions for ASP.NET and how these can empower your Ajax development experience by bringing the productivity of the server-side paradigm of ASP.NET and a suite of new JavaScript libraries to bear.

A Brief History of Ajax

The term Ajax was coined by Jesse James Garrett, and made its first public appearance in early 2005. At its heart is the ability to make web applications more responsive and more competitive with desktop applications. One part of this is to remove the need for the typical full page refresh that occurs when the user wants to see some new content on a page. For example, consider a page like MSN MoneyCentral (shown in Figure 11-1).

[...]

... nX and nY, and multiplies them out, writing the response back to the output buffer. You'll take these results and load them into the answer field when you write the Ajax UI layer. This is why you removed all the markup from the page earlier, as you do not want to write out unnecessary HTML tags from this service (such as and ). To create the Ajax UI, add a new HTML page to the solution and ...

... The logical place and time to do this is when the page loads and renders. To do this, add a block to the page and add an initAJAX function to it. It should look like this:

    var ajaxRequest
    function initAJAX() {
        try {
            ajaxRequest = new XMLHttpRequest();
    ...

... into another major technique used by Ajax programmers: forward caching. This technique is used by applications such as mapping applications to allow users to get what seems to be instant access to data. Applications using this technique are smart enough to download and cache data that would likely be requested next. When ...

... The first thing you'll do is split the application into two pages: the page that runs on the server and provides the calculation, and the page that provides the UI and calls the first page. To add the server page, add a new ASP.NET Web Forms page to your project, and call it MultiplyAJAXServer.aspx. In Source view, ...

    ...
    using System.Data;
    using System.Configuration;
    using System.Collections;
    using System.Web.Configuration;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;
    using System.Web.UI.HtmlControls;
    using System.IO;
    using System.Drawing;
    using System.Drawing.Imaging;
    using System.Data.SqlClient;

Now that you are ready to start coding, the first step will be to handle the input parameter. This page will be called ...

... the next phase of the Web, built around services that allowed users, not just web developers, to be contributors of information. Effective collaboration from novice users requires an enhanced experience, and Ajax was there to provide it. As such, in developer terms, Ajax is pretty synonymous with Web 2.0. In the next section, we'll take a look at getting started with Ajax programming and some of the neat ...

... the user actually requests it, the browser just pulls it out of the cache and displays it—far more quickly than if it were called from the server. That wraps up this introduction to Ajax. In the next few chapters, you'll look into the toolkit from Microsoft that allows you to easily and rapidly develop Ajax applications using a server-side paradigm: the AJAX extensions for ASP.NET, ...

    ...
        ajaxRequest.open("GET", theURL);
        ajaxRequest.onreadystatechange = handleUpdate;
        ajaxRequest.send();
    }

    function handleUpdate() {
        alert(ajaxRequest.readyState);
        var ansDiv = document.getElementById("ans");
        if (ajaxRequest.readyState == 4) {
            ansDiv.innerHTML = ajaxRequest.responseText;
        }
    }

First ...

... You'll see how it will work in a typical ASP.NET page that uses postbacks, and then you'll see how it works with Ajax, and how just using Ajax can make the user experience better.

Simple Ajax and ASP.NET Example

Create a new ASP.NET web form called MultiplyNumbers using Visual Studio (or Visual Web Developer Express). Drag a couple of text boxes, a button, and three labels to it. Arrange them so that your ...

... onclick="DoNext();" />

Next, add a tag to the head of your page, and add the following var declarations to it. They aren't part of a function within the tag, so they are common to all functions.

    var ajaxRequest
    var cachedAjaxRequest
    var currentPic = 100;
    ...

Date posted: 12/08/2014, 09:20
