Security
Introduction
Authentication
Authorization – which particular directories and resources a particular user is allowed to access
Authentication
1.) Users Forms Authentication
2.) Windows Authentication
Users Forms Authentication
<system.web>
  ...
  <authentication mode="Forms">
    <forms name="MyAuthCookie" loginUrl="~/Login.aspx" timeout="30">
    </forms>
  </authentication>
  ...
  <authorization>
    <deny users="?" /> <!-- deny unauthenticated users -->
  </authorization>
</system.web>
name – the name of the authentication cookie that is sent back to the client
loginUrl – when a user who is not yet authenticated attempts to visit any page of the web site, ASP.NET automatically redirects to the page you specify here
<system.web>
  ...
  <authentication mode="Forms">
    <forms name="MyAuthCookie" loginUrl="~/Login.aspx" timeout="30">
      <credentials passwordFormat="Clear">
        <user name="anuruddha" password="aaa" />
        <user name="mahanama" password="bbb" />
      </credentials>
    </forms>
  </authentication>
  ...
</system.web>
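The <credentials> block above keeps passwords in clear text (passwordFormat="Clear"). The same section also accepts passwordFormat="SHA1" (or "MD5"), in which case web.config holds a hash and FormsAuthentication.Authenticate hashes the submitted password before comparing. The following is an added example, not code from the notes: a small Python script (Python rather than C# only so it runs stand-alone) that produces the hardened <credentials> section from a user list and checks a login against it. It assumes, as a labelled assumption, that the stored value is what FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1") returns: SHA-1 over the UTF-8 bytes, as upper-case hex. The user names and passwords are the ones from the notes' example.

```python
import hashlib
import hmac
from typing import Dict
from xml.sax.saxutils import quoteattr


def hash_for_config(password: str) -> str:
    """Value to paste into web.config for passwordFormat="SHA1".

    Assumption: mirrors FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1"),
    i.e. SHA-1 over the UTF-8 bytes rendered as upper-case hex.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def credentials_section(users: Dict[str, str], password_format: str = "SHA1") -> str:
    """Render a <credentials> element; "Clear" reproduces the weak form, "SHA1" the hardened one."""
    if password_format not in ("Clear", "SHA1"):
        raise ValueError("unsupported passwordFormat: " + password_format)
    lines = ['<credentials passwordFormat=%s>' % quoteattr(password_format)]
    for name, pw in users.items():
        stored = pw if password_format == "Clear" else hash_for_config(pw)
        lines.append("  <user name=%s password=%s />" % (quoteattr(name), quoteattr(stored)))
    lines.append("</credentials>")
    return "\n".join(lines)


def authenticate(stored_users: Dict[str, str], password_format: str, name: str, password: str) -> bool:
    """Model of FormsAuthentication.Authenticate: transform the submitted password the same
    way the stored value was produced, then compare in constant time."""
    stored = stored_users.get(name)
    if stored is None:
        return False
    candidate = password if password_format == "Clear" else hash_for_config(password)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


# Constructed from the notes' example users.
NOTES_USERS = {"anuruddha": "aaa", "mahanama": "bbb"}
# What web.config would hold with passwordFormat="SHA1".
HASHED_USERS = {name: hash_for_config(pw) for name, pw in NOTES_USERS.items()}


if __name__ == "__main__":
    print(credentials_section(NOTES_USERS, "Clear"))   # the notes' weak form
    print()
    print(credentials_section(NOTES_USERS, "SHA1"))    # hashes instead of passwords
    print()
    print("anuruddha/aaa ->", authenticate(HASHED_USERS, "SHA1", "anuruddha", "aaa"))
    print("anuruddha/bad ->", authenticate(HASHED_USERS, "SHA1", "anuruddha", "bad"))
```

Hashing keeps the plain passwords out of web.config, but an unsalted SHA-1 of a short password is still easy to reverse from a precomputed table, which is one more reason the notes move on to the membership store rather than the <credentials> list.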
using System;
using System.Web.Security;

protected void LoginButton_Click(object sender, EventArgs e)
{
    string username = NameTextBox.Text;
    string password = PasswordTextBox.Text;

    // Checks the name/password pair against the <credentials> section in web.config
    if (FormsAuthentication.Authenticate(username, password))
    // if (Membership.ValidateUser(username, password))   // membership-store alternative
    {
        // Second argument is createPersistentCookie: set it to true if the
        // authentication cookie should survive the browser being closed
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
    else
    {
        MessageLabel.Text = "Invalid username or password.";
    }
}
<credentials passwordFormat="Clear">
  <user name="anuruddha" password="aaa" />
  <user name="mahanama" password="bbb" />
</credentials>
Rather than this, there is a better way to do it: using a membership store.
Membership store
There is an API in ASP.NET that talks to a database and gets the membership info. That means you do not have to put credentials in web.config.
Open Microsoft Visual Studio 2008 -> Visual Studio Tools -> Visual Studio 2008 Command Prompt and run the following command:
aspnet_regsql -S
-E -A all
-S = identifies where your SQL Server instance is located
(the value after -S) = my SQL Server instance is on my local machine
-E = how the command authenticates to SQL Server (-E means I am going to use Windows authentication)
-A = which particular tables you want to create (here I am creating all of them)
This creates a new DB in my SQL Server instance. It includes tables for membership, personalization and so on. Now you can use the membership mechanism to store user info. But how do we get the user info into the membership data store? You use the Web Site Administration Tool for that.
Website -> ASP.NET Configuration, and you will see the Security tab.
When you use the membership store, the login handler becomes:
protected void LoginButton_Click(object sender, EventArgs e)
{
    string username = NameTextBox.Text;
    string password = PasswordTextBox.Text;

    // Validates the pair against the membership database instead of web.config
    if (Membership.ValidateUser(username, password))
    {
        // Second argument is createPersistentCookie: set it to true if the
        // authentication cookie should survive the browser being closed
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
    else
    {
        MessageLabel.Text = "Invalid username or password.";
    }
}
Now use the Login control that comes with ASP.NET, go to its events and generate the Authenticate event, which is the equivalent of pressing the login button:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    if (Membership.ValidateUser(Login1.UserName, Login1.Password))
    {
        // Issue the cookie and redirect ourselves; alternatively set
        // e.Authenticated = true and let the Login control do the redirect
        FormsAuthentication.RedirectFromLoginPage(Login1.UserName, false);
    }
}
Windows authentication means that ASP.NET does not authenticate you; you are authenticated by IIS.
Internet Information Service
Create a new virtual directory. Then configure its properties: under Directory Security -> Anonymous access and authentication control, tick Integrated Windows authentication (the Windows login info is passed to the server).
Authorization
<authorization>
  <deny users="?" />                  <!-- anonymous users not allowed -->
  <allow users="ANDYO\Andy Olsen" />  <!-- grant permission to this user (machinename\username) -->
  <deny users="*" />                  <!-- deny all other users -->
</authorization>
Authorization here applies to this particular folder. You can put a web.config file in sub folders if you need a different security level in each sub folder.
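The rules above only work because of their order: ASP.NET walks the <authorization> list top to bottom and the first rule that matches the current user decides, "?" matching only anonymous users and "*" matching everyone; if no rule matches, access is allowed. When a sub folder has its own web.config, its rules are checked before the parent folder's. The following is an added example, not code from the notes or from ASP.NET: a small Python model of that evaluation (Python rather than C# so it runs stand-alone), which parses the notes' <authorization> block, then shows what happens when the deny-all rule is moved to the top and when a sub folder adds its own deny-all. The config strings and principals are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    allow: bool                   # True for <allow>, False for <deny>
    users: Tuple[str, ...] = ()   # user names, or the wildcards "*" (everyone) and "?" (anonymous)
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Principal:
    name: Optional[str] = None    # None models an unauthenticated (anonymous) request
    roles: FrozenSet[str] = frozenset()


def _split(el: ET.Element, attr: str) -> Tuple[str, ...]:
    return tuple(v.strip() for v in el.get(attr, "").split(",") if v.strip())


def parse_authorization(xml_text: str) -> Tuple[Rule, ...]:
    """Parse one <authorization> element into its ordered list of rules."""
    root = ET.fromstring(xml_text)
    if root.tag != "authorization":
        raise ValueError("expected an <authorization> element")
    rules = []
    for el in root:                      # comments are dropped by the default parser
        if el.tag not in ("allow", "deny"):
            raise ValueError("unexpected element <%s>" % el.tag)
        rules.append(Rule(allow=(el.tag == "allow"), users=_split(el, "users"), roles=_split(el, "roles")))
    return tuple(rules)


def _matches(rule: Rule, who: Principal) -> bool:
    for u in rule.users:
        if u == "*":
            return True
        if u == "?":
            if who.name is None:
                return True
        elif who.name is not None and u.lower() == who.name.lower():
            return True                  # user-name comparison is case-insensitive
    if who.name is not None:
        mine = {r.lower() for r in who.roles}
        if any(r.lower() in mine for r in rule.roles):
            return True
    return False


def is_authorized(who: Principal, rule_sets: Sequence[Sequence[Rule]]) -> bool:
    """rule_sets is ordered most specific first (sub folder before parent folder).
    The first matching rule decides; with no match the request is allowed."""
    for rules in rule_sets:
        for rule in rules:
            if _matches(rule, who):
                return rule.allow
    return True


def check(who: Principal, *configs: str) -> bool:
    """Evaluate a principal against one or more <authorization> blocks, most specific first."""
    return is_authorized(who, [parse_authorization(c) for c in configs])


# Constructed configs. NOTES_CONFIG is the block from the notes.
NOTES_CONFIG = r"""<authorization>
  <deny users="?" />                  <!-- anonymous users not allowed -->
  <allow users="ANDYO\Andy Olsen" />  <!-- grant permission to this user -->
  <deny users="*" />                  <!-- deny all other users -->
</authorization>"""

# Same three rules with the deny-all moved to the top: it now matches first for everyone.
SWAPPED_CONFIG = r"""<authorization>
  <deny users="*" />
  <deny users="?" />
  <allow users="ANDYO\Andy Olsen" />
</authorization>"""

# A sub folder web.config that locks the folder down regardless of the parent's rules.
SUBFOLDER_CONFIG = """<authorization><deny users="*" /></authorization>"""


if __name__ == "__main__":
    andy = Principal(r"ANDYO\Andy Olsen")
    print("anonymous, notes config      :", check(Principal(), NOTES_CONFIG))
    print("Andy, notes config           :", check(andy, NOTES_CONFIG))
    print("Bob, notes config            :", check(Principal(r"ANDYO\Bob"), NOTES_CONFIG))
    print("Andy, deny-all first         :", check(andy, SWAPPED_CONFIG))
    print("Andy, sub folder then parent :", check(andy, SUBFOLDER_CONFIG, NOTES_CONFIG))
```

The model shows the two things worth checking whenever such a block is edited: a deny-all rule placed before the allow rule silently locks everyone out, and a sub folder's web.config is consulted first, so a rule there overrides the parent folder's decision for that folder only.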