Asp Net 2.0 Security Membership And Role Management

Introduction

This book covers security topics on a wide range of areas in ASP.NET 2.0. It starts with detailed coverage of how security is applied when an ASP.NET application starts up and when a request is processed. The book then branches out to cover security information for features such as trust levels, forms authentication, session state, page security, and configuration system security. You will also see how you can integrate ASP.NET security with legacy ASP applications. Over the course of these topics, you will gain a solid understanding of many of the less publicized security features in ASP.NET 2.0.

The book switches gears in Chapter 9 and addresses two new security services in ASP.NET 2.0: Membership and Role Manager. You start out learning about the provider model that underlies both of these features. Then you will get a detailed look at the internals of both features, as well as the SQL- and Active Directory-based providers that are included with them. After reading through these topics, you will have a thorough background on how you can work with the new providers and how you can extend them in your applications.

Who Is This Book For?

This book is intended for developers who already have a solid understanding of ASP.NET 1.1 security concepts in the area of forms authentication, page security, and website authorization. Where the book addresses new functionality, such as Membership and Role Manager, it assumes that you have already used these features and have a good understanding of the general functionality provided by both of them. As a result, this book does not rehash widely available public information on various features or API reference documentation.

Instead, you will find that the book has been written to “peel back the covers” of various ASP.NET security features so that you can gain a much deeper understanding of the security options available to you. The book also addresses lesser known security functionality such as ASP.NET trust levels and ASP.NET-to-ASP integration so that you can take advantage of these approaches in your own applications.

If you are looking for a deep dive on general ASP.NET 2.0 security, then you will find Chapters 1–8 very useful. If your initial focus is on the new Membership and Role Manager features, then Chapters 9–15 will be immediately useful to you. After you have read through these topics, you will definitely have a thorough understanding of why ASP.NET security works the way it does, and you will have insights into just how far you can “stretch” ASP.NET 2.0 to match your application’s security requirements.

What Does This Book Cover?

The subject of ASP.NET security can refer to a lot of different concepts: security features, best coding practices, lockdown procedures, and so on. This book addresses ASP.NET security features from the developer’s point of view. It gives you detailed information on every major area of ASP.NET security you will encounter while developing web applications. And it shows you how you can extend or modify these features.

Chapter 1 walks you through the internal processing ASP.NET performs when it starts up an application domain. You will see how control passes from IIS to ASP.NET, and you will learn about the special processing ASP.NET performs during the very first request to an app domain.

Chapter 2 gives you a detailed walk through of the security processing ASP.NET performs in its pipeline for each HTTP request. You will see how the default authentication and authorization modules work, as well as how ASP.NET blocks access to content with special handlers. This chapter also describes subtleties in how request identity works with ASP.NET 2.0’s asynchronous pipeline events and asynchronous page model.
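The identity subtleties mentioned above are easiest to see by instrumenting the pipeline yourself. The following HttpModule is an added example written for this edition, not code from the book: it records, at each security stage, the three identities that can legitimately differ during a request (HttpContext.User, Thread.CurrentPrincipal, and the Windows token the code is executing under) and emits them in a response header. The header name "X-Identity-Trace" and the module type name are arbitrary choices for this example, and because the header leaks account names it is a diagnostic to run on a development box only.

```csharp
// Added example (not from the book). Drop this class in App_Code and register it:
//   <httpModules><add name="IdentityTrace" type="IdentityTraceModule"/></httpModules>
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

public class IdentityTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Before the authentication modules run: context.User is still null/anonymous.
        app.BeginRequest += delegate(object s, EventArgs e) { Record((HttpApplication)s, "BeginRequest"); };
        // After FormsAuthenticationModule / WindowsAuthenticationModule have set context.User.
        app.PostAuthenticateRequest += delegate(object s, EventArgs e) { Record((HttpApplication)s, "PostAuthenticateRequest"); };
        // After UrlAuthorizationModule and FileAuthorizationModule have made their decision.
        app.PostAuthorizeRequest += delegate(object s, EventArgs e) { Record((HttpApplication)s, "PostAuthorizeRequest"); };
        // Immediately before the page (or other handler) executes.
        app.PreRequestHandlerExecute += delegate(object s, EventArgs e) { Record((HttpApplication)s, "PreRequestHandlerExecute"); };
        app.EndRequest += delegate(object s, EventArgs e) { Flush((HttpApplication)s); };
    }

    public void Dispose() { }

    private static void Record(HttpApplication app, string stage)
    {
        HttpContext ctx = app.Context;
        StringBuilder sb = (StringBuilder)ctx.Items["IdentityTrace"];
        if (sb == null)
        {
            sb = new StringBuilder();
            ctx.Items["IdentityTrace"] = sb;
        }

        // 1. context.User: what URL/file authorization and Role Manager consult.
        string user = ctx.User == null ? "(null)" : ctx.User.Identity.Name;
        // 2. Thread.CurrentPrincipal: ASP.NET keeps it in sync with context.User on the
        //    request thread, but not on worker threads used by async events/pages.
        string thread = Thread.CurrentPrincipal == null ? "(null)" : Thread.CurrentPrincipal.Identity.Name;
        // 3. The OS token the code actually runs under: the application pool identity
        //    unless impersonation is enabled for the application.
        string os = WindowsIdentity.GetCurrent().Name;

        sb.AppendFormat("{0}: user={1}; thread={2}; os={3}; tid={4} | ",
            stage, user, thread, os, Thread.CurrentThread.ManagedThreadId);
    }

    private static void Flush(HttpApplication app)
    {
        StringBuilder sb = (StringBuilder)app.Context.Items["IdentityTrace"];
        if (sb != null)
            app.Response.AppendHeader("X-Identity-Trace", sb.ToString());
    }
}
```

Request a page with forms authentication on and then with Windows authentication plus `<identity impersonate="true"/>`, and compare the `user` and `os` values per stage: the gap between them is exactly the distinction the chapter draws between the ASP.NET principal and the Windows token.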

Chapter 3 describes what an ASP.NET trust level is and how ASP.NET trust levels work to provide more secure environments for running web applications. The chapter goes into detail on how you can customize trust levels and how to write privileged code that works in partial trust applications.

Chapter 4 covers the new security features in the 2.0 Framework’s configuration system. It discusses new configuration options for locking down configuration sections as well as protecting configuration sections from prying eyes. It also discusses how ASP.NET trust levels and configuration system security work together.
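As an added example (not code from the book) of the configuration protection Chapter 4 discusses, the class below encrypts and decrypts the `<connectionStrings>` section of a web application's web.config through the .NET 2.0 protected configuration API, using the DPAPI-backed provider that ships with the Framework. It assumes the application is the one at virtual path "/MyApp" (a hypothetical path) and that the identity running it can write web.config.

```csharp
// Added example (not from the book): protect a configuration section programmatically.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // DataProtectionConfigurationProvider keys the ciphertext to this machine via DPAPI,
    // so it cannot be copied to another server. Use RsaProtectedConfigurationProvider
    // (with an exported key container) when the same web.config must work across a farm.
    private const string ProviderName = "DataProtectionConfigurationProvider";

    public static void Protect(string virtualPath)   // e.g. "/MyApp" (hypothetical)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
            return; // already encrypted; nothing to do

        section.SectionInformation.ProtectSection(ProviderName);
        // Force the section to be rewritten even though no values changed.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    public static void Unprotect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reads are transparent: the provider decrypts on the way in, so application code
    // that uses the configuration API needs no change after the section is protected.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = WebConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

The same result from the command line is `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` (and `-pd` to decrypt). Note that encryption only protects the file at rest; any code running in the application can still read the plaintext, which is why the chapter pairs this with trust levels and with `allowOverride="false"` on `<location>` elements so that a child web.config cannot redefine the section.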

Chapter 5 explains new ASP.NET 2.0 features for forms authentication. You will learn about the new integrated cookieless support and the new support forms authentication has for passing authentication tickets across web applications. The chapter also presents an extensive example of implementing a lightweight single sign-on solution using forms authentication, as well as how to enforce a single login using a combination of forms authentication and Membership.

Chapter 6 demonstrates using IIS6 wildcard mappings and ASP.NET 2.0’s support for wildcard mappings to share authentication and authorization information with classic ASP applications. The sample code in the chapter also shows you how you can use these features to integrate Membership and Role Manager with classic ASP.

Chapter 7 covers security features and guidance for session state. New session state security features introduced in ASP.NET 2.0 are covered, as well as security options for out-of-process state and the effect ASP.NET trust levels have on the session state feature.

Chapter 8 describes some lesser known page security features from ASP.NET 1.1. It also describes new ASP.NET 2.0 options for securing viewstate and postback events. Chapter 8 also covers how the new dynamic compilation model can be used with code access security.
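The viewstate and postback protections Chapter 8 covers can be enforced from a common base page. The class below is an added example, not code from the book: it ties the viewstate MAC to the current user with ViewStateUserKey and turns on the ASP.NET 2.0 anti-tampering settings programmatically. The class name SecurePage is an arbitrary choice.

```csharp
// Added example (not from the book): a base page enforcing viewstate and postback hardening.
using System;
using System.Web;
using System.Web.UI;

public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey is mixed into the viewstate MAC, so viewstate captured from one
        // user fails validation when replayed by another (the one-click attack defense).
        // It must be set before viewstate is loaded, which is why this lives in Init.
        if (User != null && User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = User.Identity.Name;
        }
        else if (Context.Session != null)
        {
            // Caveat: ASP.NET 2.0 issues a new session ID on every request until something
            // is stored in session, so store a marker to keep the key stable for anonymous users.
            if (Context.Session["SecurePage.Marker"] == null)
                Context.Session["SecurePage.Marker"] = true;
            ViewStateUserKey = Context.Session.SessionID;
        }

        // These mirror the <pages> attributes in web.config but make the policy explicit
        // for every page that derives from this class:
        //   EnableViewStateMac        - reject viewstate whose MAC does not verify
        //   ViewStateEncryptionMode   - encrypt viewstate so its contents are not readable
        //   EnableEventValidation     - reject postback events/values the page never rendered
        EnableViewStateMac = true;
        ViewStateEncryptionMode = ViewStateEncryptionMode.Always;
        EnableEventValidation = true;

        base.OnInit(e);
    }
}
```

Because the MAC and encryption keys come from `<machineKey>`, pages in a web farm must share an explicit validationKey and decryptionKey; with AutoGenerate keys a postback that lands on a different server fails MAC validation.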

Chapter 9 gives you an architectural overview of the new provider model introduced in ASP.NET 2.0. The chapter covers the various Framework classes that are “the provider model” along with sample code showing you how to write your own custom provider-based features.

Chapter 10 talks about the new Membership feature. The chapter goes into detail about the core classes of the Membership feature as well as how you can extend the feature with custom hash algorithms.

Chapter 11 delves into both the SqlMembershipProvider as well as general database design assumptions that are baked into all of ASP.NET 2.0’s new SQL-based features. You will learn how you can extend the provider to support automatically unlocking user accounts. The sample code also covers custom password encryption, storing password histories, and extending the provider to work in portal environments.


Chapter 12 covers the other membership provider that ships in ASP.NET 2.0: the ActiveDirectoryMembershipProvider. You will learn about how this provider maps its functionality onto Active Directory, and you will see how to set up both Active Directory and Active Directory Application Mode servers to work with the provider.

Chapter 13 describes the new Role Manager feature that provides built-in authorization support for ASP.NET 2.0. You will learn about the core classes in Role Manager. The chapter also details how the RoleManagerModule is able to automatically set up a principal for downstream authorization and how the module and Role Manager’s caching work hand in hand. Chapter 13 also covers the WindowsTokenRoleProvider, which is one of the providers that ships with Role Manager.

Chapter 14 discusses the SqlRoleProvider and its underlying SQL schema. You will learn about using the provider in conjunction with Windows authentication, extending the provider to support custom authorization logic, and how you can use its database schema for data layer authorization logic. Although not specific to just SqlRoleProvider, the chapter covers how to get the provider working in a partial trust non-ASP.NET environment.

Chapter 15 covers the AuthorizationStoreRoleProvider — a provider that maps Role Manager functionality to the Authorization Manager feature that first shipped in Windows Server 2003. You will learn how to set up and use both file-based and directory-based policy stores with the provider. The chapter covers special Authorization Manager functionality that is supported by the provider, as well as how to use both the ActiveDirectoryMembershipProvider and AuthorizationStoreRoleProvider to provide Active Directory based authentication and authorization in your web applications.

What You Need to Run the Examples

This book was written using various Beta 2 and RC releases of the 2.0 Framework on Windows Server 2003 SP1. The sample code in the book has been verified to work with late RC builds of the 2.0 Framework. To run all of the samples in the book, you will need the following:

Windows Server 2003 SP1

Visual Studio 2005 RTM

Either SQL Server 2000 or SQL Server 2005

A Windows Server 2003 domain running at Windows Server 2003 functional level

Most of the samples should also work when using Windows XP. Note that the information in most of the book refers to security credential configuration using IIS6 application pools as opposed to the older <processModel /> approach used in Windows XP and IIS 5.1.

The book covers topics in Chapter 6 that require IIS6 features to work.

Chapters 11 and 14 use the SQL-based providers. You should have either SQL Server 2000 or SQL Server 2005 set up to use these samples. Scattered throughout the book are other samples that rely on the Membership feature — these samples also require either SQL Server 2000 or SQL Server 2005.


To run the samples in Chapter 12, you will need either a Windows Server 2003 domain controller, or a machine running Active Directory Application Mode (ADAM). Chapter 12 addresses using the ActiveDirectoryMembershipProvider in both environments.

The sample code in Chapter 15 uses the Authorization Manager functionality in Windows Server 2003 (both setting up policies as well as consuming them). As a result, to run most of the samples you will need a Windows Server 2003 domain controller that has been set up to work with Authorization Manager. You do not need a domain controller if you just want to try out file-based policy stores with AuthorizationStoreRoleProvider.

Conventions

Code has several styles. If I am talking about a word in the text—for example, when discussing a For . . . Next loop — it’s in this font. If it’s a block of code that can be typed as a program and run, then it’s also in a gray box:

Private Sub mnuHelpAbout_Click(ByVal sender As Object, _
        ByVal e As System.EventArgs) Handles mnuHelpAbout.Click
    Dim objAbout As New About
    objAbout.ShowDialog(Me)
    objAbout = Nothing
End Sub

Configuration information and the results from running code use a similar font, but do not have a background color:

<connectionStrings>
    <add name="myDatabase" connectionString="some connection string"/>
</connectionStrings>

Sometimes you’ll see code in a mixture of styles, like this:

Private Sub mnuHelpAbout_Click(ByVal sender As Object, _
        ByVal e As System.EventArgs) Handles mnuHelpAbout.Click
    Dim objAbout As New About
    objAbout.ShowDialog(Me)
    objAbout.Dispose()
    objAbout = Nothing
End Sub

In cases like this, the code with the gray background is code you are already familiar with; the line in the bolded font (here, the objAbout.Dispose() call) is a new addition to the code.


Customer Support

We always value hearing from our readers, and we want to know what you think about this book: what you liked, what you didn’t like, and what you think we can do better next time. You can send us your comments either by returning the reply card in the back of the book or by email to feedback@wrox.com. Please be sure to mention the book’s title in your message.

How to Download the Sample Code for the Book

When you visit the Wrox site (wrox.com) simply locate the title through our Search facility or by clicking the Download Code link at the top of the main page, then find the book in the title list. Click the HTTP or FTP link for the book to download the code.

The files that are available for download from our site have been archived using WinZip. When you have saved the attachments to a folder on your hard drive, you need to extract the files using a decompression program such as WinZip or PKUnzip. When you extract the files, the code is usually extracted into chapter folders. When you start the extraction process, ensure that your software (WinZip or PKUnzip) is set to use folder names.

Errata

We’ve made every effort to ensure that there are no errors in the text or in the code. However, no one is perfect and mistakes do occur. If you find an error in one of our books, such as a spelling mistake or a faulty piece of code, we would be very grateful for feedback. By sending in errata, you may save another reader hours of frustration, and, of course, you will be helping us provide even higher-quality information. Simply email the information to support@wrox.com; your information will be checked and, if correct, posted to the errata page for that title, or used in subsequent editions of the book.

To find errata on the Web site, go to wrox.com and simply locate the title through our Advanced Search or title list or by going to the Help Center using the link at the bottom of the main page. Click the View Errata link, which is to the right of the book’s title.

Email Support

If you wish to directly query a problem in the book with an expert who knows the book in detail, then email support@wrox.com with the title of the book and the last four numbers of the ISBN in the subject field of the email. A typical email should include the following things:

The title of the book, the last four digits of the ISBN (8000), and the page number of the problem in the Subject field

Your name, contact information, and the problem in the body of the message

We won’t send you junk mail. We need the details to save your time and ours. When you send an email message, it will go through the following chain of support:

Customer Support — Your message is delivered to our customer support staff, who are the first people to read it. They have files on most frequently asked questions and will answer anything general about the book or the Web site immediately.


Editorial — Deeper queries are forwarded to the technical editor responsible for that book. They have experience with the programming language or particular product, and are able to answer detailed technical questions on the subject.

The Authors — Finally, in the unlikely event that the editor cannot answer your problem, he or she will forward the request to the author. We do try to protect authors from any distractions to their writing; however, we are quite happy to forward specific requests to them. All Wrox authors help with the support on their books. They will email the customer and the editor with their response, and again all readers should benefit.

The Wrox support process can offer support only for issues that are directly pertinent to the content of our published title. Support for questions that fall outside the normal scope of a book’s support is provided via the community lists of our http://p2p.wrox.com forum.

p2p.wrox.com

For author and peer discussion, join the P2P forums. Our unique system provides programmer-to-programmer contact on mailing lists, forums, and newsgroups, all in addition to our one-to-one email support system. If you post a query to P2P, you can be confident that it is being examined by the many Wrox authors and other industry experts who are present on our mailing lists. At p2p.wrox.com, you will find a number of different lists that will help you, not only while you read this book, but also as you develop your own applications. Particularly appropriate to this book are the Visual Basic and VBA forums, the Database forums, and the DotNet forums.

To subscribe to a forum, just follow these steps:

1. Go to http://p2p.wrox.com.

2. Register using the Register link from the left menu bar or log in if you are already a member.

3. Navigate to the appropriate forum.

4. Click the Subscribe to This Forum link for the forum you wish to join.

Why This System Offers the Best Support

You can choose to join the mailing lists, or you can receive them as a weekly digest. If you don’t have the time, or facility, to receive the mailing list, you can search our online archives. Junk and spam mail is deleted, and your own e-mail address is protected by the unique Lyris system. Queries about joining or leaving lists, and any other general queries about lists, should be sent to listsupport@p2p.wrox.com.


Professional ASP.NET 2.0 Security, Membership, and Role Management

Initial Phases of a Web Request

Before the first line of code you write for an .aspx page executes, both Internet Information Services (IIS) and ASP.NET have performed a fair amount of logic to establish the execution context for a HyperText Transfer Protocol (HTTP) request. IIS may have negotiated security credentials with your browser. IIS will have determined that ASP.NET should process the request and will perform a handoff of the request to ASP.NET. At that point, ASP.NET performs various one-time initializations as well as per-request initializations.

This chapter will describe the initial phases of a Web request and will drill into the various security operations that occur during these phases. In this chapter, you will learn about the following steps that IIS and ASP.NET carry out for a request:

The initial request handling and processing performed both by the operating system layer and the ASP.NET Internet Server Application Programming Interface (ISAPI) filter

How IIS handles static content requests versus dynamic ASP.NET content requests

How the ASP.NET ISAPI filter transitions the request from the world of IIS into the ASP.NET world

Having an understanding of the more granular portions of request processing also sets the stage for future chapters that expand on some of the more important security processing that occurs during an ASP.NET request as well as the extensibility points available to you for modifying ASP.NET’s security behavior.

This book describes security behavior primarily for Windows Server 2003 running IIS6 and ASP.NET. Due to differences in capabilities between IIS5/5.1 and IIS6, some of what is described is not available or applicable when running on Windows 2000/XP. Differences in behavior between versions of IIS are noted in some cases.