DotNetDubai

Regular Expressions in .Net

2005-12-05T13:07:00.000-08:00

Regular Expressions

Regular expressions have been widely popular in languages such as PERL and AWK and have been utilized for pattern matching, text manipulation and text searching. These languages are specifically is known for its advanced pattern matching features. Dot Net regular expressions are based on that of Perl and are compatible with Perl 5 regular expressions.

To begin with, they are not as complex as they look, especially if you start experimenting with them. I would recommend that you download a tool such as Expresso (http://www.ultrapico.com/), to become familiar with regular expressions.

Regular Expression Elements

Some of the commonly used regular expression elements are:

^	Matches start of input
$	Matches end of input
.	Matches any character except new line
\|	OR
*	Match the preceding expression 0 or more number of times
+	Match the preceding expression 1 or more number of times
?	Match the preceding expression 0 or 1 number of times
()	Logical group / sub-expression (capture as auto number group)
(?(exp))	Named capture group
(?=exp)	Match any position preceding a suffix exp
(?<=exp)	Match any position following a prefix exp
(?!exp)	Match any position after which exp is not found
(?	Match any position before which exp is not found
[…]	List of characters to match
[^expression]	Not containing any of the specified character
{n} or {n. m}	Quantifier (Match exact number or range of instances)
(?(exp (yes\|no))	If expression (exp) is true match yes part else no part
\	Escape character (to match any of the special characters)
\w	Match any word character
\W	Match any non-word character
\s	Match any white space character
\S	Match any non-white space character
\d	Match any numeric digit
\D	Match any numeric digit
\b	Match a backspace if in character matching mode ([]). Otherwise match the position at beginning or end of a word
\t	Match tab
\r	Match carriage return
\n	Match line feed

The following are matching substitutions:

num	Substitute last substring matched by group number num
${name}	Substitute last substring matched by group name
$&	Substitute a copy of entire text itself
$`	Substitute all the text of the input string before match
$’	Substitute all the text of the input string after match
$+	Substitute last matched group
$_	Substitute input string
$$	Substitute literal $

Regular expressions could also be used to find repeating patterns by making use of backreferencing, using which you can name a pattern found and then use that reference elsewhere in expression. This naming of patterns is also useful in case we need to parse a string like free form date or time strings.

Some Example Regular Expressions

Match a word - \btest\b
Match all 6 letter words - \b\w{6}\b
Match all 6 digit numbers - \b\d{6}\b
Match any number \b\d+\b

Instead of giving loads of examples here, I suggest that you download Expresso and check its analyzer view for detailed analysis of the regular expression.

Regular Expressions in .Net

As already discussed, .Net regular expressions are based on that of Perl and are compatible with Perl 5 regular expressions. Dotnet contains a set of powerful classes that makes it even easier to use regular expressions. The classes are available in the System.Text.RegularExpressions namespace.

How to validate an input string in .Net

Create a Regex object ‘RegexObj’
Call RegexObj.IsMatch (subjectString ), which will return a Boolean showing validity of input string

How to perform regular expression substitution (search and replace) in .Net

Create a Regex object ‘RegexObj’
Call RegexObj.Replace ( subjectString, replaceString ), which will return a Boolean showing validity of input string

How to parse an input string in .Net

Create a Regex object ‘RegexObj’, make sure to name the expressions
Call RegexObj.Match ( subjectString ), which will return a list of matches in the input string as per the match regular expression
Iterate through the matches to perform post parsing

Free form time parsing function in DotNet

For an example, I have developed a simple free format time parser. I have provided the code and details in this code project article.

References and Further

Security Practices: ASP.NET 2.0 Security Practices at a Glance

2005-12-05T03:08:00.000-08:00

Summary
This module presents a set of consolidated practices designed to address ASP.NET version 2.0 security issues. The answers and recommendations presented in this module are designed to supplement the companion modules and additional guidance. The practices are organized by various categories that represent those areas where mistakes are most often made. This module includes an index of practices.
Contents
How to Use This Module What's New in 2.0 Index of Practices Auditing and Logging Authentication Authorization Code Access Security Configuration Data Access Exception Management Impersonation and Delegation Input and Data Validation Secure Communication Sensitive Data Companion Guidance Additional Resources
How to Use This Module
To get the most from this module:
Use the index to browse the practices. Scan across the practices and quickly jump to a specific practice.
Learn the practices. Learn the key items, terms, and relationships among the various practices.
Use the companion guidance for further details. The referenced How To modules and guideline modules can be used to obtain further details and step-by-step instructions to help you implement solutions.
What's New in 2.0
The .NET Framework version 2.0 and ASP.NET version 2.0 introduce many new security features. The most notable enhancements for ASP.NET Web applications are:
Forms authentication and membership. You can now use forms authentication with the new membership feature and membership API. The membership feature supports a provider model, with the SqlMembershipProvider for SQL Server databases and ActiveDirectoryMembershipProvider for Active Directory and Active Directory Application Mode (ADAM) stores provided as built-in providers. You can also create custom providers for your custom user stores. You no longer have to create your own custom databases and write your own custom authentication code.
Role manager. The new role management feature provides secure role storage and an API for managing and checking role membership. The role manager supports a provider model. The supplied providers are:
The SqlRoleProvider for SQL Server role stores.
The WindowsTokenRoleProvider used with Windows authentication, which uses Windows groups as roles.
The AuthorizationStoreRoleProvider, which uses Windows Server 2003 Authorization Manager for managing roles in Active Directory or ADAM.
DPAPI managed wrapper. The .NET Framework version 2.0 provides a set of managed classes to access the Win32 Data Protection API (DPAPI). Code requires the DataProtectionPermission to be able to use DPAPI.
Configuration file changes. Machine-wide configuration settings for all Web applications on a server are now maintained in a machine-level Web.config file instead of Machine.config. The machine-level Web.config file is located in the \Windows\Microsoft.NET\Framework\{version}\CONFIG directory.
Configuration file encryption. ASP.NET version 2.0 introduces a Protected Configuration feature to enable you to encrypt sections of your Machine.config and Web.config files by using either DPAPI or RSA encryption. This is particularly useful for encrypting connection strings and account credentials.
Health monitoring. ASP.NET version 2.0 introduces a health monitoring system. It supports many standard events that you can use to monitor the health of your application. Examples of security-related events that are automatically generated include logon failures and successes when using the ASP.NET membership system, attempts to tamper with or reuse forms authentication tickets, and infrastructure events such as disk access failures. You can also create custom events to instrument your application for other security and non-security related notable events.
Code access security. The SQL Server managed data provider no longer demands Full trust. This means that Medium trust Web applications can now access SQL Server databases by using this provider. Also, in version 2.0, SmtpPermission is available at Full, High, and Medium trust levels. This allows partial trust Web applications to send e-mail.
Machine key enhancements. The now supports a decryption attribute that specifies the symmetric encryption algorithm used to encrypt and decrypt forms authentication tickets. ASP.NET version 2.0 provides support for AES symmetric encryption, which is used by default, in addition to DES and 3DES.
Index of Practices
Auditing and Logging
How to use health monitoring in ASP.NET
How to write to the event log
Authentication
How to choose between Windows authentication and forms authentication
How to use Windows authentication in ASP.NET
How to use Kerberos authentication in ASP.NET
How to use forms authentication in ASP.NET
How to protect forms authentication
How to use membership in ASP.NET 2.0
How to use forms authentication with SQL Server
How to use forms authentication with Active Directory
How to use forms authentication with Active Directory in multiple domains
How to enforce strong passwords using membership
How to configure account lockout using membership
How to enable password reset using ActiveDirectoryMembershipProvider
Authorization
How to perform authorization in ASP.NET
How to perform role-based authorization in code
How to use role manager in ASP.NET
How to use Windows groups for role authorization
How to use Authorization Manager in ASP.NET
How to cache roles in ASP.NET
How to configure URL authorization in Web.config
How to lock authorization settings
Code Access Security
How to use code access security in ASP.NET
How to use custom trust levels with code access security in ASP.NET
How to run in Medium trust
Configuration
How to encrypt sensitive data in Machine.config and Web.config
How to choose between machine and user key storage
How to use DPAPI with a user store to encrypt a connection string in Web.config
How to use RSA with a user-level key container to encrypt a connection string in Web.config
How to run an ASP.NET application with a particular identity
How to create a service account for ASP.NET
How to configure the machine key in Web farms
How to lock configuration settings
Data Access
How to protect database connection strings
How to access a database from ASP.NET
How to use Windows authentication to connect to SQL Server
How to access SQL Server by using SQL authentication
How to use the Network Service account to connect to SQL Server
How to prevent SQL injection
Exception Management
How to handle exceptions securely
How to prevent detailed errors from returning to the client
How to use structured exception handling
How to create a global error handler for your application
How to specify a default error page
Impersonation and Delegation
How to choose between trusted subsystem and impersonation/delegation
How to impersonate the original caller
How to temporarily impersonate the original caller
How to use protocol transition and constrained delegation in ASP.NET
Input and Data Validation
How to validate input in ASP.NET
How to validate input in server controls
How to validate input in HTML controls, QueryString, cookies, and HTTP headers
How to prevent cross site scripting
Secure Communication
How to choose between IPSec and SSL
How to secure communication between browser clients and Web server
How to secure communication between servers
Sensitive Data
How to protect sensitive data in a database
How to encrypt configuration data in a Web farm
How to protect ViewState
How to protect passwords
Auditing and Logging
How to use health monitoring in ASP.NET
You can use the health monitoring feature introduced in ASP.NET version 2.0 to instrument key application events. You can choose where to log events by configuring an appropriate provider. You can instrument built-in events or create custom events by deriving from one of the provided base events to monitor specific business logic or operations in your Web application. By default, health monitoring tracks all Web infrastructure error events (inheriting from System.Web.Management.WebErrorEvent) and all audit failure events (inheriting from System.Web.Management.WebFailureAuditEvent). You need to identify the additional security-related events that you want to instrument.
To configure health monitoring:
In Web.config, configure the events that you want to instrument by using the element, specifying a user friendly name and type of the event. You can configure event mappings for custom events and for any of the standard events in System.Web.Management, such as WebFailureAuditEvent and WebAuthenticationFailureAuditEvent.
Configure the provider that you want to use as your event sink by using a element, specifying a user friendly name and type of the provider. Providers are supported for SQL Server, the Windows event log, WMI, e-mail, and trace. You can also create custom providers.
Configure the element by specifying the following:
minInstances. This is the minimum occurrences after which the event should be logged.
maxLimit. This is the maximum limit for the occurrences to be logged.
minInterval. This is the minimum interval between which the same event can be logged.
Note that this is optional because you can specify the same information in a configuration. By using a element, you benefit from reuse because you can use the same profile for multiple different rules.
Configure the element, specifying the event name, the provider name, and the profile name. You can specify the profile to be used or you can configure the profile information for a rule by setting the minInstances, maxLimit and minInterval directly on the element.
The following configuration file example shows the structure of a typical health monitoring configuration.

.....

...
...
...
...
...

.....

