Security in ASP.NET 2.0

Today we will see how to secure web sites in ASP.NET 2.0. Security has been one of the most challenging tasks in developing portals and web sites for ecommerce and data protection. Integrating security in the web sites before .NET was a challenge and integrating security with the server was cumbersome and was not flexible to maintain. And making security changes in a huge portal was not easy to maintain because security had to be integrated with some of the modules. And making changes to the modules affected the security a lot which gave night mares to developers.

With the advent of .NET advances were made in integrating the security features in the framework. Security was provided through identities and roles. Roles were assigned to specific folders through web.config files. Hence the application could assign the roles to the folders based on the user's identity and deny access if the authorization failed. But this still had drawbacks like

Binding of the identities and roles with the user data storage. Creating of own administrative tools to configure security.

Maintaining a separate data storage for storing the user credentials.

Now with ASP.NET 2.0 these limitations have been overcome and new features implemented to give a better management of the security for web applications. This included an administrative application to manage the user data stores by implementing the Provider API. Also a new set of controls have been provided for security. These controls are "Login", "LoginView", "PasswordRecovery", "LoginStatus", "LoginName", "CreateUserWizard" and "ChangePassword".

We will explore the security features with the help of a walkthrough. We will enhance the application that was developed in the previous session "Master Pages in ASP.NET". We will also see the enhanced controls provided for login and authentication and we will make use of the controls described above.

Start Visual Studio .NET 2005 Beta 1 and open the site "MasterPage" that we created in the previous session. If you observe carefully, you will see that the site is no longer a virtual site but a plain physical folder and the files are all separated from each other without being tied to a solution like earlier versions.

Now we will start with the Masterpage that we created in the last session and then add the following controls. "LoginView" above the SiteMap Control.

Similar to the smart tag control that was explained with the data grid in the last session, we will now work with the smart tag for the "LoginView" control. Clicking on the smart tag button on the control invokes the smart tag and we see that there are 2 views. One is Anonymous Template and the other one is LoggedIn Template. Let me explain what they are for. They are used for displaying the text according to the logged status of the person who uses the site. If the user is logged in the site should show a message that "You are now logged in" and when he is not logged in it should show "You are not logged in".

Select the Anonymous Template from the views drop down list box and then type the sentence "You are not logged in" in the control. Similarly do the same "You are now logged in" for the "Loggedin template".

Now we will use another control "LoginStatus ". Drag and drop the control next to the LoginView control. This control helps to show a link to login and when the user is logged in the status changes to logout.

This control will always call a pre-defined page called Login.aspx so that the authentication can be done. This also allows us to create our own authentication mechanism. For now let us create a simple page to enable the user to enter his user name and password.

Right click on the project name in Solution Explorer and then add a new web page. Call it Login.aspx and uncheck the option of adding a master page to this page. We do not need a master page for this login since the login is a separate process and is called before the user enters the site.

Now open the Login page and now drop the Login Control on the page. Wow it is that same thing which we have be recreating and recoding every time for each and every application for the past years. This control has 2 text boxes, one for entering the username, one for entering the password, a button to login and a check box to enable the feature "remember me".

Let us spruce the screen by adding some style and colouring. Click on the Auto Format link on the smart tag and choose any style that suits your need. And viola the control is now transformed into a pleasing control.

Now we will have to complete the functioning of the login control. First we will modify the mode of authentication. By default all web sites authentication mode is set to Windows Integrated Security. But since we are using the login control we will have to modify the authentication mechanism to "Forms". Open the web.config file from Solution Explorer and modify the following fragment as seen below.

We will show the authentication mechanism by granting authentication to a particular folder so that we can see the real power of ASP.NET 2.0 in managing individual folders rather than the entire site.

In Solution Explorer right click the project and create a new folder and name it Secure. We will restrict the access to this folder only for a particular set of people.

Open this folder "Secure" and add a web page. Name it default.aspx and add a phrase "This is a secure page". This will enable us to identify the page that was accessed after authentication.

Modify the web.sitemap to include a menu link to this folder. The modified file is shown below.

Now we will come to the new core functionality of the topic which is new in ASP.NET 2.0. this is eliminating the need to maintain the data store for the users and their credentials. This is called the ASP.NET Web Site Administration tool. We will refer to it as WSAT for short.

To launch this WSAT, do the following. On the smart tag of the LoginView Control click on the Administrative Template. This will launch a web site known as the Administrative Console. This looks like this below.

The sole features of this console are :-

What we will do now is the following so that we get to know the capabilities of the Administrative Console.

First we will start with the Roles.

In the WSAT click on Security and you will see the screen as seen below.

Since no roles have been created so far for this web site, roles will have to be created. Click on Enable Roles and then click on Create Roles. A wizard will pop up and guide through the process of creating a role. Name this role as Admin. Click on the back button and this will take u back to the security home page.

Now we will create 2 users and map one of them with the admin's role. Click on Create user and you will see the form as seen below. Create 2 users with the credentials required in the form. It is simple and needs no explanation.

Make sure that you select the role as admin for one of them and leave the other one without this role. The summary of each user is displayed as seen below.

Now we will configure the privileges for the folder "Secure" that we created earlier.

Click on Create Access rules and then you will see the screen as follows.

On the left side you will see the folders that were created for this project (web site). In the right hand side you will see the roles, users and the type of permission (whether it can be allowed or denied).

We will configure the folder "Secure" to grant access to the role "admin" and deny access to the rest.

Select the folder "Secure" and then do the following

Select the role as admin and click the allow radio button.

Click on ok.

Repeat the process and select the role as user and click the deny radio button.

Now clicking on Manage access you will see that the admin has been granted access and the user has been denied access to the "Secure" folder.

If you remember in earlier versions each folder had a web.config file which allowed the privileges to be configured and this would look like this. Well after creating the privileges with the WSAT, we find that the web.config file has been updated in the same way as it was done manually in earlier versions.

A word of Caution about the ordering of the roles. It is very important to note that the ordering of the "allow and deny" functions plays a very important role in how the security is granted. If you see the web.config file you will see that allow roles comes first and then deny users comes next. That means that the security will be granted in this order, first check if the user has the role of admin and allow him, next deny all the users access. The reverse is not true ie if the deny role comes first and then the allow roles comes next, the security will deny everyone access and because the person who also has the role of admin is also a user he also gets denied access. And the next sentence allow roles will never be executed. So pay attention how you use the web.config file.

The access rules you just created are stored within your application. Security information relating to a user (such as what roles they have, their password, etc.) are saved in the user data storage.

Now we will test the web site and see how the privileges are granted.

Run the website and you will see that the phrase "You are not logged in" is displayed and a login link is displayed next to it. If you click on it you will be taken to the login screen.

Alternatively if you click on the Administration menu link you will be taken to the login screen.

Login as the first user who has the admin's role and you will see that the user is able to see the page which has the phrase "This is a secure page".

Login as the second user who does not have admin's role and you will see that he will never be taken to the secure page. This is because he doesn't have privileges to view the page.

We have covered a lot here and saw how the WSAT helps a lot to configure the roles, manage users, and configure the access roles on a folder wise basis.