Application Security Testing: An Integral Part of DevOps
Suppose you are developing a new web site and want to implement forms authentication. The web site will have a user registration page, a login page, and one or more pages that you must secure. The user registration and login pages use ASP.NET AJAX for an enhanced user experience. Also, the site must capture details such as birth date and address at the time of registration. This information is to be stored in the Profile of the user.
To develop a web site that fulfills all the above requirements, begin by creating a new ASP.NET AJAX-enabled web site with C# (see Figure 1).
Figure 1. Creating a New ASP.NET AJAX-enabled Web Site
Configuring the Web Site
Before you begin coding, configure the web site for forms authentication as well as the Membership and Profile services. Open the web.config file in your Visual Studio IDE and add the following markup inside the connectionStrings section:
<connectionStrings>
  <add name="connstr"
       connectionString="data source=.\sqlexpress; initial catalog=northwind; integrated security=true"
       providerName="System.Data.SqlClient"/>
</connectionStrings>
You specified a database connection string named connstr that points to a Northwind database. Make sure to change the connection string to match your development environment. I assume that your database is configured for application services using the aspnet_regsql.exe tool. You will use this connection string while configuring membership and profile providers.
Now, add the following markup inside the system.web section:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx"></forms>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
  <membership defaultProvider="p1">
    <providers>
      <add name="p1" connectionStringName="connstr"
           type="System.Web.Security.SqlMembershipProvider"
           requiresQuestionAndAnswer="false"/>
    </providers>
  </membership>
  <profile defaultProvider="p2">
    <providers>
      <add name="p2" connectionStringName="connstr"
           type="System.Web.Profile.SqlProfileProvider"/>
    </providers>
    <properties>
      <add name="FullName"/>
      <add name="DOB" type="System.DateTime"/>
      <group name="Address">
        <add name="Street"/>
        <add name="Country"/>
        <add name="PostalCode"/>
      </group>
    </properties>
  </profile>
</system.web>
Review the above markup carefully, and you'll notice the following:
- The authentication section sets the authentication mode to Forms. The forms tag sets the URL of the login page by using the loginUrl attribute.
- The authorization section disables anonymous users by setting the users attribute of the deny tag to "?".
- The membership section configures a membership provider named p1. (You can change this to any name you choose.)
- The connectionStringName attribute specifies the database that will be used for storing membership information.
- The type attribute indicates the class that will act as the membership provider. You use the built-in SQL Membership provider called SqlMembershipProvider.
- The requiresQuestionAndAnswer attribute indicates that you do not intend to accept a secret question and answer from the end user at the time of registration.
- The profile section configures a profile provider named p2 and various profile properties. The connectionStringName and type attributes have the same meaning as in the membership section. Note, however, that this time the type is the SqlProfileProvider class. The properties section defines profile properties and groups.
- You defined two simple properties called FullName and DOB and a property group called Address. The Address group further contains three properties: Street, Country, and PostalCode. The DOB property is of type DateTime; therefore, its type attribute is set to System.DateTime.
Now that you have configured your web site for forms authentication and membership services, it's time to expose the Membership and Profile services to the client-side AJAX code. The web.config file has a pre-defined section called webServices. By default, all of its content is commented out. You need to un-comment and modify it so that it looks as shown below:
<webServices>
  <authenticationService enabled="true" requireSSL="false"/>
  <profileService enabled="true"
      readAccessProperties="FullName,DOB,Address.Street,Address.Country,Address.PostalCode"
      writeAccessProperties="FullName,DOB,Address.Street,Address.Country,Address.PostalCode"/>
</webServices>
The authenticationService tag exposes forms authentication and membership services to AJAX code. The enabled attribute governs whether AJAX code can use the membership services at all. The requireSSL attribute indicates whether the authentication service will only accept requests made over SSL; with it set to "false", as here, credentials may travel over plain HTTP. Similarly, the Profile service is exposed to AJAX code by using the profileService tag. The readAccessProperties and writeAccessProperties attributes of the profileService tag specify the profile properties that are readable and writable, respectively. Notice how the grouped properties are specified using the dot (.) notation. If you do not include a specific profile property in these attributes, it will not be accessible to the client code.
Applying forms authentication ensures that all the forms of the web site except the login page are secured. However, you want your registration page to be unsecured because new users will need to access it. Do this by adding a location section in the web.config file as shown below:
<location path="register.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
The path attribute of the location tag specifies the virtual path of the file or folder being configured. The authorization section inside it, with its allow tag set to "*", then grants access to all users for that path only, overriding the site-wide deny rule.
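The following Python script is an added example, not code from the original article, and checks a web.config for the settings the three fragments above depend on: that authentication mode is Forms with a loginUrl, that the root authorization denies anonymous users, that each provider's connectionStringName exists, that the authentication service is not exposed with requireSSL="false", that every property named in readAccessProperties/writeAccessProperties (dotted group notation included) is actually defined under the profile properties, and which location overrides are reachable without logging in. The embedded web.config is constructed to mirror the article's markup, with one deliberately undefined property (Address.City) to exercise the check; the function names are assumptions, and webServices is located by tag name, so where the AJAX template nests it does not matter.

```python
# Added example: audit the forms-authentication / AJAX service settings in a web.config.
# Sample configuration below is constructed (Address.City is intentionally undefined).
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="connstr" providerName="System.Data.SqlClient"
         connectionString="data source=.\sqlexpress; initial catalog=northwind; integrated security=true"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Login.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
    <membership defaultProvider="p1"><providers>
      <add name="p1" connectionStringName="connstr" requiresQuestionAndAnswer="false"
           type="System.Web.Security.SqlMembershipProvider"/>
    </providers></membership>
    <profile defaultProvider="p2">
      <providers><add name="p2" connectionStringName="connstr" type="System.Web.Profile.SqlProfileProvider"/></providers>
      <properties>
        <add name="FullName"/>
        <add name="DOB" type="System.DateTime"/>
        <group name="Address"><add name="Street"/><add name="Country"/><add name="PostalCode"/></group>
      </properties>
    </profile>
  </system.web>
  <system.web.extensions><scripting><webServices>
    <authenticationService enabled="true" requireSSL="false"/>
    <profileService enabled="true"
        readAccessProperties="FullName,DOB,Address.Street,Address.Country,Address.PostalCode,Address.City"
        writeAccessProperties="FullName,DOB,Address.Street,Address.Country,Address.PostalCode"/>
  </webServices></scripting></system.web.extensions>
  <location path="register.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""


def descend(elem, *tags):
    """Walk down one child tag per step; return None as soon as a step is missing."""
    for tag in tags:
        if elem is None:
            return None
        elem = elem.find(tag)
    return elem


def split_property_list(value):
    """Split a readAccessProperties/writeAccessProperties value into clean names."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def defined_profile_properties(root):
    """Dotted names of every property under <profile><properties>, groups included."""
    names = set()
    props = descend(root, "system.web", "profile", "properties")
    for child in (props if props is not None else []):
        if child.tag == "add":
            names.add(child.get("name"))
        elif child.tag == "group":
            for member in child.findall("add"):
                names.add(f"{child.get('name')}.{member.get('name')}")
    return names


def audit_web_config(xml_text):
    """Return (severity, message) findings for the forms-auth and AJAX service setup."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = descend(root, "system.web", "authentication")
    forms = descend(auth, "forms")
    if auth is None or auth.get("mode") != "Forms":
        findings.append(("error", "authentication mode is not Forms"))
    elif forms is None or not forms.get("loginUrl"):
        findings.append(("error", "forms element has no loginUrl"))
    # The site-wide <authorization> must deny anonymous users ("?").
    root_authz = descend(root, "system.web", "authorization")
    denies = [] if root_authz is None else [d.get("users") for d in root_authz.findall("deny")]
    if "?" not in denies:
        findings.append(("error", "root authorization does not deny anonymous users"))
    # Each provider's connectionStringName must exist in <connectionStrings>.
    conn_names = {a.get("name") for cs in root.iter("connectionStrings") for a in cs.findall("add")}
    for section in ("membership", "profile"):
        providers = descend(root, "system.web", section, "providers")
        for prov in ([] if providers is None else providers.findall("add")):
            if prov.get("connectionStringName") not in conn_names:
                findings.append(("error", f"{section} provider {prov.get('name')} uses an unknown connection string"))
    # An enabled authentication service without requireSSL accepts credentials over plain HTTP.
    for svc in root.iter("authenticationService"):
        if svc.get("enabled") == "true" and svc.get("requireSSL", "false").lower() != "true":
            findings.append(("warning", 'authenticationService is exposed with requireSSL="false"'))
    # Every property exposed to client script must resolve to a defined profile property.
    defined = defined_profile_properties(root)
    for svc in root.iter("profileService"):
        for attr in ("readAccessProperties", "writeAccessProperties"):
            for name in split_property_list(svc.get(attr)):
                if name not in defined:
                    findings.append(("error", f"{attr} lists undefined profile property {name}"))
    # Report every path that a <location> override opens to users who are not logged in.
    for loc in root.findall("location"):
        authz = descend(loc, "system.web", "authorization")
        allows = [] if authz is None else [a.get("users") for a in authz.findall("allow")]
        if "*" in allows or "?" in allows:
            findings.append(("info", f"location {loc.get('path')} is reachable without logging in"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{severity:8} {message}")
```

Run against the sample it reports the requireSSL warning, the undefined Address.City property and the anonymous register.aspx override; once requireSSL is set to "true" and the stray property is removed, only the informational line about register.aspx remains, which is exactly the one anonymous path the article intends.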
This completes the web site configuration. Now, you will move on to develop the required web forms.