For more information, see How To: Use Health Monitoring in ASP.NET 2.0.
How to write to the event log
By default, ASP.NET applications that run under the default Network Service identity can write to the Windows event log by using an existing event source, but they cannot create new event sources. To create an event source, your ASP.NET account needs permissions to create a new registry entry beneath the following key: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\.
To enable your ASP.NET application to write to the event log using its own event source, you have two options:
Grant your ASP.NET process account (or impersonated identity if your application uses impersonation) permissions on the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\.
Create the event source at application install time when administrator privileges are available. You can use a .NET installer class, which can be instantiated by the Windows Installer (if you are using .msi deployment) or by the InstallUtil.exe system utility.
Note When you use the event log provider with ASP.NET health monitoring, events are logged by using an event source named "ASP.NET xxxxxx" where xxxxxx represents the .NET Framework version number. This event source is created when you install the .NET Framework. This is not configurable and you cannot change the event source used by health monitoring events.
For more information on auditing and logging, see How To: Instrument ASP.NET 2.0 Applications for Security.
Authentication
How to choose between Windows authentication and forms authentication
Use Windows authentication when you can because it provides secure credential management, password policies, and user account management tools.
To choose between Windows authentication and forms authentication:
If your user accounts are in Active Directory or are local accounts, use Windows authentication if you can.
If you cannot use Windows authentication to your Active Directory store, use forms authentication to Active Directory, and use the ActiveDirectoryMembershipProvider.
If your user accounts are in a SQL Server database, use forms authentication to SQL Server, by using the SqlMembershipProvider.
If your user accounts are in ADAM, use forms authentication to ADAM, by using the ActiveDirectoryMembershipProvider.
If your user accounts are in a store other than the previously listed stores, create a custom membership provider and configure forms authentication to use it.
How to use Windows authentication in ASP.NET
To use Windows authentication in ASP.NET, you must use Microsoft Internet Information Services (IIS) to disable anonymous access and configure a Windows-based authentication method for your Web application's virtual directory. You are generally recommended to use Windows integrated authentication, but you can also use Basic, Digest, or client certificate authentication. You must also ensure that the mode attribute on the element is set to "Windows" (the default setting) in your Web.config file.
For more information, see How To: Use Windows Authentication in ASP.NET 2.0.
How to use Kerberos authentication in ASP.NET
To use Kerberos authentication to authenticate the end users of your Web application, all computers must be in a Windows Server 2000 or later domain. Your clients must be using Internet Explorer version 5.5 or later. Your application's virtual directory must be configured for Integrated Windows authentication and anonymous access must be disabled. You must set in your Web.config file.
If you run your application using a domain service account, you must register a service principal name (SPN) for that account in Active Directory to associate the account with the HTTP service on the Web server. To register an SPN, use the Setspn.exe utility as follows:
setspn -A HTTP/webservername domain\customAccountName
setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName
Note that you cannot have multiple Web applications with the same host name if you want them to have multiple identities and to use Kerberos authentication. This is an HTTP limitation, not a Kerberos limitation. The workaround is to have multiple Domain Name System (DNS) names for the same host, and start the URLs for each Web application with a different DNS name. For example, you would use http://app1 and http://app2 instead of http://site/app1 and http://site/app2.
Note: By default, Integrated Windows authentication is not enabled in Internet Explorer 6.
If your clients run Internet Explorer 6, you must enable the browser to respond to a negotiate challenge and perform Kerberos authentication. To do this, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser. Administrators can enable Integrated Windows authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
How to use forms authentication in ASP.NET
In the machine-level Web.config file or your application's Web.config file, set the mode attribute on the element to "Forms". In IIS, ensure that your Web site is configured for anonymous access. Deny unauthenticated users access to your Web site by configuring URL authorization. To do this, create an element in Web.config with .
ASP.NET 2.0 introduces the membership feature. This feature simplifies forms authentication and reduces the amount of code you need to write. For more information, see How to Use Membership in ASP.NET 2.0.
How to protect forms authentication
Use Secure Sockets Layer (SSL) to protect the forms authentication credentials and the forms authentication cookie passed from browser to server. Ensure that the authentication cookie is passed only over HTTPS connections. Encrypt and integrity check the authentication cookie, do not persist it on the client computer, and do not use it for personalization purposes; use a separate cookie for personalization. Set the httpOnly cookie attribute to protect cookie information being accessed by client script. A secure element configuration is shown here.

For new site designs, consider creating a separate subfolder for those pages that require authenticated and SSL-based access. If you cannot use SSL, consider reducing the cookie lifetime by reducing the timeout value to minimize the time window within which an attacker can use a captured authentication cookie to access your site. If you are in a scenario where you are concerned about cookie hijacking, consider reducing the timeout and setting slidingExpiration="false". If sliding expiration is turned off, the authentication cookie expires after the time out period irrespective of whether or not the user is active. After the timeout period, the user must re-authenticate.
Also ensure that your credential management is secure. Enforce strong passwords and protect your authentication login form against SQL injection attacks by validating and constraining input credentials, and by using parameterized stored procedures while accessing the user store. Secure the connection string that points to your user store for example by encrypting the connectionStrings section in your Web.config file. Do not store plaintext or encrypted passwords in your user store. Store non-reversible password hashes instead. For more information, see How To: Protect Forms Authentication in ASP.NET 2.0.
How to use membership in ASP.NET 2.0
To configure membership, you need to define a connection string to point to the provider store and configure your provider definition in the Web.config file.
To configure membership:
Configure your application for forms authentication by setting
Add a connection string to the section to point to your user store. If you are using the ActiveDirectoryMembershipProvider, this is a Lightweight Directory Access Protocol (LDAP) query string pointing to your user container in Active Directory or ADAM. If you are using the SqlMembershipProvider, this is a database connection string that points to your user store database.
Add a section to configure your chosen membership provider.
Configure the specific provider by creating a section beneath the element in your application's Web.config. The membership system supports a number of different providers:
If your user accounts are in Active Directory or ADAM, use the ActiveDirectoryMembershipProvider.
If your user accounts are in SQL Server, use SqlMembershipProvider.
If your user accounts are in a store other than those previously listed, create a custom membership provider by inheriting from the MembershipProvider base class.
Set the defaultProvider attribute on the element to your chosen provider.
To validate and manage users, use the Membership API (for example, Membership.CreateUser and Membership.ValidateUser) or use the Login controls, which automatically use your membership configuration.
How to use forms authentication with SQL Server
To use forms authentication against a SQL Server user store, you use the SqlMembershipProvider.
To use this provider:
Create the membership SQL Server database by using the Aspnet_regsql tool.
Create a SQL Server login for your ASP.NET application's process identity (or impersonated identity if your application uses impersonation) and grant it the appropriate permissions in the membership database.
Establish a connection string in Web.config that points to the membership database.
Configure the element in Web.config for SqlMembershipProvider, specifying at least the connection string name and an application name. The membership system subdivides the membership database by application name.
Set the defaultProvider attribute on element to the configured provider name.
Configure password complexity rules if you need to override the defaults, which ensure a minimum length of 7 characters with one of them being non-alphanumeric.
A typical SQLMembershipProvider configuration is shown here.

...

For more information, see How To: Use Forms Authentication with SQL Server in ASP.NET 2.0.
How to use forms authentication with Active Directory
To use forms authentication with Active Directory, you use the ActiveDirectoryMembershipProvider.
To use this provider:
Configure a connection string in Web.config that contains an LDAP query string that points to your user's container in Active Directory.
Configure the element in your Web.config file for ActiveDirectoryMembershipProvider specifying at least the connection string name and optionally the credentials of an account capable of accessing Active Directory with the necessary permissions. If you do not specify account credentials, your application's process identity is used to access Active Directory, regardless of whether your application uses impersonation. Either the account specified in the Web.config file or your process account must have the appropriate permissions to access Active Directory.
Set the defaultProvider attribute on element to the configured provider name.
A typical ActiveDirectoryMembershipProvider configuration is shown here.

...

\administrator">connectionPassword="password"/>

...

For more information, see How To: Use Forms Authentication with Active Directory in ASP.NET 2.0.
How to use forms authentication with Active Directory in multiple domains
Create a custom login page by using text boxes and buttons. You cannot use the ASP.NET version 2.0 login controls in a multiple domain scenario.
Configure your application for forms authentication in the Web.config file.

Deny unauthenticated access to your Web application.

Add a connection string to point to the relevant users container in the domain controller for each domain.

...

Configure the membership element and the ActiveDirectoryMembership providers in the Web.config file to point to each domain.

...

Note that the preceding example assumes you are working in a test domain and specific credentials are specified to connect to your Active Directory. If you do include credentials, you should encrypt them by using the Aspnet_regiis.exe utility. If you do not specify credentials, your application's process identity is used to connect to Active Directory.
Authenticate users against the appropriate domain controller. You can obtain the domain controller name from the domain component of the supplied user name. The following example assumes that the user supplies a UPN of the form username@domainname.com. string[] partsOfUserName =
UserNameTextBox.Text.Split("@".ToCharArray());
string domainName = partsOfUserName[1];
MembershipProvider domainProvider;
switch (domainName)
{
case "TestDomain1.test.com":
domainProvider = Membership.Providers["TestDomain1ADMembershipProvider"];
break;
case "TestDomain2.test.com":
domainProvider = Membership.Providers["TestDomain2ADMembershipProvider"];
break;
default:
throw(new Exception("This domain is not supported"));
}
if (domainProvider.ValidateUser(UserNameTextBox.Text,
PasswordTextBox.Text))
{
if (Request.QueryString["ReturnUrl"] != null)
{
FormsAuthentication.RedirectFromLoginPage(UserNameTextBox.Text,
false);
}
else
{
FormsAuthentication.SetAuthCookie(UserNameTextBox.Text, false);
}
}
else
{
Response.Write("Invalid UserID and Password");
}

For more information, see How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0.
How to enforce strong passwords using membership
You can strengthen user password requirements by configuring the attributes minRequiredPasswordLength, minRequiredNonAlphanumericCharacters, and passwordStrengthRegularExpression on your membership provider configuration.
If you are using the SqlMembershipProvider, the default password strength is set to a minimum password length of 7 characters with at least one non-alphanumeric character.
If you are using the ActiveDirectoryMembershipProvider with Active Directory, your domain password policy is used by default, although you can further strengthen password policy by overriding this with your membership configuration by using the attributes listed earlier. Similarly, if you are using ActiveDirectoryMembershipProvider with ADAM, your local password policy is used, although you can override this with your membership configuration.
For more information, see How To: Protect Forms Authentication in ASP.NET 2.0.
How to configure account lockout using membership
If you are using the SqlMembershipProvider, you use the maxInvalidPasswordAttempts and passwordAttemptWindows attributes. By default, these values are 5 and 10, respectively. This means you get 5 invalid attempts within 10 minutes before you are locked out.
If you are using the ActiveDirectoryMembershipProvider, your domain or local security policy controls the password lockout. Note that if an account is locked out by the provider, it is not locked out within Active Directory, so you could still log on to Windows with the account. However, the ActiveDirectoryMembershipProvider treats the account as locked out, so the user cannot logon through an application that uses the provider until the lockout duration elapses. Accounts locked out by the provider are re-enabled after a time interval defined by the attributeMapFailedPasswordAnswerLockoutTime attribute. Alternatively, you can write code that calls the UnlockUser method on the MembershipUser object.
How to enable password reset using ActiveDirectoryMembershipProvider
The ActiveDirectoryMembershipProvider class supports password reset security by requiring the user to answer a question that was provided along with an answer when the account was initially created.
To enable password reset:
Extend your Active Directory schema to add new attributes to the built-in User class. To extend the User class:
Add two single-valued attributes of type string to hold the password question and password answer.
Add three new attributes to store tracking data used to manage account lockout, a single-valued attribute of type integer to track the failed answer count, a single-valued attribute of type Large integer/interval to hold the last time at which an invalid answer was supplied by the user while attempting to reset their password, and a single-valued attribute of type Large integer/interval to hold the time at which the account was locked out because of a succession of bad password answers being provided.
Configure your element in Web.config for the ActiveDirectoryMembershipProvider. Set enablePasswordReset and requiresQuestionAndAnswer to true. Also set the series of mapping attributes to establish mappings to the extended Active Directory User object attributes that you created. Mapping attributes include attributeMapUsername, attributeMapPasswordQuestion, attributeMapPasswordAnswer, attributeMapFailedPasswordAnswerCount, attributeMapFailedPasswordAnswerTime, and atributeMapFailedPasswordAnswerLockoutTime.
Your provider configuration to support password resets should look similar to the one here.

