Title: INT422 Internet III Web Programming on Windows
1INT422 Internet III Web Programming on
Windows
2Learning objectives
- Security
- Learn about the concepts and classes that allow
you to control access to your web apps and data
3Security components overview
ASP.NET security
Your web app
IIS security
NTFS perms.
4Security what and why
- What is it about security that we are interested
in? - What parts of the Windows / IIS / ASP.NET provide
security features - How and where to configure security
- Code examples
- Why are we interested in security?
- Protect applications
- Protect data
5Security terminology
- We need to learn (or review) some basic security
terminology - Credentials
- Credential Store
- Authentication
- Authentication Provider
- Authorization
6Terminology credentials
- Credentials
- A form of identification
- User name
- Password
- May be other(s), including biometric
- Shared secret
- You share this secret identification information
with a computer system - That is you must have an account on that
system!
7Terminology credential store
- Credential Store
- A location on a computer system where credentials
are stored / located - Examples can include
- Windows Directory (NT/Domain Directory, Active
Directory) - Configuration files (may or may not be plain
text) - Databases
8Terminology authentication
- Authentication
- A process that assures a user is in fact who they
claim to be - The user provides credentials to the application
- The application uses an Authentication Provider
(next page) that validates the user against a
credential store - If the credentials are valid, the user is
considered to be authenticated - Example whenever you logon to an application on
a Seneca server, the server is authenticating
you
9Terminology auth. provider
- Authentication Provider
- A program / code module that knows how to
validate credentials with a credential store - Sometimes this authentication provider is part of
the computers operating system - Other times you create the authentication
provider using (for example) Visual Basic .NET
and classes found in the .NET Framework
10Terminology authorization
- Authorization
- A process that determines whether an
authenticated user has access to a resource (such
as a file) - The fundamental method used by this process is to
examine file system permissions (ACLs) - Other methods may be available too
- For example, ASP.NET can use URL Authorization,
that can determine access based on the URL path
and the HTTP protocol methods (verbs) used on the
URLs
11The basics
- Security is (or can be) provided by
- Windows operating system
- IIS
- ASP.NET
12Security in the Windows operating system
13Security in the Windows OS
- Windows has been designed from the ground up to
be a secure operating system - Clarification Windows NT / 2000 / XP / 2003
only - Not the consumer Windows 9x/Me versions
- To use Windows, and gain access to applications
or data, you must have a valid user ID - NTFS file system permissions are most interesting
to us because they can control access to file
system objects
14Security in IIS
15Security in IIS
- As IIS matured from version 1.0 through the
current version 5.0 (Windows 2000), version 5.1
(Windows XP), and version 6.0 (Windows Server
2003), its security features grew more numerous
and complex - Are we going to cover them in-depth here? NO
- Well focus on what you should know, and what you
need to know
16Security in IIS (continued)
- Brief list of IIS security features
- IP address grant / restrict
- Domain name grant / restrict
- Anonymous access enabled / disabled
- This will be the focus of our INT422 course work
- Basic (clear / plain text) authentication
- Digest authentication for Windows servers
- Integrated Windows authentication
- SSL (https//) communication
- Custom solutions
17Security in ASP.NET
18Security in ASP.NET
- So although the Windows operating system and IIS
are full-featured when it comes to security, we
will be programming our security needs with
features provided by ASP.NET
19ASP.NET Authentication Providers
- ASP.NET offers three authentication providers to
you - Forms authentication
- Passport authentication
- Windows authentication
- Well use Forms authentication
20Forms authentication how it works
- Leave Windows operating system and IIS security
settings at their public website defaults - Activate and configure ASP.NET forms
authentication in your application - When you do this, all pages/forms in your
application (folder) are automatically protected - A user must provide credentials to view the
content
21How it works
- Your application must include a page (a login
page) that will gather credentials - This page can be the default entry point into
your application, but not necessarily - Why? Any unauthenticated request to a page in
your apps folder will automatically redirect
the user to this login page - After the user authenticates, they are
automatically redirected back to the
originally-requested page
22How it works
23How to implement
- Change the Web.config file
- Create a login page
- Code this page for authentication
24Web.config file changes
- The Web.config file is a plain text file that
holds XML-formatted configuration settings for
your ASP.NET Web Application - Default settings for all apps are located in a
Machine.config file in your C\Windows\Microsoft
.NET folder - The settings you put in your Web.config file
over-ride the default settings
25Web.config file format
- Heres the skeletal outline of Web.config
26Other Web.config info
- The XML must be well-formed
- If you make a mistake, you will get an error
- If you have an error, how do you find and fix it?
