Created by : Asst. Prof. Ashish Shah

1 ASP.NET SECURITY

2 THREE INTERLINKED CONCEPTS OF SECURITY W.R.T. ASP.NET
Three interlinked security concepts in ASP.NET: authentication, authorization and impersonation.

Authentication: the process of obtaining some form of identification from the user (a username and password, a Windows logon, a ticket) and using that identification to verify who the user is. The available authentication modes are selected through settings in the application's web.config file, which is XML-based and lets you change ASP.NET's behaviour without recompiling the application.

3 THREE DIFFERENT PROVIDERS OF AUTHENTICATION
The general syntax is:

    <system.web>
      <authentication mode="Windows|Forms|Passport">
      </authentication>
    </system.web>

Windows: authenticates users based on their Windows accounts. This provider relies on IIS to perform the actual authentication and then passes the authenticated identity to your code. It is the default mode in ASP.NET. The syntax is:

    <authentication mode="Windows">
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

Note: `<allow users="*" />` admits every identity IIS hands over, including the anonymous user if anonymous access is enabled in IIS. To ensure that access is granted only to users who have supplied valid credentials, either disable anonymous access in IIS or add `<deny users="?" />` to the authorization section.

4 Windows authentication
IIS offers four different options for this mode:

Anonymous: IIS performs no authentication check and allows any user to access the application; requests run under the configured anonymous account.

Basic: the user must supply a Windows user name and password to connect. The credentials are sent only Base64-encoded, not encrypted, so Basic should be used only over HTTPS.

Digest: similar to Basic, but instead of the password itself the client sends a hash of the credentials combined with a server-supplied nonce, so the password does not cross the network in readable form.

Integrated Windows: the password is never sent across the network; the client and server authenticate through a challenge/response exchange using the Kerberos or NTLM protocol, which provides the strongest protection of the four on a Windows network.

5 Forms Authentication
Forms authentication lets the application handle authentication with its own custom logic (for example, checking a user name and password against a database). After a successful login it issues an authentication ticket in a cookie, which identifies the user on subsequent requests. The web.config configuration for this mode is:

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="loginform" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

Note: the authorization section above denies access to anonymous users (`?`), so every user must enter credentials through the login form before reaching any page. Because the ticket cookie is the proof of identity, it must be protected from tampering and replay: ASP.NET signs and encrypts it using the machineKey, gives it an expiry, and the cookie should be sent only over HTTPS.
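To make the "cookie concept" concrete, here is an added example (not ASP.NET's own FormsAuthenticationTicket code, which encrypts and MACs the ticket with the machineKey) of a simplified login ticket: the server issues a ticket bound to a user name and an expiry, signs it with an HMAC key it alone holds, and on each request verifies the signature in constant time and enforces the expiry. The `SECRET` value and the `forge_attempt` helper are assumptions constructed for the demonstration.

```python
"""Signed, expiring login ticket: a simplified model of the cookie that
forms authentication issues after a successful login.

Added example, not ASP.NET's own ticket format. The real module encrypts
and MACs the ticket with the machineKey; this toy uses HMAC-SHA256 over
"name|expiry" with base64url encoding so tamper detection and expiry can
be exercised offline.
"""
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Assumed server-side secret; in ASP.NET this role is played by machineKey.
SECRET = b"constructed-demo-key-do-not-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_ticket(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build the cookie value: base64url(payload) '.' base64url(HMAC(payload))."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    payload = f"{username}|{expires}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def validate_ticket(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the ticket is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    username, _, expires = payload.decode(errors="replace").rpartition("|")
    if not expires.isdigit() or int(expires) <= now:
        return None  # expired (or never had a valid expiry)
    return username


def forge_attempt(cookie: str, new_user: str) -> str:
    """Constructed attacker move: edit the user name, keep the original tag.
    Without SECRET the attacker cannot recompute the HMAC, so this must fail."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    _, _, expires = _b64d(payload_b64).decode().rpartition("|")
    return _b64e(f"{new_user}|{expires}".encode()) + "." + tag_b64


if __name__ == "__main__":
    t = issue_ticket("alice", ttl_seconds=600)
    print("valid   :", validate_ticket(t))
    print("forged  :", validate_ticket(forge_attempt(t, "admin")))
    print("expired :", validate_ticket(t, now=time.time() + 700))
```

The three properties the toy enforces (integrity via the MAC, bounded lifetime via the expiry, constant-time comparison) are exactly what the real ticket must provide; the genuine implementation additionally encrypts the payload so the user name is not readable by whoever holds the cookie.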

6 Passport Authentication
Passport authentication delegates authentication to the Microsoft Passport service. If users have signed up with Passport and the application's authentication mode is Passport, all authentication duties are offloaded to the Passport servers. An encrypted cookie is used to indicate that a user has been authenticated. Users who are already signed in to Passport when they visit the site are treated as authenticated; otherwise they are redirected to the Passport server to log in, and only after a successful login are they redirected back to your web site. web.config is configured as follows:

    <system.web>
      <authentication mode="Passport">
        <passport redirectUrl="login.aspx" />
      </authentication>
    </system.web>

Note: the Passport service has been retired and the Passport authentication mode is marked obsolete from .NET Framework 4 onward; it is covered here for completeness only.

7 Authorization
Authentication and authorization are two interconnected security concepts. Authentication is the process of identifying a user; authorization is the process of checking whether the authenticated user is allowed to access the resource they requested. ASP.NET offers two forms of authorization:

1) File authorization: performed by the FileAuthorizationModule. It uses the access control list (ACL) of the requested .aspx file to decide whether the user may access it. The ACL permissions are checked against the user's Windows identity, so this form is meaningful only with Windows authentication (or impersonation).

2) URL authorization: in web.config you specify authorization rules for directories or individual files using the <authorization> element. The syntax is:

    <system.web>
      <authorization>
        <allow users="abc" />
        <deny users="*" />
      </authorization>
    </system.web>

Rules are evaluated in the order written and the first rule that matches the user wins, so `allow` rules for specific users or roles must come before the catch-all `<deny users="*" />`; if the order is reversed, everyone is denied. If no rule in the application matches, the inherited machine-level `<allow users="*" />` applies and access is granted.
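Because the order of `<allow>`/`<deny>` rules is the most common way URL authorization goes wrong, here is an added example (not ASP.NET's own UrlAuthorizationModule code) that reads the `<authorization>` element from a web.config fragment and applies the rules the way the module does: in document order, first match wins, `*` matches everyone, `?` matches the anonymous user, names are compared case-insensitively, an optional `verbs` attribute restricts a rule to listed HTTP methods, and a request that matches no rule falls through to the inherited `<allow users="*" />`. The `Principal` class and the three configuration strings are constructed for the demonstration.

```python
"""URL authorization evaluator modelling ASP.NET's <allow>/<deny> rule semantics.

Added example, not ASP.NET's own code. It parses the <authorization> element
with the standard library and evaluates rules in order, first match wins.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Principal:
    """Constructed stand-in for the request's IPrincipal."""
    name: Optional[str]                      # None = anonymous (matches "?")
    roles: List[str] = field(default_factory=list)


def _split(attr: Optional[str]) -> List[str]:
    return [x.strip() for x in attr.split(",") if x.strip()] if attr else []


def _rule_matches(rule: ET.Element, p: Principal, verb: str) -> bool:
    verbs = [v.upper() for v in _split(rule.get("verbs"))]
    if verbs and verb.upper() not in verbs:
        return False                          # rule restricted to other verbs
    for u in _split(rule.get("users")):
        if u == "*":
            return True                       # everyone, anonymous included
        if u == "?" and p.name is None:
            return True                       # anonymous user only
        if p.name is not None and u.lower() == p.name.lower():
            return True
    user_roles = {r.lower() for r in p.roles}
    return any(r.lower() in user_roles for r in _split(rule.get("roles")))


def is_authorized(config_xml: str, p: Principal, verb: str = "GET") -> bool:
    """True if the rules admit the principal; first matching rule decides."""
    auth = ET.fromstring(config_xml).find(".//authorization")
    if auth is None:
        return True
    for rule in auth:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, p, verb):
            return rule.tag == "allow"
    return True  # no local rule matched: inherited <allow users="*"/> applies


# Constructed configs: the slide's rule set, the reversed (broken) order,
# and a role/verb-scoped variant.
CORRECT = """<configuration><system.web><authorization>
  <allow users="abc" />
  <deny users="*" />
</authorization></system.web></configuration>"""

MISTAKE = """<configuration><system.web><authorization>
  <deny users="*" />
  <allow users="abc" />
</authorization></system.web></configuration>"""

ROLES = """<configuration><system.web><authorization>
  <allow roles="Admins" verbs="POST" />
  <deny users="*" verbs="POST" />
  <deny users="?" />
</authorization></system.web></configuration>"""


if __name__ == "__main__":
    for label, cfg in (("CORRECT", CORRECT), ("MISTAKE", MISTAKE)):
        for who in (Principal("abc"), Principal("mallory"), Principal(None)):
            print(label, who.name, "->", is_authorized(cfg, who))
    print("ROLES bob POST ->", is_authorized(ROLES, Principal("bob"), "POST"))
    print("ROLES eve/Admins POST ->",
          is_authorized(ROLES, Principal("eve", ["Admins"]), "POST"))
```

Running it shows `MISTAKE` denying even `abc`, which is the failure to look for when a login works but every page returns 401.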

8 Impersonation
Impersonation is the process of executing code under the identity of another user. By default, all ASP.NET code runs under a fixed, machine-specific account (the worker process or application pool identity). To execute code under a different identity you can use the built-in impersonation capability of ASP.NET, which allows the ASP.NET process to act as the authenticated user or as an arbitrary specified user. It is controlled by the <identity> element in the application's web.config file. The default is impersonation off, as shown:

    <identity impersonate="false" />

9 Impersonation
With this setting ASP.NET performs no impersonation, meaning that ASP.NET runs with its own privileges. The second possible setting turns impersonation on:

    <identity impersonate="true" />

In this form each request executes as the user IIS authenticated (or as the IIS anonymous account if the request was anonymous). To impersonate one specific user for all requests on all pages of the application, add userName and password attributes to the <identity> element in that application's web.config:

    <identity impersonate="true" userName="domain\username" password="password" />

Note: this stores a domain password in clear text in web.config, where anyone who can read the file (or a backup of it) obtains it. Encrypt the section with `aspnet_regiis -pe "system.web/identity" -app "/YourApp"` and grant the account only the privileges the application needs.
