
Professional
ASP.NET 2.0 Security,
Membership, and Role
Management
Stefan Schackow
01_596985 ffirs.qxp 12/14/05 7:45 PM Page i
Professional ASP.NET 2.0 Security, Membership, and
Role Management
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2006 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN-13: 978-0-7645-9698-8
ISBN-10: 0-7645-9698-5
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1MA/QV/QR/QW/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO
REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF
THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY
MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND
STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS
SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING
LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS
REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT.
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A
CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT
THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR
WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE
AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services please contact our Customer Care Department
within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Programmer to Programmer, and related trade
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United
States and other countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Credits
Senior Acquisitions Editor
Jim Minatel
Development Editor
Sydney Jones
Technical Editors
Jeffrey Palermo
Scott Spradin
Production Editor
Pamela Hanley
Copy Editor
Foxxe Editorial Services
Editorial Manager
Mary Beth Wakefield
Vice President & Executive Group Publisher
Richard Swadley
Vice President and Publisher
Joseph B. Wikert
Graphics and Production Specialists
Denny Hager
Alicia B. South
Quality Control Technicians
Amanda Briggs
John Greenough
Joe Niesen
Proofreading and Indexing
TECHBOOKS Production Services
To the ASP.NET group that gave me the opportunity to work
on a great product with a great team!
About the Author
Stefan Schackow currently works as a program manager at Microsoft on the ASP.NET product team. He has worked extensively with the new application services delivered in ASP.NET 2.0, including Membership and Role Manager. Currently he is working on future directions for extending these features via Web Services and the Windows Communication Foundation. Prior to joining the ASP.NET product team, he worked in Microsoft’s consulting services designing web and database applications for various enterprise clients.
Acknowledgments
I started out writing this book with the intent of setting down in words a brain dump of some of the
more esoteric areas of features I either “own” or work on in conjunction with other folks. However, as
the book took shape I found myself diving into areas that were important from a security perspective
but that dealt with aspects of features that very few people really understood (myself included). I would
like to thank the following folks for answering my sometimes off-the-wall security questions: Pat, Shai,
Erik, Mike, Simon, Adam, Manu, Helen, Mark, Laura, Dmitry, Ting, DaveM, Sudheer, Richa, Smitha, and
DavidE. Now that it’s all written down I promise to stop pestering you, maybe. . . .
I would also like to thank Jim Minatel for walking up to me at a DevConnections conference in 2004 and
broaching the idea of writing a security book. Without his suggestion and support this project never
would have occurred!
Contents
Acknowledgments ix
Introduction xix

Who Is This Book For? xix
What Does This Book Cover? xix
What You Need to Run the Examples xxi
Conventions xxii
Customer Support xxiii
How to Download the Sample Code for the Book xxiii
Errata xxiii
Email Support xxiii
p2p.wrox.com xxiv
Chapter 1: Initial Phases of a Web Request 1
IIS Request Handling 2
Http.sys 3
aspnet_filter.dll 5
Processing Headers 6
Blocking Restricted Directories 8
Dynamic versus Static Content 9
MIME Type Mappings 9
ISAPI Extension Mappings 10
Wildcard Application Mappings 13
aspnet_isapi.dll 14
Starting Up an Application Domain 15
First Request Initialization 23
Summary 28
Chapter 2: Security Processing for Each Request 31
IIS Per-Request Security 32
ASP.NET Per-Request Security 33
Where Is the Security Identity for a Request? 34
Establishing the Operating System Thread Identity 38
The ASP.NET Processing Pipeline 41
Thread Identity and Asynchronous Pipeline Events 43

AuthenticateRequest 48
DefaultAuthentication and Thread.CurrentPrincipal 54
PostAuthenticateRequest 57
AuthorizeRequest 58
PostAuthorizeRequest through PreRequestHandlerExecute 65
Blocking Requests during Handler Execution 66
Identity during Asynchronous Page Execution 69
EndRequest 74
Summary 75
Chapter 3: A Matter of Trust 77
What Is an ASP.NET Trust Level? 78
Configuring Trust Levels 80
Anatomy of a Trust Level 83
A Second Look at a Trust Level in Action 91
Creating a Custom Trust Level 96
Additional Trust Level Customizations 99
The Default Security Permissions Defined by ASP.NET 105
Advanced Topics on Partial Trust 118
Summary 141
Chapter 4: Configuration System Security 143
Using the <location /> Element 143
The Path Attribute 145
The AllowOverride Attribute 146
Using the lock Attributes 146
Locking Attributes 147
Locking Elements 149
Locking Provider Definitions 151

