Lab: Configuring Authentication in ASP.NET Applications

baasopchoppy (Security)

5 Nov 2013


In these exercises, you create an ASP.NET Web application and then configure it to restrict access
using role manager.

Exercise 1: Create a Web site that uses ASP.NET Memberships

In this exercise, you create a new ASP.NET Web site and add support for ASP.NET Memberships.

1. Create an ASP.NET Web application using Visual Studio.

2. Create two subfolders named Members and Admin. To each subfolder, add a blank ASP.NET Web form named Default.aspx. Later, you’ll access these pages to verify that ASP.NET requires proper authentication.

3. On the Website menu, select ASP.NET Configuration.

4. Select the Security tab and click the Use The Security Setup Wizard To Configure Security Step By Step link.

5. On Step 1, click Next.

6. On Step 2, select the From The Internet option button. Then click Next.

7. On Step 3, click Next.

8. On Step 4, select the Enable Roles For This Web Site check box. Then click Next.

9. On the Create New Role page, create two roles: Users and Administrators. Then click Next.

10. On Step 5, create two users: StandardUser and Admin. Provide your e-mail address for each and make note of the passwords you assign. Then click Next.

11. On Step 6, select the Admin directory. Create a rule that grants the Administrators role Allow access. Then create a rule that grants All Users Deny access. Note that the new Deny rule appears before the default Allow-All rule. ASP.NET evaluates access rules in order and applies the first rule that matches the current user, so users who are not members of the Administrators role have their access denied before the Allow-All rule is ever reached.

12. While still on Step 6, select the Members directory. Create a rule that grants the Users role Allow access. Then create a rule that grants All Users Deny access. Click Next.

13. On Step 7, click Finish.

14. You return to the Security tab of the Web Site Administration Tool. Click Create Or Manage Roles.

15. For the Administrators role, click Manage. Click All, and then select User Is In Role for Admin. Click Back.

16. For the Users role, click Manage. Click All, and then select User Is In Role for StandardUser and Admin. Click Back.

17. Click the Application tab. Click Configure SMTP E-mail Settings. Configure your SMTP server, type a From e-mail address, and then click Save. Click OK.

18. Return to Visual Studio and open the root Web.config file. Notice that the <roleManager> element is enabled and the authentication element is set to Forms.

19. Open Members/Web.config and Admin/Web.config. Notice that the Web Site Administration Tool created these files and used them to specify the permissions for each folder. You can also do this using a single Web.config file by specifying the <location> element, as described in the next lesson.

Now the Web site is ready to use ASP.NET memberships, and you have created users, roles, and access rules. Continue working with this Web site for the next exercise.
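As an added example (it is not part of the original lab, and it is not the markup the Web Site Administration Tool writes verbatim), the following root Web.config consolidates what Exercise 1 produces: forms authentication and the enabled role manager from Step 18, plus the two per-folder rule sets from Steps 11 and 12 expressed with <location> elements instead of the separate Members/Web.config and Admin/Web.config files. Folder, role and user names are the ones from the exercise; the loginUrl attribute is written out only to make the redirect target visible, since login.aspx is already ASP.NET's default.

```xml
<?xml version="1.0"?>
<!-- Constructed example root Web.config for the Exercise 1 site.
     It is not the file the Web Site Administration Tool generates; it folds
     the tool's Members/Web.config and Admin/Web.config into <location>
     elements so all access rules can be reviewed in one place. -->
<configuration>
  <system.web>
    <!-- Step 18: forms authentication. An unauthenticated request for a
         protected page is redirected to loginUrl, carrying ReturnUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Step 18: role manager enabled, so roles="..." in the rules below
         refer to the Users and Administrators roles stored by ASP.NET
         membership, not to Windows groups. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Step 12: the Members folder. Rules are evaluated top to bottom and the
       first rule matching the current user wins. -->
  <location path="Members">
    <system.web>
      <authorization>
        <allow roles="Users" />
        <deny users="*" />   <!-- the "All Users" Deny rule; "*" is every user -->
      </authorization>
    </system.web>
  </location>

  <!-- Step 11: the Admin folder. Without the deny line, every user would fall
       through to the inherited default <allow users="*" />. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The order inside each <authorization> section is the whole point of Step 11: the folder's own rules are checked first, then the rules inherited from the root, and finally the machine-level default, which allows all users. The <deny users="*" /> line is therefore what actually closes each folder; an <allow roles="..." /> rule on its own would let every authenticated and anonymous user through to the inherited allow-all. When reviewing a Web.config like this, a missing or misplaced deny line is the first thing to check.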

Exercise 2: Create Web forms that use Login controls

In this exercise, you create Web forms using Login controls to take advantage of ASP.NET
membership.

1. Continue working with the Web site you created in the previous exercise, which is configured to support ASP.NET membership and has users and roles added to the database. Alternatively, you can open the completed Lesson 1, Exercise 1 project from the CD.

2. Create a new ASP.NET Web form named Login.aspx. Add the following controls:

A. A Login control

B. A PasswordRecovery control

3. Open the root Default.aspx page. Add the following controls:

A. A HyperLink control with the Text property set to Members only and the NavigateUrl set to Members/Default.aspx.

B. A HyperLink control with the Text property set to Administrators only and the NavigateUrl set to Admin/Default.aspx.

C. A LoginStatus control.

4. Press Ctrl+F5 to open Default.aspx in a Web browser.

5. On the Default.aspx page, click the Members Only link to attempt to access a protected page. Notice that ASP.NET detects that you are not authenticated and redirects you to the default Login.aspx page. Also notice that the URL includes a parameter named ReturnUrl that contains the page you were attempting to access.

6. On the Login.aspx page, in the User Name box, type StandardUser. Type your password in the Password box, and then click Log In. ASP.NET takes you to the Members/Default.aspx page, which is blank. However, because it does not return an error, you know you are successfully authenticated.

7. Click the Back button in your browser twice to return to the root Default.aspx page, and then click the Administrators Only link. Even though you are already authenticated, ASP.NET redirects you to the Login.aspx page because the StandardUser account does not have access to the Admin folder.

8. On the Login.aspx page, in the User Name box, type Hacker. Then click Log In. Notice that ASP.NET rejects your authentication attempt.

9. Under Forgot Your Password, type Admin, and then click Submit. Provide an answer to your security question, and then click Submit to request a new password. Check your e-mail for a message from the Web server containing your new password.

10. After you have your new password, use the new credentials to authenticate. ASP.NET takes you to the Admin/Default.aspx page, which is blank. However, because it does not return an error, you know you are successfully authenticated.


Lab: Controlling Authorization in ASP.NET Applications

In this lab, you modify an ASP.NET Web application to use Windows authentication.

Exercise: Create a Web site that uses ASP.NET memberships

In this exercise, you update a previously created ASP.NET Web site to disable role manager and use Windows authentication instead.

1. Continue working with the Web site you created in Lesson 1, Exercise 2, which has been configured to support ASP.NET membership and has users and roles added to the database. Alternatively, you can open the completed Lesson 1, Exercise 2 project from the CD.

2. On the Website menu, select ASP.NET Configuration.

3. Click the Security tab, and then click Select Authentication Type.

4. Click From A Local Network, and then click Done.

5. In Visual Studio, examine the Web.config file. Notice that the authentication element has been removed, which means forms authentication is no longer enabled and ASP.NET falls back to its default mode, Windows authentication. Now remove the <roleManager> element so that the role names in the authorization rules refer to Windows groups, instead of the roles you added using role manager.

6. In Visual Studio, add a LoginName control to the Default.aspx page. This enables you to see the user account you are using to access the Web site.

7. With the Default.aspx page still open, press Ctrl+F5 to open the page in a browser. Notice that the LoginName control shows that you are automatically logged in using your Windows user account.

8. Click the Members Only link. If your current account is a member of the local Users group, you are allowed to access the page. Otherwise, ASP.NET denies you access.

9. Click the Administrators Only link. If your current account is a member of the local Administrators group, you are allowed to access the page. Otherwise, ASP.NET denies you access.

10. On the Website menu of Visual Studio, select ASP.NET Configuration. Click the Security tab. Notice that you can no longer use the Web Site Administration Tool to manage roles. When role manager is disabled, ASP.NET uses Windows groups as roles. Therefore, you must manage the groups using tools built into Windows, such as the Computer Management console.

11. On the Security tab of the Web Site Administration Tool, click Manage Access Rules. Then click the Admin subfolder. Notice that it displays the existing rules. Click Add New Access Rule and notice that you can add a rule for specific users, all users, or anonymous users. You cannot, however, add rules to grant access to roles, because role manager has been disabled. To add access rules for Windows groups using roles, you must manually edit the <authorization> section of the Web.config files.

This exercise worked because the role names you created in Lesson 1 are exactly the same as the default group names in the local Windows user database. Typically, you would not use the ASP.NET Web Site Administration Tool to create access rules. Instead, you would manually edit the Web.config files, as described in this lesson.
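As an added example, again not the lab's own file, here is a root Web.config as it looks after Step 5 and Step 11 of this lab have been applied by hand, with the per-folder rules folded into <location> elements the way the closing paragraph recommends. The forms authentication element is replaced by the Windows mode that ASP.NET uses anyway when the element is absent, the <roleManager> element is gone, and the role names in the <authorization> rules are now resolved as Windows group names. The unqualified names Users and Administrators work here only because, as the closing paragraph notes, they match the local built-in groups; the DOMAIN\GroupName form shown in a comment is a placeholder for how a domain group would be written.

```xml
<?xml version="1.0"?>
<!-- Constructed example: the root Web.config after this lab's Step 5 and
     Step 11 are applied by hand. Not the file the tool generates. -->
<configuration>
  <system.web>
    <!-- Step 5: the tool removed <authentication mode="Forms" />. ASP.NET's
         default mode is Windows; it is written out here so the choice is
         explicit to anyone reviewing the file. -->
    <authentication mode="Windows" />
    <!-- Step 5: no <roleManager> element, so the roles="..." values below are
         checked against the caller's Windows group membership. -->
  </system.web>

  <!-- Step 8: members of the local Users group may enter; everyone else is
       denied before the inherited allow-all rule is reached. -->
  <location path="Members">
    <system.web>
      <authorization>
        <allow roles="Users" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Step 9: members of the local Administrators group. A domain group would
       be written as roles="DOMAIN\GroupName" (placeholder, not a real domain). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two behaviours change with this file compared with the Exercise 1 configuration. First, there is no Login.aspx redirect any more: ASP.NET answers a denied request with HTTP 401, and it was the forms authentication module that turned that 401 into the redirect seen earlier, so here the browser receives the 401 directly. Second, because the group names are looked up in Windows, renaming a role in the application no longer changes who gets in; the Windows group membership, managed in Computer Management as Step 10 describes, is the access control list, and it should be reviewed with the same care as the Web.config rules.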