INT422 Internet III Web Programming on Windows

1
INT422 Internet III Web Programming on
Windows

• Security

2
Learning objectives

• Security
• Learn about the concepts and classes that allow
  you to control access to your web apps and data

3
Security components overview
ASP.NET security
Your web app
IIS security
NTFS perms.
4
Security what and why

• What is it about security that we are interested
  in?
• What parts of the Windows / IIS / ASP.NET provide
  security features
• How and where to configure security
• Code examples
• Why are we interested in security?
• Protect applications
• Protect data

5
Security terminology

• We need to learn (or review) some basic security
  terminology
• Credentials
• Credential Store
• Authentication
• Authentication Provider
• Authorization

6
Terminology credentials

• Credentials
• A form of identification
• User name
• Password
• May be other(s), including biometric
• Shared secret
• You share this secret identification information
  with a computer system
• That is you must have an account on that
  system!

7
Terminology credential store

• Credential Store
• A location on a computer system where credentials
  are stored / located
• Examples can include
• Windows Directory (NT/Domain Directory, Active
  Directory)
• Configuration files (may or may not be plain
  text)
• Databases

8
Terminology authentication

• Authentication
• A process that assures a user is in fact who they
  claim to be
• The user provides credentials to the application
• The application uses an Authentication Provider
  (next page) that validates the user against a
  credential store
• If the credentials are valid, the user is
  considered to be authenticated
• Example whenever you logon to an application on
  a Seneca server, the server is authenticating
  you

9
Terminology auth. provider

• Authentication Provider
• A program / code module that knows how to
  validate credentials with a credential store
• Sometimes this authentication provider is part of
  the computers operating system
• Other times you create the authentication
  provider using (for example) Visual Basic .NET
  and classes found in the .NET Framework

10
Terminology authorization

• Authorization
• A process that determines whether an
  authenticated user has access to a resource (such
  as a file)
• The fundamental method used by this process is to
  examine file system permissions (ACLs)
• Other methods may be available too
• For example, ASP.NET can use URL Authorization,
  that can determine access based on the URL path
  and the HTTP protocol methods (verbs) used on the
  URLs

11
The basics

• Security is (or can be) provided by
• Windows operating system
• IIS
• ASP.NET

12
Security in the Windows operating system
13
Security in the Windows OS

• Windows has been designed from the ground up to
  be a secure operating system
• Clarification Windows NT / 2000 / XP / 2003
  only
• Not the consumer Windows 9x/Me versions
• To use Windows, and gain access to applications
  or data, you must have a valid user ID
• NTFS file system permissions are most interesting
  to us because they can control access to file
  system objects

14
Security in IIS
15
Security in IIS

• As IIS matured from version 1.0 through the
  current version 5.0 (Windows 2000), version 5.1
  (Windows XP), and version 6.0 (Windows Server
  2003), its security features grew more numerous
  and complex
• Are we going to cover them in-depth here? NO
• Well focus on what you should know, and what you
  need to know

16
Security in IIS (continued)

• Brief list of IIS security features
• IP address grant / restrict
• Domain name grant / restrict
• Anonymous access enabled / disabled
• This will be the focus of our INT422 course work
  
• Basic (clear / plain text) authentication
• Digest authentication for Windows servers
• Integrated Windows authentication
• SSL (https//) communication
• Custom solutions

17
Security in ASP.NET
18
Security in ASP.NET

• So although the Windows operating system and IIS
  are full-featured when it comes to security, we
  will be programming our security needs with
  features provided by ASP.NET

19
ASP.NET Authentication Providers

• ASP.NET offers three authentication providers to
  you
• Forms authentication
• Passport authentication
• Windows authentication
• Well use Forms authentication

20
Forms authentication how it works

• Leave Windows operating system and IIS security
  settings at their public website defaults
• Activate and configure ASP.NET forms
  authentication in your application
• When you do this, all pages/forms in your
  application (folder) are automatically protected
• A user must provide credentials to view the
  content

21
How it works

• Your application must include a page (a login
  page) that will gather credentials
• This page can be the default entry point into
  your application, but not necessarily
• Why? Any unauthenticated request to a page in
  your apps folder will automatically redirect
  the user to this login page
• After the user authenticates, they are
  automatically redirected back to the
  originally-requested page

22
How it works
23
How to implement

• Change the Web.config file
• Create a login page
• Code this page for authentication

24
Web.config file changes

• The Web.config file is a plain text file that
  holds XML-formatted configuration settings for
  your ASP.NET Web Application
• Default settings for all apps are located in a
  Machine.config file in your C\Windows\Microsoft
  .NET folder
• The settings you put in your Web.config file
  over-ride the default settings

25
Web.config file format

• Heres the skeletal outline of Web.config

26
Other Web.config info

• The XML must be well-formed
• If you make a mistake, you will get an error
• If you have an error, how do you find and fix it?
• Make a copy of it, rename it with an xml
  filename extension, and then view it in a browser
  
• If you really mess up badly, can you start over?
• Yes
• Delete (or rename) your Web.config file
• From the Add New Item dialog, select Web
  Configuration File (make sure it is called
  Web.config)

27
Web.Config file changes

• Example credentials in Web.config(replace
  NameOfYourWebApp with a string concatenation of
  your hermes ID and the name of your web
  application)
• ltauthentication mode"Forms" gt
• ltforms name"NameOfYourWebApp" loginUrl
  "login.aspx" gt
• ltcredentials passwordFormat"Clear" gt
• ltuser namefardad" password"password" /gt
• ltuser name"peter" password"password" /gt
• lt/credentialsgt
• lt/formsgt
• lt/authenticationgt

28
Web.Config and authorization

• In our examples, we want an authenticated user to
  have full access to the application
• We need to include this code, so that anonymous
  users (the ?) are first challenged to login,
  but allowed access after theyve authenticated
• ltauthorizationgt
• ltdeny users"?" /gt
• ltallow users"" /gt
• lt/authorizationgt

29
Example login page
30
C program code (in login.aspx)

• A .NET Framework class called FormsAuthentication
  provides the helper methods you need
• FormsAuthentication.Authenticate
• FormsAuthentication.RedirectFromLoginPage
• FormsAuthentication.SetAuthCookie
• FormsAuthentication.SignOut
• (there are others too)

31
C program code

• using System.Web.Security
• In the login buttons click event (example)
• if(FormsAuthentication.
• Authenticate(tbUser.Text,
  tbPass.Text))
• FormsAuthentication.
• RedirectFromLoginPage (tbUser.Text,
  False)
• else
• lblMsg.Text "Invalid login

32
How to logout

• Add a logout or sign out button to the other
  pages in your secured web app
• In your code-beside, add code that calls the
  SignOut method, and then redirects the user
  away from the current page
• FormsAuthentication.SignOut()
• Response.Redirect(Request.UrlReferrer.ToString())
  

33
So

• What happens behind the scenes?
• Six step procedure

34
Step 1

• Client requests remote resource via web browser
• http//warp.senecac.on.ca/int422

35
Step 2

• IIS on Remote machine receives request and
  determines if client is allowed to contact server
• IIS allows the Administrator to Block certain IP
  Addresses or Domains, or to Allow only known IP
  Addresses or Domains
• If the clients IP/Domain is ok, things keep
  going...

36
Step 3

• IIS checks the IIS Permissions for the requested
  resource
• IIS allows the Admin to set-up permissions
  for web content. This includes
• Read
• Write
• Directory Browsing
• If the resource is Readable, things keep going...

37
Step 4

• IIS now Authenticates the client
• Anonymous Access Allowed?
• User is Authenticated using the IUSR_MachineName
  account (your home PC), or the NETWORK SERVICE
  account (hermes) (or ASPNET account on your PC),
  which belong to the Everyone Group
• NOTE this is what happens with Forms
  Authentication
• Windows NTLM Challenge/Response Only?
• User is presented with a Login Dialog and asked
  for a valid Windows Username and Password
• If user Authenticates, things keep going...

38
Step 5

• Once Authenticated, IIS insures that the user is
  Authorized to access the requested resource
• Windows Authorization uses NTFS permissions to
  determine which users can Read, Write, etc.
  resources
• If the user is Authorized, the process keeps
  going...

39
Step 6

• If the user requests an ASP.NET (.aspx) page,
  the ASPNET Worker Process is started in the
  Context of the Authenticated User (NETWORK
  SERVICE or ASPNET)
• ASP.NET uses Impersonation to have the Code
  Behind run as though it were being run locally by
  the Authenticated User. That means that the code
  will have the same rights as the user, whatever
  that happens to be.