Module – Deploying Your Site

Post on 15-Jan-2016


DESCRIPTION

Module – Deploying Your Site. Objectives: Web Application Security Overview; Working with Windows Based Authentication and securing a web site using Windows Based Authentication; Working with Forms Based Authentication and securing a web site using Forms Based Authentication. PowerPoint (PPT) presentation.

TRANSCRIPT

Company Confidential


Module – Deploying Your Site

Objectives

• Web Application Security Overview
• Working with Windows Based Authentication and securing a web site using Windows Based Authentication
• Working with Forms Based Authentication and securing a web site using Forms Based Authentication
• Overview of MS Passport Authentication
• Securing an MS ASP.NET Web Application
• Configuring an ASP.NET Web Application
• Deploying an ASP.NET Web Application

Objectives (Cont…)

• Configuring, Optimizing and Deploying an MS ASP.NET Application
• Registering New Users
• Permitting Users to Sign Out

Web Application Security Overview

• Website Security – preventing unauthorized users from accessing restricted portions of the web site, the web store or the web front-end database.

– This has become an important aspect of e-commerce web sites, where customers' confidential data, such as personal information and credit card details stored in the database, must be thoroughly secured.

– The security features of ASP.NET address this, besides many other related security issues.

Web Application Security Overview (Cont…)

• Microsoft's ASP.NET addresses these web security issues in combination with its web server layer, Microsoft Internet Information Services (IIS).

• A user's identity (name and password) can be authenticated using one of –
– Windows Based Authentication (the credentials are checked by IIS against Windows accounts)
– Forms Based Authentication (handled by ASP.NET's FormsAuthenticationModule against a credential store such as the membership database)
– Microsoft Passport Authentication (handled by Microsoft's central Passport service)

Let's first understand the scenario through the terms Authentication and Authorization.

Web Application Security Overview (Cont…)

Authentication versus Authorization

• The terms Authentication and Authorization are treated as synonyms by many, but they are not the same.

• Authentication identifies the users of the system (who is making the request).

• Authorization defines the level of access the authenticated user has to the system and its resources (what that user may do).

Note: In many host-based and client/server systems, both the Authentication and Authorization processes are performed by the same physical hardware and, in some cases, the same software.

Working with Windows Based Authentication

• ASP.NET uses Windows authentication in combination with the authentication performed by its web server layer, Microsoft Internet Information Services (IIS).

• IIS can authenticate the request using one of the following:
– Basic (the browser sends the user name and password base64-encoded on every request, so this must only be used over TLS)
– Digest, or
– Integrated Windows Authentication (the default mechanism; NTLM or Kerberos, the password never crosses the wire)

• Once IIS has authenticated the request, ASP.NET uses the authenticated Windows identity to authorize access.

Working with Windows Based Authentication (Cont…)

• To enable an authentication provider for an ASP.NET application, add an entry to the application's 'web.config' configuration file as follows (the value of mode is one of Windows, Forms, Passport or None):

– <authentication mode="Windows" />
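An added web.config example (not from the original slides) that shows the `<authentication>` element in context, together with the `<authorization>` rules that make Windows authentication actually take effect. It assumes a fictional application with an `Admin` folder; the group names are placeholders for your environment. The weak and the corrected authorization settings are shown side by side in comments.

```xml
<?xml version="1.0"?>
<!-- Added example, not part of the original slides.
     Windows authentication: IIS authenticates the caller (Basic, Digest or
     Integrated Windows Authentication); ASP.NET only authorizes the result. -->
<configuration>
  <system.web>
    <!-- Allowed values: Windows | Forms | Passport | None. -->
    <authentication mode="Windows" />

    <!-- WEAK: with no <authorization> section the effective rule is
         <allow users="*"/>. If IIS still permits anonymous access, every request
         runs as the anonymous user and User.Identity.IsAuthenticated is false. -->

    <!-- CORRECTED: deny anonymous callers ("?") everywhere. ASP.NET then returns
         HTTP 401 and IIS challenges the browser for Windows credentials. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder. In Windows mode, roles are Windows groups
       (assumed names below); rules are evaluated top to bottom, first match wins,
       so the allow must come before the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators, MYDOMAIN\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Check after deployment: browse to the site from a machine that is not domain-joined; you should get a credential prompt, not the page. If the page renders, anonymous access is still allowed and the `<deny users="?"/>` rule is missing or overridden.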

Working with Windows Based Authentication (Cont…)

• Click on the Website menu and select ASP.NET Configuration (this opens the ASP.NET Web Site Administration Tool)

Working with Windows Based Authentication (Cont…)

• You will see the following screen

Working with Windows Based Authentication (Cont…)

• Click on security tab to create Users (for authentication) and Roles (to authorize an authenticated user)

Working with Windows Based Authentication (Cont…)

• Select 'From the Internet' if the application is hosted on the Internet to serve Internet users (the tool then configures Forms Based Authentication), or select 'From a local network' if the application is hosted on an intranet (the tool then configures Windows Based Authentication).

Working with Windows Based Authentication (Cont…)

• The number of users is '0' initially; this is highlighted for your reference

Working with Windows Based Authentication (Cont…)

• To create a role, you first need to enable roles

Working with Windows Based Authentication (Cont…)

• Existing roles being ‘0’ initially, this is highlighted for your reference

Registering New User (ASP.NET Web Administration Tool)

• Registering New Users –using ASP.NET Website Administration Tool

Registering New User (ASP.NET Web Administration Tool) (Cont…)

• Registering New Users –using ASP.NET Website Administration Tool (Cont…)

• User created Successfully

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• The number of existing users is now 1, highlighted for your reference

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Creation of new role that can be managed later

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Creating a New Role called ‘Power User’

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Power User created that can be managed later using the manage link

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• The role count changes to 1 as a new role is defined, highlighted for your reference

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Users can be managed

Registering New User (ASP.NET Web Administration Tool) Create or Managing Role… (Cont…)

• Initially all users are listed alphabetically; the selection can be narrowed down by first letter as the number of users grows

Working with Windows Based Authentication

• Adding a new item (Web form) in the solution explorer

Working with Windows Based Authentication (Cont…)

• A new web form called login.aspx is about to get created

Working with Windows Based Authentication (Cont…)

• A new web form called login.aspx is created, and a Login control is dragged from the Login palette of the IDE toolbox and dropped onto the web form (login.aspx)

Working with Windows Based Authentication (Cont…)

• Highlight the Login control and click the small arrow (smart tag) to open a dialog box, as shown below, and apply a format to give the control a neat look-and-feel

Working with Windows Based Authentication (Cont…)

• Formatted login control on the login.aspx web form

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as 'LoginView'
• On the default.aspx page, drag a LoginView control and place it

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘login view’(Cont…)

• On the default.aspx page, pull a login view control and place it

• The LoginView control shows different content to an anonymous user and to a user who is already logged on

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as ‘login view’(Cont…)

• On the default.aspx page, pull a login view control and place it (Cont…)

• The LoginStatus control is a toggle control that switches between Login and Logout (sign out)

Working with Windows Based Authentication (Cont…)

• Usage of other login controls such as 'LoginName'

• On the default.aspx page, drag a LoginName control and place it

• The LoginName control displays the name of the user who is already logged on
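An added example of the three controls described above as ASP.NET Web Forms markup, shown without the @Page directive so it stays well-formed XML; this is not from the original slides. It assumes the 'Power User' role created earlier in these slides and a page at Admin/Default.aspx.

```xml
<!-- Added example, not part of the original slides: markup for the content area
     of default.aspx using the LoginView, LoginName and LoginStatus controls. -->
<form id="form1" runat="server">
  <!-- LoginView renders one template depending on the caller's state.
       RoleGroups are checked before LoggedInTemplate, top to bottom, first match
       wins; RoleGroups need <roleManager enabled="true"/> in web.config. -->
  <asp:LoginView ID="LoginView1" runat="server">
    <AnonymousTemplate>
      You are browsing anonymously.
      <asp:HyperLink ID="LoginLink" runat="server"
           NavigateUrl="~/login.aspx" Text="Log in" />
    </AnonymousTemplate>
    <RoleGroups>
      <asp:RoleGroup Roles="Power User">
        <ContentTemplate>
          Welcome, <asp:LoginName ID="PowerUserName" runat="server" />.
          <asp:HyperLink ID="AdminLink" runat="server"
               NavigateUrl="~/Admin/Default.aspx" Text="Administration" />
        </ContentTemplate>
      </asp:RoleGroup>
    </RoleGroups>
    <LoggedInTemplate>
      Welcome, <asp:LoginName ID="LoginName1" runat="server" FormatString="{0}" />.
    </LoggedInTemplate>
  </asp:LoginView>

  <!-- LoginStatus toggles between "Login" and "Logout". LogoutAction="Redirect"
       clears the forms-authentication cookie and sends the browser to
       LogoutPageUrl, so the logged-in page is not left on screen. -->
  <asp:LoginStatus ID="LoginStatus1" runat="server"
       LoginText="Login" LogoutText="Logout"
       LogoutAction="Redirect" LogoutPageUrl="~/default.aspx" />
</form>
```

Showing an "Administration" link only to Power Users is a usability measure, not access control: the Admin folder itself still needs an `<authorization>` rule in web.config, otherwise anyone who knows the URL can open it. Note also that logging out removes the cookie from the browser but does not invalidate the ticket itself; a copy captured earlier stays usable until the ticket's timeout expires.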

Working with Windows Based Authentication (Cont…)

• Running the application by hitting the F5 function key

Working with Windows Based Authentication (Cont…)

• About to get to run mode and display the web form

Working with Windows Based Authentication (Cont…)

• Run mode of login.aspx

Working with Windows Based Authentication (Cont…)

• Administrator is authenticated and the corresponding controls behave as expected

Working with Windows Based Authentication (Cont…)

• User 'Administrator' is NOT authenticated because a wrong password was supplied to test the application

Working with Forms Based Authentication

• In Forms Based Authentication
– unauthenticated requests are redirected to an HTML login form using an HTTP client-side redirect (the original URL is carried in the ReturnUrl query parameter).
– If the user's credentials are validated, ASP.NET issues an authentication ticket in a cookie; the ticket contains the user name and expiry (or a key to re-acquire the identity), signed and encrypted with the application's machine key.
– All requests from then on carry the cookie in the request headers; the FormsAuthenticationModule validates the ticket, and the request is then authorized by an ASP.NET handler.
– The cookie is a bearer token: anyone who obtains it is the user until it expires, so it must be marked HttpOnly, sent only over HTTPS, and given a short timeout.
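An added web.config example (not from the original slides) showing the forms authentication settings that protect the ticket cookie just described, with the loose defaults that the Web Site Administration Tool leaves in place shown in a comment next to the hardened values. It assumes a login page named login.aspx and a site served over HTTPS.

```xml
<?xml version="1.0"?>
<!-- Added example, not part of the original slides. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- WEAK (the defaults): <forms loginUrl="login.aspx" timeout="30"
           requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" />
           The ticket may travel over plain HTTP and, for some device profiles,
           in the URL (where it leaks via Referer headers and browser history). -->
      <forms name=".MYSITEAUTH"
             loginUrl="login.aspx"
             defaultUrl="default.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="20"
             enableCrossAppRedirects="false" />
      <!-- protection="All": ticket is encrypted and HMAC-validated.
           requireSSL: cookie carries the Secure flag, never sent over HTTP.
           cookieless="UseCookies": never place the ticket in the URL.
           slidingExpiration="false": absolute 20-minute lifetime.
           enableCrossAppRedirects="false": ReturnUrl may not point off-site. -->
    </authentication>

    <!-- Deny anonymous callers; ASP.NET redirects them to loginUrl with ?ReturnUrl= -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- All cookies unreadable to script and only sent over TLS -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Role provider used by LoginView RoleGroups and User.IsInRole -->
    <roleManager enabled="true" cacheRolesInCookie="false" />
  </system.web>
</configuration>
```

Check with the browser's developer tools after logging in: the `.MYSITEAUTH` cookie should show both the `Secure` and `HttpOnly` flags. When the application runs on more than one server (a web farm), every server needs the same explicit `<machineKey>` so that tickets issued by one server validate on another; generate that key material with IIS Manager rather than typing it in.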

Registering a new user using Forms Based Authentication

• Create a new webform in the solution explorer and name it ‘createuser.aspx’

Working with Forms Based Authentication (Cont…)

• A CreateUserWizard control is pulled from the Login control palette and placed on the web form called createuser.aspx

Working with Forms Based Authentication (Cont…)

• Adding a hyperlink control on the login window

Working with Forms Based Authentication (Cont…)

• Run mode of login.aspx, with the link to the CreateUserWizard control

Working with Forms Based Authentication (Cont…)

• Run mode of createuser.aspx, using the CreateUserWizard control to sign up a new user

Working with Forms Based Authentication (Cont…)

• Corresponding entries are made

Working with Forms Based Authentication (Cont…)

• A new user called 'New Horizons' is added successfully to the membership store used by Forms Based Authentication

Working with Forms Based Authentication (Cont…)

• The user count changes to 2

Working with Forms Based Authentication (Cont…)

• You can see a user called New Horizons while you hit the manage link

Working with Forms Based Authentication (Cont…)

• Click on the hyperlink alphabet to narrow down the search criteria

Working with Forms Based Authentication (Cont…)

• Anonymous user (not yet logged in)

Working with Forms Based Authentication (Cont…)

• Trying the control with a wrong password

Working with Forms Based Authentication (Cont…)

• Login failed for the user New Horizons

Working with Forms Based Authentication (Cont…)

• New Horizons user authenticated

Working with Forms Based Authentication (Cont…)

• User New Horizons logged out

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication

• Create a ForgotPassword.aspx page in solution explorer

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication

• Pull a PasswordRecovery control to the form ForgotPassword.aspx

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Create a hyperlink called Forgot Password that links to this ForgotPassword.aspx page

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Design mode of login.aspx page to test the Forgot Password link

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Run mode of login.aspx page to test the Forgot Password link

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Wrong password entered

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Wrong password entered and failed status

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Entering correct password

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – wrong entry input

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – invalid answer

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – correct entry input

• This leads to the 'Password sent' page: the password is e-mailed to the address given at registration

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – correct entry input (Cont…)

• This leads to the 'Password sent' page: the password is e-mailed to the address given at registration. With a membership provider that stores passwords hashed (the SqlMembershipProvider default), the existing password cannot be retrieved; the control resets it and e-mails the new one instead. Only a provider configured to store passwords in clear or reversibly encrypted form can send the original password, which is exactly why that configuration should be avoided.

• Note: For this, the From property of the control's MailDefinition must be filled in and an SMTP server must be configured in web.config; if either is missing, the control shows its failure text, as follows:

Working with Forms Based Authentication (Cont…)

• Securing your website using Forms Based Authentication (Cont…)

• Confirming the identity – Input Correct entry (Cont…)
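An added web.config example (not from the original slides) for the membership provider behind the CreateUserWizard and PasswordRecovery controls used in this section, together with the SMTP settings the recovery e-mail needs. The connection string, SMTP host, addresses and credentials are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not part of the original slides. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: point at the aspnetdb created by aspnet_regsql or the
         Web Site Administration Tool -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <!-- WEAK: passwordFormat="Clear" (or "Encrypted") together with
             enablePasswordRetrieval="true" lets PasswordRecovery e-mail the
             existing password, and a copy of the database (plus the machineKey
             for "Encrypted") yields every user's password. -->
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/DeployingYourSite"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
        <!-- Hashed + enablePasswordReset: PasswordRecovery generates a new
             password and mails it; the old hash is never reversed.
             maxInvalidPasswordAttempts/passwordAttemptWindow: 5 failures in
             10 minutes lock the account, limiting online guessing against the
             login form and the security answer. -->
      </providers>
    </membership>
  </system.web>

  <!-- PasswordRecovery needs a From address and a reachable SMTP server;
       otherwise it shows its failure text. -->
  <system.net>
    <mailSettings>
      <smtp from="no-reply@example.com" deliveryMethod="Network">
        <network host="smtp.example.com" port="587" enableSsl="true"
                 userName="smtp-user" password="change-me" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

Two practical notes. Setting enablePasswordRetrieval="true" with passwordFormat="Hashed" is rejected by the provider at startup, which is a useful guard. The SMTP password and connection string should not sit in clear text in a deployed web.config; encrypt those sections on the server with `aspnet_regiis -pe` rather than committing the secrets. The security question and answer that PasswordRecovery relies on is a weak secondary factor, since answers are often guessable or public; the lockout settings above are what limit guessing against it.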

Overview of Microsoft Passport Authentication

• Passport authentication
– is a centralized authentication service provided by Microsoft that offers single sign-on* and core profile services for member sites.

– Microsoft .NET Passport provides
• a basic form with a graphical user interface (GUI) for sign-up and login,
• a database of user information,
• authentication logic at the web server,
• log-out functionality wrapped inside an easy-to-use programmatic interface.

Overview of Microsoft Passport Authentication (Cont…)

• The Passport architecture is simple: a single .NET Passport class, System.Web.Security.PassportIdentity, wraps all authentication functionality.

• A developer of a Passport-enabled web application need only instantiate the PassportIdentity class and use its methods to perform the complete authentication process.

Overview of Microsoft Passport Authentication (Cont…)

• *Single Sign-on: single sign-on is another feature of Microsoft Passport. Microsoft hosts the Passport service on its own servers and provides one integrated sign-on identity for all Passport-enabled accounts, such as Hotmail and MSN.

• This means users with Passport-enabled accounts need to remember only one login/password pair to access all partner sites.

• Note: the Passport service has since been retired and superseded (Windows Live ID, now Microsoft account), and the PassportIdentity class is marked obsolete in the .NET Framework; new applications should not rely on this authentication mode.

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-in using the form based login

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-out

Overview of Microsoft Passport Authentication (Cont…)

• Permitting users to Sign-in using the Login hyperlink

Thank You
