Document: Module 5: Securing Web Pages (ppt)




Document information

Contents

Overview 1
Lesson: ASP Forms-Based Authentication 2
Lesson: .NET Code Access and Role-Based Security 9
Lesson: Overview of ASP.NET Authentication Methods 16
Lesson: Working with Windows-Based Authentication in ASP.NET 30
Lesson: Working with ASP.NET Forms-Based Authentication 37
Review 55
Lab 5: Securing Web Pages 57

Module 5: Securing Web Pages

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

This module explains how to secure the Web pages that compose a Web application through the use of Active Server Pages (ASP) and Microsoft® ASP.NET forms-based authentication. After completing this module, students will be able to implement forms-based authentication in both ASP and ASP.NET Web applications.

After completing this module, students will be able to:
• Implement forms-based authentication in an ASP Web application.
• Define the purpose of code access and role-based security in the Microsoft .NET Framework.
• Describe the different authentication methods that are supported by ASP.NET and explain how each method is configured.
• Implement Microsoft Windows®-based authentication in an ASP.NET Web application.
• Implement forms-based authentication in an ASP.NET Web application.

Presentation: 75 minutes
Lab: 30 minutes

Required materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2300A_05.ppt
• Hypertext Markup Language (HTML) code sample file 2300A_05_code.htm
• HTML and Flash animation files: 2300A_05_A05_1662.htm and 2300A_05_A05_1662.swf
• HTML and Flash animation files: 2300A_05_A10_1663.htm and 2300A_05_A10_1663.swf

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices and lab.
• Visit the Microsoft MSDN® .NET Security page at http://msdn.microsoft.com/library/nhp/Default.asp?contentid=28001369.
• Read about Microsoft Passport at http://www.passport.com.
• Read the MSDN article, “.NET My Services and .NET Passport User Authentication Overview,” which is available at http://msdn.microsoft.com/library/en-us/dndotnet/html//myservpassp.asp.
• Read the MSDN Magazine article, “An Overview of Security in the .NET Framework,” which is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp.
• Read the MSDN article, “Secure Coding Guidelines for the .NET Framework,” which is available at http://msdn.microsoft.com/library/en-us/dnnetsec/html/seccodeguide.asp.
• Read the MSDN Magazine article, “An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS, Part 2,” which is available at http://msdn.microsoft.com/msdnmag/issues/02/05/ASPSec2/aspsec2.asp.
• Read Module 6, “Code Access Security,” and Module 7, “Role-Based Security and Isolated Storage,” in Course 2350, Securing and Deploying Microsoft .NET Assemblies.
• Read the MSDN Magazine article, “Security in .NET: Enforce Code Access Rights with the Common Language Runtime,” which is available at http://msdn.microsoft.com/msdnmag/issues/01/02/CAS/CAS.asp.

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: ASP Forms-Based Authentication

It is possible that students will have an understanding of ASP forms-based authentication before coming to this class. If so, you can briefly review the content in this lesson and then move on to ASP.NET Windows-based and forms-based authentication.

Mention that setting the Internet Information Services (IIS) authentication method to Anonymous access enables the authentication process to pass through IIS, where it is handled by the ASP logon page. At this point, the developer is responsible for making sure that the user is authenticated (by checking the user’s credentials) and authorized.

The difference between authentication and authorization in an ASP Web page is minimal. Authentication means that the Session variable that was set in the logon page exists. Authorization can be implemented by checking that the Session variable is set to a certain value.
Have the students access the unsecured and secured pages on the London computer in the 2300Demos/Mod05 folder. After the students access both the unsecured and secured pages, explain the code in the Logon.asp and SecurePage.asp pages in the Mod05 folder of the 2300Demos Web application project:
1. In Microsoft Visual Studio® .NET, open the 2300Demos solution.
2. Open the Logon.asp page in the Mod05 folder of the 2300Demos project. If a password is entered, a Session variable is set.
3. Open the SecurePage.asp page. There is code at the top of the page that looks for a value in the Session variable. If the Session variable is not set, the page redirects the user to the logon page.
4. Open the UnsecurePage.asp page. This page does not have the code at the top of the page that checks for a value in the Session variable.

Topic labels for this lesson: Overview of ASP Forms-Based Authentication; Creating an ASP Logon Page; Validating the Session Variable; Instructor-Led Practice: Using Forms-Based Authentication in an ASP Web Application.

Lesson: .NET Code Access and Role-Based Security

Microsoft .NET code access security is relevant mostly to Windows applications that run on a client computer. However, because code access security is a new feature of the Microsoft .NET Framework, it needs to be covered. Do not spend a lot of time on this material. Quickly explain that you can add attributes to the functions in your Web application to restrict its access to resources. This is beyond the scope of this course, and therefore, no examples are given.

Role-based security has been covered in earlier modules in this course and should not be a new term to students. This slide just introduces the Identity and Principal objects and how they relate to role-based security in a .NET Web application.

Lesson: Overview of ASP.NET Authentication Methods

In this lesson, briefly describe the .NET authentication methods and the Web.config file.
Windows-based authentication and forms-based authentication are covered in more detail in the following lessons.

This animation compares the three authentication methods that are supported by ASP.NET, and it shows how the authentication methods differ, both from the client perspective and on the Web server.

Explain to students the advantages and disadvantages of each ASP.NET authentication method. Ultimately, the Web client that will use the Web application will dictate which authentication method can be used. In most cases, forms-based authentication will have the most widespread support because Anonymous access is supported by all Web browsers.

The Web.config file is mentioned briefly in Module 4, “Internet Information Services Authentication,” in Course 2300, Developing Secure Web Applications. However, this topic provides an opportunity to explain Web.config files in more detail and show how the different Web.config files in the folder structure relate to one another. It is important for students to understand the hierarchy of Web.config files and their settings, and when settings in one Web.config file override those settings in another Web.config file.

When discussing the <authentication> section, mention that this section can appear only in the Web.config file in the virtual root of a Web application. The <authorization> section can appear in Web.config files in subfolders. When discussing the <authorization> section, note how roles can be used to avoid specifying individual users in the Web.config file.

Compare applying authorization settings for a single Web page with applying authorization settings for the entire Web application.

This practice provides students with an opportunity to see how the authorization settings in multiple Web.config files interrelate.
Topic labels for the preceding two lessons: Overview of Code Access Security; Overview of Role-Based Security; Multimedia: ASP.NET Authentication Methods; Comparing the ASP.NET Authentication Methods; Configuring ASP.NET Web Applications; Authentication and Authorization Configuration Settings in Web.config; Securing a Single Web Page; Practice: Using Web.config Files.

Lesson: Working with Windows-Based Authentication in ASP.NET

By default, the Web.config files in newly created Visual Studio .NET Web applications are configured to use Windows-based authentication. Note that this is the setting that is specified in the <authentication> tag for new Visual Studio .NET Web applications. This is not the default behavior when the <authentication> tag is not present, which is the equivalent of the None setting.

This is an instructor-led practice. You will start the practice by configuring the Web server on the London computer and showing the code in the Web pages. Then, students will access the pages in the http://London/2300Demos/Mod05 folder and answer the questions.

Lesson: Working with ASP.NET Forms-Based Authentication

This animation delves into ASP.NET forms-based authentication in more detail, explaining how ASP.NET authenticated and nonauthenticated requests are handled. Note that the animation uses the term “authentication cookie,” which can also be described as an “authentication ticket.”

Briefly mention creating a logon page here. Creating the logon page is covered in more detail in the next two topics.

When you authenticate a user through forms-based authentication, an authentication ticket is created and sent to the user. The authentication ticket can be either a persistent cookie, which lasts for 50 years by default, or an in-memory cookie. To create a persistent cookie that expires after a certain amount of time, you create the authentication cookie first, and then set a property of the cookie before sending it to the user.
Show students the code to do this, which is located at the end of the topic.

The RedirectFromLoginPage method will redirect the user either to the originally requested page or to default.aspx. For example, the method will redirect to default.aspx if a user opens the logon page first. If there is no default.aspx page in your Web application, this could cause a “page not found” error. Therefore, you can check the page that RedirectFromLoginPage is going to redirect to, and if it is default.aspx, manually create the authentication ticket and redirect the user to an existing page in your Web application by using the Response.Redirect method. Show students the code to do this, which is located at the end of the topic.

Mention to students that you would not normally hard code the user names and roles when defining roles. This information would typically come from a database. Show the code for the full Application_AuthenticateRequest event procedure and point out how the roles are only assigned if the user is authenticated (for example, is not anonymous) and is authenticated by using forms-based authentication. By using forms-based authentication, you can lower the overhead of using role-based security in a Web application.

Topic labels for the preceding two lessons: How to Enable Windows-Based Authentication; Instructor-Led Practice: Using Windows-Based Authentication; Multimedia: Forms-Based Authentication; How to Enable Forms-Based Authentication; The FormsAuthentication Object; Creating a Logon Page; Using Role-Based Security with ASP.NET Forms-Based Authentication.

This is an instructor-led practice. You will start the practice by configuring the Web server on the London computer and showing the code in the Web pages. Then, students will access the pages in the http://London/2300Demos/Mod05 folder and answer the questions.
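The three pieces the forms-based authentication notes above refer to (a persistent ticket with a shortened lifetime, checking where RedirectFromLoginPage would send the user before redirecting, and assigning roles only to forms-authenticated requests), written here as an added C# example for ASP.NET 1.x; it is not the course's 2300Demos code, which is in Visual Basic. The page names Logon.aspx and Home.aspx, the Resellers location, the role table, and the method and parameter names are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

/* Companion Web.config (assumed) in the application root:
   <authentication mode="Forms"><forms loginUrl="Logon.aspx" /></authentication>
   <location path="Resellers"><system.web><authorization>
     <allow roles="Resellers" /><deny users="*" /></authorization></system.web></location> */

// Logon.aspx code-behind (page name assumed). Runs after the entered
// credentials have been checked against the user store (not shown).
public class LogonPage : System.Web.UI.Page
{
    protected void IssueTicketAndRedirect(string userName, bool remember, int persistDays)
    {
        // Build the ticket cookie without sending it, so a persistent cookie
        // can be given a short lifetime instead of the 50-year default.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, remember);
        if (remember)
        {
            authCookie.Expires = DateTime.Now.AddDays(persistDays);
        }
        Response.Cookies.Add(authCookie);

        // RedirectFromLoginPage would fall back to default.aspx when the
        // request carried no ReturnUrl; send the user to a page that exists.
        // An absolute ReturnUrl is also replaced so the redirect stays on-site.
        string target = FormsAuthentication.GetRedirectUrl(userName, remember);
        if (target.ToLower().EndsWith("default.aspx") || target.IndexOf("//") >= 0 || target.IndexOf(':') >= 0)
        {
            target = "Home.aspx"; // assumed existing page
        }
        Response.Redirect(target);
    }
}

// Global.asax code-behind. Roles come from a constructed table here; a real
// application would read them from the database at this point.
public class Global : HttpApplication
{
    private static string[] LookupRoles(string userName)
    {
        switch (userName.ToLower())
        {
            case "alice": return new string[] { "Resellers", "Administrators" };
            case "bob":   return new string[] { "Resellers" };
            default:      return new string[0];
        }
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Only a request that carries a valid forms ticket gets a principal
        // with roles; anonymous or Windows-authenticated requests are untouched.
        if (Request.IsAuthenticated && Context.User.Identity is FormsIdentity)
        {
            FormsIdentity identity = (FormsIdentity)Context.User.Identity;
            Context.User = new GenericPrincipal(identity, LookupRoles(identity.Name));
        }
    }
}
```

With this principal in place, the <location> authorization above and any User.IsInRole("Resellers") check in page code evaluate against the roles looked up per request, while the ticket itself carries only the user name.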
When students are redirected to the ASPXLogin.aspx page, show them that the Uniform Resource Locator (URL) contains the page ASPXSecurePage1.aspx, which is needed to redirect the user to the requested page if the entered credentials are validated.

This topic is a summary of the primary differences between ASP and ASP.NET forms-based authentication. The most significant difference is that developers must program most of the logic in an ASP Web application, while there are features in ASP.NET that will do some of this logic either automatically or through configuration settings.

Topic labels: Instructor-Led Practice: Using ASP.NET Forms-Based Authentication; Comparing ASP and ASP.NET Forms-Based Authentication.

Lab 5: Securing Web Pages

The TailspinToys Web application is both an Internet and an extranet Web application. Introduce the lab with a group brainstorming session about which Web pages need to be secured for the extranet part of the TailspinToys Web application and what would be the best way to secure them. The lab secures the following pages:
• In the ASP Web application, the extranet pages will be secured manually in the logon page by code that checks for a Session variable.
• In the ASP.NET Web application, the extranet pages will be placed in a new folder named Resellers and secured with a <location> section in the Web.config file.
At the end of the lab, reiterate how forms-based authentication was implemented in the two Web applications and why.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup
To complete this lab, students can either continue working in the Tailspin Toys Visual Studio .NET projects that they used in previous labs, or they can start with new files.
To start with new files, students must complete the following steps.

• Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab05\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab05\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.

• Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab05\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab05\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET.

• Configure the TailspinToysAdmin and TailspinToysAdmin.NET Web applications to use Integrated Windows authentication
Use IIS to turn off Anonymous access, leaving only Integrated Windows authentication, for the TailspinToysAdmin and TailspinToysAdmin.NET Web applications.

Lab Results
Performing the lab in this module causes the Resellers.aspx and OrderStatus.aspx pages to move into a Resellers folder in the TailspinToys.NET Web application.

Preview excerpts from the student notes (only fragments are available in this preview; “…” marks text that is cut off):

• … users="Domain\Bob, Domain\Alice"/>
• Securing a Single Web Page (page 25). Web.config: sets a specific Web page as secure; determines who is authorized to access the Web page.
• … files and explain the relationship between these files. Secure a single Web page by using the authentication and authorization configuration settings in the Web.config file.
• Multimedia: ASP.NET Authentication Methods (page 17). Slide elements: IIS, ASP.NET Web Application, Client Computer, Secure Web Pages.
• … pages of your Web application. There are two disadvantages with Passport authentication. First, there is a subscription fee to use the service. Second, Passport authentication requires each user to have a valid Passport account.
• Configuring ASP.NET Web Applications (page 21). Machine.config: settings apply to all Web applications. Root Web.config: …
• … files that are named Web.config. The Web.config files are located in the same directories as the Web application files. In an ASP.NET Web application, child directories inherit the settings of the parent directories, unless the settings of the parent directories are overridden by a Web.config file in the child directories.
• Configuration hierarchy (page 22). When a Web server receives …
• … case sensitive.
• Authentication and Authorization Configuration Settings in Web.config (page 23). Web.config: sets the ASP.NET authentication mode; determines who is authorized to access the Web application.
• … assemblies by using the .NET Framework, see Course 2350, Securing and Deploying Microsoft .NET Assemblies.
• Lesson objectives (page 10). After completing this lesson, you will be able to: define the purpose of code access security in the .NET Framework; define the purpose of role-based security in the .NET Framework.
• Overview of Code Access Security (page 11). Code …
• … Visual Studio .NET documentation.
• Lesson: Overview of ASP.NET Authentication Methods (page 16): Multimedia: ASP.NET Authentication Methods; Comparing the ASP.NET Authentication Methods; Configuring ASP.NET Web Applications; Authentication and Authorization Configuration Settings in Web.config; Securing a Single Web Page; Practice: Using Web.config Files.
• … profile services for member Web sites. Users are authenticated to access many Web sites (those Web sites that sign up to use Passport) by using a single Passport account. Passport is an Extensible Markup Language (XML) Web service. Note: For more information about Passport, search for “Passport SDK Documentation” in the Microsoft MSDN® online documentation.
• Comparing the ASP.NET … (page 19)
• … Windows-based authentication in an ASP.NET Web application. Implement forms-based authentication in an ASP.NET Web application.
• Lesson: ASP Forms-Based Authentication (page 2): Overview of ASP Forms-Based Authentication; Creating an ASP Logon Page; Validating the Session Variable; Instructor-Led Practice: Using Forms-Based Authentication in an ASP Web Application.
• … entire Web application. To set the entire Web application as secure, create an <authorization> section in the <system.web> section. Using the <location> section: to set only specific pages or folders in your Web application as secure, create a Web.config file in the root folder that has a <location> section, with <system.web> and <authorization> subsections for each secure page or folder of secure pages.

Posted: 21/12/2013, 05:18
