Welcome back! This post is all about how to configure and extend a web application, it contains quite a few sub topics such as, working with users, debugging an application and HTTP handlers. Firstly I’m going to be talking about working with users and profiles, so here goes!
The ASP.NET membership is a class that contains a wizard based configuration of user management capabilities, includes browser based management and uniquely identifies users who visit your website. It contains a set of ASP.NET controls that allow the user to;
- Log On
- Log Off
- Create a User
- Recover lost passwords
Using the Website Administration Tool which comes bundled with Visual Studio you can;
- Define and Manage Users
- Configure Roles
- Configure Security
I will now go on to talk about the different features within the membership class.
- You can create users using the user configuration under the Security Tab within WSAT.
- You firstly need to select one of the following authentication types;
- Windows Based Authentication
- Active Directory Based Authentication (Usually used when the website is being accessed from a local network.)
- Web Based Forms Authentication (Usually used when the website is being accessed for the internet.)
- Once you have set up the authentication type you can;
- Create Users
- Manage Users
- Define Roles
- Control Access
- When choosing web based forms security, ASP.NET automatically creates ASPNETDB.mdf database, which is stored in the App_Data folder. It will also update the Web.Config to add an <authentication> element.
- Roles are groups within ASP.NET that contain users.
- Allows you to apply authorization at role level rather than at user level.
- Makes management easier.
- To Enable roles on WSAT you need to;
- Click on Security.
- Click the Enable Roles link, which edits the Web.Config adding <roleManager Enabled=”true” />.
- You can now use the Create or Manage Roles options.
- Using Roles does not enforce security, to do this you need to add code to query the IsUserInRole method or/and create role based access rules in WSAT.
- You can create access rule within the security tab on WSAT.
- These allow you to define folder level access, either on a per user or roles basis.
- To apply these to your site, you;
- Click the Security Tab.
- Click the Create Access Rules link, which takes you to the “Add New Access Rule Page”.
- You can then apply rules to roles, indvidual users, all users or anonymous users.
- WSAT will then add a Web.Config file to any folder which you apply access rules to.
The set of controls below allow you to track, manage and authenticate users without creating your own schema, they provide user interface elements and are configured to work with the ASPNETDB database.
- Gathers information from a new user.
- Can be used in conjunction with user profile features.
- ContinueDestinationPageUrl Setting - Is used to set the url of the page where users will go after completion.
- EditProfileText & EditProfileUrl Setting – Is used to set the text and url if you allow your user to edit their profile after completion.
- CreatedUser Event – This is used get information after the user has been created and if required add the user to a role using Roles.AddUserToRole event.
- Prompts the users for a username, password and whether to automatically authenticate next time they visit.
- Can be used without writing any code or you can write your own authentication method.
- To use a custom login page you need to add <form loginUrl=”login.aspx” /> to the Web.Config.
- Login.LoginError Event – Can be used to perform security auditing.
- Is used for displaying different information on the screen if the user is logged in.
- Is used to link to a login page if the user is not logged in or a log off link for those who are.
- Is used to display the current users username if they are logged in.
- Password Recovery
- Is used to enable password recovery, using either retrieval (sending an email) or reset (answering a security question).
- PasswordRecovery.UserLookupError & PasswordRecovery.AnswerLookupError Events – Can be used to log attempts for an administrator to check for excessive use.
- Is used to allow a user to change their password.
Forms Authentication Class…
This is a base class for all forms authentication, it includes the following read-only properties;
- FormCookieName – Returns the configured cookie name.
- FormCookiePath – Returns the configured cookie path.
- RequireSSL – Gets a value indicating whether the cookie must be transmitted using SSL.
- slidingExpiration – Gets a value indicating whether sliding expiration is enabled.
You can also call the following methods;
- Authenticate – Attempts to validate the provided credentials.
- Decrypt – Returns an instance of a FormsAuthenticationTicket class.
- Encrypt – Produces a string containing an encrypted authentication ticket.
- GetAuthCookie – Creates an authentication cookie for a specified username.
- GetRedirectUrl – Returns the URL of the original request.
- HashPasswordForStoringInConfigFile – Produces a hash password suitable for storing in config file.
- RedirectFromLoginPage – Redirects a user back to the original request URL.
- RenewTicketIfOld – Conditionally updates the sliding expiration.
