There are two types of XML configuration files used by ASP.NET: machine.config and Web.config. The format of these files and the elements they can contain are the same; however, the machine.config file provides the default configuration for all applications and directories, while the Web.config file allows you to modify these defaults for a specific application or virtual directory. The machine.config file is located at:
[install drive]:\WINNT\Microsoft.NET\Framework\[ASP.NET Version Number]\CONFIG
and there is only one copy of this file per Web server, whereas there may be dozens of Web.config files for various applications and subdirectories.
You can establish the conditions for access to a particular directory or application by modifying the <system.Web> section in your application's Web.config file. The conditions you set in the Web.config file apply to the directory that contains it, as well as to all of its subdirectories.
Within the Web.config file, the <system.Web> section establishes the security profile for the application or directories it governs. The general syntax for the security section of the Web.config file is illustrated in Listing 13-1:
Listing 13-1 General syntax for the security section of the Web.config file
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <location path="[Path of specific file to which system.Web applies]">
    <system.Web>
      <authentication mode="[Windows/Forms/Passport/None]">
        <forms name="[name]" loginUrl="[url]" protection="[All, None, Encryption, Validation]" timeout="[time in minutes]" path="[path]">
          <credentials passwordFormat="[Clear, SHA1, MD5]">
            <user name="[UserName]" password="[password]" />
          </credentials>
        </forms>
        <Passport redirecturl="internal" />
      </authentication>
      <authorization>
        <allow users="[comma separated list of users]" roles="[comma separated list of roles]" verb="[GET, POST, HEAD]" />
        <deny users="[comma separated list of users]" roles="[comma separated list of roles]" verb="[GET, POST, HEAD]" />
      </authorization>
      <identity impersonate="[true/false]" name="[Domain\Username to operate under]" password="[password of Domain\UserName]" />
    </system.Web>
  </location>
</configuration>
Note the use of camel-casing throughout the Web.config and machine.config files, where the first letter of the first word is always lower-case and the first letter of each subsequent word is upper-case, as in "configSections". This is important because the entire file is case sensitive, and errors in case will create application errors.
The default and optional values for these elements are shown in Table 13-1.

Table 13-1 Default and Optional Values for Security Section of Web.config

| Element and Default Value | Optional Values | Comment |
|---|---|---|
| <location path=""> | Any string that represents a valid path to a file | If you include a location tag, then the settings contained in the <system.Web> section following this tag will only apply to the specific file path named in the path property. This tag is optional and should typically only be used for files not supported by ASP.NET. |
| <authentication mode="Windows"> | Forms, Passport, None | The authentication mode cannot be set at a level below the application root directory. |
| <forms name=".ASPXAUTH"> | Any string for storing the cookie | You can use any string you like for the cookie name. |
| <forms loginUrl="login.aspx"> | Any valid absolute or relative URL | If the mode is set to Forms, and if the request does not have a valid cookie, this is the URL to which the request is directed for a forms-based login. |
| <forms protection="None"> | All, None, Encryption and Validation | The value within the cookie can be encrypted or sent in plain text. For sites that only use forms authentication to identify a user and not for security purposes, the default None is just fine. |
| <forms path="/"> | Any valid string | Specifies the path value of the cookie. Cookies are only visible to the path and server that sets the cookie. |
| <credentials passwordFormat="sha1"> | Clear, MD5 | Tells ASP.NET the password format used to decrypt the password value of the user attribute. Note that just setting this value does not automatically encrypt the password value; instead, it is the developer's responsibility to add the password value in an encrypted format. |
| <Passport redirecturl="internal"> | Any valid URL that provides a login validation | The authentication mode must equal "Passport" for this to apply. When the requested page requires authentication and the user has not signed on with Passport, the user will be redirected to the supplied "redirecturl". |
| <user name=""> | Any valid user name as string | For example, use the value "jsmith". |
| <user password=""> | Any valid password as string | For example, use the value "jsmithspassword". |
| <allow users="*"> | Any comma-delimited list of users | By default the special character * indicates that all users are allowed; alternatively, ? indicates that anonymous users are allowed. |
| <allow roles=""> | Any comma-delimited list of roles | The special character * indicates that all roles are allowed. |
| <deny users=""> | Any comma-delimited list of users | The special characters * for all users and ? for anonymous users can be used. |
| <deny roles=""> | Any comma-delimited list of roles | The special character * for all roles can be used. |
| <identity impersonate="false"> | True | With impersonation set to "True", the usernames and passwords will be compared against valid NT User Groups to determine access based upon NTFS Access Control Lists. |
The ASP.NET Configuration System only applies to ASP.NET resources, which are those items handled by the xspisapi.dll. By default, items not handled by this DLL, such as TXT, HTML, GIF, JPEG, and ASP files, are not secured by the Web.config. To secure these items, use the IIS admin tool to register these file types, or use the <location> tag to specify a specific file or directory.
The following example grants access to Tony, while denying it to Jason and anonymous users:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.Web>
    <authorization>
      <allow users="Tony" />
      <deny users="Jason" />
      <deny users="?" />
    </authorization>
  </system.Web>
</configuration>
Next we'll look at how users and roles may refer to multiple entities using a comma-separated list:
<allow users="Tony, Jason, DomainName\tcaudill" />
As you can see, the domain account (DomainName\tcaudill) must include both the domain and user name combination.
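To make the authorization semantics above concrete, here is an added evaluator (not code from the chapter or from ASP.NET) that reads the <authorization> rules from a constructed Web.config, applies them top-down with first-match-wins, the * and ? wildcards, comma-separated user and domain-account lists and the verb attribute, and flags a <deny> that an earlier unrestricted <allow users="*"/> makes unreachable. Assumptions: the implicit trailing <allow users="*"/> inherited from machine.config, and case-insensitive user-name comparison.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config: the chapter's Tony/Jason rules plus a role rule
# limited to POST and a domain account inside a comma-separated list.
WEB_CONFIG = r"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="Tony, DomainName\tcaudill" />
      <deny users="Jason" />
      <allow roles="Admins" verb="POST" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

def load_rules(xml_text):
    """Return the <authorization> children in document order as
    (action, users, roles, verbs); ASP.NET evaluates them top-down."""
    rules = []
    for section in ET.fromstring(xml_text).iter("authorization"):
        for rule in section:
            attr = lambda a: [v.strip() for v in rule.get(a, "").split(",") if v.strip()]
            rules.append((rule.tag, attr("users"), attr("roles"), attr("verb")))
    rules.append(("allow", ["*"], [], []))  # machine.config's implicit default
    return rules

def is_allowed(rules, user, roles=(), verb="GET"):
    """First matching rule decides. user=None is an anonymous request;
    * matches everyone, ? matches anonymous. Names compare case-insensitively
    (assumption, mirroring Windows account semantics)."""
    lower_roles = {r.lower() for r in roles}
    for action, users, rule_roles, verbs in rules:
        if verbs and verb.upper() not in {v.upper() for v in verbs}:
            continue  # rule only covers other HTTP verbs
        user_hit = any(u == "*" or (u == "?" and user is None)
                       or (user is not None and u.lower() == user.lower())
                       for u in users)
        role_hit = any(r == "*" or r.lower() in lower_roles for r in rule_roles)
        if user_hit or role_hit:
            return action == "allow"
    return True  # never reached: the implicit allow matches everything

def unreachable_denies(rules):
    """Misconfiguration check: indices of <deny> rules placed after an
    unrestricted <allow users="*"/>, which therefore can never fire."""
    for i, (action, users, _, verbs) in enumerate(rules[:-1]):
        if action == "allow" and "*" in users and not verbs:
            return [j for j, r in enumerate(rules[:-1]) if j > i and r[0] == "deny"]
    return []
```

Because rules are merged with the machine.config default appended last, an authenticated user matched by no explicit rule is allowed, which is why the anonymous deny must appear before any blanket allow.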