synapseindia dotnet website security development.ppt
TRANSCRIPT
-
8/10/2019 SynapseIndia DOTNET Website Security Development.ppt
1/14
Website Security
ASP.NET is compiled to managed code before executing, so web pages can utilize the same role-based features as other .NET applications.
Web.config can define built-in ASP.NET security providers such as Forms, Windows or set event handlers for custom providers.
Web.config is an application level security policy file. Settings in higher level policy files take precedence, so administrators of shared web servers can breathe.
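As an added illustration (not part of the original slides), the first file below is an application Web.config that selects the Forms provider and restricts a folder by role; the second is a machine-level entry a shared-server administrator can use so that the application cannot override its trust level. The cookie name, login page, folder name, role name and site path are assumed values.

```xml
<!-- Application-level Web.config (assumed file names and paths) -->
<configuration>
  <system.web>
    <!-- Select the built-in Forms provider; "Windows" is the other
         built-in mode named on the slide. -->
    <authentication mode="Forms">
      <!-- protection="All" encrypts and validates the ticket cookie;
           requireSSL keeps it off plain HTTP. -->
      <forms name=".APPAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="20"
             requireSSL="true" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: every page requires a login. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Role-based rule for one folder: rules are evaluated top down,
       so the allow must come before the catch-all deny. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Machine-level configuration, edited by the server administrator.
     allowOverride="false" makes ASP.NET reject any attempt by the
     application's own Web.config to change the settings inside. -->
<configuration>
  <location path="Default Web Site/customerapp" allowOverride="false">
    <system.web>
      <!-- Code access security level granted to the application. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```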
-
Security & Managed Code
Evidence-based security means that there is no guarantee your code has sufficient permission to run when the user executes it!
.NET classes are free-threaded.
-
ASP.NET
Programming model can handle client-side events on the server as if they happened on the server.
Design-time provides GUI configuration of controls on the page. Microsoft provides controls that are fast and scalable for .NET (vs. VS6).
Compiled code means 2-5 times faster execution.
Session State is now fast and scalable.
-
ASP.NET Change Management
Version code just like any other .NET application!
Debug Using Trace! (instead of Response.Write)
Automated Unit Testing!
Deploy Assemblies Without Source Code!
Protect your Intellectual Property!
Publish web applications with simple XCopy!
Goodbye FrontPage Extensions!
Dynamic Code Replacement - Without Rebooting!
Concurrently Run Different Versions of Business Objects Side-By-Side!
Script Builds from Source Control
-
ASP.NET Cool Features
Output Caching is automatic, but configurable by user, query, time or underlying data source AND at either the page or control level.
ASP and ASP.NET can run in the same directory but do not share state.
Use any .NET language. Use structured exception handling as implemented in the language.
Debug from web pages down into business objects.
-
Writing XML Web Services
Use the WebService directive in .ASMX pages. Code behind uses the WebMethod attribute and inherits from System.Web.Services.WebService.
.NET will use reflection to automatically generate a WSDL and a simple human-readable testing and documentation page.
Also, you can publish any COM+ object or .NET assembly by registering it in COM+ and checking a box. COM+ can use .NET remoting instead of HTTP for .NET to .NET calls.
SQL and Exchange 2000 both provide XML Web Services access methods to their data.
-
Web Services
Imports System.Web.Services

Public Class Service1
    Inherits System.Web.Services.WebService

    ' WebMethod exposes the function as a callable web service operation.
    <WebMethod()> _
    Public Function HelloPerson(ByVal YourName As String) As String
        HelloPerson = "Hello, " & YourName & "."
    End Function
End Class
-
Consuming XML Web Services
All Web Services are late-binding.
Static bindings are Web References. Use them just like a referenced assembly. IntelliSense works!
Dynamically bind to services at run-time by using UDDI and/or Disco.
If necessary, configure proxy server and credentials in machine.config.
Consume .NET Web Services from any platform.
-
Consuming Web Services
-
ASP.NET Web Form
-
Web Services
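Private Sub Button_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles Button.Click
    ' HelloService is the Web Reference; Service1 is its generated proxy class.
    Dim ws As New HelloService.Service1()
    ' Append the greeting followed by a line break.
    Results.Text &= ws.HelloPerson(strName.Text) & vbCrLf
End Sub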
-
Touchless Desktop Deployment
DEMO
-
Issues
Only Windows 2000 and XP as servers. Windows 98 or better as clients. CE support is in beta and will be a subset.
Transparency of Source Code: MSIL is relatively easy to reverse engineer to source code. Obfuscators and encryption will solve this in the future.
Security of .NET is still questioned based on past experience with Microsoft.
-
.NET Myths
Myth: Passport is required for authentication in .NET. BizTalk is required for XML Web Services. Windows CALs are required for access to authenticated IIS applications.
Myth: J# is another Microsoft attempt to corrupt Java.
Myth: The Microsoft .NET Pet Store benchmark proves ASP.NET is 15-28 times faster, requires the CPU, the code and supports 6-8x as many users as J2EE.
Related Myth: Oracle's latest Java Pet Store proves J2EE on Oracle is faster than .NET
Myth: .NET is a huge mental leap for VB developers.