Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 11: Securing a Microsoft ASP.NET Web Application.

Published byAmi Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "Module 11: Securing a Microsoft ASP.NET Web Application."— Presentation transcript:

1 Module 11: Securing a Microsoft ASP.NET Web Application

2 Overview Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

3 Lesson: Web Application Security Overview Authentication vs. Authorization What Are ASP.NET Authentication Methods? Multimedia: ASP.NET Authentication Methods Comparing the ASP.NET Authentication Methods What Are the IIS Authentication Mechanisms?

4 Authentication vs. Authorization Authentication Accepts credentials from a user Validates the credentials ( a process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority such as database ). If the credentials are valid, the entity that submitted the credentials is considered as an authenticated identity. )

5 Authentication vs. Authorization Authorization Given the authentication credentials supplied, determines the right to access a resource Can be assigned by user name or by role ( After an identity has been authenticated, the authorization process determines whether that identity has access to specifies resource. The authorization process limits access rights by granting or denying specific permission to an authenticated identity )

6 What Are ASP.NET Authentication Providers? Windows-based authentication Relies on the Windows operating system and IIS User requests a secure Web page and the request goes through IIS After credentials are verified by IIS, the secure Web page is returned The users must have valid Windows account. Forms-based authentication Use a custom ASP.NET page to collect credentials from users. If users attempt to access page for which they are not authorized, they will be automatically directed to the login page. User credentials can be stored in a variety of locations. Eg: Ms Sql Server, Access Database

7 What Are ASP.NET Authentication Methods? Microsoft Passport authentication Centralized authentication service that offers a single logon option Microsoft Passport is an XML Web service Users can use their MSN Passport to access your application/site.

8 Multimedia: ASP.NET Authentication Methods

9 Comparing the ASP.NET Authentication Methods MethodAdvantagesDisadvantages Windows-based Authentication  Uses existing Windows infrastructure  Controls access to sensitive information  Not appropriate for most Internet applications Forms-based Authentication  Good for Internet applications  Supports all client types  Based on cookies Microsoft Passport Authentication  Single sign in for many Internet sites  No need to maintain a database to store user information  Allows developers to customize the appearance of the registration page  Based on cookies  Fees involved

10 What Are the IIS Authentication Mechanisms? Mechanisms Security Level Description AnonymousNone  No authentication occurs Basic Low (Medium with SSL)  Client sends username and password as clear text  Can be encrypted by using SSL  Part of the HTTP specification and supported by most browsers DigestMedium  Sends information as encoded hash  Requires Internet Explorer 5 or later  Requires Active Directory Integrated WindowsHigh  Uses NTLM  Generally good for intranets, not Internet  Does not work through most firewalls

11 Lesson: Working with Windows- Based Authentication How to Enable Windows-Based Authentication Reading User Information Demonstration: Using Windows-Based Authentication

12 How to Enable Windows-Based Authentication Configure IIS to use one or more of the following authentication mechanisms: Basic Digest Integrated Windows security Set Windows-based authentication in Web.config 11 22

13 How to Enable Windows-Based Authentication (continued) Set up authorization in Web.config When users access the Web Form, IIS requests logon information 44 33

14 Reading User Information After authentication, the Web server can user read the identity lblAuthUser.Text = User.Identity.Name lblAuthType.Text = User.Identity.AuthenticationType lblIsAuth.Text = User.Identity.IsAuthenticated lblAuthUser.Text = User.Identity.Name lblAuthType.Text = User.Identity.AuthenticationType lblIsAuth.Text = User.Identity.IsAuthenticated lblAuthUser.Text = User.Identity.Name; lblAuthType.Text = User.Identity.AuthenticationType; lblIsAuth.Text = User.Identity.IsAuthenticated; lblAuthUser.Text = User.Identity.Name; lblAuthType.Text = User.Identity.AuthenticationType; lblIsAuth.Text = User.Identity.IsAuthenticated;

15 Lesson: Working with Forms- Based Authentication Overview of Forms-Based Authentication Multimedia: Forms-Based Authentication How to Enable Forms-Based Authentication Creating a Logon Page Demonstration: Using Forms-Based Authentication

16 Overview of Forms-Based Authentication Client requests page Authorized ASP.NET Forms Authentication Not Authenticated Authenticated Logon Page (Users enter their credentials) Authenticated Authentication Cookie Authorized Not Authenticated Access Denied Requested Secure Page  IIS Username Password Someone *********** Submit 1122 33 44 66 55 77

17 Multimedia: Forms-Based Authentication

18 How to Enable Forms-Based Authentication Configure IIS to use Anonymous authentication Set Forms-based authentication in Web.config Set up authorization Build a Logon Web Form11 22 33 44 < forms name=".namesuffix" loginUrl="login.aspx" /> < forms name=".namesuffix" loginUrl="login.aspx" />

19 Lesson: Overview of Microsoft Passport Authentication How Microsoft Passport Works Other Microsoft Passport Resources

20 How Microsoft Passport Works Website.msft Client Passport.com The client requests a page from the host11 22 33 44 55 The site redirects the client to Passport.com The client is redirected and logs on to Passport.com Passport returns a cookie with the ticket information 66 The client accesses the host, this time with ticket information The host returns a Web Form and possibly a new cookie that it can read and write

21 Authorization for a Web Application File Authorization Available only if your application uses Ms Windows Authentication. Set permissions on files and directories by using Access Control Lists (ACLs) URL Authorization Available regardless of which authentication provider used. Use Web.config file in each directory of the application to assign permissions for the contents of the directory.

22 Review Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

23 Exercise Study on : Membership How Membership works How to configure ASP.NET Application to use Membership

24 ~ End Slides ~

Download ppt "Module 11: Securing a Microsoft ASP.NET Web Application."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.

ASP.Net Security Chapter 10 Jeff Prosise’s Book. Authentication To ascertain the caller’s identity –Windows authentication –Forms authentication –Passport.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.

An Authorization Service using.NET Passport ™ as underlying Authentication Scheme Bar-Hen Ron Hochberger Daniel Winter 2002 Technion – Israel Institute.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.

Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.

Security in.NET Framework Sergey Baidachni MCT, MCSD, MCDBA.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.

Chapter 13 – Site Security. Internet Information Server ASP.NET Applications.NET Framework Windows NT/2000 Operating System Forms Passport Windows Certificates.
Managing Identity and Permissions

Managing Identity and Permissions
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.

Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Managing Client Access

Managing Client Access
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.

Similar presentations

Ads by Google