WEB-API & MVC5 - Identity & Security

Presentation transcript:

WEB-API & MVC5 - Identity & Security Asp.net Web-API Mait Poska & Andres Käver, IT Kolledž 2014

Transport security
- HTTPS == HTTP over TLS (RFC 2818)
- Tunnels unprotected HTTP and adds:
  - Server authentication: is it really amazon.com?
  - Integrity protection: nobody can change your book order in the middle of the communication
  - Replay protection: nobody can take your packet and resend it 500 times
  - Confidentiality: encryption, nobody knows what book you are buying

Security Architecture Overview
- Hosting
- Message handlers
- Authentication filter
- Authorization filter
- Accessing client identity

WEB-API Overview
- No dependencies on a specific host: IIS, self-host, OWIN & Katana
- No dependency on ASP.NET system.web

Security pipeline

OWIN system.web hosting

OWIN Middleware

Katana Authentication Middleware

MessageHandler Web API, global or per-route

Authentication Filter

Authorization Filter
- Determines if a resource needs authentication
- [AllowAnonymous] skips authorization for an action
- Emits a 401 if unsuccessful

Accessing the Client Identity
- RequestContext: a property of HttpRequestMessage, populated by the hosting environment
- ApiController.User is now a shortcut to the request context principal (it used to be Thread.CurrentPrincipal in Web API 1)
- Can be null

Summary
- Web API security extensibility is a pipeline: Katana, authentication filters, authorization filters
- Avoid host (IIS) specific dependencies
- HttpRequestMessage.GetRequestContext().Principal is the one-stop shop for client identity
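The authentication-filter stage of that pipeline, as an added illustration (not code from the slides, and not how the Web API 2 template itself validates bearer tokens, which it does in Katana middleware): a hypothetical IAuthenticationFilter that checks a bearer token against a constructed in-memory table and sets context.Principal, which is what ApiController.User later returns; the class name and the token table are assumptions.

```csharp
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Hypothetical filter: validates a bearer token and publishes the caller's
// identity on the request context so ApiController.User is populated downstream.
public class DemoBearerAuthenticationFilter : IAuthenticationFilter
{
    // Constructed sample tokens; a real service validates signed tokens or a store,
    // it never hard-codes them.
    private static readonly Dictionary<string, string> Tokens =
        new Dictionary<string, string> { { "demo-token-1", "user@akaver.com" } };
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        // No Authorization header, or another scheme: leave Principal untouched (anonymous).
        // The authorization filter then decides: [AllowAnonymous] lets it through,
        // [Authorize] answers 401.
        if (auth == null || auth.Scheme != "Bearer")
            return Task.FromResult(0);
        string user;
        if (string.IsNullOrEmpty(auth.Parameter) || !Tokens.TryGetValue(auth.Parameter, out user))
        {
            // Scheme matched but the token is unknown: fail authentication explicitly
            // with a 401 carrying a WWW-Authenticate: Bearer challenge.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // Nothing to add here: the UnauthorizedResult above already carries the
        // challenge header, and anonymous requests are left to the authorization filter.
        return Task.FromResult(0);
    }
}
```

Register it globally with `config.Filters.Add(new DemoBearerAuthenticationFilter());` in the Web API configuration, or per controller as an attribute-style filter.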

JS/Browser-based clients
- Same origin policy
- Implicit browser authentication
- Cross Site Request Forgery (CSRF)
- Cross Origin Resource Sharing (CORS)

Same Origin Policy
- Sandboxes scripts, communication and implicit browser authentication

Using same-domain for Auth
- Web APIs inherit the security settings of the web host: cookies, Windows/Basic auth, client certs, ...

CSRF - Cross Site Request Forgery

CSRF – Web API 2

Web API 2
- Web API uses the resource owner password flow defined in OAuth2: http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html

Web API 2 Local Login Credential Flow

Web API 2 – demo - FIDDLER
- GET http://localhost:3456/api/Values

Web API 2 – Register user
- POST http://localhost:3456/api/Account/Register
- Request headers: Content-Type: application/json
- Request body: { "Password": "parool", "ConfirmPassword": "parool", "Email": "user@akaver.com" }

Web API 2 – Authenticate
- POST http://localhost:3456/Token (no slash after!)
- Request headers: Content-Type: application/x-www-form-urlencoded
- Request body: grant_type=password&username=user@akaver.com&password=parool (no linefeeds after!)

Web API 2 – Authenticate
- A bearer token is a particular type of access token.
- An access token is a credential string that authorizes a client to access a protected resource (RFC 6749).
- A bearer token is an access token that can be used by any client that possesses it (RFC 6750).
- Bearer tokens must be used with SSL.

Web API 2 – Authorized request
- GET http://localhost:3456/api/Values
- Request headers: Authorization: Bearer mBKN9H_zaix….
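The three Fiddler requests above (register, obtain a token, call the API with it) as an added HttpClient client; this is not code from the slides. It assumes the default Web API 2 template endpoints on http://localhost:3456 and Json.NET for parsing the token response.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Demo client for the register -> token -> authorized call flow.
// Plain http is fine for a localhost demo only; bearer tokens need TLS anywhere else.
public static class WebApi2DemoClient
{
    private const string BaseUrl = "http://localhost:3456";

    public static async Task RunAsync()
    {
        using (var http = new HttpClient { BaseAddress = new Uri(BaseUrl) })
        {
            // 1. Register: JSON body as on the slide (demo credentials, not real ones).
            //    A second run answers 400 because the user already exists; the flow continues.
            var register = new StringContent(
                "{\"Email\":\"user@akaver.com\",\"Password\":\"parool\",\"ConfirmPassword\":\"parool\"}",
                Encoding.UTF8, "application/json");
            HttpResponseMessage reg = await http.PostAsync("/api/Account/Register", register);
            Console.WriteLine("Register: {0}", (int)reg.StatusCode);

            // 2. Token: resource owner password grant, form-urlencoded body, no trailing slash.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "grant_type", "password" },
                { "username", "user@akaver.com" },
                { "password", "parool" },
            });
            HttpResponseMessage tok = await http.PostAsync("/Token", form);
            tok.EnsureSuccessStatusCode();
            string accessToken = (string)JObject.Parse(await tok.Content.ReadAsStringAsync())["access_token"];

            // 3. Authorized request: the token goes in the Authorization header.
            //    Without it the [Authorize] filter on ValuesController answers 401.
            var request = new HttpRequestMessage(HttpMethod.Get, "/api/Values");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage values = await http.SendAsync(request);
            Console.WriteLine("Values: {0} {1}", (int)values.StatusCode,
                await values.Content.ReadAsStringAsync());
        }
    }

    public static void Main() { RunAsync().GetAwaiter().GetResult(); }
}
```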

CORS

THE END Mait Poska & Andres Käver

Classic/Basic authentication
- Anti-pattern
- Client must store the secret or obtain it from the user (on every request)
- Storage in clear text (or reversible encryption)
- Server has to validate the secret on every request: high computational cost if brute-force protection is done properly
- High probability of accidental exposure of the secret

Basic authentication
- Base64-encoded credentials in the Authorization header
- GET /service/resource
- Authorization: Basic base64(username:password)
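An added server-side sketch (not from the slides) of what the two Basic-auth slides above mean in practice: the header decodes back to the clear-text password in one call, and verifying it safely needs a slow password hash on every single request. BasicAuthDemo, its salt and its iteration count are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Decode a Basic header and verify the password against a salted PBKDF2 hash.
// The whole cost of Verify() is paid on every request, which is the anti-pattern.
public static class BasicAuthDemo
{
    private const int Iterations = 100000; // deliberately expensive, runs per request

    // Decodes "Basic base64(user:pass)"; returns false for anything malformed.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.Ordinal)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6))); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');   // split on the first colon: the password may contain ':'
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    public static bool Verify(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Hash(password, salt);
        int diff = 0;  // fixed-time comparison, no early exit on the first mismatch
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] salt = Encoding.ASCII.GetBytes("constructed-salt");   // constructed sample salt
        byte[] stored = Hash("parool", salt);                          // what the user store would hold
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("user@akaver.com:parool"));
        string u, p;
        var sw = System.Diagnostics.Stopwatch.StartNew();
        bool ok = TryParse(header, out u, out p) && Verify(p, salt, stored);
        Console.WriteLine("{0}: {1} in {2} ms (paid on every request)", u, ok, sw.ElapsedMilliseconds);
    }
}
```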