Module – Deploying Your Site. Objectives. Web Application Security Overview Working with Windows Based Authentication and Securing Web site using Windows Based Authentication Working with Forms Based Authentication and Securing Web site using Forms Based Authentication - PowerPoint PPT Presentation
Company Confidential
Module – Deploying Your Site
Objectives
• Web Application Security Overview
• Working with Windows Based Authentication and Securing Web site using Windows Based Authentication
• Working with Forms Based Authentication and Securing Web site using Forms Based Authentication
• Overview of MS Passport Authentication
• Securing a MS ASP.NET Web Application
• Configuring an ASP.NET Web Application
• Deploying an ASP.NET Web Application
Objectives (Cont…)
• Configuring, Optimizing and Deploying a MS ASP.NET Application
• Registering New Users
• Permitting Users to Sign Out
Web Application Security Overview
• Website Security
– Preventing unauthorized users from accessing any portion of the website, web store or web front-end database.
– This has become an especially important aspect of e-commerce websites, where confidential customer data such as personal information and credit card details stored in the database must be thoroughly secured.
– The security features of ASP.NET address these and many other related security issues.
Web Application Security Overview (Cont…)
• Microsoft’s ASP.NET addresses these web security issues in combination with its Web server layer, Microsoft Internet Information Server (MS IIS).
• The user’s identification, viz. name and password, can be authenticated using:
– Windows Based Authentication
– Forms Based Authentication
– Microsoft Passport Authentication
Let’s understand the scenario with the terms Authentication and Authorization.
Web Application Security Overview (Cont…)
Authentication versus Authorization
• The terms Authentication and Authorization seem to be synonyms to many people; however, they aren’t the same.
• The process of Authentication
– identifies the users of the system, whereas
• Authorization defines
– the level of access the authenticated user has to the system and its resources.
Note: In many host-based systems and client/server systems, both the Authentication and Authorization processes are performed by the same physical hardware and, in some cases, the same software.
Working with Windows Based Authentication
• ASP.NET uses Windows authentication in combination with the authentication of its Web server layer, Microsoft Internet Information Services (IIS).
• This process can be performed by IIS in one of the following ways:
– Basic
– Digest, or
– Integrated Windows Authentication (default mechanism)
• Once the above process is complete, ASP.NET uses the authenticated identity to authorize access.
Working with Windows Based Authentication (Cont…)
• To enable an authentication provider for an ASP.NET application, we need to create an entry in the <system.web> section of the application’s ‘web.config’ configuration file as follows:
– <authentication mode="Windows" />
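As an added example (not from the original slides), a fuller web.config for this mode: it turns on Windows authentication, denies anonymous users everywhere, and restricts one folder to the ‘Power User’ role created later in this module. The folder name ‘Admin’ is assumed.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not from the original slides.
     Assumes a role named "Power User" and an "Admin" folder (both assumed here). -->
<configuration>
  <system.web>
    <!-- Hand authentication to IIS (Basic, Digest or Integrated Windows). -->
    <authentication mode="Windows" />
    <!-- "?" means anonymous users: deny them, so IIS must authenticate everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Role checks in <authorization> need the role manager enabled. -->
    <roleManager enabled="true" />
  </system.web>
  <!-- Tighter rule for one folder: rules are evaluated top to bottom,
       so allow the role first, then deny everyone else ("*"). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Power User" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```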
Working with Windows Based Authentication (Cont…)
• Click on the Website menu and select ASP.NET Configuration
Working with Windows Based Authentication (Cont…)
• You will see the following screen
Working with Windows Based Authentication (Cont…)
• Click on the Security tab to create Users (for authentication) and Roles (to authorize an authenticated user)
Working with Windows Based Authentication (Cont…)
• Select the ‘From the Internet’ option if the application is hosted on the Internet to serve Internet users, or select ‘From a local network’ if the application is hosted on an intranet.
Working with Windows Based Authentication (Cont…)
• The user count is initially ‘0’; this is highlighted for your reference
Working with Windows Based Authentication (Cont…)
• To create a role, you need to enable the option
Working with Windows Based Authentication (Cont…)
• The existing roles count is initially ‘0’; this is highlighted for your reference
Registering New User (ASP.NET Web Administration Tool)
• Registering New Users – using the ASP.NET Website Administration Tool
Registering New User (ASP.NET Web Administration Tool) (Cont…)
• Registering New Users – using the ASP.NET Website Administration Tool (Cont…)
• User created Successfully
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• The existing user count is 1, highlighted for your reference
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• Creating a new role that can be managed later
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• Creating a New Role called ‘Power User’
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• Power User is created; it can be managed later using the Manage link
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• The role count changes to 1 as a new role is defined; highlighted for your reference
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• Users can be managed
Registering New User (ASP.NET Web Administration Tool) – Creating or Managing Roles (Cont…)
• Initially all users are arranged alphabetically, and the selection can be narrowed down as the user list grows
Working with Windows Based Authentication
• Adding a new item (Web form) in the solution explorer
Working with Windows Based Authentication (Cont…)
• A new web form called login.aspx is about to get created
Working with Windows Based Authentication (Cont…)
• A new web form called login.aspx is created and from the Login palette on the toolbox of the IDE, a login control is dragged and dropped on the web form (login.aspx)
Working with Windows Based Authentication (Cont…)
• Highlight the login control and click on the tiny arrow to open a dialog box, as shown below, to format the control so that it has a neat look and feel
Working with Windows Based Authentication (Cont…)
• Formatted login control on the login.aspx web form
Working with Windows Based Authentication (Cont…)
• Usage of other login controls such as ‘login view’
• On the default.aspx page, pull a login view control and place it
Working with Windows Based Authentication (Cont…)
• Usage of other login controls such as ‘login view’(Cont…)
• On the default.aspx page, pull a login view control and place it
• The login view control has the ability to show different content to an anonymous user and to a user who is already logged on
Working with Windows Based Authentication (Cont…)
• Usage of other login controls such as ‘login view’(Cont…)
• On the default.aspx page, pull a login view control and place it (Cont…)
• The login status control is a toggle control that switches between Login and Logout (sign out)
Working with Windows Based Authentication (Cont…)
• Usage of other login controls such as ‘user name’
• On the default.aspx page, pull a user name control and place it
• The user name control has the ability to display the name of a user who is already logged on
Working with Windows Based Authentication (Cont…)
• Running the application by hitting the F5 function key
Working with Windows Based Authentication (Cont…)
• About to get to run mode and display the web form
Working with Windows Based Authentication (Cont…)
• Run mode of login.aspx
Working with Windows Based Authentication (Cont…)
• Administrator is authenticated and the corresponding controls behave as expected
Working with Windows Based Authentication (Cont…)
• User ‘Administrator’ is NOT authenticated, as a wrong password was deliberately supplied to test the application
Working with Forms Based Authentication
• In Forms Based Authentication
– unauthenticated requests are redirected to an HTML form using the client-side redirection object.
– If the user’s identity is authenticated, the process issues an authentication ticket in a cookie that contains the credentials or a key to re-acquire the identity.
– All requests from then on carry the cookie in the request headers (so they are authenticated) and are authorized by an ASP.NET handler.
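As an added example (not from the original slides), a web.config for Forms Based Authentication that hardens the ticket cookie described above while leaving the sign-up and password-recovery pages created later in this module reachable by anonymous users. The cookie name, timeout and defaultUrl are assumed values.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not from the original slides.
     Cookie name, timeout and defaultUrl are assumed values. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Unauthenticated requests are redirected to loginUrl; the ticket
           issued after login lives in the cookie named here. -->
      <forms loginUrl="login.aspx"
             defaultUrl="default.aspx"
             name=".SITEAUTH"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>
    <!-- Deny anonymous users ("?") by default; this is what triggers the redirect. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Keep the ticket cookie out of script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <!-- Pages an anonymous user must reach: sign-up and password recovery.
       Without these exceptions the deny rule above would redirect them to login.aspx. -->
  <location path="createuser.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="ForgotPassword.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```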
Registering a new user using Forms Based Authentication
• Create a new webform in the solution explorer and name it ‘createuser.aspx’
Working with Forms Based Authentication (Cont…)
• A control called createnewuserwizard is pulled from the login control palette and placed on the web form called createuser.aspx
Working with Forms Based Authentication (Cont…)
• Adding a hyperlink control to the login window
Working with Forms Based Authentication (Cont…)
• Run mode of login.aspx to use the create new userwizard control
Working with Forms Based Authentication (Cont…)
• Run mode of createuser.aspx to use the createnewuserwizard control for signing up a new user
Working with Forms Based Authentication (Cont…)
• Corresponding entries are made
Working with Forms Based Authentication (Cont…)
• New user called New Horizons is added successfully using Forms Based Authentication
Working with Forms Based Authentication (Cont…)
• The user count changes to 2
Working with Forms Based Authentication (Cont…)
• You can see a user called New Horizons when you click the Manage link
Working with Forms Based Authentication (Cont…)
• Click on a letter hyperlink to narrow down the search criteria
Working with Forms Based Authentication (Cont…)
• Anonymous user logged in
Working with Forms Based Authentication (Cont…)
• Trying to see if we can use this control; a wrong password is entered
Working with Forms Based Authentication (Cont…)
• Login failed for the user New Horizons
Working with Forms Based Authentication (Cont…)
• New Horizons user authenticated
Working with Forms Based Authentication (Cont…)
• User New Horizons logged out
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication
• Create a ForgotPassword.aspx page in solution explorer
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication
• Pull a PasswordRecovery control to the form ForgotPassword.aspx
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Create a hyperlink called Forgot Password that is linked to this ForgotPassword.aspx page
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Design mode of login.aspx page to test the Forgot Password link
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Run mode of login.aspx page to test the Forgot Password link
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Wrong password entered
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Wrong password entered and failed status
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Entering correct password
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity – Wrong entry input
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity – Invalid answer
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity – Correct entry input
• This will lead to the ‘Password sent’ page, with the password sent to the email given at the time of registration
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity – Correct entry input (Cont…)
• This will lead to the ‘Password sent’ page, with the password sent to the email given at the time of registration
• Note: For this, the FROM property must be filled in and SMTP email must be configured; if either is missing, the control will go to a failure page as follows:
Working with Forms Based Authentication (Cont…)
• Securing your website using Forms Based Authentication (Cont…)
• Confirming the identity – Correct entry input (Cont…)
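As an added example (not from the original slides), the web.config sections the PasswordRecovery control depends on: the SMTP sender and host that the note above refers to, plus a membership provider configured so the control works with hashed passwords. The SMTP host, port and credentials are constructed placeholders and the provider name is assumed. Because passwordFormat is Hashed, the stored password cannot be retrieved, so the control resets it and mails the new one; requiresQuestionAndAnswer enforces the secret-question step shown on the slides.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not from the original slides.
     SMTP host, port and credentials are constructed placeholders. -->
<configuration>
  <system.net>
    <mailSettings>
      <!-- "from" fills the FROM property the PasswordRecovery control needs. -->
      <smtp from="noreply@example.invalid" deliveryMethod="Network">
        <!-- enableSsl needs .NET 4 or later; replace the placeholders before use. -->
        <network host="smtp.example.invalid"
                 port="587"
                 enableSsl="true"
                 userName="SMTP_USER_PLACEHOLDER"
                 password="SMTP_PASSWORD_PLACEHOLDER" />
      </smtp>
    </mailSettings>
  </system.net>
  <system.web>
    <membership defaultProvider="HardenedSqlProvider">
      <providers>
        <clear />
        <!-- Hashed storage: retrieval is impossible, so reset-and-mail is used. -->
        <add name="HardenedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>
```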
Overview of Microsoft Passport Authentication
• Passport authentication
– is a centralized authentication service provided by Microsoft that offers single sign-on* and core profile services for member sites.
– Microsoft .NET Passport provides
• a basic form with a graphical user interface (GUI) for sign-up and login,
• a database of user information,
• authentication logic at the Web server,
• log-out functionality wrapped inside an easy-to-use programmatic interface.
Overview of Microsoft Passport Authentication (Cont…)
• The Passport architecture is simple: a single .NET Passport class named System.Web.Security.PassportIdentity wraps all authentication functionality.
• A Passport-enabled Web application developer need only instantiate the PassportIdentity class and use its methods to perform the complete authentication process.
Overview of Microsoft Passport Authentication (Cont…)
• * Single Sign-on: Single sign-on is another good feature from Microsoft. The corporation hosts its Passport service on its own servers and allows an integrated single sign-on identity for all Passport-enabled accounts, viz. Hotmail and MSN.
• This means users with Passport-enabled accounts need to remember only one login/password pair to access all partner sites.
Overview of Microsoft Passport Authentication (Cont…)
• Permitting users to Sign-in using the form based login
Overview of Microsoft Passport Authentication (Cont…)
• Permitting users to Sign-out
Overview of Microsoft Passport Authentication (Cont…)
• Permitting users to Sign-in using the Login hyperlink
Thank You