- Make a copy of it, rename it with an xml
filename extension, and then view it in a browser
- If you really mess up badly, can you start over?
- Yes
- Delete (or rename) your Web.config file
- From the Add New Item dialog, select Web
Configuration File (make sure it is called
Web.config)
27Web.Config file changes
- Example credentials in Web.config(replace
NameOfYourWebApp with a string concatenation of
your hermes ID and the name of your web
application) - ltauthentication mode"Forms" gt
- ltforms name"NameOfYourWebApp" loginUrl
"login.aspx" gt - ltcredentials passwordFormat"Clear" gt
- ltuser namefardad" password"password" /gt
- ltuser name"peter" password"password" /gt
- lt/credentialsgt
- lt/formsgt
- lt/authenticationgt
28Web.Config and authorization
- In our examples, we want an authenticated user to
have full access to the application - We need to include this code, so that anonymous
users (the ?) are first challenged to login,
but allowed access after theyve authenticated - ltauthorizationgt
- ltdeny users"?" /gt
- ltallow users"" /gt
- lt/authorizationgt
29Example login page
30C program code (in login.aspx)
- A .NET Framework class called FormsAuthentication
provides the helper methods you need - FormsAuthentication.Authenticate
- FormsAuthentication.RedirectFromLoginPage
- FormsAuthentication.SetAuthCookie
- FormsAuthentication.SignOut
- (there are others too)
31C program code
- using System.Web.Security
- In the login buttons click event (example)
- if(FormsAuthentication.
- Authenticate(tbUser.Text,
tbPass.Text)) - FormsAuthentication.
- RedirectFromLoginPage (tbUser.Text,
False) - else
- lblMsg.Text "Invalid login
-
32How to logout
- Add a logout or sign out button to the other
pages in your secured web app - In your code-behind, add code that calls the
SignOut method, and then redirects the user
away from the current page - FormsAuthentication.SignOut()
- Response.Redirect(Request.UrlReferrer.ToString())
33So
- What happens behind the scenes?
- Six step procedure
34Step 1
- Client requests remote resource via web browser
- http//hermes.senecac.on.ca/int422
35Step 2
- IIS on Remote machine receives request and
determines if client is allowed to contact server - IIS allows the Administrator to Block certain IP
Addresses or Domains, or to Allow only known IP
Addresses or Domains - If the clients IP/Domain is ok, things keep
going...
36Step 3
- IIS checks the IIS Permissions for the requested
resource - IIS allows the Admin to set-up permissions
for web content. This includes - Read
- Write
- Directory Browsing
- If the resource is Readable, things keep going...
37Step 4
- IIS now Authenticates the client
- Anonymous Access Allowed?
- User is Authenticated using the IUSR_MachineName
account (your home PC), or the NETWORK SERVICE
account (hermes) (or ASPNET account on your PC),
which belong to the Everyone Group - NOTE this is what happens with Forms
Authentication - Windows NTLM Challenge/Response Only?
- User is presented with a Login Dialog and asked
for a valid Windows Username and Password - If user Authenticates, things keep going...
38Step 5
- Once Authenticated, IIS insures that the user is
Authorized to access the requested resource - Windows Authorization uses NTFS permissions to
determine which users can Read, Write, etc.
resources - If the user is Authorized, the process keeps
going...
39Step 6
- If the user requests an ASP.NET (.aspx) page,
the ASPNET Worker Process is started in the
Context of the Authenticated User (NETWORK
SERVICE or ASPNET) - ASP.NET uses Impersonation to have the Code
Behind run as though it were being run locally by
the Authenticated User. That means that the code
will have the same rights as the user, whatever
that happens to be.