Set the PasswordRecoveryText and PasswordRecoveryURL on your Login control. Set the URL to a page that contains a PasswordRecovery control. If a user has forgotten a password, he or she can click the password recovery text link on the Login control and then enter a user name. The PasswordRecovery control then prompts the user with the predetermined question. On submission of the correct answer, the ActiveDirectoryMembershipProvider resets the user's password to a randomly created password value of an appropriate strength, and then it sends an e-mail message to the user with the new password. The e-mail address is usually supplied during registration.
Authorization
How to perform authorization in ASP.NET
After you authenticate the caller, you can authorize the user prior to performing restricted operations or accessing restricted resources. ASP.NET attaches a User object (which implements an IPrincipal interface) to the current HTTP context (HttpContext.User) and you use that as the basis for your authorization checks. Administrators can configure authorization in Web.config or you can authorize the caller programmatically in code. Authorization options include:
FileAuthorization. For file types mapped by IIS to the ASP.NET ISAPI extension (Aspnet_isapi.dll), automatic access checks are performed using the authenticated user's Windows access token (which may be IUSR_MACHINE for anonymous users) against the access control list (ACL) attached to the requested ASP.NET file. The FileAuthorizationModule class only performs access checks against the requested file. For example, if you request Default.aspx and it contains an embedded user control (Usercontrol.ascx), which in turn includes an image tag (pointing to Image.gif), the FileAuthorizationModule performs an access check for Default.aspx and Usercontrol.ascx, because these file types are mapped by IIS to the ASP.NET ISAPI extension. The FileAuthorizationModule does not perform a check for Image.gif, because this is a static file handled internally by IIS. However, because access checks for static files are performed by IIS, the authenticated user must still be granted read permission to the file with an appropriately configured ACL.
UrlAuthorization. By configuring the element in Web.config, administrators can authorize the user held in the HttpContext.User object. You can authorize the user based on the user's name or based on the user's role membership. ASP.NET version 2.0 on Windows Server 2003 protects all files in a directory, even those not mapped to ASP.NET, such as .html, .gif, and .jpg files.
Role checks in code. You can call User.IsInRole or Roles.IsUserInRole methods for fine grained authorization logic in code. Alternatively, you can use PrincipalPermission demands to ensure that the caller is a specific identity or a member of a particular role.
For more information, see How to perform role-based authorization in code and How to configure URL authorization in Web.config in this topic.
How to perform role-based authorization in code
You can perform role-based authorization in code either by performing explicit role checks (User.IsInRole or Roles.IsUserInRole) or by using PrincipalPermission demands. You can do the latter either imperatively in the body of a method or declaratively by adding attributes to your classes and methods. You often need to perform role-based authorization in code when you need additional run-time variables to be able to construct the required authorization logic. For example, authorization might be dependent on a user being a member of the Manager role and a transaction amount not exceeding a particular limit.
To use explicit role checks:
Use the IPrincipal interface of the user object attached to the current HTTP request. This approach works with ASP.NET versions 1.0, 1.1 and 2.0. if(User.IsInRole("Manager"))
// Perform restricted operation
else
// Return unauthorized access error

Alternatively, use Role Manager APIs introduced in ASP.NET version 2.0, which support a similar Roles.IsUserInRole method, as shown here. if(Roles.IsUserInRole("Manager"))
// Perform restricted operation
else
// Return unauthorized access error

The preceding code tests whether the currently authenticated user is a member of a particular role. You can also test whether any given user is a member of a role, as follows. if(Roles.IsUserInRole("Bob", "Manager"))
// Perform restricted operation
else
// Return unauthorized access error

Note To use the Role Manager API, you must enable the role manager feature and configure an appropriate role store. The following Web.config file configuration enables role manager and uses the built-in WindowsTokenRoleProvider. This provider is for use with Windows authentication, where Windows groups are used as roles.

To use PrincipalPermission demands:
Construct a PrincipalPermission object and call its Demand method to perform authorization.
For fine grained authorization, call PrincipalPermission.Demand within code as shown here. // Imperative checks
PrincipalPermission permCheckUser = new PrincipalPermission("Bob", null);
permCheckUser.Demand();

Alternatively, you can decorate your classes or methods with the PrincipalPermissionAttribute as shown here. [PrincipalPermission(SecurityAction.Demand, Role="Manager")]

The advantage of this approach is that the security requirements of your methods are visible to tools such as Permview.exe.
How to use role manager in ASP.NET
Role manager is new feature introduced in ASP.NET 2.0 for role-based authorization.
To use the role manager feature in an ASP.NET application, you need to do the following:
Add a element beneath the section of your application's Web.config file and enable role manager by setting its enabled attribute to true.
Add a connection string to the section to point to your roles store. If you are using the AuthorizationStoreRoleProvider, this is an LDAP query string pointing to your Authorization Manager Policy store in Active Directory or ADAM. If you are using the SqlRoleProvider, this is a database connection string that points to your role store database.
Configure the specific provider in the element in your application's Web.config file. The role manager system supports the following providers:
If your application roles are in an Authorization Manager Policy store in Active Directory or ADAM, use the AuthorizationStoreRoleProvider.
If your application roles are in a SQL Server database, use the SqlRoleProvider.
If your application uses Windows groups as roles, use the WindowsTokenRoleProvider. Note that this is recommended to be used with Windows Authentication only.
If your application roles are in a store other than those previously listed, create a custom roles provider inheriting RoleProvider base class.
Set the defaultProvider attribute on the element to the chosen role provider.
To check roles and manage roles, use the Role Manager API (for example Roles.IsUserInRole and Roles.CreateRole). For more information, see How To: Use Role Manager in ASP.NET 2.0.
How to use Windows groups for role authorization
If you use Windows authentication, you can use the ASP.NET 2.0 Role Manager feature with the WindowsTokenRoleProvider for role-based authorization. In this scenario, Windows groups are used as roles.
Enable role manager by setting the enabled attribute on the element to true. Note that the Machine.config file contains a default configuration for a WindowsTokenRoleProvider instance named AspNetWindowsTokenRoleProvider. You can use this provider instance and set it as the default provider by modifying your Web.config file as follows.

To check role membership to authorize callers, use the Role Manager APIs such as IsUserInRole. if(Roles.IsUserInRole("Readers")){};

As in ASP.NET version 1.1, you can also directly check role membership by using the authenticated user's Windows token. You can do this by using manual, imperative, and declarative role checks. For more information, see How to perform role-based authorization in code in this topic.
How to use Authorization Manager in ASP.NET
The Role Manager feature provides an AuthorizationStoreRoleProvider that uses the Windows Server 2003 Authorization Manager.
To use AuthorizationStoreRoleProvider:
Create an Authorization Manager policy store in either Active Directory or ADAM and grant administrative or reader rights to your ASP.NET process account, such as the Network Service account.
Enable role manager by setting the enabled attribute on the element to true.
Configure a connection string containing an LDAP query to point to your Authorization Manager (AzMan) policy store.
Configure the AuthorizationStoreRoleProvider in Web.config.
Set the defaultProvider attribute to your provider instance.
A typical configuration is shown here.

...

...

If you use an Authorization Manager policy store in Active Directory, the Authorization Manager policy roles are different from the Windows groups you define in Active Directory.
Note that the AuthorizationStoreRoleProvider only exposes a subset of Authorization Manager's functionality. For example, you cannot use Authorization Manager's authorization business logic, such as tasks and operations. If you need to use tasks and operations you need to use COM interop and directly call members of the azroles 1.0 type library. For more information, see How To: Use Authorization Manager (AzMan) with ASP.NET 2.0 and How To: Use ADAM for Roles in ASP.NET 2.0.
How to cache roles in ASP.NET
If a user's browser accepts cookies, you can cache role information for that user in a cookie on the user's computer. On each page request, ASP.NET reads the role information for that user from the cookie. This can improve application performance by reducing the amount of communication required with the data source to retrieve role information. If the role information for a user is too long to store in a cookie, ASP.NET stores only the most recently used role information in the cookie and then looks up additional role information in the data source as and when required.
To configure and enable role caching, set cacheRoleInCookie to true on the element as shown here.

To secure the cookie, set the cookieProtection attribute to All, to ensure that the cookie is signed and encrypted. Set cookieRequireSSL to true to ensure that the cookie is only transmitted over HTTPS connections. Set createPersistentCookie to false to ensure the cookie is not persisted on the client's computer, and then use the cookieTimeout attribute to set a limited cookie expiration time.
How to configure URL authorization in Web.config
To configure URL authorization, use an element in Web.config and specify which user and/or role names are allowed access to the current directory or the nominated directory or file. ASP.NET version 2.0 on Windows Server 2003 protects all files in a given directory, even those not mapped to ASP.NET, such as .html, .gif, and .jpg files.
Authorization settings in Web.config refer to all of the files in the current directory and all subdirectories unless a subdirectory contains its own Web.config with an element. In this case, the settings in the subdirectory override the parent directory settings.
URL authorization can be used for both forms authentication and Windows authentication. In the case of Windows authentication, user names take the form "DomainName\WindowsUserName" and role names take the form "DomainName\WindowsGroupName". The local administrators group is referred to as "BUILTIN\Administrators". The local users group is referred to as "BUILTIN\Users". The following example shows Windows users and Windows roles.

The following example uses a custom role.

To apply authorization rules to a specific file or folder, enclose the element inside a element as shown here.

This example denies access to unauthenticated users and forces a redirect to the login page that is specified on the element.
The following example shows how you can apply authorization to a specific file (Page.aspx).

...

If necessary, you can apply different authorization rules for separate pages based on the identity, or more commonly, the role membership of the caller, by using multiple elements within separate elements.
How to lock authorization settings
Server administrators can lock authorization settings by using the element in the machine-level Web.config file. This ensures that an individual application cannot override machine-level policy. To lock authorization settings, surround the element inside a element and set allowOverride="false" as shown here.

This example forces authenticated access.
Code Access Security
How to use code access security in ASP.NET
Administrators can use code access security trust levels with ASP.NET to isolate applications and to restrict which resource types they can access and which privileged operations they can perform. The ability to isolate applications is particularly important in hosted environments, where multiple applications share the same server.
To use code access security in ASP.NET, you need to evaluate requirements, choose a trust level, and configure the application to use the appropriate trust level.
To use code access security in ASP.NET:
Evaluate the required permissions. You can do this by either doing a manual code review or by using the PermCalc tool to help calculate the required permissions.
Choose a standard trust level (High, Medium, Low, or Minimal) that meets application requirements. Ensure that you do not grant more permissions than needed. If you do not find a perfect match with standard trust levels, create a custom trust policy to meet application requirements.
If your application needs medium trust, configure the application to use the trust level as shown here.
...