Reading and Writing Configuration 153
Permissions Required for Reading Local Configuration 155
Permissions Required for Writing Local Configuration 157
Permissions Required for Remote Editing 159
Using Configuration in Partial Trust 161
The requirePermission Attribute 163
Demanding Permissions from a Configuration Class 165
FileIOPermission and the Design-Time API 166
Protected Configuration 166
What Can’t You Protect? 168
Selecting a Protected Configuration Provider 169
Defining Protected Configuration Providers 172
DpapiProtectedConfigurationProvider 172
RsaProtectedConfigurationProvider 175
Aspnet_regiis Options 181
Using Protected Configuration Providers in Partial Trust 182
Redirecting Configuration with a Custom Provider 184
Summary 190
Chapter 5: Forms Authentication 191
Quick Recap on Forms Authentication 192
Understanding Persistent Tickets 192
How Forms Authentication Enforces Expiration 194
Securing the Ticket on the Wire 198
How Secure Are Signed Tickets? 198
New Encryption Options in ASP.NET 2.0 201
Setting Cookie-Specific Security Options 204
requireSSL 204

HttpOnly Cookies 206
slidingExpiration 208
Using Cookieless Forms Authentication 208
Cookieless Options 210
Replay Attacks with Cookieless Tickets 215
The Cookieless Ticket and Other URLs in Pages 216
Payload Size with Cookieless Tickets 218
Unexpected Redirect Behavior 221
Sharing Tickets between 1.1 and 2.0 222
Leveraging the UserData Property 224
Passing Tickets across Applications 226
Cookie Domain 226
Cross-Application Sharing of Ticket 227
Enforcing Single Logons and Logouts 247
Enforcing a Single Logon 248
Enforcing a Logout 255
Summary 257
Chapter 6: Integrating ASP.NET Security with Classic ASP 259
IIS5 ISAPI Extension Behavior 260
IIS6 Wildcard Mappings 261
Configuring a Wildcard Mapping 261
The Verify That File Exists Setting 268
DefaultHttpHandler 268
Using the DefaultHttpHandler 270
Authenticating Classic ASP with ASP.NET 272
Will Cookieless Forms Authentication Work? 273
Passing Data to ASP from ASP.NET 274

Passing Username to ASP 276
Authorizing Classic ASP with ASP.NET 276
Passing User Roles to Classic ASP 277
Safely Passing Sensitive Data to Classic ASP 278
Full Code Listing of the Hash Helper 284
Summary 285
Chapter 7: Session State 287
Does Session State Equal Logon Session? 287
Session Data Partitioning 290
Cookie-Based Sessions 291
Cookie Sharing across Applications 292
Protecting Session Cookies 293
Session ID Reuse 294
Cookieless Sessions 294
Session ID Reuse and Expired Sessions 296
Session Denial of Service Attacks 297
Trust Levels and Session State 300
Serialization and Deserialization Requirements 302
Database Security for SQL Session State 304
Security Options for the OOP State Server 306
Summary 307
Chapter 8: Security for Pages and Compilation 309
Request Validation and Viewstate Protection 309
Request Validation 310
Securing viewstate 311
Page Compilation 314
Fraudulent Postbacks 318
Site Navigation Security 322
Summary 327
Chapter 9: The Provider Model 329

Why Have Providers? 329
Patterns Found in the Provider Model 332
The Strategy Pattern 332
Factory Method 334
The Singleton Pattern 339
Façade 341
Core Provider Classes 342
System.Configuration.Provider Classes 342
System.Web.Configuration Classes 346
System.Configuration Classes 347
Building a Provider-Based Feature 351
Summary 366
Chapter 10: Membership 367
The Membership Class 368
The MembershipUser Class 371
Extending MembershipUser 373
MembershipUser State after Updates 375
Why Are Only Certain Properties Updatable? 379
DateTime Assumptions 380
The MembershipProvider Base Class 382
Basic Configuration 383
User Creation and User Updates 384
Retrieving Data for a Single User 387
Retrieving and Searching for Multiple Users 387
Validating User Credentials 388
Supporting Self-Service Password Reset or Retrieval 390
Tracking Online Users 392