- SetAuthCookie – Creates an authentication ticket and attaches it to a cookie.
- SignOut – Removes the authentication ticket.
The following methods within the membership class allow you to add, remove, and find users.
- CreateUser – Adds user to the database.
- DeleteUser – Removes a user from the database.
- FindUsersByEmail – Gets a collection of membership users with the specified e-mail address.
- FindUsersByName - Gets a collection of membership users with the specified usernames.
- GeneratePassword – Creates a random password of the specified length.
- GetAllUsers – Returns a collection of all users in the database.
- GetNumberOfUsersOnline – Returns the number of users currently logged in.
- GetUser – Returns a MembershipUser object representing the current logged on user.
- GetUserNameByEmail – Gets the username with a specified e-mail address.
- UpdateUser – Updates the database with information suppied.
- ValidateUser – Verifies that the supplied username and password are valid.
The following methods within the roles class allow you to create, add and modify roles.
- AddUserToRole, AddUserToRoles, AddUsersToRole, AddUsersToRoles – Adds a user or users to role or roles.
- CreateRole – Creates a new role.
- DeleteRole – Deletes an existing role.
- FindUsersInRole – Returns a collection of users in a role.
- GetAllRoles – Returns a collection of all roles.
- GetRolesForUser – Returns a collection of roles for the current user.
- IsUserInRole – Returns true is the user is a member of the specified role.
- RemoveUserFromRole, RemoveUserFromRoles, RemoveUsersFromRole, RemoveUsersFromRoles – Removes a user or users from a role or roles.
Restricting Access to Webpages, Files or Folders…
- By default the Machine.config file allows all users who pass the authentication method.
- To override this you need to change it in the website ASP.NET web.config file.
- You must allow those that should need access, then deny all others.
- If you use windows authentication then the roleManager must be disabled by removing it from the web.Config.
Authorization for Files and Folders Using config files…
- You should use authorization for restricting specific files and folders by adding a <location> section to your web.config file.
- When doing this you must use a relative path as absolute paths are not allowed.
- When multiple locations are used, they inherit from their parents.
- To restrict access to certain users you must explicitly use <deny users=”*”>.
Impersonation using config files…
- By default all requests for system resources are done using ASPNET account in IIS 5 or NETWORKSERVICE account in IIS 6, 7 and 7.5.
- This is defined in the machine.config under <processModel>.
- You can set the impersonation to either the clients authenticated windows account or the IIS account IUSER_MachineName.
Working With User Profiles…
- A profile is a set of properties that you define on a per user basis.
- They allow you to quickly create a means to define, store, retrieve and use user profile information.
- The following steps are involved when setting up a user profile;
- Configure a user profile provider – The default provider is Microsoft SQL Server.
- Define the user profile – Set up the fields in the web.config that you want to track.
- Uniquely identify users - You use a unique value to return a user profile.
- Set and save a user profile – Allow users to set their profile information.
- Recognize a returning visitor – Allows you to retrieve the user profile information as a strongly typed class.
- You store and retrieve user profiles in a database by using a provider class.
- ASP.NET provides a default, configured provider, which is the SQLProfileProviderClass.
- To configure a new profile provider you;
- Generate a database schema using ASPNET_regsql.exe this can either be run using the command line tool or a user interface. When using the command line tool there are many switches, some of which are below;
- -d – Sets the Database name.
- -S – Sets the server location.
- -U – Sets the username.
- -P – Sets the password.
- -A – Sets all the tables to be created, you can also you -A p or -A c to create either profile or personalization tables only.
Defining a User Profile…
- You define a user profile by determining the individual fields you want to track, such as FirstName and LastName.
- Each value is defined as a profile property and can be set as any type.
- You define properties within the Web.config file using the <profile> element.
Anonymous User Profiles…
- By default user profiles and properties are only for authenticated users.
- You can define the properties to allow anonymous users to set properties using “allowAnonymous” attribute within the properties.
- By default cookies are set to expire after 70 days.
Profile Property Groups…
- You can group profile properties into groups using the “GroupName” attribute within the web.config file.
- You then access them using Profile.Group.Property.
Custom Profile Property Types…
- You can create your own classes and use them as profile properties. To do this you mark the class as serializable.
- If your site doesn’t require or implement authentication then you need to explicitly enable user profiles using <anonymousIdentification=”true” />
- Users are identified when visiting your website using cookies or stored within URL.
