Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

Published byValentine Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport."— Presentation transcript:

1 ASP.Net Security Chapter 10 Jeff Prosise’s Book

2 Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport authentication Windows authentication: Here, IIS does the authentication and makes the caller’s identity available to ASP.Net (via a token) –Most suitable when everyone that uses the application can login to the local machine –Uses the built-in security features of the OS

3 Passport authentication: –Passport serves as a front-end to a large group of users registered with Microsoft Passport –Such users can be authenticated anywhere on the Internet by applications that present long credentials to Passport. –If Passport validates them, it returns an authentication ticket to the application; that in turn stores it as an encoded cookie

4 Forms authentication –Relies on login forms in web pages to authenticate users –In an e-commerce application such as e-bay’s bidding, windows authentication is not viable since it is impractical to create windows accounts for all millions –In web.config, we set –Other modes are: None, Windows, and Passport

5 Authorization Determines what resources a user can access ASP.Net supports: –ACL authorization or file authorization---e.g., using NTFS file system’s ACL –URL authorization---relies on configuration directives in web.config using the element –Authorization linkAuthorization link

6 Windows Authentication Maps incoming requests to accounts on the web server Used to serve a well defined user group that may be controlled through windows accounts –Basic authentication: transmits a user name and password in each request; IIS maps them to an account on the web server and generates a token. Suppose a web page is placed in the virtual directory Suppose IIS is configured to disallow anonymous access to that directory and to require basic authentication When a user attempts to access it for the first time (via HTTP request, a 401 is returned indicating that it requires basic authentication The user’s browser then prompts the user for windows user name/password Problem: User name/password sent in plain text between the browser and the web server with each request; user needs a windows account –Digest authentication: User name/password are sent as an encrypted token with each request integrated windows authentication

7 IIS Security Internet Information Services---a web server IIS protects a server in four ways: –Web applications are deployed in virtual directories that are URL-addressable on the server. Remote clients cannot automatically access files outside this directory. –IIS assigns every request a token---a windows security principal; OS and.Net check this token prior to allowing access –It can enable/disable requests based on IP addresses and domains –Supports SSL and HTTPs –IIS supports four types of authentication: Basic authentication (user name/password) Digest authentication (user name/password) Integrated windows authentication SSL client authentication

8 Forms Authenticatrion Authenticates a user by asking the user to type credentials (e.g., user name/password) into a web form. Entries in web.config can identify login page When a user accesses for the 1 st time, ASP.Net redirects the user to the login page. If the login is successful, ASP.Net issues a ticket in the form of a cookie and redirects the user to the page originally requested. The cookie enables the user not to login everytime. Lifetime of a cookie is dictated by your application.

9 Example Application with Forms Authentication Application contains two pages: –PublicPage.aspx --- viewed by any one –ProtectedPage.aspx --- available only to authenticated users (validated by login page) LoginPage.aspx---asks for a user name and a password Web.config---stores valid user names and passwords

10 PublicPage.aspx Public Page <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" /> void OnViewSecret (Object sender, EventArgs e) { Response.Redirect ("Secret/ProtectedPage.aspx"); }

11 LoginPage.aspx Please Log In User Name: Password: <asp:TextBox ID="Password" TextMode="password" RunAt="server" /> <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" /> void OnLogIn (Object sender, EventArgs e) { if (FormsAuthentication.Authenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; }

12 Web.config in the main directory

13 Web.config in the secret subdirectory (to deny unauthenticated users)

14 Why is the earlier example not realistic? Unreasonable to store passwords in clear text Storing a large number of names/passwords in Web.config is unrealistic. Instead, store them in a database. Modified Login.aspx is in the next few slides

15 Please Log In User Name: Password: <asp:TextBox ID="Password" TextMode="password" RunAt="server" /> <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" />

16 <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" /> <asp:CheckBox Text="Keep me signed in" ID="Persistent" RunAt="server" />

17 void OnLogIn (Object sender, EventArgs e) { if (CustomAuthenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, Persistent.Checked); else Output.Text = "Invalid login"; } bool CustomAuthenticate (string username, string password) { SqlConnection connection = new SqlConnection ("server=localhost;database=weblogin;uid=sa;pwd="); try { connection.Open (); StringBuilder builder = new StringBuilder (); builder.Append ("select count (*) from users " + "where username = \'"); builder.Append (username); builder.Append ("\' and cast (rtrim (password) as " + "varbinary) = cast (\'"); builder.Append (password); builder.Append ("\' as varbinary)"); SqlCommand command = new SqlCommand (builder.ToString (), connection); int count = (int) command.ExecuteScalar (); return (count > 0); } catch (SqlException) { return false; } finally { connection.Close (); }

18 New Web.config in main directory

19 Authentication Cookie Lifetime Timeout value is controlled by: –In Machine.config file: –In local Web.config file: configuration>

20 Forms Authentication and Role- based Security Previous example, all authenticated users have access; what if we want to restrict access to a few? (Here, * means all; ? means unauthenticated users) –In Web.config of the secret page:

21 Alternately, deny access to Jeff, Bob, and Mary explicitly. Order sensitive statement execution Still not practical when a large number of users are involved Solution: Role based control

22 Using role-based authorization: Step 1 In Web.config file of the secret directory:

23 Step 2: Mapping users to roles void Application_AuthenticateRequest (Object sender, EventArgs e) { HttpApplication app = (HttpApplication) sender; if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity) { FormsIdentity identity = (FormsIdentity) app.User.Identity; // Find out what role (if any) the user belongs to string role = GetUserRole (identity.Name); //From DB // Create a GenericPrincipal containing the role name // and assign it to the current request if (role != null) app.Context.User = new GenericPrincipal (identity, new string[] { role }); }

24 Multiple roles? if (role != null) app.Context.User = new GenericPrincipal (identity, new string[] { role }); The 2 nd parameter is a string and hence could be: new string[] { “Manager”, “Developer”}); In Web.config we can say:

Download ppt "ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport."

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.

Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.

Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.

Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Similar presentations

Ads by Google