General Error Handling Approaches 393
The “Primary Key” for Membership 394
Supported Environments 396
Using Custom Hash Algorithms 399
Summary 402
Chapter 11: SqlMembershipProvider 403
Understanding the Common Database Schema 404
Storing Application Name 404
The Common Users Table 405
Versioning Provider Schemas 408
Querying Common Tables with Views 410
Linking Custom Features to User Records 410
Why Are There Calls to the LOWER Function? 414
The Membership Database Schema 415
SQL Server–Specific Provider Configuration Options 418
Working with SQL Server Express 419
Sharing Issues with SSE 424
Changing the SSE Connection String 425
Database Security 426
Database Schemas and the DBO User 428
Changing Password Formats 430
Custom Password Generation 432
Implementing Custom Encryption 435
Enforcing Custom Password Strength Rules 437
Hooking the ValidatePassword Event 439
Implementing Password History 440
Account Lockouts 451

Implementing Automatic Unlocking 454
Supporting Dynamic Applications 458
Summary 463
Chapter 12: ActiveDirectoryMembershipProvider 465
Supported Directory Architectures 465
Provider Configuration 468
Directory Connection Settings 468
Directory Schema Mappings 471
Provider Settings for Search 474
Membership Provider Settings 475
Unique Aspects of Provider Functionality 477
ActiveDirectoryMembershipUser 480
IsApproved and IsLockedOut 481
Using the ProviderUserKey Property 482
Working with Active Directory 482
UPNs and SAM Account Names 484
Container Nesting 486
Securing Containers 487
Configuring Self-Service Password Reset 494
Using ADAM 503
Installing ADAM with an Application Partition 504
Using the Application Partition 510
Using the Provider in Partial Trust 512
Summary 515
Chapter 13: Role Manager 517
The Roles Class 517
The RolePrincipal Class 521
The RoleManagerModule 531
PostAuthenticateRequest 531
EndRequest 534
Role Cache Cookie Settings and Behavior 535
Working with Multiple Providers during GetRoles 537
RoleProvider 542
Basic Configuration 544
Authorization Methods 544
Managing Roles and Role Associations 544
WindowsTokenRoleProvider 546
Summary 551
Chapter 14: SqlRoleProvider 553
SqlRoleProvider Database Schema 553
SQL Server–Specific Provider Configuration Options 555
Transaction Behavior 556
Provider Security 556
Trust-Level Requirements and Configuration 557
Database Security 563
Working with Windows Authentication 563
Running with a Limited Set of Roles 565
Authorizing with Roles in the Data Layer 570
Supporting Dynamic Applications 571
Summary 572
Chapter 15: AuthorizationStoreRoleProvider 573
Provider Design 573
Supported Functionality 576
Using a File-Based Policy Store 578
Using a Directory-Based Policy Store 580
Working in Partial Trust 589
Using Membership and Role Manager Together 592

