Microsoft ASP .NET Professional Projects - Premier Press

Page-level Tracing

To enable Tracing for a page, the following directive is added at the top of a page:

<%@Page Language="VB" Trace="True"%>

You can use the TraceMode attribute to sort by category as follows:

<%@Page Language="VB" Trace="True" TraceMode="SortByCategory"%>

To sort by time (the default):

<%@Page Language="VB" Trace="True" TraceMode="SortByTime"%> Within the body of the page, you would have a number of Trace.Write() or Trace.Warn() statements. Trace_page.aspx provides an example.

Trace_page.aspx

<%@Page Language="VB" Trace="true" TraceMode="SortByCategory"%>

<html>

<script language="VB" runat="server">

Sub Page_Load(objSource As Object, objArgs As EventArgs)

Trace.Write("My Trace", "This is Page Load")

End Sub

</script>

<body>

Some body matter.... <p />

<%

Trace.Write("My Trace", "This is in the Body")

%>

</body>

<%

Trace.Write("My Trace", "OK this is the end..")

%>

</html>

Figure 12.1 shows the output generated.

Figure 12.1: Page-level tracing.

Application-level Tracing

I discussed the web.config file in Chapter 10. This file has a Tracing section that is used to set application-wide tracing. For example:

<configuration>

<system.web>

<trace

enabled="true"

pageOutput="false"

requestLimit="20"

traceMode="SortByCategory" />

</system.web>

</configuration>

This section has the four following attributes:

1.Enabled = True or False: This setting enables or disables application-wide tracing. Page-level tracing will override this setting for pages where it is set.

2.PageOutput = True or False: When set to true, trace output is displayed at the bottom of the page. When set to false, no output is displayed. To see the output, the utility trace.axd is used.

3.RequestLimit = some integer: The total number of requests to keep cached in memory on a per-application basis.

4.TraceMode = SortByCategory or SortByTime: The user can specify categories when using Trace.Write(). For example,

Trace.Write("My Trace", "This is Page Load") can see trace output grouped by categories when the TraceMode is set to be

SortByCategory. The SortByTime is the default.

In the samples directory of this folder, I have included a web.config file and a web form called trace_application.aspx to demonstrate application tracing. The web.config file has been described above and trace_application.aspx is the same Web page that I discussed in the context of page-level tracing (trace_page.aspx). The only difference is that there is no page directive at the top of the page; tracing is controlled through the web.config file. Remember that you need to create a virtual path for the folder where you place the web.config file and the trace_application.aspx web form.

First, run the trace_application.aspx with the PageOutput setting set to true. You will see the trace output at the bottom of the file as before. Now set the PageOutput setting to false and run the form. You will note that no output is displayed. To see the trace output you must use trace.axd. This is done by simply requesting trace.axd in the same application directory that the request for the sample application was made. For example, my application folder is called ASPVirtual and I would request trace.axd by specifying a URL of http://Localhost/ ASPVirtual/trace.axd. Figure 12.2 shows the resultant output.

In Figure 12.2 you will note that we are presented with a list of traces to view and we can simply click on a particular trace to view all the details about that trace. The resultant output will be identical to the output obtained from page-level tracing.

Figure 12.2: Using Trace.axd to see the trace output.

Disabling Tracing

When you are ready to deploy the application in production, you should explicitly disable trace.axd by adding the following entry in the HttpHandlers section of config.web:

<HttpHandlers>

<add verb="*" path="trace.axd" type="System.Web.Handlers.TraceHandler" />

<remove verb="*" path="trace.axd"/>

</HttpHandlers >

There is no need to delete the various Trace.Write() statements within the body of the web forms in the application.

Summary

Tracing is a very useful debugging tool. In the past, we had to write a number of Response.Write() statements in the body of a web form to debug problematic code. When the application was ready to be deployed we had to get rid of these statements. This was time-consuming and bug prone because we might delete a line of code with the Response.Write() statements. Tracing avoids these problems because there is no need to remove debugging statements from the web form. You can simply turn off tracing and the debugging statements will not be displayed.

