Unit 7 Learning Objectives
• How to Control Access to websites
– Authentication and Authorization
– Security and Access Control (web.config)
– ASP.NET Membership controls in code (LoginView)
– Using user information (Page.User)

Authentication
• It determines that someone is who they say they are
• It involves a username and password
• Microsoft systems have two basic methods
– Forms based authentication: what you typically see when you log into a website
– Windows based authentication: what you see when you log into a computer

Windows based authentication: what you see when you log into a computer
Forms based authentication: what you typically see when you log into a website

Authorization
• Permission to use a resource like a webpage or document
• Authenticated users can do more than anonymous users
• Authorization may be associated with Roles
– Roles help in assigning a group of users the same authority
– Example: admin, staff or guest.
• Access Rules determine who is authorized to use what.

Authorization or Authentication?

Access Rules are settings in web.config
• Deny anonymous users, until they identify themselves
• Provides the authentication type (i.e. FORMS), and the place to log in from
• Allows the user that belongs to the role of Admin
• This access rule is for the access to the Register page

Access Rule Example: Consider the Styles Folder
• Access to styles is required for all users of a website.
• Add a web configuration file to the Styles folder; it should look like this
• Starting on line 4, enter an authorization section
This says to allow all users access to the folder.

Multiple Configurations
• Access is determined by using the access rules closest to the page.
• How many config files are seen?
• In this case, the web.config file controls access to the Finals folder.
C:\ASPPUB

How to work with a user's information
Page.User control
• User is a property of the Page object
• User contains information about the user logged into your web page when one of ASP.NET's implemented authentication methods is used
Roles
• Groupings of access privileges
• Example: Manager, Admin, LowlyWorm, Guest, etc.

How can Page.User be used for roles?
• User has a method called IsInRole
• IsInRole identifies whether the user belongs to a role
• User.IsInRole("Admin")
– if the current user is a member of the Admin role, then apply a 10% discount
• User.IsInRole("Guest")
– is the current user a member of the Guest role?
if (User.IsInRole("Admin")) TotalAmt = 0.9 * SubTotalAmt;

L1 #1: ASP.NET security set-up in VWD
• The default web site we created at the beginning of the quarter uses many of ASP.NET's security features – we just have to turn the security on
• So, let's turn it on as the L1 for this unit
1. Open your ASPPub folder in VWD
2. Select ASP.NET Configuration from the Website menu
Go to L1 #11

L1 #2
3. You should see a web page that looks something like this; click the Security link
4. Then click the Use the Security Setup Wizard link, which will set up security and walk you through the creation of a user and access rules

L1 #3
4. Read the Welcome message and press Next
5. Select From the Internet for the Access Method (that means forms authentication) and press Next

L1 #4
6. Wizard Step 3 has nothing for us to do so press Next
7. Wizard Step 4 allows us to use roles. Click the Enable roles check box and then press Next

L1 #5
8. In the next screen, type Admin in the New Role Name text box and press Add Role
9. Once the role is created you have the option of adding another role, deleting an existing role or moving to the next step. Press Next

L1 #6
10. In Wizard Step 5 you create one or more users. Enter MIS3200 for the user name, testing! for the password, your email address and click Create User
11. After the MIS3200 user is created click Continue and add a user with your last name and any password you would like. Then press Next
Be sure you enter the username and password exactly as listed or we won't be able to grade your work!!

L1 #6
12. Wizard step 6 allows you to create Access Rules and apply them to different folders
Look at the bottom of the screen. This shows the default access rule for the selected folder (ASPPub). This rule allows all users to access the folder.

L1 #7
13. To create a new rule
– Select the folder the rule applies to (ASPPub)
– Select who the rule applies to (Anonymous)
– Select which permission you want (Deny)
– Finally, press Add This Rule
The diagram shows a rule to deny anonymous users access to the ASPPub folder. The top of the diagram shows you how to set it up and the bottom shows the finished rule.
This rule will prevent any unauthenticated (i.e. anonymous) user from getting to any page, image or other resource in your ASPPub folder

L1 #8
14. We will just have one access rule for now so press Next
15. Basic security setup is now complete so press Finish
16. You should now see a screen you saw before but this time listing users and roles.
17. You can edit users, roles and access rules from here

L1 #9
18. Close the Web Site Administration Tool
19. Click the Run button to run your MIS portfolio page
20. What happened? Did you get something like this?
L1 #10
• Your access rule prohibits you, and everyone else, from using any page in ASPPub so your default.aspx didn’t load
• But something did load? What page is it? Check the URL
• The one standard exception to the “you can’t use anything” rule is a special page called login.aspx that was created as a part of default settings. It contains a Login control.
• This serves as the page that any unauthorized access is redirected to

L1 #11
21. Go back to your login page and enter your user name and password (MIS3200 and testing!)
22. You should see your normal default.aspx page
23. Close the page and return to VWD
24. Open up your web.config file
– Security settings are stored here so DO NOT delete it!
– Some of the important settings are:
• Access rules
• Authentication mode and location of the login page
Next: Opening access in closed areas

L1 #12
25. Close web.config
26. Open Login.aspx in the Account folder. It should look like this

L1 #13
• Compare the page shown on slide L1 #12 with that on L1 #9. Are they the same page?
• If they are, why do they look so different?
• They are the same page, so what happened?
• The page you see on L1 #12 is formatted with style sheets
• The page on L1 #9 is the same page so it is formatted with the same style sheets, but what happened?

L1 #14: Opening specific folders
• When you deny anonymous users access to a folder you deny them access to everything in the folder, including style sheets, images, documents and web pages
• Let's fix this problem
27. Right click on the Styles folder
28. Select Add New Item…
29. Select Web Configuration File
It is okay to have more than one web.config file as long as they are organized

L1 #15
30. Open the web.config file in the Styles folder; it should look like this
31. Starting on line 4, enter an authorization section
This says to allow all users access to these folders. If a web site has more than one set of access control rules it uses the rules closest to the page. So in this case, the web.config in the Styles folder will control its access.

L1 #16
32. Save the web.config file
33. Repeat the process and create another web.config file in the Images folder
34. After you save your work, try running web.config again. You should get something like this…

L1 #17
35. Before you log in, notice two things on this page
1. Look at the upper right-hand portion of the page; what you see there is actually a special .NET control called LoginStatus. LoginStatus provides an anonymous user with a link for logging in and an authenticated user with a link for logging out (see next page)
2. Look at the page URL
– Does the circled portion look familiar?
– It is a QueryString that tells the login page where to redirect you after you login. The destination depends on what page you tried to access at the time you were redirected to the login page
36. Login using MIS3200 and testing!
Note: Steps 37 through 44 are informational only and do not require any changes to your L1. However, you will do these steps, take screenshots and submit them, as a part of the L1.
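The QueryString that step 35 points at is ASP.NET's ReturnUrl parameter: it carries the page the user originally asked for so that the login page can send them back there after a successful login. A login page should only honour a value that points inside its own application and fall back to the site's default page for anything else. The helper below is an added example, not part of the slides and not ASP.NET's own code (which applies its own checks to this value); the DEFAULT_PAGE path and the sample URLs are constructed for the example.

```python
"""Check the ReturnUrl query string before redirecting after login (added example;
DEFAULT_PAGE and the URLs used in __main__ are constructed, not from the course)."""
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_PAGE = "/ASPPub/Default.aspx"   # assumed application default page


def return_url(login_page_url):
    """Extract the raw ReturnUrl value from a login-page URL, or None if absent."""
    values = parse_qs(urlsplit(login_page_url).query).get("ReturnUrl")
    return values[0] if values else None


def is_local_url(url):
    """True only for a path inside this application: no scheme, no host and
    no protocol-relative form ("//host" or "/\\host") that would leave the site."""
    if not url:
        return False
    url = unquote(url).strip()            # decode once so an encoded form cannot slip past
    if url.startswith("//") or url.startswith("/\\"):
        return False
    if not url.startswith("/"):
        return False                      # "http://...", "host/page", etc.
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(login_page_url):
    """Where the login page should send the user after a successful login."""
    candidate = return_url(login_page_url)
    return candidate if is_local_url(candidate) else DEFAULT_PAGE


if __name__ == "__main__":
    for url in ["/ASPPub/Account/Login.aspx?ReturnUrl=%2fASPPub%2fMIS3200%2fDefault.aspx",
                "/ASPPub/Account/Login.aspx?ReturnUrl=http%3a%2f%2fexample.org%2f",
                "/ASPPub/Account/Login.aspx"]:
        print(url, "->", redirect_target(url))
```

The first sample URL is the shape you see in step 35 after being redirected from the MIS3200 folder, and it is honoured; a value with a scheme or host, or no value at all, sends the user to DEFAULT_PAGE instead.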

L1 #18
37. Look at the top right side of the page again
a) This is the LoginStatus control again. Notice that it has a different appearance now that we are logged in
b) This is another control called LoginName; it simply displays the current user's login name.
38. Notice that the message on the previous page didn't include the Welcome
a) Both messages are contained in a control called LoginView
b) LoginView allows you to display one thing to an anonymous user and something different to an authenticated user
c) It is even possible to display different content based on roles assigned to the user
Welcome MIS3200! [Log Out]

L1 #19
39. Close the page and open your master file, Site.master, in design view
40. Look at the top right of the page
a) You should see the LoginStatus control and a LoginView called HeadLoginView
41. Click on HeadLoginView and click its button to open the smart menu. Notice that you are currently looking at the AnonymousTemplate
42. Right-click on Log_In and look at the properties
a) Notice that this is a LoginStatus control named HeadLoginStatus
b) Also notice the HRef property that says where to find the login page

L1 #20
43. Click the menu button next to AnonymousTemplate and select the LoggedInTemplate
44. You should now see the LoggedInTemplate with both a LoginStatus and LoginName control
– You can change anything you want in either template. The templates will expand to contain whatever you need.
– You can create new templates and associate them with roles by clicking the EditRoleGroups link
– You can go directly to the Web Site Configuration Tool (slide L1 #2) by clicking AdministerWebsite

L1 #21 – What to turn in
45. Open your U6L3 page and click the Run button in Web Developer; you should be prompted with the login screen – capture this screenshot which shows the URL and the login prompt (the entire page)
46. Using the username and password we created (MIS3200 and testing!), login – capture the screenshot that shows your U6L3 was allowed to run after successfully logging in (the entire page again)
47. Submit both of these screenshots by attaching them to the Unit 7 L1 dropbox

ASP.NET Login controls
• You have already seen five ASP.NET Login controls
– CreateUserWizard – used by the Web Site Configuration Tool
– Login – used on Login.aspx
– LoginName – used in Site.master
– LoginStatus – used in Site.master
– LoginView – used in Site.master
• There are only two other controls
– ChangePassword – allows a user to change a password after answering a question
– PasswordRecovery – changes the user's password and sends the new one to the user via email
Login controls found in the Toolbox
PasswordRecovery requires access to a mail server, which we don't have in the labs

L2
1. Open ASPPub
2. Open ASP.NET Configuration (L1 slide #5)
3. Click Security
4. Click Manage Users
5. Select your MIS3200 user and click Edit roles
6. Click the check box next to the Admin role (this puts the MIS3200 user into the Admin role)
7. Close the Web Site Administration Tool
8. Open Web.config in the Account folder
9. Examine lines 4-10
10. Change <allow users="*" /> on line 7 to <allow roles="Admin" />
11. Change <deny users="?" /> on line 13 to <deny users="*" />
12. Save the changes

L2 #2
13. Add the following, starting on line 11, to allow anonymous users access to Login.aspx
14. Run your default.aspx (directly under ASPPub)
15. Login as MIS3200
16. Try to go to ASPPub/Account/Register.aspx (in the URL bar, change ASPPub/Default.aspx to ASPPub/Account/Register.aspx)
17. You should be on the Create a New Account page
18. Now click Log_Out and then log in with your other user name which did not have the Admin role (your last name)
Why do we have to do this?

L2 #3
19. Try to go to ASPPub/Account/Register.aspx again
20. What happens? Why?
• At the present time everyone will have to login to see any of your ASPPub portfolio – not a very useful portfolio, so let's allow everyone into ASPPub but restrict access to the MIS3200 folder
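The "Access Rules are settings in web.config", "Styles Folder" and "Multiple Configurations" slides and the L2 steps 8 to 20 above all rest on two facts about ASP.NET URL authorization: the web.config closest to the page is consulted first, and the first rule that matches the current user decides. The Python model below is an added example, not part of the slides or of the course's files, and not ASP.NET's own code: it parses three constructed web.config texts (the ASPPub root with its deny-anonymous rule, the Styles folder that reopens access, and the Account folder after steps 10 to 13) and reproduces that evaluation. The Principal class stands in for Page.User, with is_in_role mirroring User.IsInRole; the user "Smith" (the "last name" user with no role) and SWAPPED_ORDER_CONFIG are assumptions made for the example.

```python
"""Model of ASP.NET web.config access-rule evaluation (added example; the config
texts are constructed for the slides' scenario and the evaluator is a hypothetical
re-implementation, not ASP.NET's own code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Root ASPPub/web.config: forms authentication, anonymous users denied.
ROOT_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx" /></authentication>
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""
# Styles/web.config (L1 #15): reopens the folder for everyone.
STYLES_CONFIG = """<configuration><system.web>
  <authorization><allow users="*" /></authorization>
</system.web></configuration>"""
# Account/web.config after L2 steps 10-13: Admin only, except Login.aspx.
ACCOUNT_CONFIG = """<configuration>
  <location path="Login.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <system.web><authorization><allow roles="Admin" /><deny users="*" /></authorization></system.web>
</configuration>"""
# The same two Account rules in the opposite order (constructed): evaluation
# stops at the first matching rule, so this locks Admin out as well.
SWAPPED_ORDER_CONFIG = ACCOUNT_CONFIG.replace(
    '<allow roles="Admin" /><deny users="*" />', '<deny users="*" /><allow roles="Admin" />')
# Application-relative folder -> web.config text. Images has no config yet.
SITE = {"": ROOT_CONFIG, "Styles": STYLES_CONFIG, "Account": ACCOUNT_CONFIG}

@dataclass(frozen=True)
class Principal:
    """Stand-in for Page.User: name, role set and the IsInRole check."""
    name: str = ""                   # "" means anonymous
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self):
        return self.name != ""

    def is_in_role(self, role):      # mirrors User.IsInRole("Admin")
        return role in self.roles

ANONYMOUS = Principal()

def rules(config_xml, location=None):
    """[(action, users, roles)] in document order, read from <system.web> or,
    when `location` is given, from the matching <location path=...> element."""
    xpath = ("./system.web/authorization" if location is None
             else f"./location[@path='{location}']/system.web/authorization")
    section = ET.fromstring(config_xml).find(xpath)
    if section is None:
        return []
    def split(value):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [(el.tag, split(el.get("users", "")), split(el.get("roles", "")))
            for el in section]

def matches(principal, users, roles):
    """'*' is everyone, '?' is anonymous; otherwise a user name or a role."""
    for u in users:
        if u == "*" or (u == "?" and not principal.is_authenticated):
            return True
        if principal.is_authenticated and u.lower() == principal.name.lower():
            return True
    return any(principal.is_in_role(r) for r in roles)

def is_authorized(site, principal, path):
    """Walk from the page's folder up to the root; the first matching rule wins.
    A <location> for the file counts as closer than its folder's own rules, and
    the machine-level default (allow everyone) is consulted last."""
    folder, _, filename = path.rpartition("/")
    parts = folder.split("/") if folder else []
    ordered = []
    for depth in range(len(parts), -1, -1):          # closest folder first
        cfg = site.get("/".join(parts[:depth]))
        if cfg is None:
            continue                                  # no web.config here
        rel = "/".join(parts[depth:] + [filename])    # path relative to this folder
        ordered += rules(cfg, location=rel) + rules(cfg)
    ordered.append(("allow", ["*"], []))
    for action, users, roles in ordered:
        if matches(principal, users, roles):
            return action == "allow"
    return True  # not reached: the default rule always matches

def login_url(site):
    """loginUrl of <forms> in the root config: where denied requests are sent."""
    forms = ET.fromstring(site[""]).find("./system.web/authentication/forms")
    return None if forms is None else forms.get("loginUrl")

if __name__ == "__main__":
    admin, smith = Principal("MIS3200", frozenset({"Admin"})), Principal("Smith")
    for who, page in [(ANONYMOUS, "Default.aspx"), (ANONYMOUS, "Styles/Site.css"),
                      (admin, "Account/Register.aspx"), (smith, "Account/Register.aspx")]:
        print(f"{who.name or 'anonymous':10} {page:24} {is_authorized(SITE, who, page)}")
    print("denied requests are redirected to", login_url(SITE))
```

Run directly, it prints the decisions for the cases the slides walk through: anonymous users are turned away from Default.aspx but not from the Styles folder, MIS3200 (in the Admin role) reaches Register.aspx while the last-name user does not, and a folder with no web.config of its own (Images before L1 #16) inherits the root's deny. Evaluating SWAPPED_ORDER_CONFIG in place of the Account config shows why rule order matters: with deny users="*" first, even Admin is refused.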

L2 #4
21. Open the Web Site Administration Tool
22. Select Security
23. Select Manage access rules
24. Delete the Deny anonymous rule
25. Select the MIS3200 folder
26. Click Add new access rule
27. Create a rule to deny anonymous users
28. Click Done and close the page
29. You should now have a new Web.config in your MIS3200 folder (you may have to click Refresh to see it)

L2 #5
• Now try to run your default.aspx page (i.e. your main MIS Portfolio page)
• Can you get in?
– Capture the screenshot that shows your portfolio page was allowed to run
• If so, what happens when you click the MIS3200 link? (do not login)
– Capture this screenshot which shows the URL and the login prompt
• What happens when you try to go to Register.aspx?
– Capture this screenshot which shows the URL and error message

L2 #6 – What to turn in
29. Submit all three screenshots requested by the previous slide by attaching them to the Unit 7 L2 dropbox

Problems?
You may run into various problems when working with the security wizard. After making the users, if your pages no longer run and you see the word "login" in the URL without the ".aspx" following it, you likely clicked on something wrong in the L1 which added the following to your web.config file:
If you see these lines, delete them to correct the issue.