...

...
For more information, see How To: Use Code Access Security in ASP.NET 2.0.
How to use custom trust levels with code access security in ASP.NET
To use a custom trust level, create a custom trust file based on the existing trust file that most closely matches your application requirements.
To create a custom level and configure an application to use it:
Identify the trust level that satisfies most of your application's permission requirements.
Copy the trust policy file for that level to create a custom trust policy file, for example web_CustomTrust.config.
Add the additional permissions required. For example, to add the registry permission to a custom trust policy file:
Add a element.

Add an element to the "ASP.Net" named permission set.
...

...

Configure your application's root Web.config file to make your application use the custom trust policy file. ...

How to run in Medium trust
Medium trust ASP.NET 2.0 applications can now access SQL Server databases. Running at Medium trust is particularly useful for environments where multiple applications run on the same server and you need to ensure that applications are isolated from one another and from shared system resources.
By running in Medium trust, applications have no access to unmanaged code, and file access is restricted to the application's own virtual directory hierarchy. Applications also have no access the registry, the event log, or OLE DB data sources. Your code is unable to use reflection, and it can only communicate with specific servers identified by the originUrl attribute on the element.
To configure applications to run with Medium trust, set the level attribute of the element in the machine-level Web.config as shown here.

...

...

By setting allowOverride="false" on the element, you prevent an individual application's Web.config file from overriding the machine-wide policy. Use the originUrl attribute to determine which HTTP servers applications can communicate with.
If you need additional permissions beyond those granted by Medium trust policy, create a custom policy file and add the necessary permissions as described in How to use custom trust levels with code access security in ASP.NET. For more information, see How To: Use Medium Trust in ASP.NET 2.0.
Configuration
How to encrypt sensitive data in Machine.config and Web.config
In ASP.NET 2.0, use the Aspnet_regiis.exe tool with the -pe (provider encryption) option to encrypt sections of the Machine.config and Web.config files.
To encrypt the connectionStrings section by using the DPAPI provider with the machine key store (the default configuration), run the following command from a command prompt:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI"
-prov "DataProtectionConfigurationProvider"
-pe specifies the configuration section to encrypt.
-app specifies your Web application's virtual path. If your application is nested, you need to specify the nested path from the root directory, for example "/test/aspnet/MachineDPAPI"
-prov specifies the provider name.
The .NET Framework 2.0 SDK supports RSAProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider protected configuration providers, which you use with the Aspnet_regiis.exe tool:
RSAProtectedConfigurationProvider. This is the default provider and uses the RSA public key encryption to encrypt and decrypt data. Use this provider to encrypt configuration files for use on multiple Web servers in a Web farm.
DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt configuration files for use on a single Windows Server.
The following sections often contain sensitive information that you need to encrypt:
. Custom application settings.
. Connection strings.
. Web application identity. Can contain impersonation credentials.
. Contains connection string for out of process session provider.
You do not need any special steps for decryption, because the ASP.NET runtime takes care of this for you. You cannot use the Aspnet_regiis.exe tool and protected configuration to encrypt the following sections in Web.config and Machine.config:
, , , , , , , , , and .
For these sections, use the Aspnet_setreg.exe tool. You must also use this tool with ASP.NET 1.1. For more information about AspNet-setreg.exe, see Microsoft Knowledge Base article 329290, How to use the ASP.NET utility to encrypt credentials and session state connection strings.
How to choose between machine and user key storage
The DPAPI and RSA protected configuration providers used to encrypt sensitive data in configuration files can use either machine stores or user stores for key storage. You can either store the key in the machine store and create an ACL for your specific application identity or store the key in a user store. In the latter case, you need to load the user account's profile to access the key.
Use machine-level key storage when:
Your application runs on its own dedicated server with no other applications.
You have multiple applications on the same server that run using the same identity and you want those applications to be able to share sensitive information and the same encryption key.
The DPAPI machine key is stored at the following location:
%windir%\system32\Microsoft\Protect\S-1-5-18
The RSA machine key is stored at the following location:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Use user-level key storage if:
You run your application in a shared hosting environment and you want to ensure that your application's sensitive data is not accessible to other applications on the server. In this scenario, each application should have a separate identity so that they all have their own individual and private key stores.
RSA user-level key containers are stored in the following folder:
\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA
The DPAPI user key is stored in a folder at the following location:
\Documents and Settings\{UserName}\Application Data\Microsoft\Protect
How to use DPAPI with a user store to encrypt a connection string in Web.config
By default, the DataProtectionConfigurationProvider is configured to use DPAPI with the machine store. To use it with the user store, add a section to your Web.config file and set the useMachineProtection attribute to false as shown here. You must also specify a unique provider name.

Then run the following command from a command prompt to encrypt the section:
aspnet_regiis–pe "connectionStrings"–app "/UserDPAPI" -prov "MyUserDataProtectionConfigurationProvider"
The configuration ensures that DPAPI is used with the user store. Make sure that your application is running with the same user identity as the account you used to encrypt the data. For more information, see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI.
How to use RSA with a user-level key container to encrypt a connection string in Web.config
The RSAProtectedConfigurationProvider is the default provider and is configured to use the machine-level key container. To use it with a user-level key container, add a section to your Web.config file and set the useMachineContainer attribute to false as shown here.

Then run the following command from a command prompt to encrypt the section:
aspnet_regiis -pe "connectionStrings" -app "/UserRSA"–prov "MyUserRSAProtectedConfigurationProvider"
The configuration ensures that RSA is used with the user-level key container. Make sure that your application is running with the same user identity as the account you used to encrypt the data. For more information, see How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA.
How to run an ASP.NET application with a particular identity
In IIS 6.0, use IIS Manager to create an application pool running as a specific identity. Use IIS Manager to assign your application to that application pool.
In IIS 5.0, you can configure the ASP.NET process identity by setting the userName and password attributes on the element in Machine.config. If you do this, you should encrypt the credentials by using the Aspnet_setreg.exe utility.
How to create a service account for ASP.NET
To create a service account:
Create a Windows account
Run the following Aspnet_regiis.exe command to assign the relevant ASP.NET permissions to the account:
aspnet_regiis.exe -ga machineName\userName
On Windows 2003, running the Aspnet_regiis.exe -ga command will add the account to the IIS_WPG group. The IIS_WPG group provides the Log on as a batch job permission and ensures that the necessary file system permissions are granted.
Note At the time of this writing, the Aspnet_regiis–ga command on .NET Framework 2.0 beta 2 does not add the account to the IIS_WPG group and this must be done manually. The release version of the .NET Framework 2.0 will fix this issue and the account will be added to the IIS_WPG group.
Use the Local Security Policy tool to grant the Windows account the Deny logon locally user right. This reduces the privileges of the account and prevents anyone logging onto Windows locally with the account.
Use IIS Manager to create an application pool running under the new account's identity and assign the ASP.NET application to the pool.
For more information, see How To: Create a Service Account for an ASP.NET 2.0 Application.
How to configure the machine key in Web farms
You use the to specify keys and algorithms used by ASP.NET to protect Forms authentication tickets and ViewState. If you deploy your application in a Web farm, you must manually generate key values and ensure that the configuration files on each server share hashing and encryption keys.
To generate cryptographically random keys:
Use the RNGCryptoServiceProvider class to generate a cryptographically strong random number.
Choose an appropriate key size. The recommended key lengths are as follows:
For SHA1, set the validationKey to 64 bytes (128 hexadecimal characters).
For AES, set the decryptionKey to 32 bytes (64 hexadecimal characters).
For 3DES, set the decryptionKey to 24 bytes (48 hexadecimal characters).
The following code shows how to generate random key values. Compile the code to create a console application, and then pass the required key size as a command line argument expressed as the desired number of hexadecimal characters. Each byte is represented by two hexadecimal characters; therefore, to request a 32-byte key, pass 64 as a command line argument. If you do not specify an argument, the code returns a 128 hexadecimal character (64-byte) key. // C# Example
using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;
class App {
static void Main(string[] argv) {
int len = 128;
if (argv.Length > 0)
len = int.Parse(argv[0]);
byte[] buff = new byte[len/2];
RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
rng.GetBytes(buff);
StringBuilder sb = new StringBuilder(len);
for (int i=0; iHow To: Configure the Machine Key in ASP.NET 2.0.
How to lock configuration settings
To lock the configuration settings for all the Web applications on a Web server to prevent an individual application from overriding them, place the configuration settings inside a element nested within a element in the machine-level Web.config file, and then set the allowOverride attribute to false.
The following example enforces the use of Windows authentication for all Web applications on the server.

If you need to apply and lock settings for a specific Web application, use the path attribute on the element to identify the Web application as shown here.

If you specify the path, it must be fully qualified and include the Web site name and virtual directory name.
Data Access
How to protect database connection strings
Place connection strings inside the setting in Web.config, and then encrypt the configuration section by using one of the protected configuration providers (RSA or DPAPI). For more information about doing this and choosing between RSA and DPAPI, see How to encrypt sensitive data in Machine.config and Web.config in the Configuration topic.
How to access a database from ASP.NET
Use Windows authentication where possible and use a least privileged service identity while connecting to SQL Server. Usually, this will be your least privileged application's process account. By using a service account, you benefit from connection pooling. If you need per user authorization in the database, you can use impersonation (and delegation) and access the database with the original caller's account, but this will prevent efficient connection pooling.
How to use Windows authentication to connect to SQL Server
To use Windows authentication, configure SQL Server appropriately and then use a connection string that contains either "Trusted_Connection=Yes", or "Integrated Security=SSPI" as shown in the following code. The two strings are equivalent and both result in Windows authentication. "server=MySQL; Integrated Security=SSPI; database=Northwind"
"server=MySQL; Trusted_Connection=Yes; database=Northwind"

For more information, see How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0.
How to access SQL Server by using SQL authentication
If you cannot use Windows authentication to SQL Server, you must use SQL authentication.
To use SQL authentication:
Use a least-privileged user ID to connect to SQL.
Use a strong password for the SQL user account.
Secure the channel between the Web server and database server because credentials are passed in an unencrypted format. For example, use SSL or IPSec.
Secure the SQL connection string (which contains plaintext credentials). For more information, see How to encrypt sensitive data in Machine.config and Web.config in the Configuration topic.
If you connect to a SQL Server database using credentials (user name and password), your connection string looks like the following. SqlConnectionString = "Server=YourServer\Instance;
Database=YourDatabase;uid=YourUserName;
pwd=YourStrongPassword;"

