Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB

Book Description

As the only book to address ASP.NET 3.5, AJAX, and IIS 7 security from the developer's point of view, this book begins with a look at the new features of IIS 7.0 and then focuses on IIS 7.0 and ASP.NET 3.5 integration. You'll walk through a detailed explanation of the request life cycle for an ASP.NET application running on IIS 7.0 in classic mode, from the moment the request enters IIS 7.0 until ASP.NET generates the corresponding response.

Table of Contents

  1. Copyright
  2. About the Author
  3. About the Previous Author
  4. Credits
  5. Acknowledgments
  6. Introduction
  7. Introducing IIS 7.0
    1. Overview of IIS 7.0
    2. Application Pools
    3. IIS 7.0 Components
    4. IIS 7.0 Modules
    5. Summary
  8. IIS 7.0 and ASP.NET Integrated Mode
    1. Advantages of IIS 7.0 and ASP.NET Integrated Mode
    2. IIS 7.0 Integrated Mode Architecture
    3. Summary
  9. HTTP Request Processing in IIS 7.0 Integrated Model
    1. Built-in IUSR Account and IIS_IUSRS Group
    2. Integrated Mode Per-Request Security
    3. The Unified Processing Pipeline
    4. Summary
  10. A Matter of Trust
    1. What Is an ASP.NET Trust Level?
    2. Summary
  11. Configuration System Security
    1. Using the <location /> Element
    2. Using the lockAttributes
    3. Managing IIS 7.0 Configuration versus ASP.NET Configuration
    4. Extending IIS 7.0 with Managed Modules and Handlers
    5. Managing the Native versus Managed Configuration Systems
    6. IIS 7.0 Feature Delegation
    7. Reading and Writing Configuration
    8. Using Configuration in Partial Trust
    9. Protected Configuration
    10. Summary
  12. Forms Authentication
    1. A Quick Recap of Forms Authentication
    2. Understanding Persistent Tickets
    3. Securing the Ticket on the Wire
    4. Setting Cookie-Specific Security Options
    5. Using Cookieless Forms Authentication
    6. Configuring Forms Authentication Inside IIS 7.0
    7. Sharing Tickets between 1.1 and 2.0/3.5
    8. Using Forms Authentication Across Different Content Types
    9. Leveraging the UserData Property
    10. Passing Tickets Across Applications
    11. Enforcing Single Logons and Logouts
    12. Summary
  13. Integrating ASP.NET Security with Classic ASP
    1. IIS 5 ISAPI Extension Behavior
    2. IIS 7.0 Wildcard Mappings
    3. DefaultHttpHandler
    4. Using the DefaultHttpHandler
    5. Serving Classic ASP in IIS 7.0 Integration Mode
    6. Authenticating Classic ASP with ASP.NET
    7. Authenticating Classic ASP with IIS 7.0 Integrated Mode
    8. Authorizing Classic ASP with ASP.NET
    9. Authorizing Classic ASP with IIS 7.0 Integrated Mode
    10. Summary
  14. Session State
    1. Does Session State Equal Logon Session?
    2. Session Data Partitioning
    3. Cookie-Based Sessions
    4. Cookieless Sessions
    5. Configuring Session State Inside IIS 7.0
    6. Session State for Applications Running in IIS 7.0 Integrated Mode
    7. Session ID Reuse and Expired Sessions
    8. Session ID Denial-of-Service Attacks
    9. Trust Levels and Session State
    10. Database Security for SQL Session State
    11. Security Options for the OOP State Server
    12. Summary
  15. Security for Pages and Compilation
    1. Request Validation and Viewstate Protection
    2. Page Compilation
    3. Fraudulent Postbacks
    4. Site Navigation Security
    5. Summary
  16. The Provider Model
    1. Why Have Providers?
    2. Patterns Found in the Provider Model
    3. Core Provider Classes
    4. Building a Provider-Based Feature
    5. Summary
  17. Membership
    1. The Membership Class
    2. The MembershipUser Class
    3. The MembershipProvider Base Class
    4. The "Primary Key" for Membership
    5. Supported Environments
    6. Using Custom Hash Algorithms
    7. Summary
  18. SqlMembershipProvider
    1. Understanding the Common Database Schema
    2. The Membership Database Schema
    3. Working with SQL Server Express
    4. Database Security
    5. Database Schemas and the DBO User
    6. Changing Password Formats
    7. Custom Password Generation
    8. Implementing Custom Encryption
    9. Enforcing Custom Password Strength Rules
    10. Account Lockouts
    11. Implementing Automatic Unlocking
    12. Supporting Dynamic Applications
    13. Managing an Application's Users Through IIS 7.0
    14. Summary
  19. ActiveDirectoryMembership Provider
    1. Supported Directory Architectures
    2. Provider Configuration
    3. Unique Aspects of Provider Functionality
    4. ActiveDirectoryMembershipUser
    5. Working with Active Directory
    6. Using ADLDS
    7. Using the Provider in Partial Trust
    8. Summary
  20. Role Manager
    1. The Roles Class
    2. The RolePrincipal Class
    3. The RoleManagerModule
    4. RoleProvider
    5. WindowsTokenRoleProvider
    6. Summary
  21. SqlRoleProvider
    1. SqlRoleProvider Database Schema
    2. Provider Security
    3. Working with Windows Authentication
    4. Running with a Limited Set of Roles
    5. Authorizing with Roles in the Data Layer
    6. Supporting Dynamic Applications
    7. Managing an Application's Roles Through IIS 7.0
    8. Summary
  22. AuthorizationStoreRoleProvider
    1. Provider Design
    2. Supported Functionality
    3. Using a File-Based Policy Store
    4. Using a Directory-Based Policy Store
    5. Using a Microsoft SQL Server Database-Based Policy Store
    6. Working in Partial Trust
    7. Using Membership and Role Manager Together
    8. Summary
  23. Membership and Role Management in ASP.NET AJAX 3.5
    1. ASP.NET Membership and Role Services Overview
    2. ASP.NET AJAX Application Services
    3. Summary
  24. Best Practices for Securing ASP.NET Web Applications
    1. Web Application Security Threats Overview
    2. Developers Beware
    3. AJAX-Enabled Application Threats
    4. Summary
  25. Index