ASP.NET Security : Security-Related Controls (part 2)

10/17/2010 6:19:04 PM
Creating Role-Based Templates

The LoginView control also allows you to define blocks of user interface to display to all logged-in users who belong to a particular role. As mentioned, these templates take precedence over the <loggedintemplate> template, if both apply.

<asp:loginview runat="server">
    <rolegroups>
        <asp:rolegroup roles="Admin">
            <contenttemplate>
            ...
            </contenttemplate>
        </asp:rolegroup>
        <asp:rolegroup roles="Guest">
            <contenttemplate>
            ...
            </contenttemplate>
        </asp:rolegroup>
    </rolegroups>
</asp:loginview>

The content of each <contenttemplate> block is displayed only to users whose role matches the value of the roles attribute. You can use this feature to create areas in a page whose contents are strictly role-specific. For the LoginView control to work, role management must be enabled; the control uses the default role provider.
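As an added example (not code from the original page), here is a complete LoginView with all three template kinds, together with the web.config fragment that makes role groups work. The role names Admin and Guest come from the page; the control IDs, the ~/Admin folder and the URL-authorization rule are assumptions.

```xml
<!-- Added example, not from the original page. Default.aspx fragment:
     the RoleGroup templates win over LoggedInTemplate for members of
     Admin or Guest (the page's role names); a user who belongs to both
     roles gets the first RoleGroup that matches. -->
<asp:LoginView ID="LoginView1" runat="server">
  <AnonymousTemplate>
    <!-- Users who are not authenticated -->
    Please <asp:LoginStatus ID="LoginStatus1" runat="server" /> to continue.
  </AnonymousTemplate>
  <LoggedInTemplate>
    <!-- Authenticated users who belong to none of the RoleGroups below -->
    Welcome, <asp:LoginName ID="LoginName1" runat="server" />.
  </LoggedInTemplate>
  <RoleGroups>
    <asp:RoleGroup Roles="Admin">
      <ContentTemplate>
        <asp:HyperLink ID="AdminLink" runat="server"
                       NavigateUrl="~/Admin/Default.aspx" Text="Administration" />
      </ContentTemplate>
    </asp:RoleGroup>
    <asp:RoleGroup Roles="Guest">
      <ContentTemplate>You have read-only access.</ContentTemplate>
    </asp:RoleGroup>
  </RoleGroups>
</asp:LoginView>

<!-- web.config fragment (assumed layout): role management must be enabled
     or no RoleGroup ever matches. A LoginView only decides which markup is
     rendered; it is not an access check, so the ~/Admin folder itself is
     protected with URL authorization for users who type the link directly. -->
<configuration>
  <system.web>
    <roleManager enabled="true" />
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```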

The PasswordRecovery Control

The PasswordRecovery control is another server control that wraps a common piece of Web user interface into an out-of-the-box component. The control represents the form that enables a user to recover or reset a lost password. The user will receive the password through an e-mail message sent to the e-mail address associated with his or her account.

The control supports three views, depending on the user’s password recovery stage, as follows. The first view is where the user provides the user name and forces the control to query the membership provider for a corresponding membership user object. The second view is where the user must provide the answer to a predetermined question in order to obtain or reset the password. Finally, the third view is where the user is informed of the success of the operation.

Requirements for Password Retrieval

For the control to work properly, you must first ensure that the selected membership provider supports password retrieval. The password retrieval also requires that the provider defines a MembershipUser object and implements the GetUser methods. Remember that the membership provider decides how to store passwords: clear text, hashed, or encrypted.

If passwords are stored as hashed values, the control doesn’t work. Hashing is a one-way transformation: it is well suited to storing and comparing passwords, but the clear text cannot be recovered from the hash. If you plan to use the PasswordRecovery control, you must ensure that the provider stores passwords as clear text or as encrypted data.

Retrieving a Password

The PasswordRecovery control supports a child element named MailDefinition:

<asp:passwordrecovery runat="server">
    <maildefinition from="admin@contoso.com" />
</asp:passwordrecovery>

The <MailDefinition> element configures the e-mail message: it indicates the sender, the format of the body (text or HTML), the priority, the subject, and the carbon-copy (CC) recipients. The same settings are also exposed as equivalent properties on the corresponding Framework class, so you can set them programmatically.

If the user who has lost the password has a question/answer pair defined, the PasswordRecovery control changes its user interface to display the question and ask for the answer before the password is retrieved and sent back. Figure 5 demonstrates the behavior of the control.

Figure 5. The PasswordRecovery control in action.


The control first asks the user to provide the user name; next it retrieves associated information and displays the security question, if any is defined for the user. Finally, if an e-mail address is known, the control sends a message with details, as in Figure 6. Bear in mind that you need to have proper e-mail settings in the web.config file, specifically in the <system.net> section, as below:

<system.net>
    <mailSettings>
        <smtp deliveryMethod="Network">
            <network host="your.smtp.server" />
        </smtp>
    </mailSettings>
</system.net>

Figure 6. The e-mail message with password information.


The ChangePassword Control

The ChangePassword control provides an out-of-the-box and virtually codeless solution that enables end users to change their password to the site. The control supplies a modifiable and customizable user interface and built-in behaviors to retrieve the old password and save a new one:

<asp:ChangePassword ID="ChangePassword1" runat="server" />

The underlying API for password management is the same membership API we discussed earlier in this chapter.

User Authentication

The ChangePassword control works whether or not the user is already authenticated. Note, however, that the User Name text box is optional. If you choose not to display the user name and still permit nonauthenticated users to change their password, the control has no way to identify the account and will always fail.

If the user is not authenticated but the User Name text box is displayed, the user will be able to enter his or her user name, current password, and new password at the same time.

Password Change

The password is changed by calling the ChangePassword method on the MembershipUser object that represents the user making the attempt. Note that the provider might impose an upper limit on the number of invalid attempts to change or reset the password. If such a limit is set, it affects the ChangePassword control, which stops working once the limit has been exceeded.
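An added web.config example (not from the original page) that covers both the password-storage requirement from "Requirements for Password Retrieval" above and the invalid-attempt limit just mentioned. The provider names, the connection string name, the numeric limits and the key values are placeholders chosen for illustration.

```xml
<!-- Added example, not from the original page. Two SqlMembershipProvider
     configurations side by side; only the defaultProvider is used. -->
<configuration>
  <system.web>
    <membership defaultProvider="SecureProvider">
      <providers>
        <clear />
        <!-- Weak: passwords stored as clear text. PasswordRecovery works,
             but a copy of the database exposes every password. -->
        <add name="WeakProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Clear"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="false" />
        <!-- Preferred when retrieval is required: reversible but encrypted,
             a question/answer is demanded before anything is mailed, and
             the account is locked after 5 bad passwords or answers within
             a 10-minute window. A locked-out user can no longer change the
             password, which is the limit the ChangePassword control hits. -->
        <add name="SecureProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             passwordFormat="Encrypted"
             enablePasswordRetrieval="true"
             requiresQuestionAndAnswer="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
    <!-- The Encrypted format refuses an auto-generated machine key; supply an
         explicit key pair generated for this site (placeholders below). -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```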

Once the password has been successfully changed, the control can send—if properly configured—a confirmation e-mail to the user, as shown in Figure 7.

Figure 7. The ChangePassword control in action.


The e-mail message is configured through the same <MailDefinition> element we saw earlier for the PasswordRecovery control.

The Continue button redirects the user to a new destination URL so that they can continue working. If you don’t set the ContinueDestinationPageUrl property, clicking the button simply refreshes the current page.
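As an added example (not from the original page), a ChangePassword control set up for the nonauthenticated scenario described under "User Authentication", with the confirmation e-mail and Continue button configured. The page name, the sender address, the body file and the destination URL are assumptions.

```xml
<!-- Added example, not from the original page. ChangePassword.aspx fragment:
     DisplayUserName="true" lets a user who is not yet authenticated name the
     account, which the text above says is required for that scenario. -->
<asp:ChangePassword ID="ChangePassword1" runat="server"
                    DisplayUserName="true"
                    ContinueDestinationPageUrl="~/Default.aspx">
  <!-- Confirmation sent after a successful change. Without BodyFileName the
       built-in default body includes the new password; point it at your own
       text file that does not (it may still use the <%UserName%> token). -->
  <MailDefinition From="admin@contoso.com"
                  Subject="Your password was changed"
                  BodyFileName="~/App_Data/PasswordChanged.txt"
                  IsBodyHtml="false" />
</asp:ChangePassword>

<!-- web.config fragment (assumed): the change-password page is reachable
     anonymously so the user can enter name, current password and new
     password in one step, while the rest of the site still requires login
     and the forms cookie is only sent over HTTPS. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="ChangePassword.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```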

The CreateUserWizard Control

The CreateUserWizard control provides built-in functionality for creating and configuring a new user through the membership API. The control offers basic behavior that the developer can extend to send a confirmation e-mail to the new user and to add wizard steps that collect additional information, such as address, phone number, or perhaps roles.

Customization is supported in two ways: by customizing one of the default steps, and by adding more user-defined steps. Figure 8 shows the control in action in the Create User page of the WSAT tool.

Figure 8. The CreateUserWizard control in action within WSAT.


The difference between this control and the CreateUser method on the membership provider is that the method only stores a user name and password, whereas the wizard provides a user interface and lets you collect additional information in a single pass.
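As an added example (not from the original page), a CreateUserWizard customized in the two ways the text describes: an extra user-defined step and a confirmation e-mail. The Phone field, the sender address, the body file and the destination URL are assumptions; the code-behind that stores the extra field is not shown.

```xml
<!-- Added example, not from the original page. CreateUserWizard with one
     user-defined step placed before the built-in creation step, so the value
     is available when the CreatedUser event fires (handler not shown). -->
<asp:CreateUserWizard ID="CreateUserWizard1" runat="server"
                      LoginCreatedUser="false"
                      DisableCreatedUser="true"
                      ContinueDestinationPageUrl="~/Default.aspx">
  <!-- DisableCreatedUser creates the account as not approved, so it cannot
       log in until an administrator approves it; LoginCreatedUser is off
       for the same reason. -->
  <!-- Confirmation mail to the address collected in the built-in step.
       Without BodyFileName the default body repeats the chosen password;
       supply a body file that does not include it. -->
  <MailDefinition From="admin@contoso.com"
                  Subject="Your account has been created"
                  BodyFileName="~/App_Data/NewUser.txt" />
  <WizardSteps>
    <!-- Custom step: extra data collected before the account exists -->
    <asp:WizardStep ID="ContactStep" runat="server" Title="Contact details">
      Phone: <asp:TextBox ID="Phone" runat="server" />
    </asp:WizardStep>
    <!-- Built-in step: user name, password, e-mail, question and answer -->
    <asp:CreateUserWizardStep ID="CreateStep" runat="server" />
    <!-- Built-in final step with the Continue button -->
    <asp:CompleteWizardStep ID="CompleteStep" runat="server" />
  </WizardSteps>
</asp:CreateUserWizard>
```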

Resources to Write Attack-Resistant Code

How can we design and code secure ASP.NET applications? First, the security an application needs depends on how it is used, how popular it is, and what kind of users connect to it and work with it. Paradoxically, a poorly secured application that doesn’t attract attackers can appear much more secure than a well-armored application with only one or two loopholes. Successful attacks exploit holes in the system-level and application-level security apparatus. When it comes to security, don’t look for a magic wand to do the job for you. Security is a state of mind, and insecurity is often the result of loose coding habits, if not outright programming laziness. Never blindly trust anything regarding Web and ASP.NET security. Always keep in mind that security for Web applications is mostly about raising the bar higher and higher so that it becomes hard for the bad guys to jump over.

The following Patterns & Practices links can help you find great information to fend off most common types of attacks and implement effective input validation in ASP.NET applications:
