ASP.Net Authentication & Authorization Competency Building Asset

CONSULTANCY SERVICES LIMITED

Contents

1. Part A: Authentication & Authorization Requirements
   a. Functional Requirements
   b. Critical Quality Requirements
      1.2.1 Security (Criticality: High)
      1.2.2 Interoperability (Criticality: High)
      1.2.3 Reliability (Criticality: High)
      1.2.4 Performance (Criticality: High)
      1.2.5 Maintainability (Criticality)
      1.2.6 Portability (Criticality)
2. Part B: Navigation Control Process Steps
   2.1 ASP .Net Common Design and Development Details
   2.2 Process Steps for Development
   2.3 Mapping of Other Quality Characteristics
      2.3.1 Interoperability
      2.3.2 Security
      2.3.3 Reliability
      2.3.4 Performance
3. Part C: Acceptance Criteria

1. Part A: Authentication & Authorization Requirements


a. Functional Requirements (Suitability)

Requirements Statement: Implement Authentication and Authorization by using the Membership feature provided by ASP .Net with Forms authentication. The coding shall be done in C#. We will use SqlMembershipProvider along with Forms authentication to create and authenticate users.

Steps to implement:

Step 1. Configure forms authentication.
Step 2. Install the SQL Server membership database.
Step 3. Configure the SqlMembershipProvider.
Step 4. Create users.
Step 5. Authenticate users.

Context (Where does the requirement fit in the system?): Most forums, e-commerce sites, online email websites, portal websites and social network sites have Authentication and Authorization. Security is an important aspect of any application; it spans physical, technological and policy decisions and requires a high degree of planning and domain knowledge. The application will ask the user to provide login credentials. The user will be able to see the Home page only if the login provided by the user is correct. Otherwise, an appropriate error message will be displayed to the user.

b. Critical Quality Requirements (CTQ: Critical to Quality; Criticality: High / Medium / Low)

1.2.1 Security (Criticality: High)
The application should not allow any user to access the application without authentication. Navigation to the respective pages should be based on the roles assigned to the user.

1.2.2 Interoperability (Criticality: High)
The application should allow the user to enter their user name and password using standard I/O operations.

1.2.3 Reliability (Criticality: High)
The application should not allow the user to perform any injection to bypass the login. Connection and command timeouts and exceptions also need to be managed.

1.2.4 Performance (Criticality: High) (Time Behaviour, Resource Utilization)
The application should respond to the user instantly. The other exceptions arising from the timeout also need to be handled.

1.2.5 Maintainability (Criticality)
NA

1.2.6 Portability (Criticality)
NA

2. Part B: Navigation Control Process Steps


2.1 ASP .Net Common Design and Development Details

Refer to the document "ASP.Net Common Design and Development Details" for all common design and development details related to environment details, reusable framework, reusable routines, etc.

2.2 Process Steps for Development

Functional Requirements (Suitability)

Step 1. Configure forms authentication

Configure Forms authentication in web.config.

Code for the same:


<authentication mode="Forms">
  <forms loginUrl="Login.aspx"
         protection="All"
         timeout="30"
         name="AppNameCookie"
         path="/FormsAuth"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="default.aspx"
         cookieless="UseCookies"
         enableCrossAppRedirects="false" />
</authentication>

Where:

- loginUrl points to the login page. You should place this in a folder that requires Secure Sockets Layer (SSL) for access.
- protection is set to "All" to specify privacy and integrity for the forms authentication ticket.
- timeout is used to specify a limited session lifetime.
- name and path are set to unique values for the current application.
- requireSSL is set to "false". This configuration means that the authentication cookie can be transmitted over channels that are not SSL-protected. If you are concerned with session hijacking, you should consider setting this to "true". For more information, see Additional Considerations in this document.
- slidingExpiration is set to "true" to enforce a sliding session lifetime. This means that the timeout is reset after each request to your application.
- defaultUrl is set to the Default.aspx page for the application.
- cookieless is set to "UseCookies" to specify that the application uses cookies to send the authentication ticket to the client.
- enableCrossAppRedirects is set to "false" to indicate that the application cannot redirect the request outside the application scope.

Add the following <authorization> element after the <authentication> element. This permits only authenticated users to access the application. The previously established loginUrl attribute of the <authentication> element redirects unauthenticated requests to the Login.aspx page.

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

Step 2. Install the Membership Database

Open the Visual Studio 2005 command prompt and run the following command:

aspnet_regsql.exe -E -S localhost -A m

Where:

- -E indicates authentication using the Windows credentials of the currently logged-on user.
- -S (server) indicates the name of the server where the database will be installed or is already installed.
- -A m indicates "add membership support". This creates the tables and stored procedures required by the membership provider.

Step 3. Configure the SqlMembershipProvider

The Machine.config file contains a default SqlMembershipProvider instance named AspNetSqlMembershipProvider that connects to the SQL Server Express instance on the local computer. You can use this instance of the provider if you are running SQL Server locally. Alternatively, you can specify provider details in your application's Web.config file.

Code for the same:

<connectionStrings>
  <add name="MySqlConnection"
       connectionString="Data Source=MySqlServer;Initial Catalog=aspnetdb;Integrated Security=SSPI;" />
</connectionStrings>
<system.web>
  ...
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <add name="SqlProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="MySqlConnection"
           applicationName="MyApplication"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="true"
           requiresUniqueEmail="true"
           passwordFormat="Hashed" />
    </providers>
  </membership>

Step 4. Create Users

A new user can be created either through the ASP.NET Configuration tool (Website menu) or in code:

Membership.CreateUser("Username", "P@ssw0rd", "userName@emailAddress");

Step 5. Authenticate Users

To authenticate users, you must provide a login form. This could be a separate page or a special area on your application's home page. You can create the login form in the following ways:

- Use the ASP.NET 2.0 login controls. The ASP.NET login controls encapsulate nearly all of the logic required to obtain credentials from users and to validate them against a user store. They use the configured membership provider. You do not need to write any additional code. After the user is validated, the login controls automatically save information about the user; for example, by using an encrypted cookie if the user's browser accepts cookies.
- Create a custom login form by using ASP.NET TextBox controls. If you create a custom login form with simple TextBox controls, you can prompt the user for a user name and password, and then call the ValidateUser method of the Membership class to perform the validation.
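The second option worked through as code (an added example, not code from this document): the code-behind of a custom Login.aspx that calls Membership.ValidateUser, issues the forms ticket configured in web.config, and then navigates by role. The control names txtUserName, txtPassword and lblMessage, the role name "Admin" and the path ~/Admin/Default.aspx are assumed, and a RoleProvider is assumed to be configured.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a custom login form built from TextBox controls (assumed names).
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // ValidateUser checks the credentials against the configured
        // SqlMembershipProvider (hashed comparison through its stored procedures);
        // no SQL is written in the page itself.
        if (!Membership.ValidateUser(userName, password))
        {
            // One generic message: never reveal whether the user name exists.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // Role-based navigation (2.3.2): the ticket is issued, then the user is sent
        // to the page their role allows. The cookie is non-persistent (false).
        if (Roles.IsUserInRole(userName, "Admin"))   // "Admin" is an assumed role name
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            Response.Redirect("~/Admin/Default.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
        else
        {
            // Issues the ticket and honours ReturnUrl, falling back to defaultUrl.
            // With enableCrossAppRedirects="false" (as in the web.config above)
            // ReturnUrl cannot point outside this application.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
    }
}
```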

2.3 Mapping of Other Quality Characteristics

2.3.1 Interoperability (Criticality: High)

Requirement: The application should allow the user to enter their user name and password using standard I/O operations.

Process Steps:
1. Create Login.aspx.
2. Use the ASP.NET Login control for login.
3. Validate the user name and password: each must be at least 6 characters, and the password must contain at least one special character, one capital letter and one numeric value.

2.3.2 Security (Criticality: High)

Requirement: The application should not allow any user to access the application without authentication. Navigation to the respective pages should be based on the roles assigned to the user.

Process Steps:
1. Implement Forms authentication in the Web.config.
2. Use the Membership provider to validate the user against the database.
3. Use the Role provider to authorize the authenticated user.

2.3.3 Reliability (Criticality: High)

Requirement: The application should not allow the user to perform any injection to bypass the login. Connection and command timeouts and exceptions also need to be managed.

Process Steps:
1. Validation to avoid SQL injection.
2. The user name and password should be validated in the database using a stored procedure only.

2.3.4 Performance (Criticality: High)

Requirement: The application should respond to the user within 2 seconds. The other exceptions arising from the timeout also need to be handled.

Process Steps:
1. Set the connection timeout.
2. Set the command timeout.
3. Catch the exception in one place.
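The 2.3.1, 2.3.3 and 2.3.4 process steps mapped to one helper (an added example, not code from this document): the stated password rule enforced before any database access, a parameterised stored-procedure call with an explicit command timeout (the connection timeout comes from the connection string), and a single catch block. The stored procedure usp_GetCredential and its two result columns (PasswordHash, PasswordSalt) are assumed; the hash computation follows the SqlMembershipProvider "Hashed" format (SHA1 over salt bytes followed by the UTF-16 password bytes).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class LoginValidation
{
    // 2.3.1 rule: at least 6 characters, one capital letter, one digit, one special character.
    static readonly Regex PasswordRule = new Regex(@"^(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{6,}$");

    public static bool MeetsPasswordRule(string password)
    {
        return password != null && PasswordRule.IsMatch(password);
    }

    // Same encoding as SqlMembershipProvider passwordFormat="Hashed": SHA1(salt + UTF-16 password).
    static string HashPassword(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha = SHA1.Create()) return Convert.ToBase64String(sha.ComputeHash(all));
    }

    // 2.3.3 / 2.3.4: stored procedure only, parameters only, timeouts set, one catch block.
    // usp_GetCredential (assumed name) returns PasswordHash, PasswordSalt for @UserName.
    public static bool ValidateUser(string connectionString, string userName, string password)
    {
        // Input rules first: a request that fails them never reaches the database.
        if (string.IsNullOrEmpty(userName) || userName.Length < 6 || !MeetsPasswordRule(password)) return false;
        try
        {
            // connectionString is expected to carry "Connect Timeout=15"; CommandTimeout bounds the query.
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlCommand cmd = new SqlCommand("usp_GetCredential", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;      // no ad-hoc SQL text
                cmd.CommandTimeout = 10;                            // seconds
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                {
                    if (!r.Read()) return false;                    // unknown user: same answer as wrong password
                    return r.GetString(0) == HashPassword(password, r.GetString(1));
                }
            }
        }
        catch (SqlException ex) { System.Diagnostics.Trace.TraceError(ex.ToString()); return false; } // one place
    }
}
```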

3. Part C: Acceptance Criteria


Criteria                                                  UOM      Target Value
a) Ability to build quality: Execute the CBA correctly    %        100
b) Time to build quality: Productivity                    hours
   Benchmark productivity (experts)                       Hours
   Minimum acceptable productivity                        Hours
c) Time to build competence in associate range            Days
