
Professional ASP.NET 3.5 in C# and Visual Basic Part 104 pdf


Evjen c20.tex V2 - 01/28/2008 3:13pm Page 988
Chapter 20: ASP.NET AJAX Control Toolkit
Figure 20-42
Finally, the DataSource, DataSourceID, and DataMember properties allow you to bind to this control from your code.
NoBot Control
The NoBot control works to determine how entities interact with your forms and to help you make sure
that actual humans are working with your forms and some automated code isn’t working through your
application.
The NoBot control is illustrated in Listing 20-36.
Listing 20-36: Using the NoBot control to limit a login form
.ASPX
<%@ Page Language="VB" AutoEventWireup="true" CodeFile="NoBot.aspx.vb"
    Inherits="NoBot" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit"
    TagPrefix="cc1" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>NoBot Control</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <cc1:NoBot ID="NoBot1" runat="server" CutoffMaximumInstances="3"
            CutoffWindowSeconds="15" ResponseMinimumDelaySeconds="10"
            OnGenerateChallengeAndResponse="NoBot1_GenerateChallengeAndResponse" />
        <asp:Login ID="Login1" runat="server">
        </asp:Login>
        <asp:Label ID="Label1" runat="server"></asp:Label>
    </div>
    </form>
</body>
</html>
The NoBot control has three important properties to be aware of when controlling how your forms are submitted. These properties are the CutoffMaximumInstances, CutoffWindowSeconds, and ResponseMinimumDelaySeconds properties.
The CutoffMaximumInstances property is the number of times the end user is allowed to try to submit the form within the number of seconds specified by the CutoffWindowSeconds property. The ResponseMinimumDelaySeconds property defines the minimum number of seconds that must pass between the form being served and the end user submitting it. If you know the form you are working with will take some time to fill in, then setting this property to a value (even if it is 5 seconds) will help stop submissions that are not made by humans.
The OnGenerateChallengeAndResponse property allows you to define the server-side method that works with the challenge and allows you to provide a response based on the challenge. This property is used in Listing 20-36 and posts back to the user the status of the form submission.
The code-behind for this page is represented in Listing 20-37.
Listing 20-37: The code-behind page for the NoBot control's OnGenerateChallengeAndResponse
VB
Imports System
Imports AjaxControlToolkit

Partial Public Class NoBot
    Inherits System.Web.UI.Page

    Protected Sub NoBot1_GenerateChallengeAndResponse(ByVal sender As Object, _
        ByVal e As AjaxControlToolkit.NoBotEventArgs) _
        Handles NoBot1.GenerateChallengeAndResponse
        ' Ask the control to evaluate its cutoff rules and show the outcome to the user
        Dim state As NoBotState
        NoBot1.IsValid(state)
        Label1.Text = state.ToString()
    End Sub
End Class

C#
using System;
using AjaxControlToolkit;

public partial class NoBot : System.Web.UI.Page
{
    protected void NoBot1_GenerateChallengeAndResponse(object sender,
        AjaxControlToolkit.NoBotEventArgs e)
    {
        // Ask the control to evaluate its cutoff rules and show the outcome to the user
        NoBotState state;
        NoBot1.IsValid(out state);
        Label1.Text = state.ToString();
    }
}
Running this page and trying to submit the form before the ten-second minimum time results in an
invalid submission. In addition, trying to submit the form more than three times within 15 seconds
results in an invalid submission.
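The three cutoff rules described above, traced in isolation in an added example (hypothetical helper code written for this page, not the toolkit's own NoBot implementation; the SubmissionGuard class, its field names and the session keys are assumptions, and the thresholds are those of Listing 20-36):

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper, not part of the AJAX Control Toolkit: it reproduces the three
// NoBot cutoff rules in isolation so their interaction can be traced. The thresholds
// are the values used in Listing 20-36.
public enum SubmissionVerdict { Valid, InvalidResponseTooFast, InvalidTooManyAttempts }
public class SubmissionGuard
{
    public int CutoffMaximumInstances = 3;        // attempts allowed inside one window
    public int CutoffWindowSeconds = 15;          // length of the sliding window
    public int ResponseMinimumDelaySeconds = 10;  // fastest response accepted as human

    // Submission times per client (keyed by session here); kept in memory for the sample.
    private readonly Dictionary<string, List<DateTime>> attempts =
        new Dictionary<string, List<DateTime>>();

    // renderedAt: when the form was served; submittedAt: when the postback arrived.
    public SubmissionVerdict Check(string clientKey, DateTime renderedAt, DateTime submittedAt)
    {
        List<DateTime> times;
        if (!attempts.TryGetValue(clientKey, out times))
            attempts[clientKey] = times = new List<DateTime>();
        times.Add(submittedAt);

        // Rule 1: a postback faster than a person could fill the form in is rejected.
        if ((submittedAt - renderedAt).TotalSeconds < ResponseMinimumDelaySeconds)
            return SubmissionVerdict.InvalidResponseTooFast;

        // Rule 2: more than CutoffMaximumInstances postbacks inside the window are rejected.
        DateTime windowStart = submittedAt.AddSeconds(-CutoffWindowSeconds);
        int recent = times.FindAll(t => t > windowStart).Count;
        if (recent > CutoffMaximumInstances)
            return SubmissionVerdict.InvalidTooManyAttempts;

        return SubmissionVerdict.Valid;
    }
    public static void Main()
    {
        SubmissionGuard guard = new SubmissionGuard();
        DateTime t0 = new DateTime(2008, 1, 28, 15, 13, 0);   // constructed render time
        // Session A posts back 2 seconds after the form was served: caught by Rule 1.
        Console.WriteLine(guard.Check("sessionA", t0, t0.AddSeconds(2)));
        // Session B makes four attempts at 11, 12, 13 and 14 seconds: the first three
        // pass both rules, the last one is the fourth attempt inside one 15-second window.
        for (int i = 0; i < 4; i++)
            Console.WriteLine(guard.Check("sessionB", t0, t0.AddSeconds(11 + i)));
    }
}
```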
PasswordStrength Control
The PasswordStrength control allows you to check the contents of a password in a TextBox control and validate its strength. It will also then give a message to the end user about whether the strength is reasonable. A simple example of the PasswordStrength control is presented in Listing 20-38.
Listing 20-38: Using the PasswordStrength control with a TextBox control
<%@ Page Language="C#" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit"
    TagPrefix="cc1" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Password Strength Control</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <cc1:PasswordStrength ID="PasswordStrength1" runat="server"
            TargetControlID="TextBox1">
        </cc1:PasswordStrength>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
    </div>
    </form>
</body>
</html>
This simple page produces a single text box, and when end users start typing in the text box, they will be notified of the strength of the password as they type. This is illustrated in Figure 20-43.
Figure 20-43
Some of the important properties to work with here include MinimumLowerCaseCharacters, MinimumNumericCharacters, MinimumSymbolCharacters, MinimumUpperCaseCharacters, and PreferredPasswordLength.
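The strength indicator runs in the browser only, so the same minimums need checking again where the form is processed on the server. The following added example (hypothetical code written for this page, not the toolkit's; the PasswordPolicy class and its field names are assumptions that mirror the properties listed above) shows such a server-side check:

```csharp
using System;
using System.Text;

// Hypothetical server-side policy check, not part of the AJAX Control Toolkit. The
// PasswordStrength control only advises the user in the browser; a client that skips
// the script can still post a weak password, so the same minimums are enforced again
// when the server processes the form.
public class PasswordPolicy
{
    // Field names mirror the control's properties; the values are constructed for the sample.
    public int MinimumLowerCaseCharacters = 1;
    public int MinimumUpperCaseCharacters = 1;
    public int MinimumNumericCharacters = 1;
    public int MinimumSymbolCharacters = 1;
    public int PreferredPasswordLength = 12;

    // Returns true when every minimum is met; otherwise 'reason' lists what is missing.
    public bool Satisfies(string password, out string reason)
    {
        password = password ?? string.Empty;
        int lower = 0, upper = 0, digits = 0, symbols = 0;
        foreach (char c in password)
        {
            if (char.IsLower(c)) lower++;
            else if (char.IsUpper(c)) upper++;
            else if (char.IsDigit(c)) digits++;
            else if (!char.IsWhiteSpace(c)) symbols++;   // anything else counts as a symbol
        }

        StringBuilder missing = new StringBuilder();
        if (password.Length < PreferredPasswordLength) missing.Append("length ");
        if (lower < MinimumLowerCaseCharacters) missing.Append("lowercase ");
        if (upper < MinimumUpperCaseCharacters) missing.Append("uppercase ");
        if (digits < MinimumNumericCharacters) missing.Append("numeric ");
        if (symbols < MinimumSymbolCharacters) missing.Append("symbol ");

        reason = missing.ToString().Trim();
        return missing.Length == 0;
    }

    public static void Main()
    {
        PasswordPolicy policy = new PasswordPolicy();
        string reason;
        // Constructed samples: the first fails several minimums, the second meets all of them.
        foreach (string candidate in new string[] { "password", "Purple-Tiger-7391" })
            Console.WriteLine("{0,-18} {1} {2}", candidate,
                policy.Satisfies(candidate, out reason) ? "accepted" : "rejected", reason);
    }
}
```

Call Satisfies from the server-side handler that stores the new password, and reject the postback when it returns false.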
Rating Control
The Rating control gives your end users the ability to view and set ratings (such as star ratings). You have control over the number of ratings, the look of the filled ratings, the look of the empty ratings, and more. Listing 20-39 shows a page with a five-star rating system that gives end users the ability to set the rating themselves.
Listing 20-39: A rating control that the end user can manipulate
<%@ Page Language="C#" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit"
    TagPrefix="cc1" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Rating Control</title>
    <style type="text/css">
        .ratingStar {
            font-size: 0pt;
            width: 13px;
            height: 12px;
            margin: 0px;
            padding: 0px;
            cursor: pointer;
            display: block;
            background-repeat: no-repeat;
        }
        .filledRatingStar {
            background-image: url(Images/FilledStar.png);
        }
        .emptyRatingStar {
            background-image: url(Images/EmptyStar.png);
        }
        .savedRatingStar {
            background-image: url(Images/SavedStar.png);
        }
    </style>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <cc1:Rating ID="Rating1" runat="server" StarCssClass="ratingStar"
            WaitingStarCssClass="savedRatingStar"
            FilledStarCssClass="filledRatingStar" EmptyStarCssClass="emptyRatingStar">
        </cc1:Rating>
    </div>
    </form>
</body>
</html>
Here, the Rating control uses a number of CSS classes to define its look and feel in various states. In addition to the CSS class properties (StarCssClass, WaitingStarCssClass, FilledStarCssClass, and EmptyStarCssClass), you can also specify rating alignments, the number of rating items (the default is 5), the width, the current rating, and more. The code presented in Listing 20-39 produces the results shown in Figure 20-44.
Figure 20-44
TabContainer Control
Tabs are another great way to control a page that has a lot of content to present. The TabContainer control can contain one or more TabPanel controls that provide you with a set of tabs that show content one tab at a time. You are able to control the width and the height of the panels and to specify whether there are scrollbars as well. Each TabPanel control has <HeaderTemplate> and <ContentTemplate> subelements that you can define. Listing 20-40 shows an example of a TabContainer control with three TabPanel controls.
Listing 20-40: Showing three tabs in a TabContainer control

<%@ Page Language="C#" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit"
    TagPrefix="cc1" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>TabContainer Control</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <cc1:TabContainer ID="TabContainer1" runat="server" Height="300px">
            <cc1:TabPanel runat="server">
                <HeaderTemplate>Tab 1</HeaderTemplate>
                <ContentTemplate>Here is some tab one content.</ContentTemplate>
            </cc1:TabPanel>
            <cc1:TabPanel runat="server">
                <HeaderTemplate>Tab 2</HeaderTemplate>
                <ContentTemplate>Here is some tab two content.</ContentTemplate>
            </cc1:TabPanel>
            <cc1:TabPanel runat="server">
                <HeaderTemplate>Tab 3</HeaderTemplate>
                <ContentTemplate>Here is some tab three content.</ContentTemplate>
            </cc1:TabPanel>
        </cc1:TabContainer>
    </div>
    </form>
</body>
</html>
The result of this simple page is presented in Figure 20-45.
Figure 20-45

Summary
As you can see, there are a ton of new controls at your disposal. The best thing about this is that this is a community effort along with Microsoft, and the list of available ASP.NET AJAX controls is only going to grow over time.
This chapter looked at a lot of the new ASP.NET AJAX controls and how to use them in your ASP.NET applications. Remember to visit the CodePlex page for these controls often and take advantage of the newest offerings out there.
Evjen c21.tex V2 - 01/28/2008 3:15pm Page 995
Security
Not every page that you build with ASP.NET is meant to be open and accessible to everyone on the
Internet. Sometimes, you want to build pages or sections of an application that are accessible to only
a select group of your choosing. For this reason, you need the security measures explained in this
chapter. They can help protect the data behind your applications and the applications themselves
from fraudulent use.
Security is a very wide-reaching term. During every step of the application-building process, you
must, without a doubt, be aware of how mischievous end users might attempt to bypass your
lockout measures. You must take steps to ensure that no one can take over the application or
gain access to its resources. Whether it involves working with basic server controls or accessing
databases, you should be thinking through the level of security you want to employ to protect
yourself.
How security is applied to your applications is truly a measured process. For instance, a single
ASP.NET page on the Internet, open to public access, has different security requirements than
does an ASP.NET application that is available to only selected individuals because it deals with
confidential information such as credit card numbers or medical information.
The first step is to apply the appropriate level of security for the task at hand. Because you can
take so many different actions to protect your applications and the resources, you have to decide
for yourself which of these measures to employ. This chapter looks at some of the possibilities for
protecting your applications.
Notice that security is discussed throughout this book. In addition, a couple of chapters focus on specific security frameworks provided by ASP.NET 3.5 that are not discussed in this chapter. Chapters 15 and 16 discuss ASP.NET's membership and role management frameworks, as well as the personalization features in this version. These topics are aspects of security that can make it even easier for you to build safe applications. Although these new security frameworks are provided with this latest release of ASP.NET, you can still build your own measures as you did in the previous versions of ASP.NET. This chapter discusses how to do so.
Chapter 21: Security
An important aspect of security is how you handle the authentication and authorization for accessing resources in your applications. Before you begin working through some of the authentication/authorization possibilities in ASP.NET, you should know exactly what we mean by those two terms.
Authentication and Authorization
As discussed in Chapter 16, authentication is the process that determines the identity of a user. After a user
has been authenticated, a developer can determine if the identified user has authorization to proceed. It
is impossible to give an entity authorization if no authentication process has been applied.
Authorization is the process of determining whether an authenticated user is permitted access to any part
of an application, access to specific points of an application, or access only to specified datasets that the
application provides. Authenticating and authorizing users and groups enable you to customize a site
based on user types or preferences.
Applying Authentication Measures
ASP.NET provides many different types of authentication measures to use within your applications, including basic authentication, digest authentication, forms authentication, Passport, and Integrated Windows authentication. You also can develop your own authentication methods. You should never authorize access to resources you mean to be secure if you have not applied an authentication process to the requests for the resources.
The different authentication modes are established through settings that can be applied to the application's web.config file or in conjunction with the application server's Internet Information Services (IIS) instance.

ASP.NET is configured through a series of .config files on the application server. These are XML-based files that enable you to easily change how ASP.NET behaves. This is an ideal way to work with the configuration settings you require. ASP.NET configuration files are applied in a hierarchical manner.
The .NET Framework provides a server-level configuration file called the machine.config file, which can be found at C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG. The folder contains the machine.config file. This file provides ASP.NET application settings at a server level, meaning that the settings are applied to each and every ASP.NET application that resides on the particular server.
A web.config file is another XML-based configuration file that resides in the root of the Web application. The settings applied in the web.config file override the same settings applied in the higher-level machine.config file.
You can even nest the web.config files so that the main application web.config file is located in the root directory of your application, but additional web.config files reside in some of the application's subdirectories (see Figure 21-1). The web.config files contained in any of the subdirectories supersede the root directory's web.config file. Therefore, any settings applied through a subdirectory's web.config file change whatever was set in the application's main web.config file.
In many of the examples in this chapter, you use the web.config file to apply the authentication and authorization mechanics you want in your applications. You also can work with IIS to apply settings directly to your applications.
Figure 21-1
IIS is the Web server that handles all the incoming HTTP requests that come into the server. You must modify IIS to perform as you want. IIS hands a request to the ASP.NET engine only if the page has a specific file extension (for example, .aspx). In this chapter, you will work with IIS 7.0 as well.
The <authentication> Node
You use the <authentication> node in the application's web.config file to set the type of authentication your ASP.NET application requires:
<system.web>
    <authentication mode="Windows|Forms|Passport|None">
    </authentication>
</system.web>
The <authentication> node uses the mode attribute to set the form of authentication that is to be used. Options include Windows, Forms, Passport, and None. Each option is explained in the following table.
Provider   Description
Windows    Windows authentication is used together with IIS authentication. Authentication is
           performed by IIS in one of the following ways: basic, digest, or Integrated Windows
           Authentication. When IIS authentication is complete, ASP.NET uses the authenticated
           identity to authorize access. This is the default setting.
Forms      Requests that are not authenticated are redirected to an HTML form using HTTP
           client-side redirection. The user provides his login information and submits the form.
           If the application authenticates the request, the system issues a form that contains the
           credentials or a key for reacquiring the identity.
Passport   A centralized authentication service provided by Microsoft that offers single login and
           core profile services for member sites. This mode of authentication was de-emphasized
           by Microsoft at the end of 2004.
None       No authentication mode is in place with this setting.