ASP.NET Authorization Configuration with WIF

02.23.2011 06:45 by kbeckman

I recently ran into an issue after using Windows Identity Foundation (WIF) to modify an existing ASP.NET application to act as a Relying Party against a Secure Token Service (Identity Provider) rather than using traditional ASP.NET Forms Authentication. I began by applying a very aggressive ASP.NET authorization configuration to the entire site: I locked down the site, disallowing any anonymous access using the <authorization> element in the <system.web> section. Not all areas of the site required restricted access, so <location> tags were used to allow anonymous access to certain folders and page resources. Everything seemed to be functioning exactly as desired. It worked; it was secure; and it kept anyone who hadn’t first authenticated against the Identity Provider out of the secure areas of the application. All is well!


Then one day a defect crosses my inbox… Our QA analyst was testing the custom error pages on the site. Without authenticating, she purposely entered an incorrect URL, expecting to see our custom error page for HTTP 404 errors. Instead, she was redirected to our Identity Provider for authentication. After authenticating, she was correctly redirected back to the site and on to the 404 custom error page… This wasn’t the desired behavior, as she shouldn’t have had to authenticate before being redirected to the custom error page.


So what’s the deal? The problem was that, by default, the entire site was configured to require WIF authentication, and that applies to non-existent resources that produce HTTP 404 errors as well. Following is a sample of the web.config elements that are of interest here. This is how the site was originally configured.


<system.web>
    <authorization>
        <deny users="?"/>
    </authorization>
</system.web>

<location path="SomeAnonymousResource.aspx">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

<location path="SomeAnonymousFolder">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>


Here’s what the configuration elements look like now… I’ve replaced the aggressive authorization restrictions at the site root with a more targeted approach restricting access only as necessary. Instead of <location> elements to allow anonymous access for resources, there are <location> elements for restricting secure parts of the application. Problem solved – no more redirects for authentication just to end up at the 404 custom error page.


<system.web>
    <authorization>
        <allow users="*"/>
    </authorization>
</system.web>

<location path="SomeSecureResource.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

<location path="SomeSecureFolder">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>
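To make the difference between the two layouts concrete, here is an added Python model (not code from the post) of how ASP.NET merges <authorization> rules: the rules of a matching <location> are consulted before the inherited root rules, the first matching rule wins, and a deny result for an anonymous request is what sends the browser to the Identity Provider. The location paths are the post’s placeholders; the request paths are constructed.

```python
# Added example (not from the post): a small model of how ASP.NET URL
# authorization evaluates <authorization> rules, used to check the two
# web.config layouts above against an anonymous request for a missing page.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    users: str   # "*" = everyone, "?" = anonymous users, otherwise a user name

def _matches(rule: Rule, user: Optional[str]) -> bool:
    if rule.users == "*":
        return True
    if rule.users == "?":
        return user is None  # only unauthenticated requests
    return rule.users == user

def is_authorized(config: Dict[str, List[Rule]], path: str, user: Optional[str]) -> bool:
    """config maps a <location path> (or "" for the site root) to its rules.
    ASP.NET merges rules most-specific first and the first matching rule wins,
    so <location> rules are consulted before the inherited root rules."""
    path = path.lower()
    ordered: List[Rule] = []
    for loc in sorted((p for p in config if p), key=len, reverse=True):  # deepest first
        low = loc.lower()
        if path == low or path.startswith(low + "/"):
            ordered.extend(config[loc])
    ordered.extend(config.get("", []))  # inherited root rules come last
    for rule in ordered:
        if _matches(rule, user):
            return rule.action == "allow"
    return True  # machine-level default is <allow users="*"/>

# The two layouts from the post, keyed by the post's placeholder location paths.
ORIGINAL = {
    "": [Rule("deny", "?")],
    "SomeAnonymousResource.aspx": [Rule("allow", "*")],
    "SomeAnonymousFolder": [Rule("allow", "*")],
}
REVISED = {
    "": [Rule("allow", "*")],
    "SomeSecureResource.aspx": [Rule("deny", "?")],
    "SomeSecureFolder": [Rule("deny", "?")],
}

def anonymous_can_reach(config: Dict[str, List[Rule]], path: str) -> bool:
    """Pre-deployment check: can an unauthenticated request reach this path?"""
    return is_authorized(config, path, None)
```

With the revised layout, run the same check against your custom error page path: an error page that lives under a denied <location> would still bounce anonymous users to the Identity Provider.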

Maintenance Automation - Boot2VHD

02.19.2011 08:02 by kbeckman

Sorry for the repost… For some reason, this post was lost in the latest site upgrade. Since then, I’ve made a few updates.


I’m finally getting around to the post I promised a few weeks ago where I mentioned some automation scripts for performing maintenance on your bootable VHDs. These automation scripts come in a 2-part format – maintenance from within the context of your bootable VHD and the maintenance of the VHD file itself. I highly recommend you check out my prior post, Boot2VHD Best Practices, before using these scripts. It will give you a better idea of what operations the scripts perform (and the reasons behind them).


Prerequisites

There are just a few prerequisites that you need to make sure you have installed if you want to use these scripts in their entirety. Make sure to install them to the locations mentioned below or you will have additional customization work to do on these scripts…

1)   7-Zip (Host OS) – This is an awesome freeware file compression utility. The scripts use 7-Zip for archiving the VHDs before and after the maintenance cycle. The scripts assume that you are using the 64-bit version of this application and that it is installed at C:\Program Files\7-Zip.

2)   You need to have a backup location set up with the following folder structure:

..\VHD Backups\
..\VHD Backups\Old\

3)   SysInternals Suite  (Bootable VHD) – You’ll need to download this application suite and unzip it to C:\Program Files (x86)\Sysinternals Suite. The main application we need for this process is SDelete – it’s used for zeroing-out the free space in your VHD and is required to prep your VHD for the compression process.

4)   Just a note here… This has only been tested with Windows 7 (64-bit), but it should also work with Windows Server 2008 R2.


Notes and Disclaimer

You’ll definitely have to customize these scripts for your own environment. As long as the prerequisite applications are installed in the locations that I’ve mentioned, you shouldn’t have to change the prep script – Prep Bootable VHD for Maintenance Cycle.bat. I highly recommend backing up your VHDs before running the scripts for the first time. This will ensure that you’re able to roll back if something wasn’t configured properly. Be sure to read the comments included within the scripts. They should give you a good idea of what’s about to happen and how you should configure it for your own environment. Lastly, I want to mention that DiskPart requires its scripts to be in separate files when you’re automating anything. There are two text files included in the Host OS directory that contain the DiskPart tasks.


Script 1: Prep Bootable VHD for Maintenance Cycle.bat

Run this script as an administrator while booted into your VHD. This script is located in the Virtual Machine folder in the .zip file and is the first step in the maintenance cycle. It opens the Disk Cleanup utility, allowing you to select the cleanup options to perform. Next it runs the defrag utility on your bootable VHD’s C: drive. Finally, it uses SDelete to zero out the free space on your VHD drive in preparation for the compression step later.


:: Run the Disk Cleanup utility (interactive: pick the cleanup options to run)...
cleanmgr.exe /d c:

:: Run disk defrag (the second pass with /X consolidates free space)...
defrag c: /H /U /V
defrag c: /H /X /U /V

:: /d also switches the current drive, so the cd works no matter which drive the script runs from...
cd /d "c:\program files (x86)\sysinternals suite"

:: Run SDelete to zero-out free space (one pass over the free space on C:)...
sdelete.exe -p 1 -c c:
pause


Script 2: Run VHD Maintenance Cycle.bat

Run this script as an administrator while booted into your Host OS. This script contains the meat of the automated maintenance cycle and will require some configuration on your part to make sure you’re pointing to the right VHD and backup locations for your environment. The script assumes a single bootable VHD in the management cycle, but you can easily add the extra commands to support additional VHDs. In the section below, I explain every step of the maintenance workflow.


1) First the script deletes the old VHD backups in the <backup location>\old directory.

2) Next the script moves the backups from the prior maintenance cycle to the <backup location>\old directory.


:: Move backups from prior maintenance cycle to the ..\old directory...
del "d:\vhd backups\old\*.7z"
move "d:\vhd backups\*.7z" "d:\vhd backups\old"


3) Next the script uses a DiskPart command script located in the VHD Mgmt - Compact and Merge Disks.txt file to compact your disk. Be sure to edit this text file to contain the proper location of your disk.


[parent script]
:: Run Diskpart compact and merge tasks...
diskpart /s "D:\Git\System\Scripts\VHD Maintenance\Host OS\VHD Mgmt - Compact and Merge Disks.txt"


[diskpart script]
select vdisk file="v:\native\developer\ultimatex64.vhd"
compact vdisk


4) Finally, the script creates a backup of the VHD in the <backup location> directory.


:: Backup the VHDs...
call:ZipFile "d:\vhd backups\Ultimatex64_Development.7z" "v:\native\developer\ultimatex64_development.vhd"

:: End of the main script; without this, execution would fall through into the function below...
goto:eof


::--------------------------------------------------
:: Creates a 7-Zip .7z archive.
:: Params:    %1 = destination archive
::            %2 = source file
:: http://www.dostips.com/DtTutoFunctions.php#FunctionTutorial.CreatingAFunction
::--------------------------------------------------
:ZipFile
:: /d also switches the current drive; a plain cd from D: would leave 7z.exe unreachable...
cd /d "c:\program files\7-zip"
7z a -t7z %1 %2
goto:eof


I hope there are some folks out there who find this script useful… It has saved me a lot of time by not having to babysit the maintenance process. Now all of my VHD maintenance runs after hours and I just check it in the morning. If anything fails, I’ve always got a backup! I’ve included links to two script packages – one that assumes a single bootable VHD (as described in this post) and another that assumes a parent bootable VHD with an associated differencing disk.

C4SC_VHD_Maintenance (Single).zip (3.34 kb)

C4SC_VHD_Maintenance (Differencing).zip (4.00 kb)

In Case Your Compiler Decides to Take the Day Off…

02.19.2011 06:24 by kbeckman

The following is noteworthy because this is the type of unit test a conscious developer would write if their C# compiler occasionally takes the day off…


public interface IMyInterface
{
    void MethodThatDoesntMatter();
}

public class MyClass : IMyInterface 
{ 
    public void MethodThatDoesntMatter() { return; }
}


using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;

namespace Test.WastingYourTime
{
    [TestClass]
    public class MyClassTest 
    {
        [TestMethod]
        public void ImplementsIocInterface()
        {
            Type interfaceType = typeof(IMyInterface);
            Type concreteType  = typeof(MyClass);

            Assert.IsTrue(interfaceType.IsAssignableFrom(concreteType));
        }
    }
}


The problem is… Unlike the developer who wrote this unit test, the C# compiler doesn’t take days off. The .NET compiler also doesn’t waste valuable development time with senseless Internet browsing or BBQ recipe research. Just because you can test that a class implements a certain interface doesn’t mean you should waste your time doing so.