ASP.NET Security
By
SRIRAM. B
ASP.NET Security Overview
Authentication & Authorization
Login Controls
Membership & Role Management
Authentication & Authorization
Authentication Modes
Windows Authentication
Forms Authentication
Passport Authentication
User Class
Authorization
Impersonation
Authentication & Authorization
Authentication is the process of obtaining credentials from users and using those credentials to verify the user's identity.
Authorization is the process of allowing an authenticated user access to resources.
Authentication always precedes authorization.
Authentication Modes
Windows
ASP.NET authentication services attach a WindowsPrincipal
(System.Security.Principal.WindowsPrincipal) to the current request to enable
authorization against NT users or groups.
Forms
ASP.NET authentication services manage cookies and redirect unauthenticated
users to a logon page. This is often used in conjunction with the IIS option to
allow anonymous access to an application.
Passport
ASP.NET authentication services provide a convenient wrapper around the
services provided by the Passport SDK, which must be installed on the machine.
Windows Authentication
It is the default mode. Users are identified by their Windows account names, and roles correspond to Windows groups.
It delegates the responsibility of identifying users to IIS. IIS can be configured to use the following authentication schemes:
<authentication mode="Windows"/>
Anonymous
If anyone is allowed to access the ASP.NET application, IIS does not perform any
authentication.
Basic
The user must provide a Windows username and password to connect. However, the
credentials are sent over the network in clear text, which makes this scheme insecure for
Internet-based applications.
Digest
The user provides a Windows username and password to connect, but the password is
hashed before it is sent across the network. The Windows accounts must be stored in
Active Directory.
Windows Integrated
In Windows Integrated authentication, passwords never cross the network. Users
must still have a username and password, but the application uses either Kerberos or a
challenge/response protocol to authenticate the user. It is used for intranet-based
applications.
Forms Authentication
ASP.NET authenticates users, redirects unauthenticated users to the logon page, and performs all the necessary cookie management. This sort of authentication is a popular technique used by many Web sites, and it lets you handle your own custom logic.
In web.config: <authentication mode="Forms"/>
Using forms-based authentication to deny access to anonymous users:
<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Forms Authentication..
Administrators use forms-based authentication to configure the name of the cookie to use, the protection type, the URL to use for the logon page, length of time the cookie is in effect, and the path to use for the issued cookie.
<authentication mode="Forms">
<forms name=".ASPXCOOKIEDEMO" loginUrl="login.aspx" defaultUrl="default.aspx"
protection="All" timeout="30" path="/" requireSSL="false"
slidingExpiration="true" enableCrossAppRedirects="false"
cookieless="UseDeviceProfile" domain="">
<!-- protection="[All|None|Encryption|Validation]" -->
<!-- cookieless="[UseUri | UseCookies | AutoDetect | UseDeviceProfile]" -->
</forms>
</authentication>
Forms Authentication..
After the application has been configured, you need to provide a logon page. When the application runs, the browser requests the Default.aspx page. Unauthenticated requests are redirected to the logon page (Login.aspx), which presents a simple form that prompts for an e-mail address and a password. (Use Username="[email protected]" and Password="password" as credentials.)
Default.aspx
Page_Load:   Label1.Text = "Hello, " + User.Identity.Name;
SignOut click: FormsAuthentication.SignOut(); Response.Redirect("login.aspx");
Login.aspx
if ((UserEmail.Value == "[email protected]") && (UserPass.Value == "password")) {
    // Issue the forms ticket and return to the originally requested page
    FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
} else {
    Msg.Text = "Invalid Credentials: Please try again";
}
Forms Authentication Attributes:
Cookieless (UseDeviceProfile (default), AutoDetect, UseUri, UseCookies)
DefaultUrl
Domain
EnableCrossAppRedirects
LoginUrl
Name
Path
Protection
RequireSSL
SlidingExpiration
Timeout
Forms Authentication..
Authentication Against Values in the web.config File
<system.web>
  <authentication mode="Forms">
    <credentials passwordFormat="Clear">
      <user name="Bill" password="secret"/>
    </credentials>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
You can change Login.aspx to authenticate against the web.config entries:
if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text)) {
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, true);
} else {
    Response.Write("Invalid Credentials: Please try again");
}
The passwordFormat attribute accepts the following values:
Hash Type   Description
Clear       Passwords are stored in cleartext
SHA1        Passwords are stored as SHA1 digests
MD5         Passwords are stored as MD5 digests
Forms Authentication.. Using Encrypted Passwords
<authentication mode="Forms">
  <credentials passwordFormat="SHA1">
    <user name="Mary" password="94F85995C7492EEC546C321821AA4BECA9A3E2B1"/>
    <user name="John" password="5753A498F025464D72E088A9D5D6E872592D5F91"/>
  </credentials>
</authentication>
You can generate the hashed representation of a password with:
FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox1.Text, "SHA1");
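An added example (not from the slides) that models in Python what the credentials section and FormsAuthentication.Authenticate do: the output format HashPasswordForStoringInConfigFile writes, the check against the stored value, and why unsalted digests are a risk. The user entries, their digests and the function names are constructed for this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed <credentials> section in the shape the slides show; the two users
# and their digests are made up for this example (both store SHA1("password")).
CREDENTIALS_XML = """<credentials passwordFormat="SHA1">
  <user name="Bill" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
  <user name="Mary" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
</credentials>"""

def hash_password_for_config(password, fmt):
    """What HashPasswordForStoringInConfigFile writes into web.config: an unsalted
    digest of the UTF-8 password as upper-case hex. Clear stores the plaintext,
    so with that setting web.config itself is the secret to protect."""
    fmt = fmt.lower()
    if fmt == "clear":
        return password
    if fmt in ("sha1", "md5"):
        return hashlib.new(fmt, password.encode("utf-8")).hexdigest().upper()
    raise ValueError("unsupported passwordFormat: " + fmt)

def load_credentials(xml_text=CREDENTIALS_XML):
    """Return (passwordFormat, {name: stored value}) from a <credentials> section."""
    root = ET.fromstring(xml_text)
    users = {u.get("name"): u.get("password") for u in root.findall("user")}
    return root.get("passwordFormat", "SHA1"), users

def authenticate(name, password, xml_text=CREDENTIALS_XML):
    """Model of FormsAuthentication.Authenticate: hash the submitted password the
    way the stored one was hashed, then compare in constant time."""
    fmt, users = load_credentials(xml_text)
    stored = users.get(name)
    if stored is None:
        return False
    if fmt.lower() == "clear":
        return hmac.compare_digest(stored.encode(), password.encode())
    candidate = hash_password_for_config(password, fmt)
    return hmac.compare_digest(stored.upper().encode(), candidate.encode())

def duplicate_digests(xml_text=CREDENTIALS_XML):
    """Names whose stored value equals another user's. With no salt, equal passwords
    give equal digests, so cracking one entry cracks every user sharing it."""
    _, users = load_credentials(xml_text)
    groups = {}
    for name, stored in users.items():
        groups.setdefault(stored.upper(), []).append(name)
    return sorted(n for g in groups.values() if len(g) > 1 for n in g)
```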
Passport Authentication
Passport uses an encrypted cookie mechanism to indicate authenticated users.
When your application is enabled for Passport authentication, the request is
redirected to the Microsoft Passport site, where the user enters his credentials.
If the authentication is successful, the user is authorized to proceed and the request
is redirected back to your application.
User Class
Use the Page.User or HttpContext.User property to retrieve information about the current user.
The principal object also includes an Identity property that gives you information
about the current user's identity. It supports the following properties:
AuthenticationType   string authType = User.Identity.AuthenticationType;
IsAuthenticated      bool authUser = User.Identity.IsAuthenticated;
Name                 string userName = User.Identity.Name;
The principal object supports the following method:
IsInRole() -> Enables you to check whether the user is a member of a particular role.
if (User.IsInRole(@"BUILTIN\Administrators")) { /* private information */ } else { /* public information */ }
Authorization
Authorization is the process of identifying the resources that a user is allowed to access. You control authorization by adding an authorization element to a web.config file. Authorization is used in the same way for Windows, Forms and Passport authentication.
To block unauthenticated users:
<authorization> <deny users="?"/> </authorization>
Allow access for Bill and deny it for others:
<authorization> <allow users="Bill"/> <deny users="?"/> </authorization>
Authorizing by role, for Administrator:
<authorization> <allow roles="Administrator"/> <deny users="*"/> </authorization>
Authorizing files by location:
<location path="Secret.aspx"> <system.web> <authorization> <deny users="?"/> </authorization>
</system.web> </location>
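An added example (not from the slides) in Python that evaluates <authorization> rules in the order ASP.NET's URL authorization applies them, including a <location> override for Secret.aspx. The web.config fragment is constructed from the rules shown above and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed web.config modelled on the slides' rules (example data, not the slides' file).
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="Bill"/>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Secret.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def _matches(rule, user, roles):
    """A rule applies if any listed user or role covers the request:
    '?' means anonymous, '*' means everyone, names are case-insensitive."""
    for u in _split(rule.get("users", "")):
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    held = {r.lower() for r in roles}
    return user is not None and any(r in held for r in _split(rule.get("roles", "")))

def _rules(parent):
    sw = next((c for c in parent if c.tag == "system.web"), None)
    auth = next((c for c in sw if c.tag == "authorization"), None) if sw is not None else None
    return list(auth) if auth is not None else []

def is_authorized(path, user, roles=(), config_xml=WEB_CONFIG):
    """First matching rule wins; <location> rules for the path run before the site-wide
    ones. No match means allowed (the root config ends with <allow users="*"/>)."""
    root = ET.fromstring(config_xml)
    ordered = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            ordered += _rules(loc)
    ordered += _rules(root)
    for rule in ordered:
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return True
```

Note that with the site-wide rules alone, an authenticated user other than Bill is still admitted, because only anonymous requests are denied; this is why every rule set should end with an explicit deny.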
Impersonation
Impersonation means that ASP.NET executes the request using the identity of the client who is making the request.
<identity impersonate="true" />
identity is a web.config element under system.web that controls the application
identity of the web application.
It can be set at any level (machine, site, application, subdirectory or page); setting the
impersonate attribute to "true" specifies that client impersonation is used.