Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig."— Presentation transcript:

1 ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig

2 Overview Today Security Concepts & Terminology Security Concepts & Terminology Authentication and Authorization Role-based security ASP.NET approaches: ASP.NET approaches: 1.Do it yourself 2.Windows authentication 3.Forms authentication 4..NET membership provider

3 Security Terminology Authentication Process of identifying the user Process of identifying the user User provides credentials User provides credentials Username / Password Username / Password ID card, key, finger print, eye scan… ID card, key, finger print, eye scan… Authentication done once at login Authentication done once at login

4 Security Terminology Authorization Permissions Permissions Which resources user is allowed to access Type of access Read, write, modify, delete, change permissions… Read, write, modify, delete, change permissions… Performed with every request Performed with every request

5 Example - WWU Library Authentication Who are you? Who are you? WWU student Lost Canadian Authorization What are you allowed to do? What are you allowed to do? WWU student Checkout books, laptops, IIL services… Checkout books, laptops, IIL services… Lost Canadian Look at books, use restrooms, stay warm Look at books, use restrooms, stay warm

6 Security Terminology Principle of least privilege Principle of least privilege Every program and every user of the system should operate using the least set of privileges necessary to complete their job. Benefits: Benefits: Protects data Protects organization Protects individuals

7 Role-based Security Permissions assigned based upon role of job function

8 Role-based Security Create roles AdministratorUserStudent Anonymous user etc, etc. … Roles are assigned specific permissions Principle of least privilege Principle of least privilege People are assigned to roles

9 Role-Based Security Benefit Simplifies management of permissions Example: Roles in WWU Banner system Students Students Faculty Faculty Administrators Administrators Many types, each with specific permissions Enforced at both application & DB level Enforced at both application & DB level

10 ASP.NET Security Approaches: Do-it-yourself Do-it-yourself Forms authentication Forms authentication Windows authentication Windows authentication ASP.NET Membership Provider ASP.NET Membership Provider

11 Do-it-yourself Authentication Each.aspx page checks for authorization Redirect unauthorized users to login Single line of code: if (Session["authenticated"] == null) Response.Redirect("Login.aspx");

12 Do it yourself Authentication Advantages Simple Simple Flexible – page-by-page Flexible – page-by-page Database access Database accessDisadvantages Need to include code in every.aspx page Need to include code in every.aspx page Pages need to be executable Pages need to be executable Excludes.html pages, images, etc.

13 Windows Authentication Authenticate against Windows user accounts Username/password managed with Windows (Active Directory) Username/password managed with Windows (Active Directory)

14 Windows Authentication Authorization Specify in web.config Specify in web.config First match algorithm Set on each directory Set on each directory Sample Page Sample Page

15 Windows Authentication Benefits: Secures every file type Secures every file type Use existing Windows accounts Use existing Windows accountsIntranet Not public web Fine-level control of permissions Fine-level control of permissionsLimitations Users need permissions on server Users need permissions on server

16 Forms Authentication Create login page Authenticate against any data source Authenticate against any data source database, LDAP, web service, CAS… database, LDAP, web service, CAS… Login page.aspx file.aspx file access database, other data sources Authentication ticket issued Authentication ticket issued Encrypted cookie Redirects back to requested page Redirects back to requested page

17 Forms Authentication How to Configure Web.config file Web.config file Authentication mode=“Forms” Root directory of application Create Login Page Create Login PageExample: Sample Sample Sample

18 ASP.NET Membership Drag & Drop controls Implements Forms authentication Implements Forms authentication No code required No code required Automatically creates SQL Server Database Can define users & roles Quite sophisticated

19 ASP.NET Membership Provider

20

21

22 No code “Magical” “Magical” Many configuration options Password recovery Password recovery Change password control Change password control Sends email Sends email Create groups (programmatically) Create groups (programmatically) Assign users to groups Assign users to groups

23 Summary Application Security options: Do-it-yourself Do-it-yourself Windows authentication Windows authentication Forms authentication Forms authentication ASP.NET Membership provider ASP.NET Membership providerSecurity Complex topic Complex topic Discuss other aspects later Discuss other aspects later

Download ppt "ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig."

Similar presentations

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Configuring Applications MacDonald Ch. 9 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

Configuring Applications MacDonald Ch. 9 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:

Web Site Security ISYS 512/812. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows:
Navigation Controls MacDonald Ch. 11 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

Navigation Controls MacDonald Ch. 11 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.

Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
11 MANAGING USERS AND GROUPS Chapter 13. Chapter 13: MANAGING USERS AND GROUPS2 OVERVIEW  Configure and manage user accounts  Manage user account properties.

11 MANAGING USERS AND GROUPS Chapter 13. Chapter 13: MANAGING USERS AND GROUPS2 OVERVIEW  Configure and manage user accounts  Manage user account properties.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.

Role based Security in.NET By By Aasia Riasat Aasia RiasatCS-795.
Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.

Understanding Security Lesson 6. Objective Domain Matrix Skills/ConceptsMTA Exam Objectives Understanding the System.Security Namespace Understand the.
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
CONFIGURING WINDOWS SERVER MIS 424 Professor Sandvig.

CONFIGURING WINDOWS SERVER MIS 424 Professor Sandvig.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.

Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.

Similar presentations

Ads by Google