Chapter 13: Security

Overview

Security plays a very important role in Internet applications. Unauthorized users need to be restricted from sensitive portions of the Web sites and authorized users granted access to sections of the site based on their "roles." ASP.NET in conjunction with IIS provides excellent security features.

Security in ASP.NET involves authentication and authorization. Authentication is the process of checking the user credentials (name and password) against authorities called authentication providers. If the credentials are verified, the user is considered authenticated. Once authenticated, the authorization process determines whether the user has rights to access the requested resource. ASP.NET can also execute code using the identity of the user. This is known as impersonation. Security is thus a three-step process (the third step—impersonation—is optional):

§User Authentication: This involves verification of the user credentials like name and password and checking against "authentication providers."

§User Authorization: This is the process of determining whether an authorized

user has access to the resource requested.

§User Impersonation: This is when the application executes code using the identity of the client making the request.

ASP.NET implements authentication through authentication providers. These authentication providers are modules that contain code required to authenticate the credentials of the requesting user. Three authentication providers are currently available: windows authentication, passport authentication, and forms authentication.

Windows authentication is used in conjunction with IIS authentication. IIS provides authentication using Basic, Digest, or Integrated Windows Authentication. Configuring these authentication options is similar to the way we did it under ASP using the IIS MMC.

Passport authentication is a centralized authentication service provided by Microsoft that offers a single sign-in and core profile services for member sites.

Forms-based authentication service uses cookies to authenticate users and allows an application to do its own credential verification. Unauthenticated requests are directed to an HTML login form. The user supplies his credentials and submits the page. The application authenticates the request against a password repository stored in a database, an XML file, or the web.config file. If the user is authenticated, the system issues a cookie containing the credentials in some form or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers.

To activate the authentication services and select the authentication provider, you must configure the <authentication> element in the <security> section of the web.config file. This file was discussed in Chapter 10. Here is a sample security section of a configuration file:

//web.config file

<configuration>

<system.web>

<security>

<authentication mode="[Windows/Forms/Passport/None]">

</authentication>

</security>

</system.web>

</configuration>

After the user is authenticated using any of the authentication providers above, you can further restrict his access based on NTFS's access control list or by permissions on the resources specified in the web.config file. ASP.NET supports role-based security. Users

can be authenticated based on their NT user/group accounts or on custom-defined user/group information specified in either a database or a text file.

Form-Based Authentication

The form-based authentication is the most flexible approach of the three because it allows you to design your own HTML login forms and have more overall control over the authentication process. I will discuss this approach with two examples. The first is a simplified example, which stores usernames and passwords in the web.config file. This will give you a very quick insight into the cookie-based authentication process. The second example is more functional and is relevant to production sites in which I show you how to authenticate passwords against credentials stored in a database table.

A Simple Example of Form-Based Authentication

This example contains three files: web.config, default.aspx, and login.aspx. These files are included in the "simple" folder of the samples folder of this chapter on the book's Web site at www.premierpressbooks.com/downloads.asp. You should create an IIS virtual folder (to mark it as an ASP.NET application) and place these three files there.

The web.config's security section is configured as follows: web.config

<configuration>

<system.web>

<authentication mode="Forms">

<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All" timeout="60">

<credentials passwordFormat="Clear" >

<user name="hersh" password="bhasin"/>

<user name="joe" password="smith"/>

<user name="test" password="user"/>

</credentials>

</forms>

</authentication>

<authorization>

<deny users="?" />

</authorization>

<globalization requestEncoding="UTF -8" responseEncoding="UTF -8" />

</system.web>

</configuration>

Note that this file has three sections: authentication, authorization, and identity. The meaning of various elements are discussed below:

<authentication mode>

As discussed earlier, authentication mode can be Windows (the default), Forms,

Passport, or None.

<forms>

<forms name=".ASPXUSERDEMO" path = "/" loginUrl="login.aspx" protection="All" timeout="60" />

The name setting gives the name of the cookie, the loginurl specifies the name of the aspx login form, which in this case is login.aspx . The path attribute specifies the path for which the cookie is valid and path = "/" indicates the complete site. The protection attribute can be All, None, Encryption, or Validation. All is the default and uses both encryption and data validation.