Migrating Anonymous User Profiles…
- You can avoid losing an anonymous users settings when they register by responding to the “migrateAnonymous” event.
Setting and Saving User Profiles…
- You can save a user profile by setting the values of individual properties and then adding the Profile.Save method.
Recognizing a Returning Visitor…
- ASP.NET automatically loads a user profile based on identification, you can then add code to various methods to initialize form fields with information from the profile.
That’s user profiles dealt with, I am now going to be talking about creating and configuring HttpHandlers and HttpModules.
HttpHandlers and HttpModules…
Http Handlers and Http Modules allow you to write code to handle the actual HTTP request sent to the server. A Http Handler is an endpoint on the server that responds to requests for different resources. A Http Module is code that gets called for every request of response that is routed to your application.
- When a user requests an ASPX page from IIS, the ASP.NET page handler is executed. When an ASMX file is accessed, the ASP.NET service handler is called.
- You create a synchronous HTTP handler by implementing the IHttpHandler interface. This interface requires you to use the IsReusable property, to indicate if the handler can be reused.
- The IHttpHandler interface requires you to implement the ProcessRequest method, which is called by ASP.NET when your handler executes.
- You have to register you handler with IIS by;
- Opening the IIS Manager.
- Expanding the nodes until you get to your site.
- Opening Handler Mappings.
- Clicking Add Managed Handler.
- Setting the Request Path – The file name or extension you want to map.
- Setting the Type – Choose the class name of the HTTP handler.
or by adding the following code within your web.config.
- IIS 6.0 – <system.Web> –> <httpHandlers>
- IIS 7.0 – <system.WebServer> –> <handlers>
- You can also create a page with a .ashx extension that points to your custom HTTP handler, and you will not have to register the handler.
Asynchronous Handlers and Pages…
- An asynchronous handler returns the request processing thread to ASP.NET and enables it to perform additional actions while the asynchronous task executes.
- You create an asynchronous handler by using an interface called IHttpAsyncHandler and override the IsReusable property and the BeginProcess method. You then write code inside the EndProcessRequest method to perform clean-up when the process is complete.
- When working with asynchronous handlers, you need to add the Async=”true” attribute to the @Page directive.
- Custom HTTP modules are executed every time a page is requested from the server or a respone is sent back to the requester.
- You create a HTTP Module by writing code that implements the IHttpModule interface. The code can be created as a separate assemble and shared across multiple web applications or within a class file.
- You then override the Init method and add the appropriate application events.
- You register a HTTP Module within the web.config file.
- IIS 6.0 & 7.0 (In Classic Mode) - <system.Web> –> <httpModules>
- IIS 7.0 (Integrated Mode) - <system.webServer> –> <Modules>
That’s custom handlers and module’s out of the way, let’s move onto web services.
- Web services give us the ability to implement interoperability between systems that would otherwise have no connectivity.
- ASP.NET provides a model for building and consuming XML web services.
- You can define a web service as an ASMX file and ASP.NET will wrap the code as a web service object.
- ASP.NET takes care of deserializing SOAP requests.
- Web services are exposed through URL’s.
- You add an ASMX file to your site for each web service you want to expose. An ASMX file contains the @WebService directive to tell ASP.NET that it is a web service.
- This represents a base class for creating XML web services.
- Provides access to ASP.NET objects such as Application and Session.
- You do not need to inherit from this class to create XML web services.
- This class is used to provide information about your web service. The information is used by client application that want to reference the web service.
- It can provide both namespace and a description of your web service, this is done through passing parameters to the attribute class.
- Description Parameter – Is text you write to identify the high-level intent of your web service.
- Namespace Parameter – Sets the namespace of your web service, and should be the domain name where your web service is hosted.
- Your web service will expose web method and each of these methods provide some sort of functionality. You class identifies these methods through the use of the WebMethod attribute.
- If you do not set any parameters then it will be identified as a web service method. The WebMethod attribute class has several constructors that can be used for various groups of parameter values, including the following;
- enableSessionState – Used to indicate whether session state is enabled.
- transactionOption – Used to indicate whether your web method supports transactions.
- cacheDuration – Used to define the number of seconds for which the response should be cached.
- bufferResponse – Used to indicate whether the web service response should be buffered back to the client.
