Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB ppt

Professional

ASP.NET 3.5 Security, Membership, and

Role Management

with C# and VB

Enhance Your Knowledge

Advance Your Career

Professional ASP.NET 3.5 Security, Membership, and

Role Management

978-0-470-37930-1

As the first book to address ASP.NET 3.5, AJAX, and IIS 7.0 security from

the developer’s point of view, this book begins with a look at the new

features of IIS 7.0 and then goes on to focus on IIS 7.0 and ASP.NET 3.5

integration. You’ll walk through a detailed explanation of the request

life cycle for an ASP.NET application running on IIS 7.0 under the classic

mode, from the moment it enters IIS 7.0 until ASP.NET generates a corre￾sponding response.

Professional ASP.NET 3.5 MVC

978-0-470-38461-9

The ASP.NET 3.5 MVC Framework enables Microsoft developers to

create dynamic data-driven web sites. Packed with real-world examples,

this authoritative guide is written by the Microsoft team behind the

technology and uses a real-world sample application using MVC in order

to explain the tools and technologies that compliment MVC, such as

SubSonic, LINQ, jQuery, and REST.

Professional ASP.NET 3.5 AJAX

978-0-470-39217-1

The ASP.NET AJAX toolkit is an excellent way to immediately start using

AJAX features in applications in that it offers both excitement and enter￾prise appeal to developers. Professional ASP.NET 3.5 AJAX explains how

you can use these features to build amazing Web sites. Coverage of the

client library, the ScriptManager server control, ASP.NET AJAX applica￾tion services and networking, databases and Web services, testing and

debugging, and deploying applications demonstrates how the client and

server need to interact in order to produce a better Web application.

Professional ASP.NET 3.5

978-0-470-18757-9

Professional ASP.NET 3.5 helps the experienced programmer put the latest ASP.NET technologies into action. Greatly expanded

from the original best-selling Professional ASP.NET 2.0, Professional ASP.NET 3.5 covers all the key technologies retained from

2.0 in new depth alongside the hundreds of pages of coverage of the important new 3.5 features. Written by 3 of the most well￾known and influential ASP.NET developers, Professional ASP.NET 3.5 is the book you’ll learn the language from and turn to day

after day as you write Web applications. And as always, Professional ASP.NET 3.5 features language examples in the book and

in the code download in both C# and VB.

Beginning ASP.NET 3.5

978-0-470-18759-3

Imar Spaanjaar’s book for programmers new to ASP.NET 3.5 has been widely praised as a well-organized tome of information

written by a Web developer for Web developers. Throughout the book the author works through the steps of creating an actual,

fully-functional ASP.NET 3.5 Web site. Each chapter builds on skills learned in the previous sections of the book, allowing the

reader to gain confidence working with ASP.NET 3.5 as they progress through the book.

Get more out of

WROX.com

Programmer to Programmer™

Interact

Take an active role online by participating in

our P2P forums

Wrox Online Library

Hundreds of our books are available online

through Books24x7.com

Wrox Blox

Download short informational pieces and

code to keep you up to date and out of

trouble!

Chapters on Demand

Purchase individual book chapters in pdf

format

Join the Community

Sign up for our free monthly newsletter at

newsletter.wrox.com

Browse

Ready for more Wrox? We have books and

e-books available on .NET, SQL Server, Java,

XML, Visual Basic, C#/ C++, and much more!

Contact Us.

We always like to get feedback from our readers. Have a book idea?

