
ASP.NET Web Forms apps security topics essentials for BTI420 students

January 28, 2010

There are some essential security topics that you must learn or be aware of as you build ASP.NET Web Forms apps, and they are discussed here.

 

There are many questions you can ask about securing your ASP.NET Web Forms app:

  • Do browser users "out there" get anonymous access to your site’s pages?
  • Is authentication required, for all or part of your site?
  • How is security organized on the server? What options are available to you?
  • What server account identity executes your code (on behalf of the browser user)?
  • Can a browser user "walk" the file system of your web site (i.e. browse or request files you did not intend to serve)?
  • Are file uploads allowed? How? To where? Are there any restrictions on file downloads (i.e. serving a resource to a browser user/requestor)?

 

A short course: "ASP.NET Security 101"

Please go through the "ASP.NET Security 101" document to learn some important foundational concepts. Learning these will enable you to perform the file I/O tasks that follow. The document includes useful code examples that you can use to learn security concepts. Go through the document now.

 
Note: Your professor STRONGLY RECOMMENDS that you try implementing the code examples in the "ASP.NET Security 101" document IN YOUR OWN web site. Past experience has shown that students who do NOT do this, and the similar Lab 4, WILL FAIL TEST 2.

Welcome back. The following ideas and guidelines summarize what you will learn about security:

  • Your ASP.NET pages execute in the security context of the NETWORK SERVICE account (the IIS application pool identity), not in the context of the browser user and not in the context of your own account
  • This account has read permission in your web site's file system directory/folder, which is all it needs to serve pages
  • However, this account has no write (Modify) permission there, so code that creates or writes a file fails with an UnauthorizedAccessException

How do we deal with this problem?

Here are all of the options available to you:

  1. Change the file system permissions to permit writing (Modify) operations

Comment: This requires web admin rights, which we do NOT have on the warp cluster

  2. Ask the hosting provider (e.g. ACS, the warp cluster administrator) to change permissions

Comment: May be inconvenient or unresponsive outside daytime College business hours

  3. Write a file system management application that lets us do this

Comment: Beyond the scope of this course

  4. Use a security concept – Impersonation – to do the job

Comment: Impersonation is the approach we will use initially. It is not ideal for the long term (the impersonated account's credentials go into Web.config, and every request that touches the folder runs with that account's rights), and it is not how real-world deployments are usually done

How do we implement the solution?

Here's what we want to do:

  • Specify a file or folder (hierarchy) that the impersonated account can already write to; keep this as small as possible, one folder rather than the whole site

  • Edit Web.config to include identity impersonation information (the <identity> element inside <system.web>, naming the account and its password)

  • Write code that does the write operations, and that handles the case where the executing identity still cannot write
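The three steps above, carried through as an added example (this is not code from the course page or from the "ASP.NET Security 101" document). It is a Web Forms code-behind that reports which Windows account is executing the request, saves an uploaded file into a single writable folder, and refuses file names that would escape that folder. The folder name WritableData, the account WARP\student01, the virtual path /student01 and the control names (lblIdentity, lblStatus, fuUpload, btnUpload) are assumptions; substitute your own.

```csharp
// Added example, not the course's own code.
//
// Web.config fragment (inside <system.web>), with assumed account values.
// With userName/password present, every request runs as that fixed account;
// with only impersonate="true", ASP.NET impersonates the browser user instead.
//
//   <identity impersonate="true" userName="WARP\student01" password="..." />
//
// Do not leave the password in clear text. Encrypt that section in place:
//
//   aspnet_regiis -pe "system.web/identity" -app "/student01"
//
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class UploadDemo : Page
{
    // The only folder this page is allowed to write into (assumed name).
    private const string WritableFolder = "~/WritableData";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Which Windows account is actually executing this request?
        // Without impersonation you should see NT AUTHORITY\NETWORK SERVICE;
        // with the <identity> element above you should see WARP\student01.
        lblIdentity.Text = WindowsIdentity.GetCurrent().Name;
    }

    protected void btnUpload_Click(object sender, EventArgs e)
    {
        if (!fuUpload.HasFile)
        {
            lblStatus.Text = "No file selected.";
            return;
        }

        try
        {
            // fuUpload.FileName is supplied by the browser and may contain
            // a directory part, so it is never used as-is.
            string path = SafePathFor(fuUpload.FileName);
            fuUpload.SaveAs(path);
            lblStatus.Text = "Saved " + Path.GetFileName(path);
        }
        catch (UnauthorizedAccessException)
        {
            // The executing identity has no Modify permission on the folder:
            // check the <identity> element and the folder's ACL.
            lblStatus.Text = "Write denied for " + WindowsIdentity.GetCurrent().Name;
        }
        catch (ArgumentException ex)
        {
            lblStatus.Text = ex.Message;
        }
    }

    // Build a full path inside WritableFolder and reject anything that would
    // land outside it (e.g. "..\Web.config" or an absolute path).
    private string SafePathFor(string userFileName)
    {
        string root = Path.GetFullPath(Server.MapPath(WritableFolder));
        string name = Path.GetFileName(userFileName);   // drops any directory part

        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new ArgumentException("Invalid file name.");
        }

        // Second check, in case the combined path still resolves elsewhere.
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root + Path.DirectorySeparatorChar,
                             StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("File name escapes the writable folder.");
        }

        return full;
    }
}
```

Two points to check when you try this in your own site: first, load the page before and after adding the <identity> element and confirm that lblIdentity changes from NETWORK SERVICE to the impersonated account, which proves impersonation is actually in effect; second, grant the impersonated account Modify on WritableData only, so that a bad upload cannot overwrite Web.config or your .aspx files.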

 

Categories: 2010 Winter BTI420