Summary 594
Index 595
Introduction
This book covers security topics on a wide range of areas in ASP.NET 2.0. It starts with detailed coverage of how security is applied when an ASP.NET application starts up and when a request is processed. The book then branches out to cover security information for features such as trust levels, forms authentication, session state, page security, and configuration system security. You will also see how you can integrate ASP.NET security with legacy ASP applications. Over the course of these topics, you will gain a solid understanding of many of the less publicized security features in ASP.NET 2.0.
The book switches gears in Chapter 9 and addresses two new security services in ASP.NET 2.0:
Membership and Role Manager. You start out learning about the provider model that underlies both
of these features. Then you will get a detailed look at the internals of both features, as well as the SQL-
and Active Directory–based providers that are included with them. After reading through these topics,
you will have a thorough background on how you can work with the new providers and how you can
extend them in your applications.
Who Is This Book For?
This book is intended for developers who already have a solid understanding of ASP.NET 1.1 security
concepts in the area of forms authentication, page security, and website authorization. Where the book
addresses new functionality, such as Membership and Role Manager, it assumes that you have already
used these features and have a good understanding of the general functionality provided by both of
them. As a result, this book does not rehash widely available public information on various features or
API reference documentation.
Instead, you will find that the book has been written to “peel back the covers” of various ASP.NET security features so that you can gain a much deeper understanding of the security options available to you. The book also addresses lesser known security functionality such as ASP.NET trust levels and ASP.NET-to-ASP integration so that you can take advantage of these approaches in your own applications.
If you are looking for a deep dive on general ASP.NET 2.0 security, then you will find Chapters 1–8 very useful. If your initial focus is on the new Membership and Role Manager features, then Chapters 9–15 will be immediately useful to you. After you have read through these topics, you will definitely have a thorough understanding of why ASP.NET security works the way it does, and you will have insights into just how far you can “stretch” ASP.NET 2.0 to match your application’s security requirements.
What Does This Book Cover?
The subject of ASP.NET security can refer to a lot of different concepts: security features, best coding
practices, lockdown procedures, and so on. This book addresses ASP.NET security features from the
developer’s point of view. It gives you detailed information on every major area of ASP.NET security
you will encounter while developing web applications. And it shows you how you can extend or modify
these features.
❑ Chapter 1 walks you through the internal processing ASP.NET performs when it starts up an application domain. You will see how control passes from IIS to ASP.NET, and you will learn about the special processing ASP.NET performs during the very first request to an app domain.
❑ Chapter 2 gives you a detailed walk-through of the security processing ASP.NET performs in its pipeline for each HTTP request. You will see how the default authentication and authorization modules work, as well as how ASP.NET blocks access to content with special handlers. This chapter also describes subtleties in how request identity works with ASP.NET 2.0’s asynchronous pipeline events and asynchronous page model.
❑ Chapter 3 describes what an ASP.NET trust level is and how ASP.NET trust levels work to provide more secure environments for running web applications. The chapter goes into detail on how you can customize trust levels and how to write privileged code that works in partial trust applications.
❑ Chapter 4 covers the new security features in the 2.0 Framework’s configuration system. It discusses new configuration options for locking down configuration sections as well as protecting configuration sections from prying eyes. It also discusses how ASP.NET trust levels and configuration system security work together.
❑ Chapter 5 explains new ASP.NET 2.0 features for forms authentication. You will learn about the new integrated cookieless support and the new support forms authentication has for passing authentication tickets across web applications. The chapter also presents an extensive example of implementing a lightweight single sign-on solution using forms authentication, as well as how to enforce a single login using a combination of forms authentication and Membership.
❑ Chapter 6 demonstrates using IIS6 wildcard mappings and ASP.NET 2.0’s support for wildcard mappings to share authentication and authorization information with classic ASP applications. The sample code in the chapter also shows you how you can use these features to integrate Membership and Role Manager with classic ASP.
❑ Chapter 7 covers security features and guidance for session state. New session state security features introduced in ASP.NET 2.0 are covered, as well as security options for out-of-process state and the effect ASP.NET trust levels have on the session state feature.
❑ Chapter 8 describes some lesser known page security features from ASP.NET 1.1. It also describes new ASP.NET 2.0 options for securing viewstate and postback events. Chapter 8 also covers how the new dynamic compilation model can be used with code access security.
❑ Chapter 9 gives you an architectural overview of the new provider model introduced in ASP.NET 2.0. The chapter covers the various Framework classes that are “the provider model” along with sample code showing you how to write your own custom provider-based features.
❑ Chapter 10 talks about the new Membership feature. The chapter goes into detail about the core classes of the Membership feature as well as how you can extend the feature with custom hash algorithms.
❑ Chapter 11 delves into both the SqlMembershipProvider as well as general database design assumptions that are baked into all of ASP.NET 2.0’s new SQL-based features. You will learn how you can extend the provider to support automatically unlocking user accounts. The sample code also covers custom password encryption, storing password histories, and extending the provider to work in portal environments.
❑ Chapter 12 covers the other membership provider that ships in ASP.NET 2.0: the ActiveDirectoryMembershipProvider. You will learn about how this provider maps its functionality onto Active Directory, and you will see how to set up both Active Directory and Active Directory Application Mode servers to work with the provider.
❑ Chapter 13 describes the new Role Manager feature that provides built-in authorization support for ASP.NET 2.0. You will learn about the core classes in Role Manager. The chapter also details how the RoleManagerModule is able to automatically set up a principal for downstream authorization and how the module and Role Manager’s caching work hand in hand. Chapter 13 also covers the WindowsTokenRoleProvider, which is one of the providers that ships with Role Manager.
❑ Chapter 14 discusses the SqlRoleProvider and its underlying SQL schema. You will learn about using the provider in conjunction with Windows authentication, extending the provider to support custom authorization logic, and how you can use its database schema for data layer authorization logic. Although not specific to just SqlRoleProvider, the chapter covers how to get the provider working in a partial trust non-ASP.NET environment.
❑ Chapter 15 covers the AuthorizationStoreRoleProvider — a provider that maps Role Manager functionality to the Authorization Manager feature that first shipped in Windows Server 2003. You will learn how to set up and use both file-based and directory-based policy stores with the provider. The chapter covers special Authorization Manager functionality that is supported by the provider, as well as how to use both the ActiveDirectoryMembershipProvider and AuthorizationStoreRoleProvider to provide Active Directory–based authentication and authorization in your web applications.
What You Need to Run the Examples
This book was written using various Beta 2 and RC releases of the 2.0 Framework on Windows Server
2003 SP1. The sample code in the book has been verified to work with late RC builds of the 2.0
Framework. To run all of the samples in the book, you will need the following:

❑ Windows Server 2003 SP1
❑ Visual Studio 2005 RTM
❑ Either SQL Server 2000 or SQL Server 2005
❑ A Windows Server 2003 domain running at Windows Server 2003 functional level
Most of the samples should also work when using Windows XP. Note that the information in most of the
book refers to security credential configuration using IIS6 application pools as opposed to the older
<processModel /> approach used in Windows XP and IIS 5.1.
The book covers topics in Chapter 6 that require IIS6 features to work.
Chapters 11 and 14 use the SQL-based providers. You should have either SQL Server 2000 or SQL Server
2005 set up to use these samples. Scattered throughout the book are other samples that rely on the
Membership feature — these samples also require either SQL Server 2000 or SQL Server 2005.
To run the samples in Chapter 12, you will need either a Windows Server 2003 domain controller,
or a machine running Active Directory Application Mode (ADAM). Chapter 12 addresses using the
ActiveDirectoryMembershipProvider in both environments.
The sample code in Chapter 15 uses the Authorization Manager functionality in Windows Server 2003 (both setting up policies as well as consuming them). As a result, to run most of the samples you will need a Windows Server 2003 domain controller that has been set up to work with Authorization Manager. You do not need your own domain controller if you just want to try out file-based policy stores with AuthorizationStoreRoleProvider.
Conventions
Code has several styles. If I am talking about a word in the text—for example, when discussing a
For . . . Next loop — it’s in this font. If it’s a block of code that can be typed as a program and
run, then it’s also in a gray box:
Private Sub mnuHelpAbout_Click(ByVal sender As Object, _
ByVal e As System.EventArgs) Handles mnuHelpAbout.Click
Dim objAbout As New About
objAbout.ShowDialog(Me)
objAbout = Nothing
End Sub
Configuration information and the results from running code use a similar font, but do not have a background color:
<connectionStrings>
<add name=”myDatabase” connectionString=”some connection string”/>
</connectionStrings>
Sometimes you’ll see code in a mixture of styles, like this:
Private Sub mnuHelpAbout_Click(ByVal sender As Object, _
ByVal e As System.EventArgs) Handles mnuHelpAbout.Click
Dim objAbout As New About
objAbout.ShowDialog(Me)
objAbout.Dispose()
objAbout = Nothing
End Sub
In cases like this, the code with the gray background is code you are already familiar with; the line in the
bolded font is a new addition to the code.
Customer Support
We always value hearing from our readers, and we want to know what you think about this book: what
you liked, what you didn’t like, and what you think we can do better next time. You can send us your
comments either by returning the reply card in the back of the book or by email to

Please be sure to mention the book’s title in your message.
How to Download the Sample Code for the Book
When you visit the Wrox site (wrox.com) simply locate the title through our Search facility or by clicking the Download Code link at the top of the main page, then find the book in the title list. Click the HTTP or FTP link for the book to download the code.
The files that are available for download from our site have been archived using WinZip. When you have saved the attachments to a folder on your hard drive, you need to extract the files using a decompression program such as WinZip or PKUnzip. When you extract the files, the code is usually extracted into chapter folders. When you start the extraction process, ensure that your software (WinZip or PKUnzip) is set to use folder names.
Errata
We’ve made every effort to ensure that there are no errors in the text or in the code. However, no one is
perfect and mistakes do occur. If you find an error in one of our books, such as a spelling mistake or a
faulty piece of code, we would be very grateful for feedback. By sending in errata, you may save another
reader hours of frustration, and, of course, you will be helping us provide even higher-quality information. Simply email the information to
; your information will be checked and, if cor-
rect, posted to the errata page for that title, or used in subsequent editions of the book.
To find errata on the Web site, go to wrox.com and simply locate the title through our Advanced Search
or title list or by going to the Help Center using the link at the bottom of the main page. Click the View
Errata link, which is to the right of the book’s title.
Email Support
If you wish to directly query a problem in the book with an expert who knows the book in detail, then
email
with the title of the book and the last four numbers of the ISBN in the subject
field of the email. A typical email should include the following things:
❑ The title of the book, the last four digits of the ISBN (8000), and the page number of the problem
in the Subject field
❑ Your name, contact information, and the problem in the body of the message
We won’t send you junk mail. We need the details to save your time and ours. When you send an email
message, it will go through the following chain of support:
❑ Customer Support — Your message is delivered to our customer support staff, who are the first people to read it. They have files on most frequently asked questions and will answer anything general about the book or the Web site immediately.