October 2, 2002 - IBuySpy's Authorization and Authentication | WebReference

Yehuda Shiran October 2, 2002
IBuySpy's Authorization and Authentication
Tips: October 2002

Yehuda Shiran, Ph.D.
Doc JavaScript

The file Web.config is used for setting parameters that you don't want to hard-code in your JScript .NET code. You want to keep your code as flexible as possible, and set frequently-changed values outside of it. In this way, you can change the behavior of the application without recompiling your code. You can deploy your code to your target machine and leave some options open for change at the last minute, just by editing a single file, Web.config.

Web.config is an XML file. The outer tag is <configuration>. Several tags can go inside the <configuration> element. IBuySpy Store uses <appSettings>, <authentication>, <customErrors>, <sessionState>, and <authorization>. The <appSettings> element defines keys for the application. You can define arbitrary keys, read them from your JScript .NET code, and set their values in Web.config. IBuySpy Store uses the ConnectionString key, and this is how its value is set:

  <appSettings>
     <add key="ConnectionString" 
          value="server=HAW2L1800\NetSDK;Trusted_Connection=true;database=StoreDOCJS" />
  </appSettings>
The <authentication> tag defines the ASP.NET page that is used for authentication. ASP.NET redirects the user to this page whenever he or she tries to load a page that requires authorization. Below, we show you how to specify a page that needs authorization. This is how you define the page that the user is sent to for authentication, login.aspx:

  <authentication mode="Forms">
     <forms name="IBuySpyStoreAuth" loginUrl="login.aspx" protection="All" path="/" />
  </authentication>
The <customErrors> tag specifies the page that is shown whenever there is an error in your code and apologizes to the user, ErrorPage.aspx. With mode="RemoteOnly", remote users are sent to this page, while requests made from the server itself still see the detailed error:

  <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
We also want to turn off session state, so users will always get in through the main page when they come into the store:

  <sessionState mode="Off" />
The last three elements, <authentication>, <customErrors>, and <sessionState>, all relate to the whole Web site, and therefore go inside the <system.web> tag:

  <system.web>
    <authentication mode="Forms">
      <forms name="IBuySpyStoreAuth" loginUrl="login.aspx" protection="All" path="/" />
    </authentication>
    <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
    <sessionState mode="Off" />
  </system.web>
When you want certain pages to be accessible to authorized users only, you use the <authorization> tag within the <system.web> tag within the <location> tag. The following code snippet denies unauthenticated users access to the Checkout.aspx ASP.NET page (the "?" in users="?" stands for anonymous users):

  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
IBuySpy Store requires authorization before loading Checkout.aspx, OrderList.aspx, and OrderDetails.aspx. Here is the full Web.config file:

  <?xml version="1.0" encoding="utf-8" ?>
  <configuration>
    <!-- application specific settings -->
    <appSettings>
      <add key="ConnectionString" 
         value="server=HAW2L1800\NetSDK;Trusted_Connection=true;database=StoreDOCJS" />
    </appSettings>
    <!-- forms based authentication -->
    <system.web>
      <!-- enable Forms authentication -->
      <authentication mode="Forms">
        <forms name="IBuySpyStoreAuth" loginUrl="login.aspx" protection="All" path="/" />
      </authentication>
      <!-- enable custom errors for the application -->
      <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
      <!-- disable session state for application -->
      <sessionState mode="Off" />
    </system.web>
    <!-- set secure paths -->
    <location path="Checkout.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="OrderList.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="OrderDetails.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
  </configuration>
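Because ASP.NET evaluates <authorization> rules in document order, a <deny users="?" /> only protects a page if no earlier <allow> rule matches anonymous users, and a page with no <location> entry at all is left open. The following script, an added example that is not part of the IBuySpy sample, parses a Web.config and reports which of the pages named above still admit anonymous users; the embedded configuration is a constructed variant of the file shown here.

```python
# Added example (not IBuySpy or WebReference code): audit a Web.config and list
# which pages still let anonymous users in.
import xml.etree.ElementTree as ET

# Constructed sample: like the IBuySpy Web.config above, but OrderList.aspx puts an
# <allow users="*" /> rule before the deny, and OrderDetails.aspx has no <location>.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="IBuySpyStoreAuth" loginUrl="login.aspx" protection="All" path="/" />
    </authentication>
  </system.web>
  <location path="Checkout.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="OrderList.aspx">
    <system.web><authorization><allow users="*" /><deny users="?" /></authorization></system.web>
  </location>
</configuration>"""

# Pages that the article says must require a login.
PROTECTED_PAGES = ["Checkout.aspx", "OrderList.aspx", "OrderDetails.aspx"]


def anonymous_allowed(authorization):
    """Evaluate <authorization> rules for an anonymous user the way ASP.NET does:
    rules are checked in document order and the first matching rule wins.
    "?" matches anonymous users and "*" matches everyone; no match means allow."""
    if authorization is None:
        return True
    for rule in authorization:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag in ("allow", "deny") and users & {"?", "*"}:
            return rule.tag == "allow"
    return True


def pages_open_to_anonymous(config_xml, pages):
    """Return the sorted subset of `pages` that the config does not close to anonymous users."""
    root = ET.fromstring(config_xml)
    rules = {}
    for loc in root.findall("location"):
        web = loc.find("system.web")
        rules[loc.get("path")] = web.find("authorization") if web is not None else None
    return sorted(p for p in pages if anonymous_allowed(rules.get(p)))


if __name__ == "__main__":
    print(pages_open_to_anonymous(SAMPLE_WEB_CONFIG, PROTECTED_PAGES))
```

Run against the sample, it reports OrderDetails.aspx (no rule at all) and OrderList.aspx (allow-all rule evaluated first), while Checkout.aspx is correctly closed.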