ASP.NET Security By SRIRAM. B

Page 1: ASP.NET Security

ASP.NET Security

By

SRIRAM. B

Page 2: ASP.NET Security

ASP.NET Security Overview

Authentication & Authorization

Login Controls

Membership & Role Management

Authentication & Authorization

Authentication Modes

Windows Authentication

Forms Authentication

Passport Authentication

User Class

Authorization

Impersonation

Page 3: ASP.NET Security

Authentication & Authorization

Page 4: ASP.NET Security

Authentication & Authorization

Authentication is the process of obtaining credentials from users and using those credentials to verify the user's identity.

Authorization is the process of allowing an authenticated user access to resources.

Authentication always precedes authorization.

Page 5: ASP.NET Security

Authentication Modes

Page 6: ASP.NET Security

Authentication Modes

Windows

ASP.NET authentication services attach a WindowsPrincipal (System.Security.Principal.WindowsPrincipal) to the current request to enable authorization against NT users or groups.

Forms

ASP.NET authentication services manage cookies and redirect unauthenticated users to a logon page. This is often used in conjunction with the IIS option to allow anonymous access to an application.

Passport

ASP.NET authentication services provide a convenient wrapper around the services provided by the Passport SDK, which must be installed on the machine.

Page 7: ASP.NET Security

Windows Authentication

Page 8: ASP.NET Security

Windows Authentication

Windows authentication is enabled by default. Users are identified by their Windows account names, and roles correspond to Windows groups.

It delegates the responsibility of identifying users to IIS. It is selected in web.config with <authentication mode="Windows"/>. IIS can be configured to use the following authentication schemes:

Anonymous

If anyone is allowed to access the ASP.NET application, IIS does not perform any authentication.

Basic

The user must provide a Windows username and password to connect. However, the credentials are sent over the network in clear text, so this is insecure for Internet-facing applications.

Page 9: ASP.NET Security

Windows Authentication

Digest

The user provides a Windows username and password to connect, but the password is hashed before it is sent across the network. The Windows accounts must be stored in Active Directory.

Windows Integrated

In Windows Integrated authentication, passwords never cross the network. Users must still have a username and password, but the application uses either Kerberos or challenge/response protocols to authenticate the user. It is used for intranet-based applications.

Page 10: ASP.NET Security

Forms Authentication

Page 11: ASP.NET Security

Forms Authentication

ASP.NET authenticates users, redirects unauthenticated users to the logon page, and performs all the necessary cookie management. This sort of authentication is a popular technique used by many Web sites, and it lets you handle your own custom logic.

In web.config: <authentication mode="Forms"/>

Using forms-based authentication to deny access to anonymous users:

<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Page 12: ASP.NET Security

Forms Authentication..

Administrators use the forms element to configure the name of the cookie, the protection type, the URL of the logon page, how long the cookie stays in effect, and the path for the issued cookie.

<authentication mode="Forms">
  <forms name=".ASPXCOOKIEDEMO" loginUrl="login.aspx" defaultUrl="default.aspx"
         protection="All" timeout="30" path="/" requireSSL="false"
         slidingExpiration="true" enableCrossAppRedirects="false"
         cookieless="UseDeviceProfile" domain="">
    <!-- protection="[All|None|Encryption|Validation]" -->
    <!-- cookieless="[UseUri | UseCookies | AutoDetect | UseDeviceProfile]" -->
  </forms>
</authentication>
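The forms element above leaves several attributes at values that weaken the authentication ticket: requireSSL="false" lets the browser send the ticket over plain HTTP where it can be captured and replayed, cookieless="UseDeviceProfile" may fall back to carrying the ticket in the URL (where it ends up in logs and Referer headers), and slidingExpiration="true" renews a stolen ticket for as long as it keeps being used. The following is an added example of the same element with those settings tightened; it is not from the slides, and the cookie name and timeout are constructed values:

```xml
<system.web>
  <authentication mode="Forms">
    <!-- protection="All" keeps the ticket both encrypted and signed (HMAC) -->
    <forms name=".ASPXAUTH_DEMO" loginUrl="login.aspx" defaultUrl="default.aspx"
           protection="All" timeout="20" path="/" requireSSL="true"
           slidingExpiration="false" enableCrossAppRedirects="false"
           cookieless="UseCookies" domain="" />
  </authentication>
  <!-- Marks every cookie the application issues as HttpOnly and Secure,
       so script cannot read the ticket and it is never sent over HTTP. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

With requireSSL="true" the forms module refuses to issue the ticket on an HTTP request, so the login page itself must be reachable over HTTPS before this change is deployed.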

Page 13: ASP.NET Security

Forms Authentication..

After the application has been configured, you need to provide a logon page. When the application runs, it requests the Default.aspx page. Unauthenticated requests are redirected to the logon page (Login.aspx), which presents a simple form that prompts for an e-mail address and a password. (Use Username="[email protected]" and Password="password" as credentials.)

Default.aspx (code-behind)

  // Page_Load: greet the authenticated user
  protected void Page_Load(object sender, EventArgs e)
  {
      Label1.Text = "Hello, " + User.Identity.Name;
  }

  // Signout button: clear the forms ticket and return to the login page
  protected void Signout_Click(object sender, EventArgs e)
  {
      FormsAuthentication.SignOut();
      Response.Redirect("login.aspx");
  }

Login.aspx (code-behind)

  protected void Logon_Click(object sender, EventArgs e)
  {
      if ((UserEmail.Value == "[email protected]") && (UserPass.Value == "password"))
      {
          // Issues the authentication cookie and redirects to the original URL
          FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
      }
      else
      {
          Msg.Text = "Invalid credentials: please try again";
      }
  }

Page 14: ASP.NET Security

Forms Authentication Attributes:

Cookieless (UseDeviceProfile (default), AutoDetect)

DefaultUrl

Domain

EnableCrossAppRedirects

LoginUrl

Name

Path

Protection

RequireSSL

SlidingExpiration

timeout

Page 15: ASP.NET Security

Forms Authentication.. Authentication Against Values in the web.config File

<system.web>
  <authentication mode="Forms">
    <credentials passwordFormat="Clear">
      <user name="Bill" password="secret"/>
    </credentials>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>

You can change Login.aspx to authenticate against the web.config file:

  // Compares the submitted name and password with the <credentials> entries
  if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
  {
      FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, true);
  }
  else
  {
      Response.Write("Invalid credentials: please try again");
  }

The passwordFormat attribute accepts the following values:

Hash Type   Description
Clear       Passwords are stored in cleartext
SHA1        Passwords are stored as SHA1 digests
MD5         Passwords are stored as MD5 digests

Page 16: ASP.NET Security

Forms Authentication.. Using Hashed Passwords

<authentication mode="Forms">
  <credentials passwordFormat="SHA1">
    <user name="Mary" password="94F85995C7492EEC546C321821AA4BECA9A3E2B1"/>
    <user name="John" password="5753A498F025464D72E088A9D5D6E872592D5F91"/>
  </credentials>
</authentication>

You can generate the hashed representation of a password with:

  string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox1.Text, "SHA1");
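The digests in a <credentials> section are plain, unsalted SHA1 or MD5 hashes of the password, rendered as upper-case hex, so anyone who can read web.config can crack them offline with a wordlist. The following added example (mine, not from the slides) shows what FormsAuthentication.Authenticate has to do under the hood for the passwordFormat values in the table above: parse the section, hash the submitted password the same way, and compare in constant time. HashForConfig, FixedTimeEquals and Authenticate are my names; the <credentials> XML is a constructed sample whose digests are SHA1("password") and SHA1("abc"), not the values on the slide.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

public static class ConfigCredentialCheck
{
    // Constructed sample of a web.config <credentials> section.
    // SHA1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    // SHA1("abc")      = A9993E364706816ABA3E25717850C26C9CD0D89D
    public const string SampleCredentials = @"
<credentials passwordFormat=""SHA1"">
  <user name=""Mary"" password=""5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8""/>
  <user name=""John"" password=""A9993E364706816ABA3E25717850C26C9CD0D89D""/>
</credentials>";

    // Produces the same layout as HashPasswordForStoringInConfigFile:
    // digest of the UTF-8 bytes of the password, as upper-case hex.
    public static string HashForConfig(string password, string format)
    {
        byte[] input = Encoding.UTF8.GetBytes(password);
        byte[] digest;
        switch (format.ToUpperInvariant())
        {
            case "SHA1":
                using (var sha1 = SHA1.Create()) { digest = sha1.ComputeHash(input); }
                break;
            case "MD5":
                using (var md5 = MD5.Create()) { digest = md5.ComputeHash(input); }
                break;
            case "CLEAR":
                return password;
            default:
                throw new ArgumentException("Unknown passwordFormat: " + format);
        }
        return BitConverter.ToString(digest).Replace("-", "");
    }

    // Constant-time comparison: the loop always runs over the full length,
    // so response time does not reveal how many leading characters matched.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true only if a <user> with this name exists and the submitted
    // password hashes to its stored value under the section's passwordFormat.
    public static bool Authenticate(string credentialsXml, string name, string password)
    {
        XElement credentials = XElement.Parse(credentialsXml);
        string format = (string)credentials.Attribute("passwordFormat") ?? "Clear";
        foreach (XElement user in credentials.Elements("user"))
        {
            if (!string.Equals((string)user.Attribute("name"), name, StringComparison.OrdinalIgnoreCase))
                continue;
            string stored = ((string)user.Attribute("password") ?? "").ToUpperInvariant();
            string computed = HashForConfig(password, format).ToUpperInvariant();
            return FixedTimeEquals(stored, computed);
        }
        return false;
    }

    public static void Main()
    {
        Console.WriteLine(HashForConfig("password", "SHA1"));               // 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
        Console.WriteLine(Authenticate(SampleCredentials, "Mary", "password")); // True
        Console.WriteLine(Authenticate(SampleCredentials, "Mary", "Password")); // False
        Console.WriteLine(Authenticate(SampleCredentials, "Nobody", "password")); // False
    }
}
```

HashPasswordForStoringInConfigFile is marked obsolete in later framework versions and does not exist in ASP.NET Core, so computing the digest directly, as above, is also the way to keep an existing <credentials> section verifiable during a migration; the stronger fix is to move the accounts to a store that salts and stretches passwords, such as the Membership provider described later in this deck.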

Page 17: ASP.NET Security

Passport Authentication

Page 18: ASP.NET Security

Passport Authentication

Passport uses an encrypted cookie mechanism to indicate authenticated users.

When your application is enabled for Passport authentication, the request is redirected to the Microsoft Passport site, where the user enters his credentials. If authentication succeeds, the user is authorized to proceed and the request is redirected back to your application.

Page 19: ASP.NET Security

User Class

Page 20: ASP.NET Security

User Class

Use the Page.User property or the HttpContext.User property to retrieve information about the current user.

The principal object also exposes an Identity property that gives you information about the current user's identity. It supports the following properties:

AuthenticationType   string authType = User.Identity.AuthenticationType;

IsAuthenticated      bool authUser = User.Identity.IsAuthenticated;

Name                 string userName = User.Identity.Name;

The principal object supports the following method:

IsInRole() -> Enables you to check whether the user is a member of a particular role.

  if (User.IsInRole(@"BUILTIN\Administrators"))
  {
      // Private information
  }
  else
  {
      // Public information
  }

Page 21: ASP.NET Security

Authorization

Page 22: ASP.NET Security

Authorization

Authorization is the process of identifying the resources a user is allowed to access. You control authorization by adding an authorization element to a web.config file. Authorization is configured the same way for Windows, Forms and Passport authentication.

To block unauthenticated users:

<authorization> <deny users="?"/> </authorization>

Authorization that allows Bill and denies others:

<authorization> <allow users="Bill"/> <deny users="?"/> </authorization>

Authorizing by role for Administrator:

<authorization> <allow roles="Administrator"/> <deny users="*"/> </authorization>

Authorizing files by location:

<location path="Secret.aspx">
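URL authorization rules are evaluated top to bottom and the first rule that matches the request's principal decides; if none matches, the machine-wide default of <allow users="*"/> applies. The wildcard "?" matches only anonymous requests and "*" matches everyone, so <allow users="Bill"/><deny users="?"/> admits every authenticated user, not just Bill; only a trailing <deny users="*"/> closes the door. The following added example (mine, not from the slides) is a small evaluator that models those semantics for the users and roles attributes and runs the slide's three rule sets against anonymous, Bill and an Administrator. Principal, UrlAuthorization and IsAllowed are my names; the verbs attribute is not modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Caller of a request: an anonymous request has no name.
public sealed class Principal
{
    public string Name { get; }
    public HashSet<string> Roles { get; }
    public bool IsAuthenticated => !string.IsNullOrEmpty(Name);

    public Principal(string name, params string[] roles)
    {
        Name = name;
        Roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
}

public static class UrlAuthorization
{
    // First matching <allow>/<deny> wins; no match means allowed (machine.config default).
    public static bool IsAllowed(string authorizationXml, Principal p)
    {
        XElement auth = XElement.Parse(authorizationXml);
        foreach (XElement rule in auth.Elements())
        {
            string verb = rule.Name.LocalName;
            if (verb != "allow" && verb != "deny") continue;
            if (Matches(rule, p)) return verb == "allow";
        }
        return true;
    }

    static bool Matches(XElement rule, Principal p)
    {
        foreach (string u in Split((string)rule.Attribute("users")))
        {
            if (u == "*") return true;                                   // everyone
            if (u == "?") { if (!p.IsAuthenticated) return true; continue; } // anonymous only
            if (p.IsAuthenticated && string.Equals(u, p.Name, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        foreach (string r in Split((string)rule.Attribute("roles")))
            if (p.Roles.Contains(r)) return true;
        return false;
    }

    static IEnumerable<string> Split(string list)
    {
        foreach (string s in (list ?? "").Split(','))
        {
            string t = s.Trim();
            if (t.Length > 0) yield return t;
        }
    }

    public static void Main()
    {
        var anon  = new Principal(null);
        var bill  = new Principal("Bill");
        var alice = new Principal("Alice", "Administrator");

        const string denyAnon   = "<authorization><deny users=\"?\"/></authorization>";
        // The slide's "only Bill" rule set: "?" only stops anonymous callers.
        const string billAndAnyUser = "<authorization><allow users=\"Bill\"/><deny users=\"?\"/></authorization>";
        // To admit only Bill, deny everyone else with "*".
        const string billOnly   = "<authorization><allow users=\"Bill\"/><deny users=\"*\"/></authorization>";
        const string adminsOnly = "<authorization><allow roles=\"Administrator\"/><deny users=\"*\"/></authorization>";

        Console.WriteLine(IsAllowed(denyAnon, anon));            // False
        Console.WriteLine(IsAllowed(denyAnon, bill));            // True
        Console.WriteLine(IsAllowed(billAndAnyUser, alice));     // True  (Alice gets in too)
        Console.WriteLine(IsAllowed(billOnly, alice));           // False
        Console.WriteLine(IsAllowed(billOnly, bill));            // True
        Console.WriteLine(IsAllowed(adminsOnly, alice));         // True
        Console.WriteLine(IsAllowed(adminsOnly, bill));          // False
    }
}
```

The same ordering applies inside a <location path="Secret.aspx"> element, which wraps its own <system.web><authorization> block so that the rules apply to that one file rather than the whole directory.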

Page 23: ASP.NET Security

Impersonation

Page 24: ASP.NET Security

Impersonation

Impersonation means that ASP.NET executes the request using the identity of the client that is making the request.

<identity impersonate="true" />

identity is a web.config element under system.web that controls the identity the web application runs under.

It can be set at any level (machine, site, application, subdirectory, or page); setting the impersonate attribute to "true" specifies that client impersonation is used.
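A quick way to see what the User class (above) reports and whether impersonation is actually in effect is to compare the request principal with the Windows account the worker thread is running as: with <identity impersonate="true"/> and a Windows-authenticated caller the two names agree, otherwise the thread runs as the application pool account. The following is an added example of a diagnostic handler (mine, not from the slides); WhoAmIHandler and Describe are my names, and it assumes the handler is registered in web.config and exposed only to administrators.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Diagnostic handler: reports the request principal next to the thread identity.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable => true;

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        // WindowsIdentity.GetCurrent() reflects the impersonated token when
        // impersonation is active, and the process account when it is not.
        context.Response.Write(Describe(context.User, WindowsIdentity.GetCurrent()));
    }

    public static string Describe(IPrincipal user, WindowsIdentity threadIdentity)
    {
        var sb = new StringBuilder();
        IIdentity id = user.Identity;

        // Check IsAuthenticated before trusting Name: for an anonymous request
        // Name is an empty string, so "Hello, " + Name would greet nobody.
        sb.AppendLine("IsAuthenticated:    " + id.IsAuthenticated);
        sb.AppendLine("AuthenticationType: " + id.AuthenticationType);
        sb.AppendLine("Name:               " + (id.IsAuthenticated ? id.Name : "<anonymous>"));
        sb.AppendLine("Administrator:      " + user.IsInRole(@"BUILTIN\Administrators"));
        sb.AppendLine("Thread runs as:     " + threadIdentity.Name);

        bool impersonating = id.IsAuthenticated &&
            string.Equals(id.Name, threadIdentity.Name, StringComparison.OrdinalIgnoreCase);
        sb.AppendLine("Impersonating:      " + impersonating);
        return sb.ToString();
    }
}
```

Because impersonation makes every file, database and network access run with the caller's privileges, the "Thread runs as" line is the one to check when an application that works for an administrator fails for ordinary users, or when a resource is unexpectedly reachable.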

Page 25: ASP.NET Security

Demo

Page 26: ASP.NET Security

Session Ends

Page 27: ASP.NET Security

Exercise

Page 28: ASP.NET Security

Relax