Need community support? Let us know by e-mailing [email protected]

spine=1.872"

Professional ASP.NET 3.5 Security, Membership,

and Role Management with C# and VB

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

Chapter 1: Introducing IIS 7.0. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 2: IIS 7.0 and ASP.NET Integrated Mode. . . . . . . . . . . . . . . . . . . . . . 29

Chapter 3: HTTP Request Processing in IIS 7.0 Integrated Model. . . . . . . . . . 79

Chapter 4: A Matter of Trust. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Chapter 5: Configuration System Security. . . . . . . . . . . . . . . . . . . . . . . . . . 223

Chapter 6: Forms Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Chapter 7: Integrating ASP.NET Security with Classic ASP. . . . . . . . . . . . . . 373

Chapter 8: Session State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Chapter 9: Security for Pages and Compilation. . . . . . . . . . . . . . . . . . . . . . 449

Chapter 10: The Provider Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469

Chapter 11: Membership. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Chapter 12: SqlMembershipProvider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561

Chapter 13: ActiveDirectoryMembership Provider. . . . . . . . . . . . . . . . . . . . . 639

Chapter 14: Role Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691

Chapter 15: SqlRoleProvider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735

Chapter 16: AuthorizationStoreRoleProvider. . . . . . . . . . . . . . . . . . . . . . . . . 763

Chapter 17: Membership and Role Management in ASP.NET AJAX 3.5. . . . . . 791

Chapter 18: Best Practices for Securing ASP.NET Web Applications. . . . . . . 823

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879

79301ffirs.indd 1 10/7/08 12:39:21 PM

79301ffirs.indd 2 10/7/08 12:39:22 PM

Professional

ASP.NET 3.5 Security, Membership,

and Role Management with C# and VB

79301ffirs.indd 3 10/7/08 12:39:22 PM

79301ffirs.indd 4 10/7/08 12:39:22 PM

Professional

ASP.NET 3.5 Security, Membership,

and Role Management with C# and VB

Bilal Haidar

Stefan Schackow

79301ffirs.indd 5 10/7/08 12:39:22 PM

Professional ASP.NET 3.5 Security, Membership,

and Role Management with C# and VB

Published by

Wiley Publishing, Inc.

10475 Crosspoint Boulevard

Indianapolis, IN 46256

www.wiley.com

Copyright © 2009 by Wiley Publishing, Inc., Indianapolis, Indiana

Portions based on the previous work Professional ASP.NET 2.0 Security, Membership, and Role Management, by Stefan Schackow,

copyright © 2006 Stefan Schackow, published by Wiley Publishing, Inc.

Published simultaneously in Canada

ISBN: 978-0-470-37930-1

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Library of Congress Cataloging-in-Publication Data

Haidar, Bilal.

Professional ASP.NET 3.5 security, membership, and role management with C# and VB / Bilal Haidar,

Stefan Schackow.

p. cm.

Includes index.

ISBN 978-0-470-37930-1 (paper/website)

1. Active server pages. 2. Microsoft .NET. 3. Computer security. 4. Web site development.

I. Schackow, Stefan, 1970- II. Title.

QA76.9.A25H344 2008

005.8—dc22

2008036129

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, elec￾tronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976

United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of

the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax

(978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc.,

10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/

permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to

the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation

warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The

advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the

publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the

services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages

arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of

further information does not mean that the author or the publisher endorses the information the organization or Web site may

provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have

changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United

States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Wrox Programmer to Programmer, and related trade dress are trade￾marks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may

not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc.,

is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in elec￾tronic books.

79301ffirs.indd 6 10/7/08 12:39:22 PM

About the Author

Bilal Haidar has a BE in Computer Engineering and a BS in Computer Science with a minor in Math￾ematics from the Lebanese American University (LAU). He has authored several online articles for

www.aspalliance.com, www.code-magazine.com, and www.aspnetpro.com, and is one of the top post￾ers at the ASP.NET forums. Bilal has been a Microsoft MVP in ASP.NET since 2004, as well as a Microsoft

Certified Trainer, and currently works as a senior developer for Consolidated Contractors Company (CCC),

a multinational company whose headquarters are based in Athens, Greece (www.ccc.gr). Bilal runs his

own blog, where he shares his technical experience and can be reached at http://www.bhaidar.net.