For more information, see How To: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0.
How to use the Network Service account to connect to SQL Server
The Network Service account has network credentials, so it can be used to access resources such as a database server in the same domain or in a domain with an appropriate trust relationship.
Note If you grant access to the Network Service account, any application on the same Web server that runs using that identity has access. For individual authorization and application isolation, use distinct identities. For more information, see How to create a service account for ASP.NET in the Configuration topic.
To grant access to SQL Server for the network service account:
Create a SQL login for the Network Service account. The name appears as domainName\$ if your database is on a separate server. You can use Enterprise Manager or run the following SQL statement to create the SQL Login:
exec sp_grantlogin [domainName\$]
Create a database user in the required database and map the login to the database user. Or you can run the following SQL statement:
exec sp_grantdbaccess [domainName\$]
Place the database user in a database role. This enables you to assign permissions to roles instead of individual users, which helps should the user account change.
Grant permissions to the role. Ideally, just grant execute permissions to selected stored procedures and provide no direct table access.
Within the client application, use a connection string that contains either "Trusted_Connection=Yes" or "Integrated Security=SSPI". The two strings are equivalent and both result in Windows authentication (assuming that your SQL Server is configured for Windows authentication). For more information, see How To: Use the Network Service Account to Access Resources in ASP.NET.
How to prevent SQL injection
Validate input and use parameterized stored procedures for data access. The use of parameters (for example, SqlParameterCollection) ensures that input values are checked for type and length and values outside the range throws an exception. Parameters are also treated as safe literal values and not executable code within the database. The following code shows how to use SqlParameterCollection when calling a stored procedure called LoginStoredProcedure which accepts @au_id of type varchar(11) as a parameter. using System.Data;
using System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(
"LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myCommand.Fill(userDataset);
}

Avoid passing SQL queries to be executed as a parameter to a stored procedure. Instead pass query parameters only.
Use structured exception handling to catch errors when accessing the database and prevent them from propagating back to the client. A detailed error message may reveal valuable information, such as the connection string, SQL server name, or table and database naming conventions that attackers can use for more precise attacks.
As an additional precaution, use a least privileged account to access the database, so that even if your application is compromised the impact will be minimized. For more information, see How To: Protect From SQL Injection in ASP.NET.
Exception Management
How to handle exceptions securely
Do not reveal internal system or application details, such as stack traces, SQL statement fragments, and table or database names. Ensure that this type of information is not allowed to propagate to the end user or beyond your current trust boundary. A malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks.
If an exception is thrown, make sure your application fails securely, denies access, and is not left in an insecure state. Do not log sensitive or private data, such as passwords, that could be compromised. When you log or report exceptions, if user input is included in exception messages, validate it or sanitize it. For example, if you return an HTML error message, you should encode the output to avoid possible script injection.
How to prevent detailed errors from returning to the client
By default, in ASP.NET the mode attribute of the element is set to remoteOnly, which returns complete exception information (including the stack trace) only to callers on the same computer as the server. Remote callers receive filtered exception information. In a production environment, you should set the mode attribute to On, so that all callers receive filtered exception information. You should also specify a default redirect page as shown here.

The defaultRedirect attribute allows you to use a custom error page for your application, which, for example, might include support contact details. Do not use mode="Off" because this allows detailed error pages that contain system-level information to be returned to the client.
Also set pageOutput="false" on the element to disable trace output. To prevent trace being accidentally being re-enabled, consider locking this for all applications on a server by applying the following configuration in the machine-level Web.config file. Enclose the element in a element and set allowOverride to false.

How to use structured exception handling
Use try/catch/finally structured exception handling blocks around code to avoid unhandled exceptions. Use finally blocks to execute code that runs whether an exception is trapped; this is useful for releasing resources such as closing files or disposing of objects.
How to create a global error handler for your application
Define a global error handler in Global.asax to catch any exceptions that are not handled in code. You should log all exceptions in the event log to record them for tracking and later analysis. Use code similar to the following.

Note that you need to give your ASP.NET account the necessary permissions to write to the event log. For more information, see How to write to the event log in the Auditing and Logging topic.
How to specify a default error page
Use the section of the Web.config file and set mode to On to specify a default error page to display, along with other required error pages for specific HTTP response codes that indicate errors. Use these custom error pages, as shown in the following example, to provide user friendly responses for errors not caught in a structured event handling block.

When debugging your application, the mode attribute of the element must be set to RemoteOnly (the default) to view the custom errors on remote clients and ASP.NET errors on the localhost.
Impersonation and Delegation
How to choose between trusted subsystem and impersonation/delegation
With the trusted subsystem model, you use your Web application's process identity to access downstream network resources such as databases. With impersonation/delegation, you use impersonation and use the original caller's identity to access the database.
Trusted subsystem offers better scalability because your application benefits from efficient connection pooling. You also minimize back-end ACL management. Only the trusted identity can access the database. Your end users have no direct access. In the trusted subsystem model, the middle-tier service is granted broad access to back-end resources. As a result, a compromised middle-tier service could potentially make it easier for an attacker to gain broad access to back-end resources. Keeping the service account's credentials protected is essential.
With impersonation/delegation, you benefit from operating system auditing because you can track which users have attempted to access specific resources. You can also enforce granular access controls in the database, and individual user accounts can be restricted independently of one another in the database.
How to impersonate the original caller
ASP.NET does not impersonate the original caller by default. If you need to impersonate the original caller, set the mode attribute of the element in the Web.config file to Windows and the impersonate attribute of the element to true.
In IIS, disable anonymous access and select a Windows authentication mechanism. If you do not do this, the ASP.NET application will impersonate the anonymous IIS account IUSR_machineName.
How to temporarily impersonate the original caller
To temporarily impersonate the original caller in your application's Web.config file, set the mode attribute of the element to Windows.
In IIS, disable anonymous access and select a Windows authentication mechanism. In your code, use the Impersonate method of the System.Security.Principal.WindowsIdentity class, as shown here. using System.Security.Principal;
...
IIdentity WinId= HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)WinId;
// impersonate temporarily
WindowsImpersonationContext wic = userId.Impersonate();
try
{
// run code, access resources using the original caller's
// security context
}
finally
{
// restore our old security context
wic.Undo();
}

For more information, see How To: Use Impersonation and Delegation in ASP.NET 2.0.
How to use protocol transition and constrained delegation in ASP.NET
Protocol transition allows an application on a designated server to use any method to authenticate the original caller and then to transition to the Kerberos protocol to access back-end network resources. This is particularly useful in scenarios where your users access your application over the Internet but firewalls prevent them from communicating directly with the domain controller. In this scenario, you can authenticate your users by using forms, client certificates, or some alternative authentication mechanism, and then create valid Windows tokens on the server for your users; use those and Kerberos authentication to access back-end network resources. You can then use constrained delegation to ensure that these tokens and their associated logon sessions can only be used to communicate with designated services on specific servers.
To use protocol transition and constrained delegation, you must:
Be on a specially designated server that is trusted for delegation.
Use local security policy to grant the Act as part of the operating system privilege (TCB) to the account used to run ASP.NET on the Web tier (the Network Service account by default for IIS 6.0).
Configure Active Directory for protocol transition and constrained delegation.
On Windows Server 2003, the WindowsIdentity constructor uses the new Kerberos S4U extension to obtain a logon session and Windows token for a user without that user's password as shown here. using System.Security.Principal;
...
WindowsIdentity wi = new WindowsIdentity("username@domainName");
WindowsImpersonationContext wic = wi.Impersonate();
try
{
// do work
}
finally
{
// stop impersonating
wic.Undo();
}

For more information, see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
Input and Data Validation
How to validate input in ASP.NET
Assume all input is malicious. To validate input, define acceptable input for your fields. Constrain input for length, range, format, and type. Use an "allow" approach up front and define what constitutes valid input instead of relying on "deny" approaches. The problem with a "deny" approach is that it is very difficult to anticipate all possible variations of bad input. Do not rely on client-side validation as your only input validation mechanism because it can be easily bypassed. Use client-side validation only to reduce round trips and to improve the user experience. For more information, see How To: Protect From Injection Attacks in ASP.NET.
How to validate input in server controls
Validate input from server controls by using the ASP.NET validation controls, such as the RangeValidator, RequiredFieldValidator, CustomValidator, or RegularExpressionValidator. The following example shows a RegularExpressionValidator control that has been used to validate a name field.

The validation controls use client-side script to perform validation on the client browser (if supported by the browser), and also run validation logic on the server after data is posted back.
How to validate input in HTML controls, QueryString, cookies, and HTTP headers
Use the System.Text.RegularExpression.Regex class to validate this type of input to verify that the input matches an expected format, as shown in the following example. // Static method:
if (!Regex.IsMatch(Request.QueryString.Get("Number"),
@"\d{3}-\d{2}-\d{4}"))
{
// Invalid Social Security Number
}

For more information, see How To: Use Regular Expressions to Constrain Input in ASP.NET.
How to prevent cross site scripting
Validate input and encode output. Constrain input by validating it for type, length, format, and range. Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user, such as input from form fields, query strings, and cookies or from other sources, such as databases. Never just echo input back to the user without validating and/or encoding the data. The following example shows how to encode a form field. Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

If you return URL strings that contain input to the client, use the HttpUtility.UrlEncode method to encode these URL strings, as shown here. Response.Write(HttpUtility.UrlEncode(urlString));

If you have pages that need to accept a range of HTML elements, such as through some kind of rich text input field, you must disable ASP.NET request validation for the page.
To safely allow restricted HTML input:
Disable ASP.NET request validation by the adding the ValidateRequest="false" attribute to the @ Page directive.
Encode the string input with the HtmlEncode method.
Use a StringBuilder and call its Replace method to selectively remove the encoding on the HTML elements that you want to permit as shown here. ...
// Encode the string input from the HTML input text field
StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(htmlInputTxt.Text));
// Selectively allow and
sb.Replace("<b>", "");
sb.Replace("</b>", "");
sb.Replace("<i>", "");
sb.Replace("</i>", "");

For more information, see How To: Prevent Cross-Site Scripting in ASP.NET.
Secure Communication
How to choose between IPSec and SSL
Use Secure Sockets Layer (SSL) to protect the communication channel between specific client applications and a server. For example, you could use SSL to secure the channel between a specific Web application and a remote SQL Server. Use SSL when you need granular channel protection for a particular application instead of for all applications and services running on a computer.
Use Internet Protocol Security (IPSec) to secure the communication channel between two servers and to restrict which computers can communicate with one another. For example, you can help secure a database server by establishing a policy that permits requests only from a trusted client computer, such as an application or Web server. You can also restrict communication to specific IP protocols and TCP/UDP ports.
How to secure communication between browser clients and Web server
Use SSL to create a secure encrypted communication channel between browser clients and Web server.
To use SSL:
Install a server certificate on the Web server.
Install the root certificate authority (CA) certificate from the same authority into the local computer's Trusted Root Certification Authorities certificate store.
Use IIS to configure the server to force the use of encryption while accessing Web pages.
Design your pages with SSL in mind to minimize performance overhead. Optimize pages that use SSL by including less text and simple graphics and partition your site and ensure that only those pages than contain sensitive data use SSL.
How to secure communication between servers
Use IPSec to secure the communication channel between two servers and to place restrictions on which client computers can communicate with the server. For example, you can configure IPSec policy to only allow a specific application server to communicate with a database server. Also use IPSec to restrict which TCP port is used for communication and to encrypt all IP traffic that flows between the two servers.
Note that if you restrict all communication, the database server will be unable to communicate with a domain controller. In this scenario, you must use mirrored local accounts (with the same user name and password) on both computers.
Sensitive Data
How to protect sensitive data in a database
If you need to protect data in a database that is accessed by multiple Web servers, you need to encrypt the data with a strong symmetric encryption algorithm and protect the encryption key with DPAPI.
To encrypt sensitive data in a database accessed by multiple servers in a Web farm:
Use a strong symmetric encryption algorithm such as 3DES or AES.
Use the System.Security.Cryptography.RNGCryptoServiceProvider class to generate a strong (192 bit, 24 byte) encryption key. Back up the encryption key, and store the backup in a physically secure location.
Note Cryptographically, 3 DES keys are effectively 168 bits in length rather than 192 bits. This is because in each of the three DES applications, a 56 bit key is used even though the block size is 64. The remainder of the 8 bits were meant to be parity bits but were never really used for that purpose. 3DES therefore, uses three times 56 or 168 bit keys.
Use DPAPI to encrypt the symmetric encryption key on each Web server and store it in a secured registry key. Create an ACL to protect the registry key that allows full control for administrators and read only access for your ASP.NET process account.
To encrypt data and decrypt data, retrieve the encrypted symmetric encryption key from the registry, use DPAPI to decrypt the key and then use the System.Security.Cryptography.TripleDESCryptoServiceProvider class with the encryption key to either encrypt or decrypt the data stored in the database.
With this process, if the DPAPI account used to encrypt the encryption key is damaged, the backup of the 3DES key can be retrieved from the backup location and be encrypted using DPAPI under a new account. The new encrypted key can be stored in the registry and the data in the database can still be decrypted.
How to encrypt configuration data in a Web farm
To encrypt configuration data in a Web farm, use RSA encryption with a machine-level key container because you can easily export RSA keys. You need to do this if you encrypt data in a Web.config file prior to deploying it to other servers in a Web farm. In this case, the private key required to decrypt the data must be exported and deployed to the other servers.
In the following approach, you create and export a custom RSA encryption key. Then you install it on the target servers and secure it with an ACL that permits access only to your application's identity.
To use RSA to encrypt data in a Web farm:
Run the following command from a command prompt to create an exportable custom RSA encryption key:
aspnet_regiis -pc "CustomKeys"–exp
You can verify that a custom key container exists by looking for the file and checking timestamps in the following location:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Add and configure a custom protected configuration provider by adding a section to your Web.config file. Note that the key container name is set to "CustomKeys" which is the name of the key container created previously. ...

