Building and Installing the Smart Card HttpModule

Page 2 of 9

Previous Page: Introduction Next Page: IIS Configuration

The IHttpModule interface we need to implement is very simple. Here is the interface, as defined by Microsoft in the .NET Framework. IHttpModule is in the System.Web namespace:

C#

    interface IHttpModule
    {
        // called to attach module to app events
        void Init(HttpApplication app);
        // called to clean up
        void Dispose();
    }

VB.Net

    Interface IHttpModule
        ' called to attach module to app events
        Sub Init(ByVal app As HttpApplication)
        ' called to clean up
        Sub Dispose()
    End Interface

Getting a basic HTTP module up and running is trivial. There are really only three steps involved:

1. Create a class that implements IHttpModule.


C#


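    using System;
    using System.Web;

    public class SmartCardAuthenticationModule : IHttpModule
    {
        // called once per HttpApplication instance; event handlers are attached here
        public void Init(HttpApplication context)
        {
        }

        // nothing to release in the bare skeleton
        public void Dispose()
        {
        }
    }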

VB.Net

    Public Class SmartCardAuthenticationModule
        Implements System.Web.IHttpModule

        Public Sub Init(ByVal context As System.Web.HttpApplication) _
            Implements System.Web.IHttpModule.Init
        End Sub

        Public Sub Dispose() Implements System.Web.IHttpModule.Dispose
        End Sub
    End Class

2. Next, wire up the events to handle in the Init() method of the class, and compile it into an assembly that you reference in your web project (or include it in your web project directly).

C#


    public void Init(HttpApplication context)
    {
        // subscribe to the pipeline's authentication stage
        context.AuthenticateRequest += new EventHandler(this.OnAuthenticateRequest);
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        // Here's where the work of authentication takes place.
    }

VB.Net

    Public Sub Init(ByVal context As System.Web.HttpApplication) _
        Implements System.Web.IHttpModule.Init

        AddHandler context.AuthenticateRequest, _
            New EventHandler(AddressOf Me.OnAuthenticateRequest)
    End Sub

    Private Sub OnAuthenticateRequest(ByVal source As Object, ByVal eventArgs _
        As EventArgs)
        ' Here's where the work of authentication takes place.
    End Sub

3. Install the Smart Card HttpModule into your ASP.NET application using the web.config and deny all anonymous users in the authorization section.

    <configuration>
      <system.web>
        <httpModules>
          <add name="SmartCardAuthentication"
               type="SmartCardAuthentication.SmartCardAuthenticationModule, SmartCardAuthentication" />
        </httpModules>
        <authorization>
          <!-- Deny all Anonymous Users -->
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Once added to the web.config, re-run the code that displays installed HTTP Modules. The SmartCardAuthentication module should show up in the pipeline:

Figure 3 – ASPX page shows that the Smart Card module is installed.




In Figure 2, note the addition of SmartCardAuthentication to the list. This is how you can tell if your module is installed and running correctly.


Above is the most basic skeleton of code I’ll be working from, but before getting into the details of the code, IIS must be configured to support Smart Card Authentication.

Two Important Points about IIS Configuration as it relates to Smart Cards/Client Certificates:


  • If IIS is not configured to actually accept and present the Client/Smart Card Certificate (by way of the HttpCertificate object) to ASP.NET, it is critical that the SmartCardAuthenticationModule code deny access to anyone accessing the site, following the principle of failing securely.
  • On the flip side, if IIS is not configured to limit which certificates are acceptable through the Certificate Trust Lists (CTL), the web server will inappropriately grant permissions to more users than expected. We can do some extra checks in code to fail securely in this case as well.
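The two points above can be sketched in the module skeleton as follows. This is an added example, not the author's code from this series; the issuing CA thumbprint is a placeholder, and the 403 response and the "SmartCard" authentication type name are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

public class SmartCardAuthenticationModule : IHttpModule
{
    // Assumption: placeholder for the thumbprint of the one CA that issues your smart card certificates.
    private const string TrustedIssuerThumbprint = "<ISSUING-CA-THUMBPRINT>";

    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(this.OnAuthenticateRequest);
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpClientCertificate cert = app.Request.ClientCertificate;

        // Point 1: if IIS passed no usable certificate, deny. No user is ever set on this path.
        // Point 2: even a valid certificate is refused unless the expected CA issued it.
        if (!app.Request.IsSecureConnection || !cert.IsPresent || !cert.IsValid
            || !IssuedByTrustedCa(cert))
        {
            app.Response.StatusCode = 403;
            app.CompleteRequest();   // skip the rest of the pipeline, go to EndRequest
            return;
        }

        // Only reached when every check passed.
        app.Context.User = new GenericPrincipal(
            new GenericIdentity(cert.Subject, "SmartCard"), new string[0]);
    }

    private static bool IssuedByTrustedCa(HttpClientCertificate cert)
    {
        X509Certificate2 clientCert = new X509Certificate2(cert.Certificate);
        X509Chain chain = new X509Chain();
        // Build() also fails on expired, revoked or untrusted chains.
        if (!chain.Build(clientCert) || chain.ChainElements.Count < 2)
            return false;
        // Element 0 is the client certificate; element 1 is its direct issuer.
        string issuer = chain.ChainElements[1].Certificate.Thumbprint;
        return string.Equals(issuer, TrustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Because the web.config above denies anonymous users, a request that somehow bypassed this handler without a principal being set would still be rejected by ASP.NET's URL authorization.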


Posted on 8:38 PM by j. montgomery, CISSP, GNET, GSEC

3 comments:

Anonymous said... @ 11:37 AM, September 29, 2008

Hey, j. montgomery,

One question please, how do I compile an .aspx file into an assembly?
How do I make the reference to my web project?

I am new to ASP.NET, thanks a lot in advance!

j. montgomery, CISSP, GNET, GSEC said... @ 10:10 PM, October 01, 2008

I'm not sure I completely follow.

"How do I compile an .aspx file in to assembly"

The aspx pages get compiled into assemblies automatically by ASP.NET on the web server.

"How do I make the reference to my web project."

What exactly are you trying to reference?

Rems said... @ 4:06 PM, October 27, 2008

Hello sir,
I have a scenario like this. When the user clicks on the URL of my web application, it should ask for a smart card login. As soon as the user swipes/inserts the card, it should bring up a screen for entering the PIN. Once the PIN is entered, the user is now successfully logged in.