- The data that is going to be returned must be serialized.
Consuming an ASP.NET Web Service…
- You can consume an ASP.NET web service in any application capable of making a HTTP call.
- A proxy objext is generated for you when you reference a web service.
- The proxy object takes care of serialization, SOAP messaging and the related processes.
- The web service can be published on a server or can be another project in your solution.
Calling a Web Service…
- You call a web service through the generated proxy class.
- You can also bind to the web service call using object data binding.
- As mentioned in an earlier post you can use AJAX to call a web service, to do this you need to mark the web service class with “ScriptServiceAttribute”.
- The web service must be in the same domain as you website.
- You add a <services> –> <asp:ScriptReference> within a script tag on your client web page.
- You also need to create a callback function to display the results of the web service call.
Authentication and XML Web Services…
- You can use either the standard authentication features or the Web Services Enhancements (WSE) 3.0 to build secure XML web services.
- To pass basic authentication credentials from your web server to a web service you first need to create a NetworkCredentials class. You can then create a CredentialCache object to which you add the NetworkCredentials instance.
- If you are using Windows Integrated Security you set the credentials property to System.Net.CredentialCache.
- WCF (Windows Communication Foundation) enables message based communication to and from end points.
- You write your service then attach, or configure, the endpoints. A service can have one or more endpoints attached to it. This location contains an address, a binding and a contract.
- Address – The endpoint’s address is the URI, that defines the location of the service. Each endpoint must have it’s own unique address.
- Binding – This defines how the service communicates, via protocols such as HTTP, TCP, TCP, MSMQ etc.
- Contract – This represents the public definition, or interface of the service. It defines things such as the namespace of the service and how messages should be sent.
- Once your web service has been created, you must host it.
- A WCF application has multiple layers that work together, the core layers are;
- Contract – Defines the contract your service exposes to end clients including receiving results and managing errors.
- Runtime – Controls how your service is executed and how the message body is processed.
- Messaging – Represents the WCF channel stack in terms of transport and protocol.
- Hosting Layer – Defines the host, or executable file, that runs the service in process.
Creating a WCF Service with ASP.NET
- Define the service contract.
- ServiceContract – This is used to indicate that an interface is a WCF service.
- OperationContract – This is used to mark methods inside an interface as service operations.
- DataContract – This is used to mark types (classes, enumerations and structures) that you write as participating in WCF serialization.
- DataMember – This is used to mark individual fields and properties that you was to serialize.
- Implement (or write) the service contract.
- You start by defining the contract via the interface.
- You then define the methods of you interface, marking them with OperationContract.
- Configure a service endpoint or endpoints.
- Host the service in an application.
- Reference and call the service from a client application.
- After exporting your service methods, you can add a reference from a client to the service.
- The Add Service reference task generates the appropriate endpoint information automatically within the Web.Config file.
WCF Service Using AJAX (REST and JSON)
- A REST service is web service that you crate that response to HTTP GET requests.
- You can call a REST service the same way as a page, using a URL and query string.
- ASP.NET includes a template called the AJAX-Enabled WCF Service template.
- A WebInvoke method indicates that the method can be called by a HTTP request, you should use this method if you are sending data to the server to be written or if you do not want your request to be cached.
- If your service is to return data then you should mark it with the WebGet method.
- Using this method simplifies the creating of WCF services based on REST and JSON.
- You use the ScriptManager to set a service reference.
Creating WCF Data Services
- WCF Data Services allow you to expose and work with data by using the Open Data Protocol (OData).
- Data is exposed over REST based services.
- The standard set of steps for creating OData services are;
- Define a data model using an EDM.
- Create a Data Service using the WCF Data Service template.
- Add code to the data service to enable access to the EDM.
- Create a client application to access the exposed data service.
- Add a service reference to the client application.
- Write code to work with the exposed data.
That’s all on web service, now its on to Debugging and Deploying a Web application.
- You can debug an ASP.NET application by using the standard features of the Visual Studio debugger, such as breakpoints, watch windows, code-step through and error information.
- You first need to configure the ASP.NET debugger, within the project’s property page. You;
- Right click on the website in the Solution Explorer and then click the Property Pages.
- Select Start Options.
- Enable the ASP.NET debugger.
- By default websites created in Visual Studio have the debugger disabled.