...

Run the following command from a command prompt to encrypt the connectionStrings section using the custom RSA key:
aspnet_regiis -pe "connectionStrings" -app "/WebFarmRSA " -prov "CustomProvider"
Run the following command from a command prompt to export the custom RSA encryption key:
aspnet_regiis -px "CustomKeys" "C:\CustomKeys.xml" -pri
The -pri switch causes the private and public key to be exported. This enables both encryption and decryption. Without the–pri switch, you would only be able to encrypt data with the exported key.
Deploy the application and the encrypted Web.config file to a different server computer. Also copy the CustomKeys.xml file to a local directory on the other server, for example to the C:\ directory.
On the destination server, run the following command from a command prompt to import the custom RSA encryption keys:
aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"
Grant access to the key container to your ASP.NET application identity. The following command grants access to the CustomKeys store to the Network Service account:
aspnet_regiis -pa "CustomKeys" "NT Authority\Network Service"
How to protect ViewState
ViewState sent between browser and server is subject to tampering and eavesdropping threats. To detect tampering, ensure that ViewState is integrity checked with HMACs. This is the default setting.
Avoid storing sensitive data in ViewState. If you must store sensitive data in ViewState, encrypt it. A common example is the DataKeyNames property of the GridView/DetailsView/FormView controls, which retains the values of the primary key fields of a data store in ViewState. Under some circumstances, these values could be sensitive, such as an employee ID. In this case, encrypt the ViewState.
To encrypt ViewState:
A control on a page needs can explicitly request ViewState encryption by calling the RegisterRequiresViewStateEncryption method.
Alternatively, set the viewStateEncryptionMode attribute to Always.
Alternatively, set the viewStateEncryptionMode attribute to Always in the the element of the Web.config file or you can use an equivalent viewStateEncryptionMode attribute on the @Page directive.
If you use ViewState HMACs or encryption, and you deploy your application in a Web farm, you must ensure that the configuration files on each server share hashing and encryption keys. For more information, see How to configure the machine key in Web farms in the Configuration topic.
How to protect passwords
You should store passwords in a non-reversible hashed format. Generate the hash from a combination of the password and a random salt value. Use an algorithm such as SHA256. The salt value helps to slow an attacker perform a dictionary attack should your credential store be compromised, giving you additional time to detect and react to the compromise.
To store password hashes:
Generate a random salt value by using the following code. byte[] salt = new byte[32];
System.Security.Cryptography.RNGCryptoServiceProvider.Create().GetBytes(salt);

Append the salt to the password. // Convert the plain string password into bytes
byte[] plainTextBytes = System.Text UnicodeEncoding.Unicode.GetBytes(plainText);
// Append salt to password before hashing
byte[] combinedBytes = new byte[plainTextBytes.Length + salt.Length];
System.Buffer.BlockCopy(plainTextBytes, 0, combinedBytes, 0, plainTextBytes.Length);
System.Buffer.BlockCopy(salt, 0, combinedBytes, plainTextBytes.Length, salt.Length);

Hash the combined password and salt by using the following code. // Create hash for the password+salt
System.Security.Cryptography.HashAlgorithm hashAlgo = new System.Security.Cryptography.SHA256Managed();
byte[] hash = hashAlgo.ComputeHash(combinedBytes);

Append the salt to the resultant hash. // Append the salt to the hash
byte[] hashPlusSalt = new byte[hash.Length + salt.Length];
System.Buffer.BlockCopy(hash, 0, hashPlusSalt, 0, hash.Length);
System.Buffer.BlockCopy(salt, 0, hashPlusSalt, hash.Length, salt.Length);

Store the result in your user store database.
This approach means you do not need to store the salt separately. To verify a password, you extract the salt from the stored combination of the hash and salt value and then recomputed the hash using the salt value and the plaintext password value obtained from the user.
Companion Guidance

XML (XMLType) inside PL/SQL Oracle 9/10

2005-10-22T23:15:00.000-07:00

The XMLType is an OO XML aware data type. It can be used in columns or in PL/SQL just like VARCHAR2 or DATE. XMLType has member functions that allow access to data using XPath.

A quick example extracting a specific value from an XML varchar2 string:
DECLARE
v VARCHAR2(32000) := 'ABC';
x XMLType;
BEGIN
x := XMLType(v);
DBMS_OUTPUT.put_line(
x.extract('/DATA/LINE[1]').getStringVal()
);
DBMS_OUTPUT.put_line(
x.extract('/DATA/LINE[1]/text()').getStringVal()
);
END;

WinFX Developer Center: InfoCard: The Laws of Identity

2005-09-27T04:29:00.000-07:00

WinFX Developer Center: InfoCard: The Laws of Identity: "The Laws of Identity"

Fields to Properties (Visual Studio.Net)

2005-09-21T02:21:00.000-07:00

Yes, we miss Automatic property generation from the Fields of the classes in the Visual Studio.net IDE.
Following is the sample code of the Macro, I am telling here which I used for myself.
This member variable to Property generation is not generic and is very difficult to be. The idea is that I demonstrate to do it my way and you can customize it for your needs.

Code is in the Visual Basic.Net
--------------------------------------------------
NEED:

Public Class AClass

#Region "Members"
Private strStaffId As String
Private strStaffName As String
#End Region

End Class

-->
Public Class AClass

#Region "Members"
Private strStaffId As String
Public Property StaffId() As String
Get
Return strStaffId
End Get
Set(ByVal Value As String)
strStaffId = Value
End Set
End Property

Private strStaffName As String
Public Property StaffId() As String
Get
Return strStaffId
End Get
Set(ByVal Value As String)
strStaffId = Value
End Set
End Property

#End Region

End Class

--------------------------------------------------

The first step in using a macro to generate code is to open the Macros IDE, add a new module, a macro, and stub out the code template.

1. To create a new macro, open Visual Studio .NET—I am using VS.NET 2003, but the example works in version 1—and select Tools|Macros|Macros IDE
2. In the Macros Project Explorer click on the MyMacros project, right-clicking Add|Add Module from the Project Explorer context menu
3. Add a public subroutine named WriteProperty to the module

So, In my case it is like:
File:- MyModule
Imports EnvDTE
Imports System
Imports System.Diagnostics

Public Module MyModule

Private Cr As String = Environment.NewLine

Private mask As String = _
"Public Property {0}() As {1}" + Cr + _
" Get" + Cr + _
" Return {2}" + Cr + _
" End Get" + Cr + _
" Set(ByVal Value As {1})" + Cr + _
" {2} = Value" + Cr + _
" End Set" + Cr + _
" End Property" + Cr

Public Sub WriteProperty()
Dim Selection As TextSelection = DTE.ActiveDocument.Selection

Dim FieldName As String
Dim PropertyName As String
Dim PropertyType As String

FieldName = Selection.Text
PropertyName = FieldName.Substring(3) 'skip strUserName -> UserName

Selection.EndOfLine()
Selection.WordLeft(True)
PropertyType = Selection.Text
Selection.EndOfLine()
Selection.NewLine(2)

Dim vp As VirtualPoint = Selection.ActivePoint
Selection.Insert(String.Format(mask, PropertyName, PropertyType, FieldName))
End Sub
End Module
-----------------------------------------------------------------------

Now, You can customize the VisualStudio environment and put a button on a toolbar and that button can call our macro. You can also assign a hot key to call this code.
To generate the property for the field, You only have to select the field and it will generate its code for the corresponding property.

When done, you only need to edit this code according to your needs.

bye
:)

