Friday, November 25, 2005

How to build secure ASP.NET applications

ASP.NET provides several ways to protect your Web-based app from attack. Here's an overview of authentication, authorisation, and role-based security.

Web applications are subject to several types of attacks, whose damage and impact can vary quite a bit depending on the characteristics of the application itself. As a result, security is strictly related to the application’s usage and how the users interact with its features. But how do you design and code secure ASP.NET applications? From an application point of view, security is mostly a matter of authenticating users and authorising actions on the system’s resources. ASP.NET provides a range of authentication and authorisation mechanisms implemented in conjunction with IIS, the .NET Framework, and the underlying security services of the operating system.

When a client issues a Web request, the following sequence of authentication and authorisation events occurs:

1. IIS authentication
2. ASP.NET authentication
3. ASP.NET authorisation


Authenticating users
IIS first ensures that the request comes from a trusted IP address; if not, the request is rejected with HTTP error 403.6. A second preliminary check then determines whether the requested resource is available for reading or browsing; if not, the request is rejected with HTTP error 403.2. If the page can be viewed and the request comes from a non-restricted IP address, IIS attempts to authenticate the caller using one of its predefined mechanisms: Integrated, Digest, or Basic authentication. If the Windows Integrated method is used, either Kerberos or NTLM is used. If the request passes this stage, ASP.NET gets involved.

ASP.NET supports three types of authentication methods: Windows, Forms, and Passport. If ASP.NET is configured for Windows authentication, no additional steps are needed and ASP.NET just accepts any security token it receives from IIS. If ASP.NET is configured for Forms authentication, the user is prompted for credentials using an HTML form. The user ID and password are authenticated against a stored list of valid users. The application is free to choose the best-suited storage mechanism, including a SQL Server database or Active Directory services. Finally, if ASP.NET is configured for Passport authentication, the user is redirected to a Passport Web site and authenticated by the Passport service.

A fourth type of authentication is None, meaning that ASP.NET does not attempt to perform its own authentication and relies completely on the authentication already carried out by IIS. In this case, anonymous users can connect, and resources are accessed using the ASP.NET account. Setting the ASP.NET authentication mode to None does not prevent the application from implementing its own authentication layer.
You choose the ASP.NET authentication mechanism using the <authentication> section in the Web.config file. By default, the authentication mode is set to Windows.

Authorisation

Of course, authentication means only that the user is known and proven to be who he or she claims to be. The next task is to make sure the user has enough rights to access the requested resource. After authentication, ASP.NET verifies that the caller is authorised to access the requested resource and execute the operation. A couple of HTTP modules provide this service: UrlAuthorizationModule and FileAuthorizationModule. The former ensures that the authorisation rules set in the <authorization> element of the Web.config file are fulfilled. The latter gets into the game when Windows authentication is used and checks that the caller has the necessary permission to access the requested resource; in this case, the verification is performed by comparing the access control list (ACL) of the resource against the caller’s token. At this stage of the process, .NET roles can also be used to verify the caller’s authorisation to work on a resource.

The authorisation rules consist of two distinct blocks of information regarding what is allowed and what is denied. Under the <authorization> element, the <allow> child tag defines the users, roles, and actions allowed; conversely, the <deny> child tag indicates which users, roles, or actions are not permitted.

You should note that the authentication mode can be set only in the machine.config file or, better yet, in the application-level Web.config file. Child subdirectories inherit the authentication mode chosen for the application. However, authorisation settings can be defined in the Web.config of each child subdirectory. In other words, authorisation supports a finer granularity than authentication.
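The <authentication> and <authorization> sections described above, shown together as an added example Web.config that is not from the original article. It switches the application to Forms authentication, denies anonymous users application-wide, and uses a <location> element to restrict one subdirectory to the Boss role, which is the per-folder granularity the text mentions. The folder name Admin, the login page Login.aspx and the role name Boss are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to
         Login.aspx (assumed page name). protection="All" keeps the ticket
         cookie both encrypted and signed; timeout is in minutes. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ASPXAUTH" protection="All" timeout="30" />
    </authentication>

    <!-- Application-wide rule: "?" means anonymous users, so nobody who has
         not logged in reaches any page. The inherited machine-level default
         is <allow users="*"/>, which would let everyone through. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rule for the assumed Admin subdirectory (equivalent to a
       Web.config placed inside that folder). Rules are evaluated top to
       bottom and the first match wins, so the deny-all line must follow the
       allow line; without it, every authenticated user would fall through to
       the inherited allow-all rule. "*" means all users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Boss" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two things worth checking in any such file are the order of the rules inside each <authorization> block and the presence of a final <deny users="*"/> wherever access is meant to be exclusive; an allow-only block grants nothing on its own, it only adds to the allow-all inherited from machine.config.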


Role-based security
If you need to authenticate users, chances are good that you also need to serve them personalized pages. There are basically two possibilities here: you either implement a profile system and store configuration information for each user, or you define roles and map users to one or more of these categories.

In the former case, you maintain profile records that probably need to store UI-related settings and references to functions to enable or disable. While designing the page, you access the profile record for the current user and build the page accordingly.

If you don’t have to maintain user-specific information but simply need to catalog groups of users and maintain profile information on a per-group basis, roles are a better approach. A role is a name—just a short descriptive string—that identifies a set of functions, user interface elements, and permissions that the page grants to each user who plays that role.

Defining roles is a two-step procedure. First, you define all the possible roles and give each user one or more of them. This association is normally done at the database level. Typically, you run a database of users in which you store user names and passwords; add a third column with the role of each.

By the time a user is authenticated, no role information is associated with the identity. However, a function to check whether a given identity plays a certain role exists. You use the IsInRole function of the Page.User object to check the role of a user:
if (User.IsInRole("Boss")) Response.Write("The user is the boss");
The second part of defining roles is to associate a role with an authenticated user.
To do this, you must create a new principal object, either generic or of the same type as the authentication. This is normally done in the Global.asax file while handling the AuthenticateRequest event:

// role is the string read from the database for the current user;
// GenericPrincipal takes the identity plus an array of role names
Context.User = new GenericPrincipal(Context.User.Identity, new string[] { role });
At this point, the URL authorisation module can check the role of the user against the <authorization> section of the local Web.config file. For example, a folder whose Web.config file contains authorisation rules that allow the Boss role and deny everyone else would make its pages accessible only to users belonging to the Boss role.

The authorisation module uses the IsInRole function to authorise access by role.

Protect your application

Securing a Web application entails protecting the Web server against a variety of attacks, but it also requires implementing effective policies to prevent illicit access to pages. ASP.NET provides some built-in layers of code to authenticate and authorise users and actions.
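The second step of the role procedure (attaching database-backed roles to the authenticated identity in Global.asax) as an added example; this is not the article's own code. The user-to-role table is constructed inline to stand in for the "third column" of the user table the article describes, and the user names alice and bob and the roles Boss and Employee are assumptions. The code is written to compile with the C# 2.0 compiler that shipped with ASP.NET 2.0.

```csharp
// Global.asax.cs: replace the role-less principal set by the authentication
// module with one that carries the user's roles (added example).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Constructed stand-in for the user table's role column; a real
    // application would query its user store here instead.
    private static readonly Dictionary<string, string[]> RolesByUser = BuildRoleTable();

    private static Dictionary<string, string[]> BuildRoleTable()
    {
        Dictionary<string, string[]> table =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
        table["alice"] = new string[] { "Boss", "Employee" }; // assumed sample user
        table["bob"] = new string[] { "Employee" };           // assumed sample user
        return table;
    }

    // Raised on every request after the authentication module has run, so
    // Context.User already carries the authenticated name but no roles yet.
    // It fires before AuthorizeRequest, which is when UrlAuthorizationModule
    // evaluates the <authorization> rules against the principal set here.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
        {
            return; // anonymous request: the <authorization> rules decide its fate
        }

        // Roles are looked up server-side by the authenticated name only;
        // nothing the client sends (cookies, headers, query string) is consulted.
        string[] roles = LookupRoles(current.Identity.Name);

        // GenericPrincipal takes an array of role names. Replacing Context.User
        // is what makes Page.User.IsInRole("Boss") and the URL authorisation
        // rules see the roles; the original identity object is kept as-is.
        Context.User = new GenericPrincipal(current.Identity, roles);
    }

    // Returns the roles for a user, or an empty array for unknown users so
    // that IsInRole() is simply false rather than throwing.
    public static string[] LookupRoles(string userName)
    {
        string[] roles;
        if (userName != null && RolesByUser.TryGetValue(userName, out roles))
        {
            return roles;
        }
        return new string[0];
    }
}
```

With Forms authentication the module's own principal is a GenericPrincipal wrapping a FormsIdentity, so the replacement above keeps the same principal type; under Windows authentication you would wrap the WindowsIdentity the same way if you wanted database roles rather than Windows group membership. The lookup runs on every request, which is what guarantees that revoking a role in the database takes effect immediately rather than at the next login.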

Thursday, November 24, 2005

Microsoft Student Project Program


Academic Projects Program
A definitive program that helps you get closer to the future, Microsoft Academic Projects gives you the opportunity to work on your projects with cutting-edge tools: next-generation Microsoft technologies that are used by software professionals across the globe. The mission of the Microsoft Academic Projects Program is to inspire dynamic academic institutions in India to innovate, solve key computing challenges with industry, and provide unparalleled experiences and opportunities to their faculty and students. Under this annual program, students get a chance to execute projects, as part of their academic curriculum, using the next-generation Microsoft technologies that make them ready for the professional world when they step into it. The program will be a learning session beyond compare.

Refer: http://www.msapp.net/

Highlights:

->Use leading edge Microsoft technologies for your academic projects.
->Get your project resource kit with e-books, tutorials, software and more.
->Have your projects reviewed by Microsoft and industry experts.
->Opportunity to showcase your project at the Microsoft national project exhibition.
->Cash awards for outstanding projects.
->On successful completion of the projects you get a Microsoft Academic Project participation certificate.
->Add value and get visibility for your final semester projects and/or mini projects.
->Top 5 colleges with the largest number of submissions get a one-year free subscription/renewal of MSDN Academic Alliance.

What's New in ASP.NET 2.0?

ASP.NET is a programming framework built on the common language runtime that can be used on a server to build powerful Web applications. The first version of ASP.NET offered several important advantages over previous Web development models. ASP.NET 2.0 improves upon that foundation by adding support for several new and exciting features in the areas of developer productivity, administration and management, extensibility, and performance:

Developer Productivity
ASP.NET 2.0 encapsulates common Web tasks into application services and controls that can be easily reused across web sites. With these basic building blocks, many scenarios can now be implemented with far less custom code than was required in previous versions. With ASP.NET 2.0 it is possible to significantly reduce the amount of code and concepts necessary to build common scenarios on the web.


New Server Controls. ASP.NET 2.0 introduces many new server controls that enable powerful declarative support for data access, login security, wizard navigation, menus, treeviews, portals, and more. Many of these controls take advantage of core application services in ASP.NET for scenarios like data access, membership and roles, and personalization. Some of the new families of controls in ASP.NET 2.0 are described below.


Data Controls. Data access in ASP.NET 2.0 can be accomplished completely declaratively (no code) using the new data-bound and data source controls. There are new data source controls to represent different data backends such as SQL databases, business objects, and XML, and there are new data-bound controls for rendering common UI for data, such as gridview, detailsview, and formview.


Navigation Controls. The navigation controls provide common UI for navigating between pages in your site, such as treeview, menu, and sitemappath. These controls use the site navigation service in ASP.NET 2.0 to retrieve the custom structure you have defined for your site.


Login Controls. The new login controls provide the building blocks to add authentication and authorization-based UI to your site, such as login forms, create user forms, password retrieval, and custom UI for logged in users or roles. These controls use the built-in membership and role services in ASP.NET 2.0 to interact with the user and role information defined for your site.


Web Part Controls. Web parts are an exciting new family of controls that enable you to add rich, personalized content and layout to your site, as well as the ability to edit that content and layout directly from your application pages. These controls rely on the personalization services in ASP.NET 2.0 to provide a unique experience for each user in your application.


Master Pages. This feature provides the ability to define common structure and interface elements for your site, such as a page header, footer, or navigation bar, in a common location called a "master page", to be shared by many pages in your site. In one simple place you can control the look, feel, and much of functionality for an entire Web site. This improves the maintainability of your site and avoids unnecessary duplication of code for shared site structure or behavior.


Themes and Skins. The themes and skins features in ASP.NET 2.0 allow for easy customization of your site's look-and-feel. You can define style information in a common location called a "theme", and apply that style information globally to pages or controls in your site. Like Master Pages, this improves the maintainability of your site and avoids unnecessary duplication of code for shared styles.


Personalization. Using the new personalization services in ASP.NET 2.0 you can easily create customized experiences within Web applications. The Profile object enables developers to easily build strongly-typed, sticky data stores for user accounts and build highly customized, relationship-based experiences. At the same time, a developer can leverage Web Parts and the personalization service to enable Web site visitors to completely control the layout and behavior of the site, with the knowledge that the site is completely customized for them. Personalization scenarios are now easier to build than ever before and require significantly less code and effort to implement.

Localization. Enabling globalization and localization in Web sites today is difficult, requiring large amounts of custom code and resources. ASP.NET 2.0 and Visual Studio 2005 provide tools and infrastructure to easily build localizable sites, including the ability to auto-detect incoming locales and display the appropriate locale-based UI. Visual Studio 2005 includes built-in tools to dynamically generate resource files and localization references. Together, these make building localized applications a simple and integrated part of the development experience.

Administration and Management
ASP.NET 2.0 is designed with administration and manageability in mind. We recognize that while simplifying the development experience is important, deployment and maintenance in a production environment is also a key component of an application's lifetime. ASP.NET 2.0 introduces several new features that further enhance the deployment, management, and operations of ASP.NET servers.


Configuration API. ASP.NET 2.0 contains new configuration management APIs, enabling users to programmatically build programs or scripts that create, read, and update Web.config and machine.config configuration files.

ASP.NET MMC Admin Tool. ASP.NET 2.0 provides a new comprehensive admin tool that plugs into the existing IIS Administration MMC, enabling an administrator to graphically read or change common settings within our XML configuration files.

Pre-compilation Tool. ASP.NET 2.0 delivers a new application deployment utility that enables both developers and administrators to precompile a dynamic ASP.NET application prior to deployment. This precompilation automatically identifies any compilation issues anywhere within the site, as well as enables ASP.NET applications to be deployed without any source being stored on the server (one can optionally remove the content of .aspx files as part of the compile phase), further protecting your intellectual property.

Health Monitoring and Tracing. ASP.NET 2.0 also provides new health-monitoring support to enable administrators to be automatically notified when an application on a server starts to experience problems. New tracing features will enable administrators to capture run-time and request data from a production server to better diagnose issues. ASP.NET 2.0 is delivering features that will enable developers and administrators to simplify the day-to-day management and maintenance of their Web applications.

Flexible Extensibility
ASP.NET 2.0 is a well-factored and open system, where any component can be easily replaced with a custom implementation. Whether it is server controls, page handlers, compilation, or core application services, you'll find that all are easily customizable and replaceable to tailor to your needs. Developers can plug in custom code anywhere in the page lifecycle to further customize ASP.NET 2.0 to their needs.


Provider-driven Application Services. ASP.NET 2.0 now includes built-in support for membership (user name/password credential storage) and role management services out of the box. The new personalization service enables quick storage/retrieval of user settings and preferences, facilitating rich customization with minimal code. The new site navigation system enables developers to quickly build link structures consistently across a site. As all of these services are provider-driven, they can be easily swapped out and replaced with your own custom implementation. With this extensibility option, you have complete control over the data store and schema that drives these rich application services.

Server Control Extensibility. ASP.NET 2.0 includes improved support for control extensibility, such as more base classes that encapsulate common behaviors, improved designer support, more APIs for interacting with client-side script, metadata-driven support for new features like themes and accessibility verification, better state management, and more.

Data Source Controls. Data access in ASP.NET 2.0 is now performed declaratively using data source controls on a page. In this model, support for new data backend storage providers can be easily added by implementing custom data source controls. Additionally, the SqlDataSource control that ships in the box has built-in support for any ADO.NET managed provider that implements the new provider factory model in ADO.NET.

Compilation Build Providers. Dynamic compilation in ASP.NET 2.0 is now handled by extensible compilation build providers, which associate a particular file extension with a handler that knows how to compile that extension dynamically at runtime. For example, .resx files can be dynamically compiled to resources, .wsdl files to web service proxies, and .xsd files to typed DataSet objects. In addition to the built-in support, it is easy to add support for additional extensions by implementing a custom build provider and registering it in Web.config.

Expression Builders. ASP.NET 2.0 introduces a declarative new syntax for referencing code to substitute values into the page, called Expression Builders. ASP.NET 2.0 includes expression builders for referencing string resources for localization, connection strings, application settings, and profile values. You can also write your own expression builders to create your own custom syntax to substitute values in a page rendering.

Performance and Scalability
ASP.NET is built to perform, using a compiled execution model for handling page requests and running on the world's fastest web server, Internet Information Services. ASP.NET 2.0 also introduces key performance benefits over previous versions.


64-Bit Support. ASP.NET 2.0 is now 64-bit enabled, meaning it can take advantage of the full memory address space of new 64-bit processors and servers. Developers can simply copy existing 32-bit ASP.NET applications onto a 64-bit ASP.NET 2.0 server and have them automatically be JIT compiled and executed as native 64-bit applications (no source code changes or manual re-compile are required).

Caching Improvements. ASP.NET 2.0 also now includes automatic database server cache invalidation. This powerful and easy-to-use feature allows developers to aggressively output cache database-driven page and partial page content within a site and have ASP.NET automatically invalidate these cache entries and refresh the content whenever the back-end database changes. Developers can now safely cache time-critical content for long periods without worrying about serving visitors stale data.