Abstract
This article is the first of two articles describing the secure use and setup of a three tier solution for managing ASP.NET Membership and Roles. This first article will focus on configuring, using, and, most importantly, securing this solution, as well as providing an overview of how it can be implemented in a typical Microsoft ASP.NET 2.0 Web solution. The Membership and Roles objects will be treated as working without delving into their internal structures. Managing Members and Roles will seem no different than managing data from a simple data source. In the second article, the internals of these controls and objects will be explained in enough detail so developers would be able to build their own using similar techniques.Introduction
ASP.NET 2.0 extends user authentication directly into the application programming domain. Using a standard .NET Library reference (system.web.security), developers can build full authentication into their application with very little extra work. With this in mind, it is important to remember that a certain level of due diligence is necessary to minimize the possibility that the application being built will not have its security compromised during use.This article provides an overview of the security mechanisms and shows example security settings that are an essential part of creating a secure environment for Web applications. ASP.NET 2.0 provides many different configuration options that may or may not be deemed necessary, depending on security requirements. Throughout this article, the pros and cons of these configuration options will be discussed.
Security Considerations
Securing the Physical Environment
It is often said that a computer's security ends at the computer's front panel power switch. No matter how well the system is secured from an OS level, physical protection is essential. It must be assumed that anyone who has physical access to the computer will always be able to compromise its integrity in one way or another.For further information on recommended best practices for securing a computer's physical environment, please review this article on Microsoft TechNet.
Securing the Domain Environment
Best practices for setting up user accounts, passwords, and privileges must be followed. If, for example, a user without privilege is able to directly access the database containing secure data used by the Web application, the application can become compromised.For further information on securing a computer's domain environment, the following articles on the Microsoft Security Home Page give a lot of very helpful recommendations and tips.
Securing the .NET Environment
The .NET environment allows the setting of code access security. This means that individual system and application libraries can be associated with different trust levels. This can be very important in, for example, a shared hosting environment where multiple Web applications may be running. Each Web application that is potentially owned by different users may require isolation and protection from each other. In addition, without this isolation, each Web application could potentially impact critical system functions.In this article, it will be assumed that the ASP.NET user (the user that IIS runs on behalf of) is running with the highest trust level. This would likely be the case when a Web application is running in a dedicated environment. For further information on how code level security could be used to enhance the security of a Web server, see the MSDN article Using Code Access Security with ASP.NET.
ASP.NET's Relationship with IIS
ASP.NET supports three authentication providers when working with IIS: Forms Authentication, which uses application specific logic; Passport authentication, which is a centralized authentication service provided by Microsoft; and Windows authentication, which uses the authentication provided directly through IIS. The default authentication for ASP.NET projects, Forms Authentication, is used in this article. The authentication mode is specified in the web.config file. The syntax choices are as follows.The flow that is followed when a user logs in from a Web client is depicted in the flow chart in this article.
Keep in mind that this article was written in 2001 and is current with the flow of IIS 5.1, not the currently shipping IIS 6.0 or later.
Figure 1. Security Flow between IIS and ASP.NET
Role-Based Security in an ASP.NET 2.0 Web Site
Initial Setup and Configuration
The Web.Config File / Infrequently Changed Items
Certain parameters that affect the overall running of an ASP.NET 2.0 Web application are set in the web.config file. Example parameters include a reference to the membership Provider (or database), the strength of the password required, and whether an e-mail is required to register. The relevant section of the web.config file is shown below with sample values for a minimalist security configuration. More details can be found by accessing Visual Studio 2005 help and looking up "Membership Members." Each security parameter is explained there in detail.<providers> <remove name="AspNetSqlMembershipProvider"/> <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" commentTimeout=""/> </providers>
The Web.Config File / .aspx Page Security
Each Web page in the Web application can be assigned a security level. This is done by specifying what role is required to access the page. The syntax in the web.config file is very straightforward. For example, the following web.config snippet specifies that the MembershipGrid.aspx Web page will only be accessible by a user whose role is assigned as Administrator.<system.web> <location path="MembershipGrid.aspx" > <system.web> <authorization > <allow roles="Administrators"/> </authorization> </system.web> </location> </system.web>
<system.web> <location path="AdminDir" > <system.web> <authorization > <allow roles="Administrators"/> </authorization> </system.web> </location> </system.web>
The Web.Config File / Inside .aspx Page Security
It is often necessary to provide more granular security than what is previously described. That is, it may be necessary to protect a control such as a button or an aspx page. To do this, it is necessary to programmatically change the attribute associated with the control to be affected. For example, if it is necessary to hide a delete button based on the user's role, there are two things that need to be done: first, a method called ShowButtonBasedOnRole should be added to the codebehind class of the Web page. It should return true if the user is permitted in the role requested, and false if the user is not included in the role requested.protected bool ShowButtonBasedOnRole(string RoleOfInterest) { return User.IsInRole(RoleOfInterest); }
<asp:Button ID="Button1" runat="server" Text="Button" Visible='<%# (bool) ShowDeleteRowBasedOnRole("administrator") %>'> />
Using the Member/Role Manager aspx Page
To use the aspx page included within this project (Membership.aspx) there are a few things that need to be done. First, the two data classes from the article project files need to be copied and included in the target project's app_code directory. These two files are MembershipDataObject.cs and RoleDataObject.cs. Then, the aspx file Membership.aspx and its codebehind page, Membership.aspx.cs need to be moved to the current project.It is very important that this page be protected from being accessed by any user who is not assigned the administrator role. Otherwise, any user would be able to modify any other user's logon information. To do this, make sure that in the web.config file the Membership.aspx page is protected. Sample lines from a web.config file to accomplish this are as follows.
<system.web> <location path="Membership.aspx" > <system.web> <authorization > <allow roles="Administrators"/> </authorization> </system.web> </location> </system.web>
The best way to get around this is to execute the code below one time, then remove that code from the Web server. It could, for example, be in the pageload event of an ASP.NET Web page. Then, after this page has been called, delete the page from the server. At that point, the Membership Management Page will only be accessible by logging into the account admin with the password.
Roles.CreateRole("Administrator"); Roles.CreateRole("User"); Roles.CreateRole("Guest"); Membership.CreateUser("admin", "some strong password here"); Roles.AddUserToRole("admin", "Administrator");
No comments:
Post a Comment