Windows WorkFlow Foundation

2005-09-16T02:43:00.000-07:00

Windows Workflow Foundation is the programming model, engine and tools for quickly building workflow enabled applications on Windows. It consists of a WinFX namespace, an in-process workflow engine, and designers for Visual Studio 2005. Windows Workflow Foundation is available (currently in beta) for both client and server versions of Windows. Windows Workflow Foundation includes support for both system workflow and human workflow across a wide range of scenarios including: workflow within line of business applications, user interface page-flow, document-centric workflow, human workflow, composite workflow for service oriented applications, business rule driven workflow and workflow for systems management.
The Windows Workflow Foundation namespace in WinFX is called System.Workflow. Windows Workflow Foundation provides a consistent and familiar development experience with other WinFX technologies such as ASP.NET, Windows Communication Foundation and Windows Presentation Foundation. Windows Workflow Foundation provides full support for Visual Basic .NET and C#, debugging, a graphical workflow designer and the ability to develop your workflow completely in code. Windows Workflow Foundation also provides an extensible model and designer to build custom activities which encapsulate workflow functionality for end-users or for re-use across multiple projects. Windows Workflow Foundation will be used across many future Microsoft products including The Microsoft Office System, BizTalk Server and the Microsoft Dynamics Products (previously known as Microsoft Business Solutions products). Most applications can benefit from the asynchronous state management features of the workflow model, the rapid development features of the designer, the potential for end-user flexibility, and the increased visibility into run-time code execution.
A workflow is a set of activities stored as a model that describe a real world process. Work passes through the model from start to finish and activities might be executed by people or by system functions. Workflow provides a way of describing the order of execution and dependent relationships between pieces of short or long running work. While it is possible to write a workflow completely in code, workflow is often best viewed graphically. Once a workflow model is compiled it can be executed inside any Windows process including console apps, forms- based apps, Windows Services, ASP.NET web sites and web services.
Introducing Windows Workflow FoundationDescribes the functionality and benefits of Microsoft Windows Workflow Foundation, soon to be a standard part of the Microsoft Windows platform. Windows Workflow Foundation provides a general framework for defining workflow, one that can be used in many kinds of applications.
Getting Started with Windows Workflow FoundationLearn about the technologies and features of Microsoft Windows Workflow Foundation that will be of interest to developers in need of creating workflow-driven applications for the Microsoft .NET platform.
Press Release Announcing Windows Workflow Foundation Microsoft announced Windows Workflow Foundation on Sept. 14, 2005, as the programming model, engine and tools for quickly building workflow-enabled applications on Windows. Read the entire press release here.
Try out Windows Workflow Foundation online at MSDN VirtualLabThe Visual Studio Hosted Experience lets you quickly evaluate developing with Windows Workflow Foundation with an online 1 hour hands on lab. You can work through this lab without installing anything on your local computer.
Download the Beta 1 of the Microsoft Visual Studio 2005 Extensions for Windows Workflow FoundationThe Microsoft Visual Studio 2005 Extensions for Windows Workflow Foundation are the tools you need to develop workflow based applications now. Visual Studio 2005 Beta 1 is required for this download. The download page also has links to the full WinFX download which includes Windows Workflow Foundation.
Join WebCasts on Windows Workflow FoundationCome join our planned (and past) webcasts for Windows Workflow Foundation. These start the week of the PDC with an introduction talk and continue shortly thereafter with the Week of Workflow WebCasts later in September 2005.
Download a set of 12 Hands-On Labs to try on your machineAt the Professional Developers Conference we had 12 labs for attendees to try Windows Workflow Foundation. These labs have been made available for you to download and use on your machine.
Take a DevelopMentor Training CourseGet an in-depth look at developing software using Microsoft's new workflow framework at DevelopMentor's "Essential Windows Workflow Foundation" course (4 days).
Presenting Windows Workflow Foundation published by Sams Publishing This introductory book covers Windows Workflow Foundation at an introductory level for a current .NET developer. All code examples are explained so that you can read the book without a computer, or you can download the samples and work through them while you read.
Participate in the Windows Workflow Foundation CommunityJoin the community of developers building workflow based applications. The community web site includes forums, downloads and many other interesting things.
Microsoft Employee Workflow Centric BlogsScott Woodgate: http://blogs.msdn.com/scottwoo Paul Andrew: http://blogs.msdn.com/pandrew
Come to the Business Process Integration & Workflow ConferenceYou are invited to our Business Process Integration & Workflow conference where we will have an entire track dedicated to Windows Workflow Foundation. This conference is October 4–7, 2005, in Redmond, Washington. It is open to Microsoft System Integration Partners and Customers accompanied by System Integration Partners. Partners should use the registration code "MSP-01" and customers should use the registration code "MSC-01". Space is limited; see the linked Web page for full details.

Data Protection API in .NET 2.0

2005-09-11T01:09:00.000-07:00

Protecting sensitive Data through Managed DPAPI

While developing a web or windows application, developers often make use of the web.config file to store sensitive data like passwords and connection strings. In most cases, this data is protected from unauthorized access for e.g. IIS forbidding the download of web.config file placed in the virtual directory where the application resides.

The data in the config files should nevertheless be in encrypted format for the safe storage of username/passwords and connection strings. Most developers including me were quite intent to use the Cryptography classes provided in .NET to encrypt and decrypt the strings, but all or most of them require the management of public/ private key pairs which doesn't make life easier anyway.
Using DPAPI (Data protection API) is thus a better option which provides automatic key management. This key management can be either based on the user's credentials or the machine.

User Level Encryption

When using user level encryption, DPAPI generates a session key which is derived from the user's credentials and the optional entropy that is discussed later. This session key is then used to do the actual encryption. With user level encryption, the encryption and decryption should be performed by the same user.

Machine Level Encryption

Machine level encryption (although not much secure) allows the encrypted data to be decrypted by any application running on the same machine. This can be used in a server scenario where there are no unauthorized logins.

Support in Previous Versions

.NET version 1.1 did not provide any wrappers to use the DPAPI hence we had to make use of DLLImport to import Crypt32.dll and use the APIs CryptProtectData and CryptUnprotectData for encryption and decryption respectively.

ProtectedData class in Whidbey

Starting from version 2.0, Whidbey provides a class called ProtectedData having two static members Protect and UnProtect. The signatures of these methods are:

1. byte[] Protect(byte[] dataToEncrypt, byte[] optionalEntropy,
DataProtectionScope scope)

2. byte[] UnProtect(byte[] dataToDecrypt, byte[] optionalEntropy,
DataProtectionScope scope)

dataToEncrypt is the data to encrypt
optionalEntropy is an additional entropy added to the key generation step. Without knowing this byte array no one can decrypt the data.
Setting the scope to DataProtectionScope.CurrentUser allows user level encryption while DataProtectionScope.LocalMachine allows machine level encryption as discussed earlier.

DataProtectionPermission

Whidbey also provides with DataProtectionPermission that can be used to grant/deny permission to the code on the call stack for ProtectedData to work. This can be used to limit permission to only encrypting or decrypting the data or both.

Code sample

static void Main()
{

byte[] entropyBytes = new byte[] {0x00,0x01,0x23, 0x34,0x0A};
byte[] myDataBytes;
string myData = "My sensitive data";
myDataBytes= System.Text.Encoding.Unicode.GetBytes(myData);
byte[] encryptedData = ProtectedData.Protect(
myDataBytes,entropyBytes,DataProtectionScope.CurrentUser);

//print the encrypted bytes
////////////////////////////

//decrypt the data
byte[] decryptedData = ProtectedData.UnProtect(
encryptedData,entropyBytes,DataProtectionScope.CurrentUser);

//print the decrypted bytes which should be the same as myData
////////////////////////////////////////////////

Console.ReadLine();

}

Accessing LDAP from ASP.NET

2005-09-10T05:33:00.000-07:00

This article will not only guide you how to access LDAP from asp.net application but it will also try to shed light on some of the issues you will face while accessing LDAP from web application. We have to take care of some security issues while accessing LDAP from asp.net. For winform application it’s not problematic but in web application we have to take into account impersonation also. My class contain two member variable

private string _path;
private string _filterAttribute

Construtor of this will form path string which will be passed to while making DirectoryEntry object. Below is the code of constructor

public LdapAuthentication(string domain)
{
_path = "GC://";
string[] aSubdomain = domain.Split('.');
foreach (string strDomain in aSubdomain)
{
_path += "DC=" + strDomain + ",";
}
_path = _path.Substring(0, _path.Length-1);
}
This will produce path of following format
_path = "LDAP://DC=HO,DC=ABC-COMPANY,DC=COM"
Now the gist of whole class is IsAuthenticated method which is
///

/// Check if the provided information is authenticated or not
///

/// Domain
/// user name to be verified
/// password corresponding to the user name
/// true in case of authentication else false
public bool IsAuthenticated(string domain, string username, string pwd)
{
string domainAndUsername = domain + @"\" + username;
DirectoryEntry entry = new DirectoryEntry( _path, domainAndUsername, pwd);
// Bind to the native AdsObject to force authentication.
Object obj = entry.NativeObject;
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + username + ")";
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
if(null == result)
{
return false;
}
else
{
// Update the new path to the user in the directory
_path = result.Path;
_filterAttribute = (string)result.Properties["cn"][0];
return true;
}
}

Previously I was using same function but then I came across some article which pointed out that FindOne method has memory leak under certain condition for example, it will produce memory leak if it wont find any result, therefore I would recommend you to replace findOne with findAll which is not buggy. Now the method will be like
SearchResult result = null; using (SearchResultCollection src = search.FindAll()){ if (src.Count > 0) result = src[0];}
if (result != null){ // Update the new path to the user in the directory
_path = result.Path;
_filterAttribute = (string)result.Properties["cn"][0];
return true;
}
else
{
return false;
}

This method will update the path string in case of success of authentication. Now the string will be like
_path = "GC://CN=SAJWANI Rameez,OU=Users,OU=DUBAI,DC=ho,DC=cma-cgm,DC=com"
We will also store cn property from LDAP which will be helpful in retrieving other information. Like email , last name etc.
To find out FirstName we will use following method

public string GetFirstName()
{
DirectoryEntry entry = new DirectoryEntry( _path);
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(cn=" + _filterAttribute + ")";
search.PropertiesToLoad.Add("givenName");
try
{
SearchResult result = null; using (SearchResultCollection src = search.FindAll()){ if (src.Count > 0) result = src[0];}
if (result != null){ // Update the new path to the user in the directory
return result.Properties["givenName"][0].ToString();
}
}
catch
{
return "";
}
}

Similarly to get email address we will use following:
return result.Properties["mail"][0].ToString();
In this way we can load any property we want. Now the real thing come to run this code under asp.net. One thing to remember is that we are connecting to LDAP by providing username and password we can also connect under the security context of the ASP.NET Web user.
Before addressing the security issue we wil first look at how LDAP actually works.

The Active Directory (AD) relies on the security mechanism of the Windows 2000 server. To access most information in the AD, you must provide credentials to the Windows 2000 server when requesting the AD information. The credentials you provide must be in a primary token, which just means that the IIS server has a password (not just a hash of the password) to pass to the AD.

Double-Hop Issue
The double-hop issue is when the ASPX page tries to use resources that are located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to the AD. The AD requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to the AD. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to the AD. The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to the AD, IIS is passing a hashed password. The AD cannot verify the password and, instead, authenticates by using the NTAUTHORITY\ANONYMOUS LOGON. On the other hand, if your browser client is authenticated to the IIS ASPX page by using Basic authentication, the IIS server has the client password and can make a primary token to pass to the AD. The AD can verify the password and does authenticate as the domain user.
How to acquire Primary Token
If the IIS server has a primary token to pass on, the IIS server can pass a primary token to the AD on behalf of the client requesting the ASPX page. To acquire a primary token by using ASPX, use one of the following methods.

Method A
When the Web.config file is set to identity impersonate="true"/ and authentication mode="Windows", use the Anonymous account with the following settings:
On the ASPX page, set the security mechanism to Anonymous only.
Clear the Allow IIS to control the password check box.
Set the Anonymous account to be a domain user.

Method B
When Web.config and Machine.config are set as follows:
When Web.config is set to identity impersonate="false"/ and authentication mode="Windows"
When Machine.config is set to processModel username=Domain\username,password=secret
If identity impersonate="false"/ in the Web.config file, the credentials of the Base process are used. When you supply a domain user and password, you make it possible for IIS to pass a primary token to the AD.

ASP.NET Base Account
By default, all ASP.NET applications run under the base process account, MACHINENAME\ASPNET. This is a local account that does not have access to objects in Active Directory. To access Active Directory by using the credentials that are passed to IIS, you must modify your Web.config file to contain the parameters identity impersonate="true" and authentication mode="Windows". The presence of these two parameters causes ASP.NET to run the code under the credentials that are passed to it by IIS.
I case of my scenario I was using Form Base Authentication. All the user of my application are my intranet so for every request I was putting the principle object of that user in context. By using following line.

// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, null);
// Attach the new principal object to the current HttpContext object
Context.User = principal;

Some time LDAP connection works from local host but i wont if i will be access from remot machine in that case make sure that integrated login is working.