- By enabling debugging within your site, you will hamper performance and will transmit error information to the web browser, posing as a security risk.
- You enable debugging for your entire site by editing the web.config file to include <compilation debug=”true”>. If you do not want to turn debugging on for the entire site, it can be activated at page level.
Custom Error Pages…
- You can configure custom error pages within your web site by using the <customErrors> element in the web.config. The two main settings are;
- mode – on, off, RemoteOnly
- defaultRedirect – The url of the custom error page.
- On redirection, the server passes the path of the page that called the error and will become part of the query string with a parameter called “aspxerrorpath”.
- You can also set a custom error based on the error code that you receive. Common error codes are;
- 400 – The request is not understood.
- 403 – The user does not have access.
- 404 – The file is not found.
- 405 – The request method is not supported.
- 406 – The requested MIME is not accepted.
- 408 – The request timed out.
- 500 – Internal Server Error.
- 503 – The server has reached maximum capacity.
- Remote debugging Monitor is used when a site is in a production environment.
- Within the Remote debugging Monitor you;
- Set the server name.
- Use the correct authentication (windows or none).
- Set the correct permissions.
- Attach the monitor to the server that is running the server.
Debugging Client Script…
- Visual Studio allows you to debug client script running in a browser.
- To debug client side code you need to enable script debugging support in the browser.
- Tracing is the porocess of emitting data about a running application.
- The data is logged to a trace log file that you can access through a web server.
- You enable tracing within the Web.config file, which can be done manually or through the WSAT. To enable in WSAT you;
- Open the WSAT.
- Click the Application tab.
- Click Configure Debugging and Tracing.
- Select the Capture Tracing Information check box.
- There are many options that you can configure with respect to tracing which are shown below;
- enabled - Turns on tracing.
- pageOutput – Sets whether to display tracing information directly on the page.
- localOnly – Sets whether tracing is for all requests or just local requests.
- traceMode – Enables sorting of trace information.
- requestLimit – Set the number of records to hold in the log.
- mostRecent – Sets whether to hold the most recent or the oldest trace results.
- Tracing can also be enabled at page level within the @Page directive.
- To view trace data you go to the trace.axd page on your website.
- When viewing the trace data the following sections are displayed;
- Request Details – Provides general details about the request.
- Trace Information – Displays performance information.
- Control Tree – Displays information about each control.
- Session State – Displays all session variables.
- Application State – Displays all application variables.
- Request Cookies Collection – Displays the list of cookies that are passed to the server.
- Response Cookies Collection – Displays the list of cookies that were part of the response.
- Headers Collection - Displays the list of HTTP headers that sent to the web server.
- Form Collection – Displays the list of values that are posted back to the server.
- QueryString Collection – Displays the list of values that are in the query string.
- Server Variables – Displays all server variables.
- You can use the trace class in the System.Diagnostics namespace to add your own trace messages. Use the Trace.Write method to add these.
- To debug AJAX application you must use the Sys.Debug class to write out trace messages.
- You can monitor the health of your application and can be notified of certain events. You do so using the features of the Health Monitoring Classes.
- You enable events based on what you want to monitor.
- The first step is to determine which events to listen for, these events are defined as classes.
- The key event classes are;
- WebBaseEvent - The base class for creating your own web events.
- WebManagementEvent – The base class for creating web events that contain application process information.
- WebHeartbeatEvent – Serves as a periodic event that raises information about your application at set intervals.
- WebRequestEvent – The base class that contains web request information.
- WebApplicationLifetimeEvent – Raised when a significant event occurs.
- WebBaseErrorEvent – The base class for creating error based events.
- WebErrorEvent – Used to provide information about an error when it occurs.
- WebRequestErrorEvent – Contains request data for request errors.
- WebAuditEvent – The base class for creating audit (security) events.
- WebSuccessAuditEvent – Raised when a successful security operation occurs.
- WebAuthenticationSuccessAuditEvent – Used to provide information when a successful user authentication occurs on the site.
- WebFailureAuditEvent – Raised when a failed security operation occurs.
- WebAuthenticationFailureAuditEvent – Used to provide information when a failed attempt at a user authentication occurs.
- WebViewStateFailureAuditEvent – Raised when the view state fails to load.
- After knowing which events to listen for you should then enable a listener.
