New Security Features in ASP.NET 2.0
Release Date: 8/26/2004 | Update Date: 8/26/2004
Stephen Walther
Microsoft Corporation
Applies to:
Microsoft ASP.NET 2.0
Microsoft .NET Framework
Microsoft SQL Server
Microsoft Visual Studio .NET
Summary: ASP.NET 2.0 includes new features that make securing an ASP.NET application easier than before. Learn how to use the new controls, tools, and APIs to control access to pages and to make information about users more readily available.
On this page
Security and the provider model
Using the Web Site Management Tool to configure security
Using the Login controls to create standard security pages
Using the Membership API directly
Conclusion
ASP.NET 2.0 builds on ASP.NET 1.x to make it easy to create and manage users and to password-protect pages in a web application. The new framework contains new features for handling authentication and authorization that meet the needs of both Web site administrators and developers.
Web site administrators can use the new Web Site Management Tool to create new users and roles and to control access to pages in a web application. The Web Site Management Tool is a set of pre-built ASP.NET pages that let someone without programming skills configure a web application.
Developers can use the new Login controls to quickly build security-related pages in a web application. For example, a developer can create a login page simply by dragging the Login control onto an .aspx page. Using the Login controls, a developer can build login, registration, and password recovery pages without writing any code.
Finally, the ASP.NET 2.0 framework includes new security-related features that meet the needs of advanced developers. The new Membership API is a class containing methods for creating and retrieving information about an application's users. In addition, the new framework contains classes that make it easier to work with custom user roles.
Security and the provider model
The biggest change you will notice in the ASP.NET 2.0 framework is how easy it is to use. With the new framework, you can register and authenticate users immediately after enabling Forms authentication, without building any database tables or writing any code. This is because the ASP.NET 2.0 framework uses a provider model to implement security.
The provider model (used throughout the ASP.NET 2.0 framework) gives you a standard way to plug in components that perform different services for your application. The ASP.NET 2.0 framework uses two types of providers to implement security: membership providers and role providers. A membership provider stores usernames and passwords, while a role provider stores user roles.
The default membership provider is the AccessMembershipProvider, which stores usernames and passwords in a Microsoft Access database. This database is created for you automatically in the application's Data folder (if you accidentally delete the Access database, it is recreated automatically the next time you try to connect to it). Whenever you create a new web application, the Access provider automatically creates everything you need to start authenticating users.
The ASP.NET 2.0 framework ships with two membership providers: the default AccessMembershipProvider and the SqlMembershipProvider. If you want to store membership information in a Microsoft SQL Server database, you can configure your application to use the SqlMembershipProvider without rewriting any application code (the steps for enabling the SqlMembershipProvider are discussed in the next section). You can also create a custom membership provider. For example, you might want to store membership information in an XML file, a FoxPro database, or an Oracle database. You might even want to implement a membership provider that retrieves membership information through a Web service. To create your own membership provider, you implement all the methods and properties of the abstract MembershipProvider class (a membership provider is simply an instance of a class derived from the MembershipProvider base class).
Using the SqlMembershipProvider
If you are developing a web application, or building an application for use by only a few users, the Access database is perfectly adequate. However, if you need to build a more robust application, you will want to store usernames and passwords in a more scalable database, such as Microsoft SQL Server.
If you want to store membership information in a Microsoft SQL Server database instead of the default Microsoft Access database, you need to change your application's default membership provider. The following application web.config file sets AspNetSqlProvider as the default membership provider:
<configuration>
    <system.web>
        <membership defaultProvider="AspNetSqlProvider" />
    </system.web>
</configuration>
If you don't want to update the application's web.config file by hand, you can switch providers with the Web Site Management Tool (discussed in the next section) or with the ASP.NET Microsoft Management Console (MMC) snap-in for Internet Information Services. Both tools provide a user-friendly interface for specifying the membership provider.
Unlike the Microsoft Access provider, the SQL provider requires you to create the necessary database tables and stored procedures before you can use it. You can create all the required SQL Server database objects automatically by running the aspnet_regsql tool from the command line (see Figure 1). By default, this tool creates a new database named aspnetdb on the local SQL Server instance.
Figure 1. Configuring the SqlMembershipProvider
After you create the new database, you need to make sure that it is accessible to your ASP.NET application. By default, integrated security is used, so you need to make sure that the ASP.NET account (NT AUTHORITY\NETWORK SERVICE on Windows Server 2003; the ASPNET account on Windows 2000 or XP) has the permissions required to access the aspnetdb database.
Configuring membership provider properties
The AccessMembershipProvider and SqlMembershipProvider support a number of provider-specific properties:
• ApplicationName - If you host multiple applications on the same web server, you can use this property to isolate the users associated with different applications.
• ConnectionStringName - The name of a database connection string defined in the connectionStrings section of the web configuration file.
• Description - Provides a description of the provider definition.
• EnablePasswordReset - When True, a user can reset his or her password to a randomly generated password.
• EnablePasswordRetrieval - When True, a user's password can be retrieved from the membership provider.
• PasswordFormat - This property can have one of three values: Clear, Encrypted, and Hashed. When passwords are hashed, the original password cannot be retrieved from the membership provider.
• RequiresQuestionAndAnswer - When True, the user must answer a password retrieval question before a password can be reset or retrieved.
• RequiresUniqueEmail - When True, a unique email address must be associated with each user.
These membership provider properties control how membership information is stored in and retrieved from the database. The values of these properties can be changed in the application's web configuration file.
For example, the PasswordFormat property determines how passwords are stored in the database. You can choose to store the clear-text password, an encrypted password, or a hash of the password. For security reasons, you may want to store a hash in the database instead of the actual password, so that if your web application is compromised, an attacker cannot steal users' actual passwords.
Note also that you can allow or prohibit the retrieval of user passwords from the database by setting the EnablePasswordRetrieval property. Again, for security reasons, you may not want to allow users to retrieve their passwords.
Using the Web Site Management Tool to configure security
The ASP.NET 2.0 framework's Web Site Management Tool allows you to configure an ASP.NET application through a web page interface (see Figure 2). You can use the Web Site Management Tool to create and manage users and roles, and to control access to folders and individual pages in a web application (the Web Site Management Tool can also be used to configure several other aspects of a web application).
Figure 2. Using the Web Site Management Tool
There are several ways to navigate to the Web Site Management Tool. If you are building a web application in Visual Studio .NET 2005, you can open the Web Site Management Tool by selecting ASP.NET Configuration from the Website menu. If you are developing a web application outside Visual Studio .NET, you can navigate directly to the Web Site Management Tool by requesting the special page WebAdmin.axd. For example, if your application is located in a virtual directory named MyWebApp on your local computer, you can open the application's Web Site Management Tool by entering the following URL in a web browser.
http://localhost/mywebapp/webadmin.axd
You can also use this second method to access the Web Site Management Tool for a deployed application.
Behind the scenes, the Web Site Management Tool consists of a set of ASP.NET pages that use the standard Login controls discussed in the next section. These pages are located in the Inetpub\wwwroot\aspnet_webadmin folder. If for some reason these files are accidentally deleted from the server, you can reinstall them automatically by running the aspnet_regiis tool. You can also use the aspnet_regiis tool to control access to the Web Site Management Tool. For example, you can use aspnet_regiis to restrict access to the Web Site Management Tool to the local server.
Using the Login controls to create standard security pages
ASP.NET 2.0 includes a set of new security-related controls, collectively referred to as the Login controls. Using the Login controls, you can create standard registration, login, and password recovery pages without writing any code.
You can also use the Login controls to display different information to users depending on their role and current authentication status. For example, the LoginView control lets you define different templates that are displayed to members of different roles. You could, for instance, use the LoginView control to display different information to members of the Guests role than to members of the Administrators role.
Behind the scenes, the Login controls take full advantage of the provider model. If you have configured your application to use the AccessMembershipProvider, the Login controls automatically query the Microsoft Access database to retrieve membership information. If the SqlMembershipProvider is enabled, the controls use the configured SQL Server database instead.
You should enable Forms authentication for your application before using any of the Login controls. You can enable Forms authentication by modifying the application's web configuration file or by using the Web Site Management Tool.
Using the Login control
The Login control allows you to create a standard login page simply by adding a single tag to the page:
<asp:Login ID="Login1" Runat="server" />
The Login control automatically generates a standard login interface. By default, this interface is not very attractive, but you can quickly improve the control's appearance by right-clicking the Login control in Visual Studio .NET 2005 and selecting AutoFormat (see Figure 3). Note that you get standard username and password text boxes, a "Remember me" check box, and a submit button.
Figure 3. Creating a login interface with the Login control
The Login control not only gives you an interface, it also works! When you submit a username and password using the Login control, your credentials are automatically validated against the configured membership provider.
A long list of properties is associated with the Login control. Most of these properties simply allow you to control different aspects of the login interface's appearance. For example, you can use the various FailureText properties to control the content and appearance of the text displayed when a login fails. In addition, you can use the CreateUserUrl and PasswordRecoveryUrl properties to create links to a registration page and a password recovery page.
One of the more valuable properties of the Login control is the VisibleWhenLoggedIn property. This property allows you to hide the Login control automatically after the user has been authenticated. For example, you might want to include the Login control at the top of every page in a web application. With the VisibleWhenLoggedIn property, the Login control is hidden automatically as soon as the user has been authenticated.
Using the CreateUserWizard control
The CreateUserWizard control enables you to create a standard user registration page. Simply add the following tag to a page to enable new users to register at your Web site.
<asp:CreateUserWizard ID="CreateUserWizard1" Runat="server" />
The exact appearance of the interface generated by the CreateUserWizard depends on the settings of the application's membership provider. For example, if the default membership provider's RequiresQuestionAndAnswer value is True, password question and answer text boxes are displayed. The registration page in Figure 4 is generated when the CreateUserWizard is used with the default AspNetAccessProvider membership provider.
Figure 4. Registering a new user with the CreateUserWizard control
One of the more interesting things you can do with the CreateUserWizard control is automatically send a registration email after the user has completed all the registration steps. For example, you can send an email thanking the user for registering at your Web site. This email can contain information such as the user's registered username and password.
You configure the email sent by the control by assigning a value to the CreateUserWizard control's MailDefinition property. The MailDefinition property represents an instance of the MailDefinition class, which contains all the properties needed to define an email.
For example, whenever a user completes the registration wizard, the following CreateUserWizard control uses the contents of the registrationemail.txt file as the body of the registration email (the CreateUserWizard uses the MailDefinition when sending the email):
<asp:CreateUserWizard ID="CreateUserWizard1" Runat="server">
    <MailDefinition
        BodyFileName="~/registrationemail.txt"
        From="YourSite@YourDomain.com"
        Subject="Thanks for Registering!">
    </MailDefinition>
</asp:CreateUserWizard>
Inside the registrationemail.txt file, you can use the special expressions <% UserName %> and <% Password %> to substitute the new user's registered username and password into the email.
The email feature of the CreateUserWizard control can also be useful in a more sophisticated registration scheme, in which you want to verify that a user's email address is valid before granting the user access to the web application. If you enable the CreateUserWizard control's AutoGeneratePassword property, the control generates a random password for the user. By using the CreateUserWizard control's email feature, you can automatically send the randomly generated password to the user. If the user then authenticates with the web application using the password that was sent, you know that the user supplied a valid email address.
Using the PasswordRecovery control
The PasswordRecovery control enables users of a web application to request an email reminder of their password (see Figure 5). As with the CreateUserWizard control, you can define the properties of the email sent to the user with the MailDefinition property.
Figure 5. Sending a password by email with the PasswordRecovery control
For example, the following tag adds a PasswordRecovery control to a page that sends an email from the YourSite@YourDomain.com email account.
<asp:PasswordRecovery ID="PasswordRecovery1" Runat="server">
    <MailDefinition
        From="YourSite@YourDomain.com"
        Subject="Password Reminder">
    </MailDefinition>
</asp:PasswordRecovery>
The PasswordRecovery control behaves differently depending on the configuration of the default membership provider. When the EnablePasswordRetrieval property is True and the PasswordFormat property is not Hashed, the user's original clear-text password is sent in the email. For almost every other combination of values, the password is first reset to a randomly generated sequence of characters, which is then sent to the user.
Using the ChangePassword control
As you might guess, the ChangePassword control enables users to change their registered password. The control presents text boxes for entering the original password and a new password (see Figure 6).
Figure 6. Changing a password with the ChangePassword control
Like the CreateUserWizard and PasswordRecovery controls, the ChangePassword control includes a MailDefinition property. If you assign a value to the MailDefinition property, the ChangePassword control automatically sends an email to the user when the password is changed successfully. The following tag declares an instance of the ChangePassword control and sets its MailDefinition property.
<asp:ChangePassword ID="ChangePassword1" Runat="server">
    <MailDefinition
        BodyFileName="~/changepasswordemail.txt"
        From="YourSite@YourDomain.com"
        Subject="Your Updated Password">
    </MailDefinition>
</asp:ChangePassword>
The BodyFileName property contains the path of a text file that contains the body of the email sent to the user. Inside the text file, you can use the special expressions <% UserName %> and <% Password %> to display the user's registered username and new password in the email.
Using the LoginName and LoginStatus controls
The LoginName and LoginStatus controls allow you to display information about a user's current authentication status. After a user logs in to your application, the LoginName control displays the user's registered username. If the user has not been authenticated with Forms authentication, the LoginName control displays nothing. The following shows how to declare the LoginName control on a page.
<asp:LoginName ID="LoginName1" Runat="server" />
The LoginStatus control, on the other hand, enables users to log in to or log out of your web application. This control displays one of two links. If the user has not been authenticated, a link to the Login.aspx page is displayed. If the user has been authenticated, a link that lets the user log out is displayed. The following shows how to declare the LoginStatus control.
<asp:LoginStatus ID="LoginStatus1" Runat="server" />
Using the LoginView control
The last Login control, the LoginView control, allows you to display different content depending on the current user's role. For example, many Web sites display different information on their home page depending on whether the user is a new user or a registered user. New users see an overview of the Web site, and registered users see information customized for them. The following code shows how to use the LoginView control to display different content to authenticated and anonymous users.
<asp:LoginView ID="LoginView1" Runat="server">
    <LoggedInTemplate>
        Welcome back <asp:LoginName ID="LoginName1" Runat="server" />
    </LoggedInTemplate>
    <AnonymousTemplate>
        Welcome to our Web site! If you were a registered user, you could view some really interesting stuff right now!
    </AnonymousTemplate>
</asp:LoginView>
Anonymous users see everything contained in the AnonymousTemplate. Authenticated users, on the other hand, see everything contained in the LoggedInTemplate.
If you enable custom roles for your web application, you can use the LoginView control to display content that can be viewed only by members of a specific role. For example, imagine that you used the Web Site Management Tool to create a new role named Administrators. In that case, you can use the LoginView control to display content to members of the Administrators role, as shown below.
<asp:LoginView ID="LoginView1" Runat="server">
    <RoleGroups>
        <asp:RoleGroup Roles="Administrators">
            <ContentTemplate>
                Secret Stuff for Administrators!
            </ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
    <LoggedInTemplate>
        Welcome back <asp:LoginName ID="LoginName1" Runat="server" />
    </LoggedInTemplate>
    <AnonymousTemplate>
        Welcome to our Web site! If you were a registered user, you could view some really interesting stuff right now!
    </AnonymousTemplate>
</asp:LoginView>
Members of the Administrators role see everything contained in the ContentTemplate of the RoleGroup.
Using the Membership API directly
Sometimes you need a higher level of control than the Web Site Management Tool or the Login controls provide. In these cases, you can use the Membership API directly.
The Membership API is exposed through the Membership class. The Membership class contains methods for creating new users, changing passwords, finding users who match particular criteria, and so on. Behind the scenes, the Login controls use these methods to interact with the configured membership provider. Some of the most important methods of the Membership class are listed below:
• CreateUser - Enables you to create a new user.
• DeleteUser - Enables you to delete an existing user.
• FindUsersByEmail - Enables you to retrieve the collection of users that match a particular email address.
• FindUsersByName - Enables you to retrieve the collection of users that match a particular username.
• GeneratePassword - Enables you to generate a random password.
• GetAllUsers - Enables you to retrieve all the users stored by the membership provider.
• GetNumberOfUsersOnline - Returns the number of users currently accessing the web application.
• GetUser - Enables you to retrieve the membership information associated with the current user, or with a user whose username you supply.
• GetUserNameByEmail - Enables you to retrieve the username of the user with a particular email address.
• UpdateUser - Enables you to update the information for a particular user.
• ValidateUser - Enables you to authenticate a user against the membership provider.
These methods are very powerful. For example, using the CreateUser method, you can create a new user with a single line of code.
// C#
Membership.CreateUser("Ruth", "Secret");
' VB.NET
Membership.CreateUser("Ruth", "Secret")
This statement creates a new user named Ruth with the password Secret.
Several Membership methods, such as GetAllUsers and FindUsersByName, return a collection of MembershipUser objects. The MembershipUser class represents information about a particular user. This class has the following properties:
• Comment - Represents any note associated with the user.
• CreationDate - Indicates the date the user was created.
• Email - Indicates the user's email address.
• IsApproved - Indicates whether the user has been approved.
• IsOnline - Indicates whether the user is currently accessing the web application.
• LastActivityDate - Indicates the date the user last accessed the web application.
• LastLoginDate - Indicates the date the user was last authenticated.
• LastPasswordChangedDate - Indicates the date the user's password was last changed.
• PasswordQuestion - Indicates the question used for password question-and-answer.
• Provider - Represents the membership provider.
• UserName - Represents the username.
The MembershipUser class also contains the following methods:
• ChangePassword - Enables you to change the user's password.
• ChangePasswordQuestionAndAnswer - Enables you to change the user's password question and answer.
• GetPassword - Enables you to retrieve the user's password.
• ResetPassword - Enables you to reset the user's password.
You can use the properties of the MembershipUser class to display information about the users of a web application. For example, the ASP.NET page in Listing 1 displays the username, email address, last activity date, and online status of each user in a GridView control (see Figure 7).
Figure 7. Displaying membership information with the Membership API
Listing 1. DisplayMembers.aspx (C#)
<%@ Page Language="C#" %>
<script runat="server">
    void Page_Load()
    {
        // Bind every MembershipUser returned by the configured provider to the grid
        grdUsers.DataSource = Membership.GetAllUsers();
        grdUsers.DataBind();
    }
</script>
<html>
<head>
    <title>DisplayMembers</title>
</head>
<body>
    <form runat="server">
        <%-- Grid columns follow the description in the text: username, email, last activity date, online status --%>
        <asp:GridView ID="grdUsers" Runat="server" AutoGenerateColumns="false">
            <Columns>
                <asp:BoundField DataField="UserName" HeaderText="User Name" />
                <asp:BoundField DataField="Email" HeaderText="Email" />
                <asp:BoundField DataField="LastActivityDate" HeaderText="Last Activity" />
                <asp:CheckBoxField DataField="IsOnline" HeaderText="Online" />
            </Columns>
        </asp:GridView>
    </form>
</body>
</html>
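As an added example that is not part of the original article, the following C# helper ties together the provider properties discussed under "Configuring membership provider properties" and the Membership API: it checks at application startup that the configured provider stores passwords hashed and does not allow retrieval, and it creates users through the CreateUser overload that reports a MembershipCreateStatus, so a rejected registration can be explained to the user instead of surfacing as an exception. It assumes the ASP.NET 2.0 release API in System.Web.Security; the class name MembershipGuard, its method names, and the Application_Start call shown in the comment are assumptions.

```csharp
// Added example (not from the original article). Assumes the ASP.NET 2.0
// release API in System.Web.Security; the class and method names are assumed.
// Call MembershipGuard.CheckProviderSettings() from Application_Start in
// Global.asax so a misconfigured provider stops the application early.
using System;
using System.Web.Security;

public static class MembershipGuard
{
    // Refuse to run with a provider that stores or hands out clear-text
    // passwords: PasswordFormat should be Hashed and EnablePasswordRetrieval
    // false, matching the recommendations in the provider properties section.
    public static void CheckProviderSettings()
    {
        MembershipProvider p = Membership.Provider;
        if (p.PasswordFormat != MembershipPasswordFormat.Hashed)
            throw new InvalidOperationException(
                "Membership provider '" + p.Name + "' stores passwords as "
                + p.PasswordFormat + "; set passwordFormat=\"Hashed\".");
        if (p.EnablePasswordRetrieval)
            throw new InvalidOperationException(
                "enablePasswordRetrieval is true; the PasswordRecovery control "
                + "would mail the stored password. Use reset instead.");
    }

    // Creates a user through the configured provider. Returns null on
    // success, or a message explaining why creation was rejected. Uses the
    // CreateUser overload that reports MembershipCreateStatus rather than
    // throwing, so the registration page can show the reason to the user.
    public static string TryCreateUser(string userName, string password,
                                       string email, string question,
                                       string answer)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, question, answer,
                              true /* isApproved */, out status);
        switch (status)
        {
            case MembershipCreateStatus.Success:
                return null;
            case MembershipCreateStatus.DuplicateUserName:
                return "That user name is already taken.";
            case MembershipCreateStatus.DuplicateEmail:
                return "That e-mail address is already registered.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the provider's requirements.";
            case MembershipCreateStatus.InvalidEmail:
                return "The e-mail address is not valid.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "A password question and answer are required.";
            default:
                return "Registration failed: " + status;
        }
    }
}
```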