Security. Agenda: ASP.NET security basics, Authentication, Authorization, Security principals, Forms authentication, Membership service, Login controls, Role Management.

Presentation transcript:

Security

Agenda
ASP.NET security basics
Authentication
Authorization
Security principals
Forms authentication
Membership service
Login controls
Role Management service

ASP.NET Security (diagram)
Authentication (Windows, Passport, Forms): who did the request come from?
Authorization (ACL authorization, URL authorization): what is the caller allowed to do?
Impersonation: use the process identity or the caller's identity?

Windows Authn/File Authz (diagram: Bob -> IIS -> ASP.NET -> ASPX, with an ACL on the file)
1. IIS creates an access token identifying Bob and passes it to ASP.NET
2. ASP.NET checks the ACL on the requested file and fails the request if Bob lacks read permission
Anonymous access disabled; authentication mode="Windows"

Forms Authn/URL Authz (diagram: Bob -> ASP.NET -> Login Page / ASPX)
First access: the URL is not authorized for an anonymous caller, so ASP.NET redirects to the login page
Next access: authenticated access to the ASPX page, the request carrying the authentication ticket

Setting the Authentication Type
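The configuration this slide refers to, as an added web.config example (not taken from the deck): it selects Forms authentication and uses URL authorization so that anonymous callers are redirected to the login page, as in the Forms Authn/URL Authz diagram. Folder name "Admin" and role name "Developers" are assumed for illustration.

```xml
<!-- Added example, not from the slides -->
<configuration>
  <system.web>
    <!-- Who did the request come from? mode="Forms": ASP.NET redirects
         unauthenticated callers to loginUrl and issues an authentication
         ticket cookie; mode="Windows" would use the IIS token and ACLs instead -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- What is the caller allowed to do? URL authorization:
         "?" means anonymous users, "*" means everyone -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rule (assumed folder/role): only the Developers role
       may reach /Admin; rules are evaluated top-down, first match wins -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Developers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```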

Security Principals
Every call has an associated security principal object representing the current user
Page.User and HttpContext.User properties expose IPrincipal for the current user
Type hierarchy (diagram): IPrincipal is implemented by GenericPrincipal and WindowsPrincipal; IIdentity is implemented by FormsIdentity, WindowsIdentity, PassportIdentity and GenericIdentity

Getting the User Name

If User.Identity.IsAuthenticated Then
    Dim name As String = User.Identity.Name
End If

Membership Service
Service for managing users and credentials
Declarative access via Web Site Admin Tool
Programmatic access via Membership and MembershipUser classes
  Membership class provides base services
  MembershipUser class represents users and provides additional services
Provider-based for flexible data storage

Membership Schema (diagram)
Controls: Login, LoginStatus, LoginView, other login controls
Membership API: Membership, MembershipUser
Membership providers: SqlMembershipProvider -> SQL Server; AccessMembershipProvider; other membership providers -> other data stores

The Membership Class
Provides static methods for performing key membership tasks
  Creating and deleting users
  Retrieving information about users
  Generating random passwords
  Validating logins
Also includes read-only static properties for acquiring data about provider settings

Key Membership Methods
CreateUser: Adds a user to the membership data store
DeleteUser: Removes a user from the membership data store
GeneratePassword: Generates a random password of a specified length
GetAllUsers: Retrieves a collection of MembershipUser objects representing all currently registered users
GetUser: Retrieves a MembershipUser object representing a user
UpdateUser: Updates information for a specified user
ValidateUser: Validates logins based on user names and passwords

Creating New Users

Try
    ' Third argument is the e-mail address (placeholder value; the slide's value was lost)
    Membership.CreateUser ("Jeff", "imbatman", "jeff@example.com")
Catch e As MembershipCreateUserException
    ' Find out why CreateUser failed
    Select Case e.StatusCode
        Case MembershipCreateStatus.DuplicateUserName
            ' ...
        Case MembershipCreateStatus.DuplicateEmail
            ' ...
        Case MembershipCreateStatus.InvalidPassword
            ' ...
        Case Else
            ' ...
    End Select
End Try

Validating Logins

If Membership.ValidateUser (UserName.Text, Password.Text) Then
    FormsAuthentication.RedirectFromLoginPage (UserName.Text, _
        RememberMe.Checked)
End If

The MembershipUser Class
Represents individual users registered in the membership data store
Includes numerous properties for getting and setting user info
Includes methods for retrieving, changing, and resetting passwords
Returned by Membership methods such as GetUser and CreateUser

Key MembershipUser Properties
Comment: Storage for user-defined data
CreationDate: Date user was added to the membership data store
Email: User's e-mail address
LastLoginDate: Date user last logged in successfully
LastPasswordChangedDate: Date user's password was last changed
UserId: Unique user ID generated by membership provider
UserName: User's registered user name

Key MembershipUser Methods
ChangePassword: Changes user's password
ChangePasswordQuestionAndAnswer: Changes question and answer used for password recovery
GetPassword*: Retrieves a password
ResetPassword: Resets a password by setting it to a new random password
* Works only if Membership.EnablePasswordRetrieval is true

Suspending Login Privileges

If Membership.ValidateUser (UserName.Text, Password.Text) Then
    ' Successful login: reset the consecutive-failure count kept in Comment
    Dim user As MembershipUser = Membership.GetUser (UserName.Text)
    user.Comment = "0"
    Membership.UpdateUser (user)
    FormsAuthentication.RedirectFromLoginPage (UserName.Text, RememberMe.Checked)
Else
    Dim user As MembershipUser = Membership.GetUser (UserName.Text)
    If Not (user Is Nothing) Then
        ' Get a count of consecutive failed login attempts
        ' (an empty or non-numeric Comment counts as zero)
        Dim count As Integer = 0
        Integer.TryParse (user.Comment, count)
        count += 1
        ' If the count equals or exceeds 5, suspend login privileges
        If count >= 5 Then
            user.IsApproved = False
        End If
        ' Update the count of consecutive failed login attempts;
        ' nothing is persisted until UpdateUser is called
        user.Comment = count.ToString ()
        Membership.UpdateUser (user)
    End If
End If

Membership Providers
Membership is provider-based
Provider provides the interface between the membership service and the physical data store
Beta 1 ships with two providers
  AccessMembershipProvider (Access)*
  SqlMembershipProvider (SQL Server)
Use custom providers for other data stores
* Will be replaced by SQL Express provider in beta 2

Using the SQL Server Provider

Provider Configuration
Membership providers support a number of configuration settings
  How should passwords be stored (cleartext, hashed, encrypted)?
  Should password recovery be enabled?
  Must each user have a unique e-mail address?
Exposed as properties of the provider class
Initialized from CONFIG files

Changing Provider Settings

<add name="AspNetSqlProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web,..."
     connectionStringName="RemoteSqlServer"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     applicationName="/"
     requiresUniqueEmail="false"
     passwordFormat="Hashed"
     description="Stores and retrieves membership data..." />

Login Controls
Login: UI for entering and validating user names and passwords
LoginName: Displays authenticated user names
LoginStatus: UI for logging in and logging out
LoginView: Displays different views based on login status and roles
PasswordRecovery: UI for recovering forgotten passwords
CreateUserWizard: UI for creating new user accounts
ChangePassword: UI for changing passwords

Role Management Service
Role-based security in a box
Declarative access via Web Site Admin Tool
Programmatic access via Roles class
  Roles class contains static methods for creating roles, adding users to roles, etc.
Maps users to roles on each request
  Replaces Application_AuthenticateRequest
Provider-based for flexible data storage

Role Management Schema (diagram)
Controls: Login, LoginStatus, LoginView, other login controls
Roles API: Roles
Role providers: SqlRoleProvider -> SQL Server; AccessRoleProvider; other role providers -> other data stores

The Roles Class
Gateway to the Role Management API
Provides static methods for performing key role management tasks
  Creating and deleting roles
  Adding users to roles
  Removing users from roles
  and more
Also includes read-only static properties for acquiring data about provider settings

Key Roles Methods
AddUserToRole: Adds a user to a role
CreateRole: Creates a new role
DeleteRole: Deletes an existing role
GetRolesForUser: Gets a collection of roles to which a user belongs
GetUsersInRole: Gets a collection of users belonging to a specified role
IsUserInRole: Indicates whether a user belongs to a specified role
RemoveUserFromRole: Removes a user from the specified role

Creating a New Role

If Not Roles.RoleExists ("Developers") Then
    Roles.CreateRole ("Developers")
End If

Adding a User to a Role

' GetUser () with no arguments returns the currently logged-in user
Dim name As String = Membership.GetUser ().UserName
Roles.AddUserToRole (name, "Developers")

Enabling the Role Manager
Role management is disabled by default
Enable it via Web.config:

Role Caching
Role manager offers an option for caching role data in cookies
  Fewer accesses to the data store
  Better performance
Controlled via attributes and programmatically exposed through the Roles class
  Should roles be cached in cookies?
  Should role cookies be encrypted?
  How long are role cookies valid?

Enabling Role Caching

<!-- Other roleManager attributes (and their defaults) include:
     cookieName=".ASPXROLES"            // Cookie name
     cookieTimeout="30"                 // Cookie lifetime
     cookiePath="/"                     // Cookie path
     cookieRequireSSL="false"           // Restrict cookie to SSL?
     cookieSlidingExpiration="true"     // Renew expiring cookies?
     createPersistentCookie="false"     // Issue persistent cookie?
     cookieProtection="All" />          // Cookie protection level
-->
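The roleManager element that the "Enabling the Role Manager" and "Enabling Role Caching" slides refer to, as an added web.config example (not from the deck): it turns the service on and caches roles in a cookie, keeping the protection level at "All" (encrypted and signed) and overriding the cookieRequireSSL default of false so the role cookie is never sent over plain HTTP.

```xml
<!-- Added example, not from the slides -->
<configuration>
  <system.web>
    <!-- enabled="false" is the default: Roles.* calls would throw and
         User.IsInRole() would see no roles until this is set to "true" -->
    <roleManager enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookieTimeout="30"
                 cookiePath="/"
                 cookieSlidingExpiration="true"
                 createPersistentCookie="false"
                 cookieProtection="All"
                 cookieRequireSSL="true" />
    <!-- cookieProtection="All": the cached role list is encrypted and
         validated (signed), so a client cannot read or edit its own roles.
         cookieRequireSSL="true": the role cookie is marked Secure and is
         only transmitted over HTTPS (the default "false" is the weak setting). -->
  </system.web>
</configuration>
```

Roles.CookieName, Roles.CookieProtectionValue and Roles.CookieRequireSSL expose the same settings programmatically for inspection at run time.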

Role Management Providers
Role management is provider-based
Beta 1 ships with four providers
  AccessRoleProvider (Access)*
  AuthorizationStoreRoleProvider (AuthMan)
  SqlRoleProvider (SQL Server)
  WindowsTokenRoleProvider (Windows)
Use custom providers for other data stores
* Will be replaced by SQL Express provider in beta 2

Using the SQL Server Provider

Forms Authentication

© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.