Page 1: CS 3870/CS 5870: Note 12
Authentication and Authorization
Membership Provider

Page 2: Prog 5

• Copy folder Prog4 as Prog5
• Modify Prog4MasterPage
  – Name: Prog5MasterPage
  – Text: Prog 5
  – TreeView: new root node; NavigationURL of the master page

Page 3: Prog 5

• Modify the content pages
  – Reset the MasterPageFile (top line of the source file)

Page 4: Prog 5

• Modify the session variables: rename Prog4_ to Prog5_
  – File Global
  – Code file

Page 5: Prog 5

• Make sure it's working the same as Prog4 before adding features for Prog5

Page 6: Web.Config

• Machine.config
  – Machine-level settings
  – Default settings for all Web applications
• Application Web.config
  – Under the application root directory
  – Applies to the entire application
  – Overrides some settings set in Machine.config
• Local Web.config
  – A sub-folder can have its own Web.config file
  – Overrides some settings set in a higher-level Web.config
  – Not every setting can be set in a local Web.config
• AUTHENTICATION must be set in the application Web.config
• AUTHORIZATION can be different for different sub-folders
• Page directives
  – Apply to the page only
  – Override settings set in Web.config

Page 7: Machine.config on Xray

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config

<membership>
  <providers>
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>

Page 8: Machine.config on Xray

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config

<connectionStrings>
  <add name="LocalSqlServer"
       connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
       providerName="System.Data.SqlClient" />
</connectionStrings>
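Pages 6 through 8 show the machine-wide defaults and say that an application Web.config can override them. The fragment below is an added example, not part of the course notes: an application-level Web.config that replaces the inherited AspNetSqlMembershipProvider with its own provider. The provider name Prog5SqlProvider, the connection string name Prog5Membership, the database name Prog5Users and the application name /Prog5 are assumptions for illustration. Two points matter for security: the machine default uses applicationName="/", so every application sharing that database also shares one user table, and a distinct applicationName keeps this application's accounts separate; and the <clear /> removes the inherited provider so the application cannot silently fall back to the machine-wide settings.

```xml
<!-- Added example (not from the course notes): application Web.config that
     overrides the Machine.config membership provider from pages 7-8.
     Provider name, connection string name, database and application name
     are assumed values for illustration. -->
<configuration>
  <connectionStrings>
    <!-- Point the provider at this application's own database instead of the
         machine-wide aspnetdb.mdf default (server and database names assumed) -->
    <add name="Prog5Membership"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=Prog5Users;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="Prog5SqlProvider">
      <providers>
        <!-- Drop the inherited AspNetSqlMembershipProvider so only the
             provider configured here is available to the application -->
        <clear />
        <add name="Prog5SqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="Prog5Membership"
             applicationName="/Prog5"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The password policy attributes are the same ones listed on page 7; only the values differ. With passwordFormat="Hashed" the stored value cannot be turned back into the password, which is why enablePasswordRetrieval must stay "false" and recovery goes through enablePasswordReset instead. maxInvalidPasswordAttempts together with passwordAttemptWindow locks the account after the given number of failures inside the window, which is the provider's built-in defence against password guessing.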

Page 9: Web.Config

• Application configuration file under the main web site

<system.web>
  <authentication mode="Forms">
    <forms name="formsAuth"
           loginUrl="login.aspx"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           protection="All"
           defaultUrl="~/Prog5/Default.aspx"
           timeout="1"
           cookieless="UseDeviceProfile" />
  </authentication>
</system.web>

Page 10: Authentication

• To identify the user
• Four modes
  – Windows: intranet
  – Forms: Internet
  – Passport: MS
  – None

Page 11: Forms Based Authentication

– name: the cookie's name
– loginUrl: the login page; default is login.aspx
– path: the path the cookie is scoped to; default is /
– protection: the amount of protection applied to the cookie
  • Encryption
  • Validation
  • All (both; the default)
  • None
– timeout: lifetime of the cookie in minutes (default 30); a durable cookie could also be issued

Page 12: Forms Based Authentication

– defaultUrl: where the user is sent after logging in if the login.aspx page was requested directly; otherwise the user goes on to the page originally requested
– requireSSL: the credential must be sent over an encrypted connection (SSL)
– slidingExpiration: the cookie's timeout is renewed while the user stays active (a sliding scale)
– cookieless:
  • UseDeviceProfile: default
  • UseCookies: require cookies
  • UseUri: force the credential to be stored in the URI
  • AutoDetect: send a test cookie first
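The attributes explained on pages 9 through 12, collected into one <forms> element with the values a site served over HTTPS would use instead of the classroom values on page 9 (where timeout="1" expires the ticket after one minute, which is handy for demonstrating expiry). This is an added example, not part of the course notes; the <httpCookies> element and the 20-minute timeout are my choices, not settings from the notes.

```xml
<!-- Added example (not from the course notes): forms authentication for a
     site served over HTTPS. Attribute meanings follow pages 9-12; the
     chosen values are assumptions for a production site. -->
<system.web>
  <authentication mode="Forms">
    <forms name="formsAuth"
           loginUrl="login.aspx"
           defaultUrl="~/Prog5/Default.aspx"
           path="/"
           protection="All"
           requireSSL="true"
           cookieless="UseCookies"
           slidingExpiration="true"
           timeout="20" />
  </authentication>
  <!-- Assumed, not on the notes' pages: every cookie the application issues
       is HttpOnly (not readable by script) and sent only over HTTPS -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

Three of these settings carry the security weight. protection="All" means the ticket in the cookie is both encrypted and signed, so it can be neither read nor altered by the client. requireSSL="true" marks the authentication cookie Secure and makes ASP.NET refuse to issue it over plain HTTP, so it cannot be captured on the wire. cookieless="UseCookies" keeps the ticket out of the URL; with UseUri or AutoDetect the ticket can end up in server logs, browser history and Referer headers.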

Page 13: Authentication

• All pages are still accessible to the public after authentication is set in the config file

<system.web>
  . . .
  <authentication mode="Forms">
    . . .
  </authentication>
  . . .
</system.web>

Page 14: Form Login

• Create form Login under the root folder
• Add control Login from tab Login
• All pages are still accessible to the public

Page 15: Authorization

• Web.config file under the main folder

<system.web>
  . . .
  <authentication mode="Forms">
    . . .
  </authentication>
  . . .
  <authorization>
    <deny users="?" />
  </authorization>
  . . .
</system.web>

Page 16: No Page Accessible

• With <deny users="?" /> in the main Web.config, no page is accessible until the user logs in

Page 17: Authorization

• Web.config file under the main folder

<system.web>
  <authentication mode="Forms">
  </authentication>
</system.web>

<location path="Prog5">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<!-- could have multiple <location> elements -->

Page 18: All Pages Are Accessible

• Except those under folder Prog5

Page 19: Control CreateUserWizard

• Add a form CreateUser.aspx under the main folder
• Add control CreateUserWizard
• Create one user
  – UserName: jim
  – Password: cs3870@UWP
  – Your email
  – Your choices for the others

Page 20: Event ContinueButtonClick

• In CreateUser.aspx.vb
• Select CreateUserWizard1
• Select event ContinueButtonClick
• Code:

    Response.Redirect("Login.aspx")

Page 21: Authorization

<deny users="*" />
<allow users="*" />
<allow users="[comma separated list of users]"
       roles="[comma separated list of roles]"
       verbs="[comma separated list of verbs]" />
<deny users="[comma separated list of users]"
      roles="[comma separated list of roles]"
      verbs="[comma separated list of verbs]" />

• * : everyone
• ? : anonymous
• verbs: GET, HEAD, POST, DEBUG
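An added example, not from the course notes, that puts the rule syntax on this page together with the per-folder <location> form from page 17 and the override hierarchy from page 6. ASP.NET evaluates <authorization> rules top to bottom, starting with the most specific configuration (the folder's own rules before the parent's), and the first rule that matches the user and verb decides, so the order of <allow> and <deny> is what makes a rule set an allow-list or a deny-list. jim is the user created on page 19; the folder Prog5/Admin and the role Admin are assumed names for illustration.

```xml
<!-- Added example (not from the course notes). Rules are checked top to
     bottom, most specific configuration first, and the first match wins;
     a trailing <deny users="*" /> turns a rule list into an allow-list. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <!-- Site-wide: anyone may read, only logged-in users may POST -->
    <authorization>
      <allow verbs="GET, HEAD" users="*" />
      <deny verbs="POST" users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Folder Prog5: logged-in users only, exactly as on page 17 -->
  <location path="Prog5">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Folder Prog5/Admin (assumed): jim or members of the assumed Admin
       role; everyone else denied. Writing <deny users="*" /> first would
       lock jim out as well, because the first matching rule wins. -->
  <location path="Prog5/Admin">
    <system.web>
      <authorization>
        <allow users="jim" roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check a rule set, trace one request through it: an anonymous GET of Prog5/Admin/Default.aspx hits the Prog5/Admin rules first, matches <deny users="*" /> and is redirected to login.aspx; a GET by jim matches the <allow> line above it and is served. The roles attribute only has an effect once a role provider is enabled in Web.config, which these notes do not cover; without one the rule for jim still works because it names the user directly.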

Page 22: Other Login Controls

• ChangePassword
• LoginName
• LoginStatus
• LoginView
• PasswordRecovery

Page 23: Prog5MasterPage

• Add LoginName and LoginStatus

Page 24: Prog5MasterPage

Partial Class Prog5_MasterPage
    Inherits System.Web.UI.MasterPage

    ' After LoginStatus signs the user out, send them to the login page
    Protected Sub LoginStatus1_LoggedOut(. . .) Handles LoginStatus1.LoggedOut
        Response.Redirect("~/Login.aspx")
    End Sub

End Class

Page 25: New Page Checkout

• Maintain a shopping bag for each session
• Add items into the shopping bag when shopping
• GridView to display all items in the shopping bag on checkout
• Clear the bag on checkout

Page 26: Shopping Bag

• Your choice
  – DataTable
  – ArrayList
  – New class
  – . . .
• Location
  – SQLDataClass
  – . . .

Page 27: Shopping Bag

Public Shared Function NewShoppingBag() As Data.DataTable
    Dim bag As New Data.DataTable
    bag.Columns.Add("Product ID")
    bag.Columns.Add("Product Name")
    bag.Columns.Add("Unit Price")
    bag.Columns.Add("Quantity")
    bag.Columns.Add("Cost")

    ' Product ID is the primary key, so Rows.Find can look an item up by it
    Dim PK() As Data.DataColumn = {bag.Columns(0)}
    bag.PrimaryKey = PK

    Return bag
End Function

Page 28: Global.vb

Sub Session_Start(. . .)
    . . .
    ' For Prog5
    Session("Prog5_Bag") = SQLDataClass.NewShoppingBag()
    . . .
End Sub

Page 29: Page Shopping

• New Button "Add to Shopping Bag"
• Click event:

    Dim myBag As Data.DataTable = Session("Prog5_Bag")
    Dim row As Data.DataRow = myBag.NewRow()
    row(0) = txtID.Text
    row(1) = txtName.Text
    row(2) = txtPrice.Text
    row(3) = txtQuantity.Text
    row(4) = txtSubTotal.Text

    ' Replace the old item if the same Product ID is already in the bag
    Dim r As Data.DataRow = myBag.Rows.Find(row(0))
    If Not r Is Nothing Then
        myBag.Rows.Remove(r)
    End If
    myBag.Rows.Add(row)

Page 30: Page Checkout

Protected Sub Page_Load(. . .) Handles Me.Load
    GridView1.DataSource = Session("Prog5_Bag")
    GridView1.DataBind()
End Sub

Page 31: Page Checkout

Protected Sub Button1_Click(. . .) Handles Button1.Click
    ' End the current session; this clears all session variables
    Session.Abandon()

    ' Log out of Membership: removes the forms authentication cookie
    FormsAuthentication.SignOut()

    ' Go to Login.aspx
    Response.Redirect(FormsAuthentication.LoginUrl)
End Sub

Page 32: Schedule

• Thursday
  – Still have class
  – Do Prog5 and Project
  – Lab 206
• Next Tuesday
  – Do Prog5 and Project
  – Lab 206
• Lose 10 points if missing class without my permission