- To configure health monitoring, you turn on web events and connect them to listeners in the web.config file by adding th <healthMonitoring> element.
- You can set the heartbeatInterval attribute to determine the number of seconds you should wait between raising the WebHeartbeatEvent events.
Deploying simple websites, simply means that you can overwrite the old files. If your website has a database, requires special web server configuration or needs different configuration setting in a release environment then you will need to use the Publish Web feature within Visual Studio.
- Web.Config transformations allow you to create separate Web.config files for different release types. You only need to specify settings that must be added, changed or removed from the base Web.Config files.
- By default Visual Studio adds Web.config transformations for the Debug and release configurations (Web.Debug.Config & Web.Release.Config).
- You can add an associated transformation by right-clicking Web.config in the solution explorer and then clicking the Add Config Transformations.
- You simply add a setting to the relevant Web.config file that should be included.
- To replace a setting you must specify the xdt:Transform=”Replace” property. Any settings with this property will replace the base Web.Config when the application is published.
- You can use the xdt:Locator property to selectively replace settings when a property matches a specified value.
- To remove a setting, you use the RemoveAttributes() method and specify the name of the attribute to remove as the parameter.
- Databases can be deployed along with your web application. To do this you;
- Right click the project in Solution Explorer.
- Click Package/Publish Settings.
- Click Package/Publish SQL
- Then you can import from the Web.Config file or Add the database manually. If the database does not exist on the server, you can “Pull Data And/Or Schema From An Existing Database”
- You can finally add your own SQL Scripts to perform additional, custom configuration.
- Once you have configured the publishing settings, you can then publish a web application, using the “Publish Web” dialog box. Using the Publish Web dialog box provides you with the following options;
- Publish Method - The communication protocol that you will use, such as, HTTP or FTP.
- Service URL - The remote server’s URL of the web service.
- Site/Application - The name of the IIS website, which can include a virtual directory.
- Mark As IIS Application On Destination - This is used if the website is the root of an IIS website or if the Virtual Directory should act as a separate application.
- Leave Extra Files On Destination - This deletes existing files in the web server directory.
- Credentials - This allows you to pass credentials to the server.
- If you do not want to deploy the website directly, it can be packaged along with database and settings, into a zip file. After configuring an application, you can use the “Build Deployment Package” feature within Visual Studio. The following options will then be available;
- <Application>.zip - This is your web applications files, database and settings.
- <Application>.deploy.cmd - The script that the IIS manager will run, the server must have Web Deploy (MSDeploy.exe) installed.
- <Application>.deploy-readme.txt - Contains instructions for installing.
- <Application>.SourceManifest.xml - Contains settings to be added to the IIS manifest.
- <Application>.SetParameters.xml - Contains IIS parameters to be added during installation.
- Also Visual Studio provides the option of using Web Setup Projects. Once these have been created, they are not automatically built when you build or run your website and must be manually selected to build.
- When using the Web Setup Project, there can be conditions that can be added using the Launch Conditions Editor and they are;
- Search Target Machine - This allows you to define the criteria, prior to installation. Typically you pair a search condition, that determines a launch condition. Search conditions include File, Registry and Windows Installer. The following search conditions are available;
- Launch Conditions - This allows you to create conditions that must be met before the installation will run. The following Launch Condition Properties are available;
- You can create pregrouped Search and Launch conditions set for common scenarios. All you have to do is adjust their properties according to your needs.
- You also have the option of installing keys into the registry or using custom pages for displaying license agreements and requesting input from the user.
- These projects also allow you to add your own custom actions, such as;
- Install - This phase performs the bulk of the work and is where all changes are made.
- Commit - Finalizes the changes made.
- Rollback - Runs only if setup is cancelled or fails.
- Uninstall - Removes all settings when selected within Add/Remove Programs.
- Once the project has been built there are two files which are created, “Setup.exe” and <WebProjectName>.msi.
- Finally there are many scenarios where you may need to copy a website between two servers, in these cases you can use the Copy Web Site tool. This tool can copy individual files or entire websites.
- When a website is loaded, generally it is compiled by the web server the first time it is loaded. Visual Studio provides you with the ability to precompile the website to stop this from happening.
I think that pretty much covers the topic that we started with. There are a lot of different options and switches when using some of the features of Visual Studio. I’ll now be moving on to “Displaying and Manipulating Data”.