<credentials>

<credentials passwordFormat="Clear/SHA1,MD5">:

We store the credentials (meaning usernames and passwords) of the users allowed to access our application in this section. It is not required that we store credentials here, so I will explain how credentials can be stored in a database in the subsequent example. The passwordFormat setting can be Clear, SHA1, or MD5. Clear means that the passwords are stored as clear text and user passwords are compared directly against this value without further transformation. SHA1 and MD5 indicate the hashing algorithms to be used on the passwords. The SHA1 encryption method stores the password in the SHA1 Digest and the MD5 in the MD5 hash digest. Passwords are normally stored in a database. To protect the passwords from prying eyes, they can be encrypted (using SHA1 or MD5 hashing algorithms). This can be done using the

HashPasswordForStoringInConfigFile method defined in the

FormsAuthentication class. This method accepts the password string and the encryption methods and returns the encrypted password. Here is an example:

encrypt.aspx

<%@ Import Namespace="System.Data" %>

<html>

<head>

<script language="VB" runat="server">

Sub Page_Load(Src As Object, E As EventArgs)

Dim SHA1Password As string

Dim MD5Password As string

SHA1Password = FormsAuthentication.HashPasswordForStoringInConfigFile ("Hersh","SHA1")

Else

Msg.Text = "Sorry Invalid username or password : Please try again" End If

End Sub </script> <body>

<form runat=server>

<h3><font face="Verdana">Login Page</font></h3> <table>

<tr>

<td>User Name:</td>

<td><input id="UserName" type="text" runat=server/></td>

<td><ASP:RequiredFieldValidator ControlToValidate="UserName" Display="Static" ErrorMessage="*"

runat=server/></td>

</tr>

<tr>

<td>Password:</td>

<td><input id="UserPass" type=password runat=server/></td>

<td><ASP:RequiredFieldValidator ControlToValidate="UserPass" Display="Static" ErrorMessage="*"

runat=server/></td>

</tr>

<tr>

<td>Persistent Cookie:</td>

<td><ASP:CheckBox id=PersistCookie runat="server" /> </td> <td></td>

</tr>

</table>

<asp:button text="Login" OnClick="Login_Click" runat=server/> <p>

<asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat=server />

</form>

</body>

</html>

The body of this form has two textboxes: UserName and UserPassword and one checkbox: PersistCookie. When this checkbox is checked, the cookie is persisted; that is, the cookie information is not lost when the browser is closed.

When the user clicks on the login button, the login_click event is fired. This event first uses the authenticate method of the FormsAuthentication class to authenticate the user credentials. If the user is authenticated, the RedirectFromLoginPage method is used to store the cookie (and if the PersistCookie checkbox is checked, to persist the cookie) and to redirect the user back to the page that was actually requested by the user.

The default.aspx form is the form that the user originally requests, and after the login process, gets to see. This is its listing:

default.aspx

<%@ Import Namespace="System.Web.Security " %>

<html>

<script language="VB" runat=server>

Sub Page_Load(Src As Object, E As EventArgs)

msg.Text = "Welcome, " + User.Identity.Name

End Sub

Sub Signout_Click(Src As Object, E As EventArgs)

FormsAuthentication.SignOut()

Response.Redirect("login.aspx")

End Sub

</script>

<body>

<h3><font face="Verdana">Using Cookie Authentication</font></h3>

<form runat=server>

<h3><asp:label id="msg" runat=server/></h3>

<asp:button text="Signout" OnClick="Signout_Click" runat=server/>

</form>

</body>

</html>

In the page load event of this page, I access the user's name using the User class as follows:

msg.Text = "Welcome, " + User.Identity.Name

The User class is available intrinsically from a Web page and has three methods:

IsAuthenticated, Name, and Type. The IsAuthenticated method returns a Boolean specifying whether the user has been authenticated. The Name method returns the username, and the Type method returns the type of authentication used.

Finally, clicking on the signout button clears the cookie using the SignOut method of the

FormsAuthentication class as follows:

Sub Signout_Click(Src As Object, E As EventArgs)

CookieAuthentication.SignOut()

Response.Redirect("login.aspx")

End Sub

Figure 13.1 is the screenshot of the login page. Figure 13.2 is the screenshot of a successful login.

Figure 13.1: The login page.