70-340 Implementing Security for Applications with Microsoft Visual C# .NET
Demo Question 9.
You are an application developer for EliteCertify.com. You develop an ASP.NET Web application that uses a database to keep track of hours worked by each employee. The application stores the account name of the interactive user in a variable named userName. The application uses the value of userName and data entered by each user to record the user name and hours worked. The application is configured to use Integrated Windows authentication in IIS. The Web.config file has Windows authentication configured and impersonation enabled. During a security review, you find out that the application is running under a user context that has more permissions than necessary. You need to increase the security of the application while maintaining current functionality. What should you do?
A. Ask a network administrator to enable basic authentication for the application in IIS and prompt the user to enter the user's user name and password.
B. Ask a network administrator to enable digest authentication for the application in IIS and prompt the user to enter the user's user name and password.
C. Change the Web.config file to set impersonation to False. Add the following code to populate the userName variable with the user name of the interactive user.
    string userName;
    userName = HttpContext.Current.User.Identity.Name.ToString();
D. Change the Web.config file to set impersonation to false. Add the following code to populate the userName variable with the user name of the interactive user.
    WindowsIdentity myIdentity;
Answer: C
Explanation: Principal objects implement the IPrincipal interface and represent the security context of
the user on whose behalf the code is running. The principal object includes the user's
identity (as a contained IIdentity object) and any roles to which the user belongs.
ASP.NET provides the following principal and identity object implementations:
* WindowsPrincipal and WindowsIdentity objects represent users who have been
authenticated with Windows authentication. With these objects, the role list is
automatically obtained from the set of Windows groups to which the Windows user
belongs.
* GenericPrincipal and GenericIdentity objects represent users who have been
authenticated using Forms authentication or other custom authentication mechanisms.
With these objects, the role list is obtained in a custom manner, typically from a database.
* FormsIdentity and PassportIdentity objects represent users who have been
authenticated with Forms and Passport authentication respectively.
The following tables illustrate, for a range of IIS authentication settings, the resultant
identity that is obtained from each of the variables that maintain an IPrincipal and/or
IIdentity object. The following abbreviations are used in the table:
* HttpContext = HttpContext.Current.User, which returns an IPrincipal object that
contains security information for the current Web request. This is the authenticated Web
client.
* WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the
security context of the currently executing Win32 thread.
* Thread = Thread.CurrentPrincipal, which returns the principal of the currently
executing .NET thread, which rides on top of the Win32 thread.
Table 1. IIS anonymous authentication
Table 2. IIS basic authentication
Table 3. IIS digest authentication
Table 4. IIS integrated Windows
HttpContext.User Property
Gets or sets security information for the current HTTP request.
Public Property User As IPrincipal
Property Value: Security information for the current HTTP request.
Remarks: Setting this property requires the ControlPrincipal flag to be set in Flags.
The HttpContext.User property provides programmatic access to the properties and
methods of the IPrincipal interface. Because ASP.NET pages contain a default reference
to the System.Web namespace (which contains the HttpContext class), you can reference
the members of HttpContext on an .aspx page without the fully qualified class reference
to HttpContext. For example, you can use just User.Identity.Name to get the name of
the user on whose behalf the current process is running. If you want to use the
members of IPrincipal from an ASP.NET code-behind module, however, you must
include a reference to the System.Web namespace in the module and also fully qualify
the reference to the currently active request/response context and the class in
System.Web you want to use. For example, in a code-behind page you must specify the
full name HttpContext.Current.User.Identity.Name.
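The following code-behind sketch is an added example, not part of the original guide. It shows answer C in context: with impersonation turned off, the authenticated caller is still available from HttpContext.Current.User, while WindowsIdentity.GetCurrent() reports the account the worker process runs as. The class name TimesheetPage and the output format are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

// Web.config assumed for this example (the setting from answer C):
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
public class TimesheetPage : Page   // hypothetical page name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Authenticated Web client for the current request.
        IPrincipal webUser = HttpContext.Current.User;

        // Refuse to record hours when the request carries no authenticated
        // identity (for example, anonymous access left enabled in IIS).
        if (webUser == null || !webUser.Identity.IsAuthenticated)
        {
            throw new HttpException(401, "Windows authentication required.");
        }

        // The value to store as userName, in DOMAIN\user form.
        string userName = webUser.Identity.Name;

        // Security context of the executing Win32 thread. With impersonation
        // off this is the worker process account, not the caller, so code
        // no longer runs with each user's own permissions.
        string win32Identity = WindowsIdentity.GetCurrent().Name;

        // Principal of the currently executing .NET thread.
        string threadPrincipal = Thread.CurrentPrincipal.Identity.Name;

        // Encode before writing: account names are data, not markup.
        Response.Write(HttpUtility.HtmlEncode(
            "userName=" + userName +
            "; WindowsIdentity=" + win32Identity +
            "; Thread=" + threadPrincipal));
    }
}
```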