IBuySpy Store, Part II: JScript Components: Authorization and Authentication - Doc JavaScript | WebReference

IBuySpy Store, Part II: JScript Components: Authorization and Authentication - Doc JavaScript


IBuySpy Store, Part II: JScript Components

Authorization and Authentication

The file Web.config is used for setting parameters that you don't want to set in your JScript .NET code. You want to keep your code as flexible as possible, and set frequently-changed values outside your code. In this way, you can change the behavior of the application without recompilation of your code. You can deploy your code to your target machine, and leave some options open for change at the last minute just by changing a single file: Web.config.

Web.config is an XML file. The outer tag is <configuration>. Several tags can go inside the <configuration> statement. IBuySpy Store uses <appSettings>, <authentication>, <customErrors>, <sessionState>, and <authorization>. The <appSettings> statement defines keys for the application. You can define arbitrary keys in your JScript .NET code and set their values in Web.config. IBuySpy Store uses the connectionString key, and this is how its value is set:


<appSettings>
   <add key="ConnectionString"
      value="server=HAW2L1800\NetSDK;Trusted_Connection=true;
        database=StoreDOCJS" />
</appSettings>

The <authentication> tag defines the ASP.NET page that is used for authentication. The specified page will pop up whenever the user tries to load a page that requires authorization. Below, we show you how to specify a page that needs authorization. This is how you define the page that will pop up for authentication, login.aspx:

<authentication mode="Forms">
   <forms name="IBuySpyStoreAuth" loginUrl="login.aspx"
     protection="All" path="/" />
</authentication>

The <customErrors> tag specifies the page that will pop up whenever there is an error in your code and will apologize to the user, ErrorPage.aspx:


<customErrors mode="RemoteOnly"
  defaultRedirect="ErrorPage.aspx" />

We also want to turn off session mode, so users will always get in through the main page when they come in to the store:

<sessionState mode="Off" />

The last three statements, <authentication>, <customErrors>, and <sessionState> all relate to the whole Web site, and therefore are inside the <system.web> tag:

<system.web>
  <authentication mode="Forms">
    <forms name="IBuySpyStoreAuth" loginUrl="login.aspx"
      protection="All" path="/" />
  </authentication>
  <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
  <sessionState mode="Off" />
</system.web>

When you want certain pages to have limited access to authorized users only, you use the <authorization> tag within the <system.web> tag within the <location> tag. The following code snippet denies unauthorized users from entering the Checkout.aspx ASP.NET page:

<location path="Checkout.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

IBuySpy Store requires authorization before loading Checkout.aspx, OrderList.aspx, and OrderDetails.aspx. Here is the full Web.config file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <!-- application specific settings -->
  <appSettings>
    <add key="ConnectionString"
       value="server=HAW2L1800\NetSDK;Trusted_Connection=true;
         database=StoreDOCJS" />
  </appSettings>
  <!-- forms based authentication -->
  <system.web>
    <!-- enable Forms authentication -->
    <authentication mode="Forms">
      <forms name="IBuySpyStoreAuth" loginUrl="login.aspx"
        protection="All" path="/" />
    </authentication>
    <!-- enable custom errors for the application -->
    <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
    <!-- disable session state for application -->
    <sessionState mode="Off" />
  </system.web>
    <!-- set secure paths -->
  <location path="Checkout.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="OrderList.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="OrderDetails.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

Next: How the files interact


Produced by Yehuda Shiran and Tomer Shiran
All Rights Reserved. Legal Notices.
Created: October 7, 2002
Revised: October 7, 2002

URL: http://www.webreference.com/js/column120/3.html