Note : In order to make sure the Integrated Login works with AD you need to two specials things Number
1: Go the domain controller of your webserver. Go to the Computers Container and Find your webserver. Go in properties and check the allow delegation option. You may have to restart the computer.
- Numebr 2 Make sure the IntegratedLogin is enabled on the InternetExplorer. You will find this option in the Tools --> Internet Options --> Advanced option

Reference.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329986
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp

XML documentation in Visual Basic.NET applications

2005-09-03T22:08:00.000-07:00

By default VB.Net in VS.net is missing support for automated generation of the documentation from with in the source, Like Recommended Tags for Documentation Comments.
Here 'VBCommenter' PowerToy from the Got Dot Net Web site can help us. With VBCommenter plug-in, they can create XML documentation as they are writing code.
To use this facility, it's first necessary to install VBCommenter. The download is a ZIP file that includes a standard Setup.exe file with an accompanying .msi file; it's trivial to unpack and install and should take no more than two minutes. Configure VBCommenter settings from the Tools VBCommenter Options menu. Here, make sure the checkboxes for both "Create .xml files when projects are built" and "Insert XML comments in source" are checked.
Once the plug-in is running and configured, simply key three apostrophes into the Start Page for any class definition, property, member variable, or method.

Because documenting as you go is the best way to make sure all the nuances of the code are captured, this technique (and the VBCommenter tool) are highly recommended for those seeking an easy way to add structured documentation to their work.

For a bit advance work, VBCommenter can be customized as described here : Customizing The VBCommenter Power Toy

MSDN TV Episode talks about "Data Access in ASP.NET 2.0"

2005-09-03T04:24:00.000-07:00

MSDN TV: Data Access in ASP.NET 2.0:

Data Access in ASP.NET 2.0

Bradley Millington shows how to build a data-driven Web site in ASP.NET 2.0 and Visual Studio 2005.
Learn how to build a database from scratch using Visual Studio built-in support for SQL Server 2005 Express,
then retrieve and render the database contents using the new data controls in ASP.NET.

--------------------------------------------------------------------------------
Hammad Rajjoub,
MVP (Windows Server System - XML Web Services),
User Group Leader - Dot Net Wizards (http://dotnetwizards.blogspot.com),
Chariman UG Relations Committee (http://www.inetapakistan.org),
Member Speakers Bureau (http://mea.ineta.org)

Web Services and other distributed technologies: Developing Distributed Services Today

2005-08-31T06:30:00.000-07:00

Web Services and other distributed technologies: Developing Distributed Services Today

This paper provides guidance on how to best use Microsoft Web service and distributed systems technologies in order to build distributed, service-oriented systems using today's platform. The impact of future technologies such as 'Indigo' is considered, and how Microsoft products such as BizTalk Server, SQL Server Notification Services, and Host Integration Server are positioned in this space

Script Callbacks in ASP.NET

2005-08-27T03:25:00.000-07:00

One of the many feature of ASP.NET 2.0 is that it allow us to call to server event from client side with out letting the page to post back and refresh. This mechanism is implemented through callbacks. This feature become very handy when you have very rich UI where refresh and post back become very hectic. For example when we have tree view control on page and we donot want our rich UI page to be post back on every expand or collaps in that scenario one option can be to implement ASP.NET Scripts callbacks. In this way request will be send asynchronously to the server and client will continue to work.

Many implementation has been given for out-of-band patterns i-e calling function from client side to server without letting the whole page to refresh. Few years ago microsoft realeased a interesting technology callled Remote Scripting. It uses some client side scipt to trigger a java language applet which in turns open the sockets to the destination URL. the remote URL must be a classic ASP page that include a call to server side layer of Remote scripting and exposes an object with a given name - public_description. The return value of call must be a string.

Another implementation of out-of-bond pattern is webservice , We know that we can call websevice through java script also. For this we have to use webservice.htc. But this behaviour is limit to only Internet Explorer 5.0 and higher version. In this case we use XmlHttp instead of java applet. Now MS tried to solve this problem in ASP.net 2.0. One good thing of this is, its fully integrated with framework. In ASP.NET 2.0 the scripting model of the page object is enriched with callback abilities that provide ASP.NET specific implementation of a kind of remote scripting.

What ever the implementation is, the pattern of out of bond is same. Which is ,new http channel for sending and getting the response is setup in parallel. the new request should be invisible to the user to avoid any interference with the displayed page. Finally the response you get from this invisible request must be merged with the current page through dynamic changes to the document object model (DOM) of the page.

To use Asp.net 2.0 script callbacks, you define a trigger element in the page (not a submit button) and bind it to some javascript code. this code will retrieve input data from the current page input fields and prepare a call to a system-provided script function name WebForm_DoCallback in Beta1. This function is expected (in the final release) to open the HTTP connection to the specific remote ASP.NET page. The ASP.NET runtime detects a callback invocation and executes a particular method on the page. The return value of the server-side method is passed back to the client as the response to the previous request. On the client, the response gets passed to a user-defined javascript callback function that can then update the user interface via DHTML. The bottom line is that a round-trip still occures, but the page is not fully refreshed. More importantly, the user can continue working with the controls in the page while the parallel request is served.

Let us now look a small implementation of it.The remote invocation begins by calling a javascript function WebForm_DoCallback , it is built in function. To call a javascript function It is essentail that clickable element not be a submit button. Therefore we cannot render it using asp:button tag because such a server control outputs the submit markup. Therefore we will use normal html button tag.
AS expected the ASP.NET runtime takes care of the request and begin processing it. By looking at the request header, body and viewstate fields it will determine the postback mode. If its figure out that page is being invodked on an out-of-band call , it will set IsCallback property to ture. Next it will figure out the callback mode by looking the _CALLBACK entry in request collection . If such entry exists then runtime conclude that callback invocation is being made. Now runtime checks if the page implements ICallbackEventHandler interface , it invokes the RaiseCallbackEvent method on the interface and prepares the response from the result of the call. A page that implements this interface have following directive
<%@ Implements Interface="System.Web.UI.ICallbackEventHandler" %>
to add function to html button we will add runat server tag to it so that it will be available in code behind.

The remote invocation begins when a call is made to a built-in JavaScript function named WebForm_DoCallback. You don't necessarily need to know the name and signature of this function, as you can get it from a new member of the Page class—the etCallbackEventReference method. So in code behind we will add following

string js = GetCallbackEventReference(this, "document.all['cboEmployees'].value", "UpdateEmployeeViewHandler", "null", "null");btn.Attributes["onclick"] = String.Format("javascript:{0}", js);

actual declaration of docallback is
function WebForm_DoCallback( eventTarget, eventArgument, eventCallback, context, errorCallback) { •••}

In RaiseEventHandler we will write all the code whatever to return to the client. for example

public virtual string RaiseCallbackEvent (string eventArgument)
{ // Get more info about the specified employee
int empID = Convert.ToInt32 (eventArgument);
EmployeesManager empMan = new EmployeesManager();
EmployeeInfo emp = empMan.GetEmployeeDetails (empID);
string[] buf = new string[6];
buf[0] = emp.ID.ToString ();
buf[1] = emp.FirstName;
buf[2] = emp.LastName;
buf[3] = emp.Title;
buf[4] = emp.Country;
buf[5] = emp.Notes;
return String.Join(",", buf);
}

and in javascript function we will take all back the data and update the UI Component as needed. the return value contain string. This string can actually contain everything you want and need, including XML data or Base64 data, comma-separated values, dates, numbers, and so forth.You can use callbacks to update individual elements of a page , such as a chart or a panel, provide different views of the same data, download additional information on demand, or auto-fill one or more fields, In particular, the ASP.NET2.0 TreeView control uses script callback extensively to implement its expand/collapse features and GridView control uses callbacks to page and sort without explicit postback.

DataAccess layer with Dataset

2005-08-22T22:33:00.000-07:00

There have been few approaches that we used to follow while developing the Data Access Layer

1) Create Entity Classes and directly call Database Code to access the data
2) Introduce a DB independent data access Layer which in turn call respective Database Code to access the data. This also involves creating command and parameters, connections on higher level.

But the common thing is that there isnt much abstraction in between business and the data acces layer and we have to write too much lines of code for the CRUD operations. Also everytime we make a new application there is some dependencies created.

I personally believe in this approach which i am mentioning below. I am just presenting the idea for which implementation is upon the followers.

More Exhaustive Use of dataset

First thing an application should follow is to use Dataset as a medium of data transfer. Every layer should have supportive methods to get/set the data in Dataset form. This doesnt mean that we should not make Business Layer entities and abstracted methods. The only thing is to keep this approach in parallel to your normal archtectural design.

For each entity you should have a DataTable mapped to database table and for each conceptual module you should have a DataSet (my recommendation is to use a Typed Dataset). So we have a Dataset which contain several tables of the related module.

How To make things Simple and Generic

Now the DataAcces Layer must solely should work on Dataset. As we know that Dataset is the projection of a relational database, so it contains all those elements required for a Database operation.

Question is how it simplifies things?
Let us assume that each entity have to be saved in database and we have a datatable for each entity. Now what the only thing a programmer has to do is to check the rowstate of every row (Added,Modifed,Deleted) and do the appropiate operation on it. This will involve traversing all the DataTables in the DataSet and all the rows in the DataTable. This will also help to apply transactions more easily as the whole operation is done from a single entry point i.e save method.

e.g We have a order module. Order has a Dataset which contain order detail and its product. Assume we want to save the Order to database. Now your save function will take a dataset input which will contain all the details of the order. It will traverse each tables (OrderDetail,OrderProduct) and each row of these tables. For each row we will check the status of the row.
If it is Added, we will call insert procedure for the entity
If it is Updated, we will call update procedure for the entity
same as for delete.

If you understand me correctly what this mean is that our Data Access Layer will only contain one save method for the whole application. As this save method is enough capable for doing all the saving operations to the database.

Now questioning its Genericity, this approach is using Dataset as it main data transfer medium and dataset is a part of .Net framework. Dataset itself contain enough information to cater all types of database operations. So, it is clear enough to use this Data Access Layer in any of your application provided application should be based upon Dataset.

The amount of code will be reduced to only one function for each operation which will make it simple and highly manageable.

hello world

2005-08-22T05:23:00.000-07:00

why DotnetDubai then?

Encryption

2005-08-22T00:27:00.000-07:00

Employ the RSA encryption tools in .NET to protect your important data. RSA is a solution to digital privacy; just run your data through the cryptoservice and nobody can break the code. You can functionally guarantee that data is safe from prying eyes (unless someone gets hold of the private key). This article explains the uses of RSA and demonstrates exactly how to employ it in your VB.NET applications.

http://www.devx.com/security/Article/17455

Security Practices: ASP.NET 2.0 Security Practices at a Glance

2005-08-21T23:56:00.000-07:00

This module presents a set of consolidated practices designed to address ASP.NET version 2.0 security issues. The answers and recommendations presented in this module are tight distillations designed to supplement the companion modules and additional guidance. The practices are organized by various categories that represent those areas where mistakes are most often made. This module includes an index of practices

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGPractices0001.asp

101 Samples to Learn 2.0

2005-08-21T23:54:00.000-07:00

101 Samples, in both Visual Basic and C#, featuring many of the new features available with Visual Studio 2005 and the .NET Framework 2.0

http://lab.msdn.microsoft.com/vs2005/downloads/101samples/default.aspx

Welcome

2005-08-21T23:21:00.000-07:00

Welcome To DotNetDubai!

This blog is intended for all .Net developers to share, help , guide and learn the techonology.