Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEB-API & MVC5 - Identity & Security

Published byHorace Stokes Modified over 5 years ago

Similar presentations

Presentation on theme: "WEB-API & MVC5 - Identity & Security"— Presentation transcript:

1 WEB-API & MVC5 - Identity & Security
Asp.net Web-API Mait Poska & Andres Käver, IT Kolledž 2014

2 Transport security HTTPS == HTTP over TLS
RFC 1818 Tunnels unprotected HTTP and adds Server authentication Is it really amazon.com? Integrity protection Nobody can change your book order in the middle of communication Replay protection Nobody can take your packet and resend it 500x times Confidentiality Encryption – nobody knows what book you are buying

3 Security Architecture
Overview Hosting Message handlers Authentication filter Authorization filter Accessing client identity

4 WEB-API Overview No dependencies on specific host
IIS Self-host OWIN & Katana No ASP.NET system.web

5 Security pipeline

6 OWIN system.web hosting

7 OWIN Middleware

8 Katana Authentication Middleware

9 MessageHandler Web API, global or per-route

10 Authentication Filter

11 Authorization Filter Determines if a resource needs authentication
[AllowAnonymous] to skip authorization for an action Emits the 401 code, if unsuccessful

12 Accessing the Client Identity
RequestContext HttpRequestMessage – hosting enviroment ApiController.User is now shortcut to the request context (used to be Thread.CurrentPrincipal in WEB Api 1) Could be null

13 Summary Web API security extensibility is a pipeline Katana
Authentication filters Authorization filters Avoid host (IIS) specific dependencies HttpRequestMessage.GetRequestContext().Principal One stop shop for client identity

14 JS/Browser-based clients
Same origin policy Implicit Browser Authentication Cross Site Request Forgery (CSRF) Cross Origin Resource Sharing (CORS)

15 Same Origin Policy Sandbox
Scripts, communication, implicit browser authentication

16 Using same-domain for Auth
Web APIs inherit security settings of web host Cookies, Win/Basic auth, client certs …

17 CSRF - Cross Site Request Forgery

18 CSRF – Web API 2

19 Web API 2 Web API uses the resource owner password flow defined in OAuth2

20 Web API 2 Local Login Credential Flow

21 Web API 2 – demo - FIDDLER Get

22 Web API 2 – Register user Post Request headers Request body
Request headers Content-Type: application/json Request body { "Password": “parool”, "ConfirmPassword": “parool”, “ ”: }

23 Web API 2 – Authenticate Post Request headers Request body
No slash after! Request headers Content-Type: application/x-www-form-urlencoded Request body No linefeeds after!

24 Web API 2 – Authenticate Bearer token is a particular type of access token. An access token is a credential string that authorizes a client to access a protected resource. (RFC 6749.) A bearer token is an access token that can be used by any client. (RFC 6750.) Bearer tokens must be used with SSL.

25 Web API 2 – Authorized request
Get Request headers Authorization: Bearer mBKN9H_zaix….

26 CORS

27

28 THE END Mait Poska & Andres Käver

29 Classic/Basic authentication
Anti pattern Client must store the secret or obtain it from the user (on every request) Storage in clear text (or reversible encryption) Server has to validate the secret on every request High computational cost – brute force protection High probability of accidental exposure of the secret is increased

30 Basic authentication Base64 encoded credentials on auth header
GET /service/resource Authorization: Basic username:password

Download ppt "WEB-API & MVC5 - Identity & Security"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
Architecture & Integration: CP v3.1. 3.x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)

Architecture & Integration: CP v x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Understanding SharePoint 2013 Add-In Security Vulnerabilities

Understanding SharePoint 2013 Add-In Security Vulnerabilities
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
ASP.NET Web API Udaiappa Ramachandran NHDN-Nashua.NET/Cloud Computing UG Lead Blog:

ASP.NET Web API Udaiappa Ramachandran NHDN-Nashua.NET/Cloud Computing UG Lead Blog:

Similar presentations

Ads by Google