Professional ASP.NET 2.0 security, membership, and role management
Professional ASP.NET 2.0 Security, Membership, and Role Management
Stefan Schackow
01_596985 ffirs.qxp 12/14/05 7:45 PM Page i
Professional ASP.NET 2.0 Security, Membership, and Role Management
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2006 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN-13: 978-0-7645-9698-8
ISBN-10: 0-7645-9698-5
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1MA/QV/QR/QW/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests
to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc.,
10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO
REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF
THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY
MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND
STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS
SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING
LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS
REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT.
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A
CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT
THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR
WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE
AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services please contact our Customer Care Department
within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Programmer to Programmer, and related trade
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United
States and other countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic books.
Credits
Senior Acquisitions Editor
Jim Minatel
Development Editor
Sydney Jones
Technical Editors
Jeffrey Palermo
Scott Spradin
Production Editor
Pamela Hanley
Copy Editor
Foxxe Editorial Services
Editorial Manager
Mary Beth Wakefield
Vice President & Executive Group Publisher
Richard Swadley
Vice President and Publisher
Joseph B. Wikert
Graphics and Production Specialists
Denny Hager
Alicia B. South
Quality Control Technicians
Amanda Briggs
John Greenough
Joe Niesen
Proofreading and Indexing
TECHBOOKS Production Services
To the ASP.NET group that gave me the opportunity to work
on a great product with a great team!
About the Author
Stefan Schackow currently works as a program manager at Microsoft on the ASP.NET product team.
He has worked extensively with the new application services delivered in ASP.NET 2.0, including
Membership and Role Manager. Currently he is working on future directions for extending these features via Web Services and the Windows Communication Foundation. Prior to joining the ASP.NET
product team, he worked in Microsoft’s consulting services designing web and database applications
for various enterprise clients.
Acknowledgments
I started out writing this book with the intent of setting down in words a brain dump of some of the
more esoteric areas of features I either “own” or work on in conjunction with other folks. However, as
the book took shape I found myself diving into areas that were important from a security perspective
but that dealt with aspects of features that very few people really understood (myself included). I would
like to thank the following folks for answering my sometimes off-the-wall security questions: Pat, Shai,
Erik, Mike, Simon, Adam, Manu, Helen, Mark, Laura, Dmitry, Ting, DaveM, Sudheer, Richa, Smitha, and
DavidE. Now that it’s all written down I promise to stop pestering you, maybe....
I would also like to thank Jim Minatel for walking up to me at a DevConnections conference in 2004 and
broaching the idea of writing a security book. Without his suggestion and support this project never
would have occurred!
Contents
Acknowledgments ix
Introduction xix
Who Is This Book For? xix
What Does This Book Cover? xix
What You Need to Run the Examples xxi
Conventions xxii
Customer Support xxiii
How to Download the Sample Code for the Book xxiii
Errata xxiii
Email Support xxiii
p2p.wrox.com xxiv
Chapter 1: Initial Phases of a Web Request 1
IIS Request Handling 2
Http.sys 3
aspnet_filter.dll 5
Processing Headers 6
Blocking Restricted Directories 8
Dynamic versus Static Content 9
MIME Type Mappings 9
ISAPI Extension Mappings 10
Wildcard Application Mappings 13
aspnet_isapi.dll 14
Starting Up an Application Domain 15
First Request Initialization 23
Summary 28
Chapter 2: Security Processing for Each Request 31
IIS Per-Request Security 32
ASP.NET Per-Request Security 33
Where Is the Security Identity for a Request? 34
Establishing the Operating System Thread Identity 38
The ASP.NET Processing Pipeline 41
Thread Identity and Asynchronous Pipeline Events 43
AuthenticateRequest 48
DefaultAuthentication and Thread.CurrentPrincipal 54
PostAuthenticateRequest 57
AuthorizeRequest 58
PostAuthorizeRequest through PreRequestHandlerExecute 65
Blocking Requests during Handler Execution 66
Identity during Asynchronous Page Execution 69
EndRequest 74
Summary 75
Chapter 3: A Matter of Trust 77
What Is an ASP.NET Trust Level? 78
Configuring Trust Levels 80
Anatomy of a Trust Level 83
A Second Look at a Trust Level in Action 91
Creating a Custom Trust Level 96
Additional Trust Level Customizations 99
The Default Security Permissions Defined by ASP.NET 105
Advanced Topics on Partial Trust 118
Summary 141
Chapter 4: Configuration System Security 143
Using the <location /> Element 143
The Path Attribute 145
The AllowOverride Attribute 146
Using the lock Attributes 146
Locking Attributes 147
Locking Elements 149
Locking Provider Definitions 151
Reading and Writing Configuration 153
Permissions Required for Reading Local Configuration 155
Permissions Required for Writing Local Configuration 157
Permissions Required for Remote Editing 159
Using Configuration in Partial Trust 161
The requirePermission Attribute 163
Demanding Permissions from a Configuration Class 165
FileIOPermission and the Design-Time API 166
Protected Configuration 166
What Can’t You Protect? 168
Selecting a Protected Configuration Provider 169
Defining Protected Configuration Providers 172
DpapiProtectedConfigurationProvider 172
RsaProtectedConfigurationProvider 175
Aspnet_regiis Options 181
Using Protected Configuration Providers in Partial Trust 182
Redirecting Configuration with a Custom Provider 184
Summary 190
Chapter 5: Forms Authentication 191
Quick Recap on Forms Authentication 192
Understanding Persistent Tickets 192
How Forms Authentication Enforces Expiration 194
Securing the Ticket on the Wire 198
How Secure Are Signed Tickets? 198
New Encryption Options in ASP.NET 2.0 201
Setting Cookie-Specific Security Options 204
requireSSL 204
HttpOnly Cookies 206
slidingExpiration 208
Using Cookieless Forms Authentication 208
Cookieless Options 210
Replay Attacks with Cookieless Tickets 215
The Cookieless Ticket and Other URLs in Pages 216
Payload Size with Cookieless Tickets 218
Unexpected Redirect Behavior 221
Sharing Tickets between 1.1 and 2.0 222
Leveraging the UserData Property 224
Passing Tickets across Applications 226
Cookie Domain 226
Cross-Application Sharing of Ticket 227
Enforcing Single Logons and Logouts 247
Enforcing a Single Logon 248
Enforcing a Logout 255
Summary 257
Chapter 6: Integrating ASP.NET Security with Classic ASP 259
IIS5 ISAPI Extension Behavior 260
IIS6 Wildcard Mappings 261
Configuring a Wildcard Mapping 261
The Verify That File Exists Setting 268
DefaultHttpHandler 268
Using the DefaultHttpHandler 270
Authenticating Classic ASP with ASP.NET 272