About the Previous Author

Stefan Schackow is a Program Manager on the Web Platform and Tools Team at Microsoft. During

the Visual Studio 2005 cycle, he worked on the new application services stack in Visual Studio 2005

and owned the Membership, Role Manager, Profile, Personalization and Site Navigation features in

ASP.NET 2.0. He also worked on features for Microsoft’s ASP.NET hosting solution. Currently, Stefan

is working and speaking on Silverlight for Microsoft. He is a frequent speaker at Microsoft developer

conferences. Prior to joining the ASP.NET team, Stefan worked as an application development consul￾tant in Microsoft Consulting Services (MCS) with enterprise customers.

79301ffirs.indd 7 10/7/08 12:39:22 PM

79301ffirs.indd 8 10/7/08 12:39:22 PM

Credits

Acquisitions Director

Jim Minatel

Development Editors

John Sleeva

Gus Miklos

Technical Editor

Alexei Gorkov

Production Editor

Kathleen Wisor

Copy Editor

Christopher M. Jones

Editorial Manager

Mary Beth Wakefield

Production Manager

Tim Tate

Vice President and Executive Group Publisher

Richard Swadley

Vice President and Executive Publisher

Joseph B. Wikert

Project Coordinator, Cover

Lynsey Stanford

Compositor

James D. Kramer, Happenstance Type-O-Rama

Proofreader

Publication Services, Inc.

Indexer

Jack Lewis

79301ffirs.indd 9 10/7/08 12:39:22 PM

79301ffirs.indd 10 10/7/08 12:39:22 PM

Acknowledgments

The idea of working on this book started when Jim Minatel, Acquisitions Director at Wrox, emailed me

about updating the previous version of this book. Despite the fact that I have been publishing articles

for magazines and online websites for the past few years, I felt the experience of working on such a

book would be really interesting and unique. Only the days later proved me right and made me proud

that I accepted Jim’s offer.

I spent many hours researching new features and upgrades, writing down everything I learned so

that I could share it with you. Many people supported me and provided me with valuable information,

including Scott Guthrie, Billy Hoffman, Mike Volodarsky, Steve Scofield, and Anil Ruia. (I apologize if I

forgot anyone!)

I want to thank the Wiley publishing family, including Jim Minatel, John Sleeva, Gus Miklos, Carol

Kessel, Katie Wisor, and Ashley Zurcher, as well as technical editor Alexei Gorkov.

I cannot forget the support and flexibility that my company, CCC, represented by my managers and col￾leagues, showed me during all the stages of writing this book. Your support and understanding gave

me enough strength to carry on and finish this book.

Finally, a special thanks to my parents and brother and sister, who followed up with me from the begin￾ning of this work and were even more excited about this book than I myself was.

79301ffirs.indd 11 10/7/08 12:39:22 PM

79301ffirs.indd 12 10/7/08 12:39:22 PM

Contents

Introduction xxiii

Chapter 1: Introducing IIS 7.0 1

Overview of IIS 7.0 2

Modular Architecture 2

Deployment and Configuration Management 4

Improved Administration 6

ASP.NET Integration 9

Security Improvements 11

Troubleshooting Improvements 12

Application Pools 17

Integrated Mode 18

Classic Mode 18

IIS 7.0 Components 19

Protocol Listeners 19

World Wide Web Publishing Service 19

Windows Process Activation Service 20

IIS 7.0 Modules 22

Unmanaged Modules 22

Managed Modules 25

Summary 26

Chapter 2: IIS 7.0 and ASP.NET Integrated Mode 29

Advantages of IIS 7.0 and ASP.NET Integrated Mode 30

IIS 7.0 Integrated Mode Architecture 31

system.webServer Configuration Section Group 34

Migrating ASP.NET Applications to Integrated Mode 42

Extending IIS 7.0 with Managed Handlers and Modules 49

Summary 77

Chapter 3: HTTP Request Processing in IIS 7.0 Integrated Model 79

Built-in IUSR Account and IIS_IUSRS Group 80

79301ftoc.indd 13 10/6/08 12:09:54 PM