Implementing security through web

For the last ten months I have been working on a web application for one of my company's clients. The site is not public: it is an internal management system that will run on the company's local intranet. For the last month we have been working on security for this application. The site is built on ASP.NET, and we are using the ASP.NET membership and role services.

Why is security so essential?
Security is essential everywhere; it is how we keep our resources safe. When you leave for the office in the morning you lock your house. The man who runs my local book shop locks his shop at night before leaving. All of this is security, so you can feel the need for it everywhere. The same is true for web applications. A web application holds many resources you want secured: you must be logged in before reading your mail, or before sending birthday greetings to a friend on your favourite social networking site. The application we are working on also has resources that only the right person may access.

Authentication and Authorization
There are two things you have to understand: authentication and authorization.

Authentication is the procedure by which you prove who you are. Think about how you prove your identity in daily life: maybe with your voter identity card, your PAN card number, or your social security number. It is the same for a web application. How do you prove your identity on the web when you want to check your mail? You log in with your user name and password. That user name and password combination is unique to you, and with it you prove your identity to your email provider.

Authorization is the procedure that checks whether an authenticated user has permission to access the particular resource being requested. Think of an action-adventure game on your Xbox: at some stage you hack the gate password of a building and get inside, but you still find locked doors, because you do not have enough permission to enter those rooms. Authorization is permission granted to authenticated (logged-in) users: after login it decides whether you have the authority to access a particular web page or not.

ASP.NET solution
Before .NET Framework 2.0, developers implemented authentication and authorization from the ground up, and often reinvented the same wheel for each of their applications. Microsoft addressed this by introducing the provider model in .NET Framework 2.0. The data access layer and the business logic ship in the Framework, ready to use. Classes such as Membership and Roles are the business logic classes you call from your UI. Under the hood they talk to the data source through a data access layer called a provider. You can change the data source and the provider and your UI is unaffected, because the same business logic classes keep working for you. You can extend a provider with your own logic, or write one for any data source you like, and third-party providers can be downloaded from the internet. Many ASP.NET features use this provider model, not only security. You can see the default provider configuration in the machine.config file on your computer under
C:\WINDOWS\Microsoft.NET\Framework\[version number]\CONFIG\

Membership provider configuration in machine.config file:

<membership>
    <providers>
        <add name="AspNetSqlMembershipProvider"
            type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
            connectionStringName="LocalSqlServer"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            applicationName="/"
            requiresUniqueEmail="false"
            passwordFormat="Hashed"
            maxInvalidPasswordAttempts="5"
            minRequiredPasswordLength="7"
            minRequiredNonalphanumericCharacters="1"
            passwordAttemptWindow="10"
            passwordStrengthRegularExpression=""/>
    </providers>
</membership>

Role provider in machine.config file:

<roleManager>
    <providers>
        <add name="AspNetSqlRoleProvider"
            connectionStringName="LocalSqlServer"
            applicationName="/"
            type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        <add name="AspNetWindowsTokenRoleProvider"
            applicationName="/"
            type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    </providers>
</roleManager>

ASP.NET also gives you web controls for the UI, such as Login, CreateUserWizard and ChangePassword. You can find them in the Visual Studio toolbox under the Login category. With these, implementing membership and role functionality in an ASP.NET application is very easy.

How we are implementing it
We are, of course, using the ASP.NET provider model in our application, but in some areas we inject our own customisation. First, we use SQL Server 2005, with SqlMembershipProvider for membership/authentication and SqlRoleProvider for role/authorization. By default these providers use the LocalSqlServer connection string, which points at a SQL Server Express database file named aspnetdb.mdf in the application's App_Data folder. We need to use our own SQL Server database instead. ASP.NET is very extensible here: the membership and role manager providers expose many properties we can set, so we add a connection string for our database and use it in place of LocalSqlServer. Two things catch people out when doing this. The providers listed in web.config are added on top of those inherited from machine.config, so the inherited entry must be cleared (or removed by name) before an entry with the same name is added again, otherwise ASP.NET reports that the provider name has already been added. And the role manager is disabled by default, so it must be switched on explicitly. We keep the machine.config defaults for the password settings: passwordFormat="Hashed" means only a salted hash is stored, which is why enablePasswordRetrieval stays false, and five failed attempts (maxInvalidPasswordAttempts) within the ten-minute passwordAttemptWindow lock the account until an administrator unlocks it.

<configuration>
    <connectionStrings>
        <!-- Placeholders for the real server and database. User Instance=True belongs to the
             SQL Server Express file-attach scenario and is not used against a full SQL Server. -->
        <add name="OurApplicationConnectionString"
            connectionString="Data Source=our server name;Initial Catalog=our database name;Integrated Security=True"
            providerName="System.Data.SqlClient"/>
    </connectionStrings>
    <system.web>
        <!-- Forms authentication: the Login control and Membership.ValidateUser issue the ticket. -->
        <authentication mode="Forms"/>
        <membership defaultProvider="AspNetSqlMembershipProvider">
            <providers>
                <!-- Drop the entry inherited from machine.config before re-adding it under the same name. -->
                <clear/>
                <add name="AspNetSqlMembershipProvider"
                    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    connectionStringName="OurApplicationConnectionString"
                    enablePasswordRetrieval="false"
                    enablePasswordReset="true"
                    requiresQuestionAndAnswer="true"
                    applicationName="/"
                    requiresUniqueEmail="false"
                    passwordFormat="Hashed"
                    maxInvalidPasswordAttempts="5"
                    minRequiredPasswordLength="7"
                    minRequiredNonalphanumericCharacters="1"
                    passwordAttemptWindow="10"
                    passwordStrengthRegularExpression=""/>
            </providers>
        </membership>
        <!-- The role manager is off by default; Roles.* throws until enabled="true". -->
        <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
            <providers>
                <clear/>
                <add name="AspNetSqlRoleProvider"
                    connectionStringName="OurApplicationConnectionString"
                    applicationName="/"
                    type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
            </providers>
        </roleManager>
    </system.web>
</configuration>

To create the database schema for the membership and role manager providers we used the aspnet_regsql.exe tool, which you can find under
C:\WINDOWS\Microsoft.NET\Framework\[version number]\
In its wizard you choose the target SQL Server database and which ASP.NET services to configure in it; the same thing can be done from the command line with the -S (server), -E (Windows authentication) or -U/-P (SQL login), -d (database) and -A (features) switches, where -A mr adds only the membership and role manager tables. Apart from the usual structure created by aspnet_regsql.exe we have some additional tables: we map our users to the company's employees, and we create and manage access rules dynamically through a database table.

To manage membership and roles we use the System.Web.Security.Membership and System.Web.Security.Roles classes. Both are static classes with many members for working with membership and roles, and both delegate to whichever provider is configured as the default.

Every user is in a role, and access rules are set on roles. If the user is logged in and the role he or she belongs to has access permission for the requested page, the user can access the resources of that page. That means both authentication and authorization must succeed for a page to be accessed. To reuse our code we use a base page class and place the common code in it. One caveat: a check in a base page protects only the web forms that derive from it. Anything that does not (an .ashx handler, a page someone forgets to derive from the base class) is not covered, so the <authorization> element in web.config should still be used as the baseline, for example to deny anonymous users across the site.

using System;
using System.Web.UI;

/// <summary>
/// Base class of the all web forms in this web application.
/// </summary>
public class BasePage : Page
{
    /// <summary>
    /// Parameterless constructor; wires the authorization check to the Init event.
    /// </summary>
    public BasePage()
    {
        this.Init += this.CheckAuthorisation;
    }

    /// <summary>
    /// Check whether the user is authorised for this page or not.
    /// </summary>
    /// <param name="sender">Page object.</param>
    /// <param name="e">EventArgs.</param>
    public void CheckAuthorisation(object sender, EventArgs e)
    {
        // Check permission.
    }
}

Then we use this class as the base class for all our web forms.

public partial class GenCast : BasePage
{
    // UI label code.
}
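A fuller version of the check sketched above, added here as an example; it is not the application's own code. It assumes the access rules live in a table named dbo.AccessRules with PagePath and RoleName columns (placeholder names), that the connection string is the OurApplicationConnectionString entry from the configuration above, and that Forms authentication and the role manager are enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

/// <summary>
/// Reads page -> role rules from the access-rule table managed by the admin
/// panel. Table and column names (dbo.AccessRules: PagePath, RoleName) are
/// placeholders for this example.
/// </summary>
public sealed class SqlAccessRuleStore
{
    private readonly string connectionString;

    public SqlAccessRuleStore(string connectionStringName)
    {
        this.connectionString =
            ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;
    }

    /// <summary>Roles allowed to open the page; empty when no rule exists.</summary>
    public List<string> RolesAllowedFor(string pagePath)
    {
        List<string> roles = new List<string>();
        // The page path is request-controlled input, so it is passed as a
        // parameter rather than concatenated into the SQL text.
        using (SqlConnection connection = new SqlConnection(this.connectionString))
        using (SqlCommand command = new SqlCommand(
            "SELECT RoleName FROM dbo.AccessRules WHERE PagePath = @PagePath", connection))
        {
            command.Parameters.AddWithValue("@PagePath", pagePath);
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    roles.Add(reader.GetString(0));
                }
            }
        }
        return roles;
    }
}

/// <summary>The decision itself, kept free of HttpContext so it can be unit tested.</summary>
public static class AccessDecision
{
    /// <summary>
    /// True when at least one of the caller's roles is named in the rule for the
    /// page. A page with no rule is denied (fail closed): a new web form stays
    /// unreachable until an administrator adds a rule for it.
    /// </summary>
    public static bool IsAllowed(ICollection<string> allowedRoles, IEnumerable<string> userRoles)
    {
        if (allowedRoles == null || allowedRoles.Count == 0)
        {
            return false;
        }
        foreach (string userRole in userRoles)
        {
            foreach (string allowedRole in allowedRoles)
            {
                // Role names are compared case-insensitively, as SqlRoleProvider does.
                if (string.Equals(userRole, allowedRole, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
        }
        return false;
    }
}

/// <summary>Base class of all web forms; the check runs on Init, before Page_Load.</summary>
public class BasePage : Page
{
    private static readonly SqlAccessRuleStore RuleStore =
        new SqlAccessRuleStore("OurApplicationConnectionString");

    public BasePage()
    {
        this.Init += this.CheckAuthorisation;
    }

    protected void CheckAuthorisation(object sender, EventArgs e)
    {
        // 1. Authentication: anonymous callers go to the Forms login page and the
        //    response is ended so no page code runs for them.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
            return;
        }

        // 2. Authorization: the user's roles come from the configured role provider
        //    (Roles.* throws if roleManager is not enabled). The app-relative path
        //    (~/Folder/Page.aspx) keeps rules independent of the virtual directory.
        string pagePath = Request.AppRelativeCurrentExecutionFilePath;
        string[] userRoles = Roles.GetRolesForUser();
        if (!AccessDecision.IsAllowed(RuleStore.RolesAllowedFor(pagePath), userRoles))
        {
            // 403 rather than a redirect: the user is authenticated but not
            // permitted, so sending them back to the login page would just loop.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The rule lookup runs on every request to a page deriving from BasePage; if that is too many round trips, cache the rule list per page path and invalidate it when the admin panel changes a rule. Keeping AccessDecision.IsAllowed separate from the page means the fail-closed behaviour and the case-insensitive role match can be covered by unit tests without an HttpContext.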

We also have an admin panel for managing all the roles and users. The mapping between users and the company's employees lives here too.
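The admin-panel operations described above, written against the static Membership and Roles classes as an added example (not the application's code). It assumes the provider configuration shown earlier (password question and answer required, hashed passwords, lockout after five failures) and uses a hypothetical IEmployeeUserMapping interface in place of the real user-to-employee mapping table.

```csharp
using System;
using System.Web.Security;

/// <summary>
/// Stands in for the user-to-employee mapping table; the interface is an
/// assumption made for this example.
/// </summary>
public interface IEmployeeUserMapping
{
    void Map(Guid membershipUserId, int employeeId);
}

/// <summary>Admin-panel operations, all routed through the configured default providers.</summary>
public static class UserAdministration
{
    /// <summary>
    /// Creates an account for an employee and puts it in a role. The mapping is
    /// keyed on the provider's user id (a GUID for SqlMembershipProvider), not on
    /// the user name, so the employee link survives a rename of the login.
    /// </summary>
    public static MembershipUser CreateEmployeeUser(
        string userName, string password, string email,
        string passwordQuestion, string passwordAnswer,
        string roleName, int employeeId, IEmployeeUserMapping mapping)
    {
        MembershipCreateStatus status;
        // Question and answer are mandatory because the provider is configured with
        // requiresQuestionAndAnswer="true"; missing values come back as a status of
        // InvalidQuestion/InvalidAnswer rather than as an exception.
        MembershipUser user = Membership.CreateUser(
            userName, password, email, passwordQuestion, passwordAnswer,
            true /* isApproved: may log in immediately */, out status);

        if (status != MembershipCreateStatus.Success)
        {
            // Policy failures (minRequiredPasswordLength, the non-alphanumeric
            // requirement, a duplicate user name) all arrive through status.
            throw new InvalidOperationException(
                "Could not create user '" + userName + "': " + status);
        }

        // Create the role on first use, then assign the user to it.
        if (!Roles.RoleExists(roleName))
        {
            Roles.CreateRole(roleName);
        }
        Roles.AddUserToRole(userName, roleName);

        mapping.Map((Guid)user.ProviderUserKey, employeeId);
        return user;
    }

    /// <summary>Moves a user between roles in one place so nobody is left in both.</summary>
    public static void ChangeRole(string userName, string fromRole, string toRole)
    {
        if (!Roles.RoleExists(toRole))
        {
            Roles.CreateRole(toRole);
        }
        Roles.AddUserToRole(userName, toRole);
        if (Roles.IsUserInRole(userName, fromRole))
        {
            Roles.RemoveUserFromRole(userName, fromRole);
        }
    }

    /// <summary>
    /// After maxInvalidPasswordAttempts failures inside passwordAttemptWindow
    /// minutes the provider locks the account, and ValidateUser keeps returning
    /// false even with the right password until the account is unlocked here.
    /// Returns true if the account was locked and is now unlocked.
    /// </summary>
    public static bool UnlockIfLocked(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null || !user.IsLockedOut)
        {
            return false;
        }
        return user.UnlockUser();
    }

    /// <summary>
    /// Disables login for an employee who has left, without deleting the account,
    /// so the employee mapping and anything else keyed on the user id remain.
    /// ValidateUser returns false for an unapproved user.
    /// </summary>
    public static void Deactivate(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user != null && user.IsApproved)
        {
            user.IsApproved = false;
            Membership.UpdateUser(user);
        }
    }
}
```

Because every call goes through the default providers, the same admin code keeps working if the SQL providers are later swapped for custom ones, which is the point of the provider model described earlier.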

Since this application is not open source I cannot post the real code; these are only demo snippets. The point is that I want to share the concept.

If anyone has a better idea for solving this kind of problem, please do not forget to leave a comment.


One Reply to “Implementing security through web”

  1. Aw, this was a really nice post. In idea I would like to put in writing like this moreover: taking time and actual effort to make a very good article... but what can I say? I procrastinate a lot and by no means seem to get something done.
