ASP.Net Security - PowerPoint PPT Presentation

1 / 24
About This Presentation
Title:

ASP.Net Security

Description:

asp:Button Text='View Secret Message' OnClick='OnViewSecret' RunAt='server' / /form ... asp:Button Text='Log In' OnClick='OnLogIn' RunAt='server' / /td td ... – PowerPoint PPT presentation

Number of Views:89
Avg rating:3.0/5.0
Slides: 25
Provided by: muk1
Learn more at: https://www.cs.odu.edu
Category:
Tags: asp | net | onclick | security

less

Transcript and Presenter's Notes

Title: ASP.Net Security


1
ASP.Net Security
  • Chapter 10
  • Jeff Prosises Book

2
Authentication
  • To ascertain the callers identity
  • Windows authentication
  • Forms authentication
  • Passport authentication
  • Windows authentication Here, IIS does the
    authentication and makes the callers identity
    available to ASP.Net (via a token)
  • Most suitable when everyone that uses the
    application can login to the local machine
  • Uses the built-in security features of the OS

3
  • Passport authentication
  • Passport serves as a front-end to a large group
    of users registered with Microsoft Passport
  • Such users can be authenticated anywhere on the
    Internet by applications that present long
    credentials to Passport.
  • If Passport validates them, it returns an
    authentication ticket to the application that in
    turn stores it as an encoded cookie

4
  • Forms authentication
  • Relies on login forms in web pages to
    authenticate users
  • In an e-commerce application such as e-bays
    bidding, windows authentication is not viable
    since it is impractical to create windows
    accounts for all millions
  • In web.config, we set ltauthentication mode
    Forms /gt
  • Other modes are None, Windows, and Passport

5
Authorization
  • Determines what resources a user can access
  • ASP.Net supports
  • ACL authorization or file authorization---e.g.,
    using NTFS file systems ACL
  • URL authorization---relies on configuration
    directives in web.config using the
    ltauthorizationgt element
  • Authorization link

6
Windows Authentication
  • Maps incoming requests to accounts on the web
    server
  • Used to serve a well defined user group that may
    be controlled through windows accounts
  • Basic authentication transmits a user name and
    password in each request IIS maps them to an
    account on the web server and generates a token.
  • Suppose a web page is placed in the virtual
    directory
  • Suppose IIS is configured to disallow anonymous
    access to that directory and to require basic
    authentication
  • When a user attempts to access it for the first
    time (via HTTP request, a 401 is returned
    indicating that it requires basic authentication
  • The users browser then prompts the user for
    windows user name/password
  • Problem User name/password sent in plain text
    between the browser and the web server with each
    request user needs a windows account
  • Digest authentication User name/password are
    sent as an encrypted token with each request
    integrated windows authentication

7
IIS Security
  • Internet Information Services---a web server
  • IIS protects a server in four ways
  • Web applications are deployed in virtual
    directories that are URL-addressable on the
    server Remote clients cannot automatically access
    files outside this directory.
  • IIS assigns every request a token---a windows
    security principal OS and .Net check this token
    prior to allowing access
  • It can enable/disable requests based on IP
    addresses and domains
  • Supports SSL and HTTPs
  • IIS supports four types of authentication
  • Basic authentication (user name/password)
  • Digest authentication (user name/password)
  • Integrated windows authentication
  • SSL client authentication

8
Forms Authenticatrion
  • Authenticates a user by asking the user to type
    credentials (e.g., user name/password) into a web
    form.
  • Entries in web.config can identify login page
  • When a user accesses for the 1st time, ASP.Net
    redirects the user to the login page.
  • If the login is successful, ASP.Net issues a
    ticket in the form of a cookie and redirects the
    user to the page originally requested.
  • The cookie enables the user not to login
    everytime. Lifetime of a cookie is dictated by
    your application.

9
Example Application with Forms Authentication
  • Application contains two pages
  • PublicPage.aspx --- viewed by any one
  • ProtectedPage.aspx --- available only to
    authenticated users (validated by login page)
  • LoginPage.aspx---asks for a user name and a
    password
  • Web.config---stores valid user names and
    passwords

10
PublicPage.aspx
  • lthtmlgt
  • ltbodygt
  • lth1gtPublic Pagelt/h1gt
  • lthrgt
  • ltform runat"server"gt
  • ltaspButton Text"View Secret Message"
    OnClick"OnViewSecret"
  • RunAt"server" /gt
  • lt/formgt
  • lt/bodygt
  • lt/htmlgt
  • ltscript language"C" runat"server"gt
  • void OnViewSecret (Object sender, EventArgs e)
  • Response.Redirect ("Secret/ProtectedPage.asp
    x")
  • lt/scriptgt

11
LoginPage.aspx
  • lthtmlgt
  • ltbodygt
  • lth1gtPlease Log Inlt/h1gt
  • lthrgt
  • ltform runat"server"gt
  • lttable cellpadding"8"gt
  • lttrgt
  • lttdgt
  • User Name
  • lt/tdgt
  • lttdgt
  • ltaspTextBox ID"UserName"
    RunAt"server" /gt
  • lt/tdgt
  • lt/trgt
  • lttrgt
  • lttdgt
  • Password
  • lt/tdgt
  • lttdgt

12
Web.config in the main directory
  • ltconfigurationgt
  • ltsystem.webgt
  • ltauthentication mode"Forms"gt
  • ltforms loginUrl"LoginPage.aspx"gt
  • ltcredentials passwordFormat"Clear"gt
  • ltuser name"Jeff" password"imbatman"
    /gt
  • ltuser name"John" password"redrover"
    /gt
  • ltuser name"Bob" password"mxyzptlk" /gt
  • ltuser name"Alice" password"nomalice"
    /gt
  • ltuser name"Mary" password"contrary"
    /gt
  • lt/credentialsgt
  • lt/formsgt
  • lt/authenticationgt
  • lt/system.webgt
  • lt/configurationgt

13
Web.config in the secret subdirectory (to deny
unauthenticated users)
  • ltconfigurationgt
  • ltsystem.webgt
  • ltauthorizationgt
  • ltdeny users"?" /gt
  • lt/authorizationgt
  • lt/system.webgt
  • lt/configurationgt

14
Why is it not earlier example not realistic?
  • Unreasonable to store passwords in clear text
  • Storing a large number of names/passwords in
    Web.config is unrealistic. Instead, store them in
    a database.
  • Modified Login.aspx is in the next few slides

15
  • lt_at_ Import NameSpace"System.Data.SqlClient" gt
  • lthtmlgt
  • ltbodygt
  • lth1gtPlease Log Inlt/h1gt
  • lthrgt
  • ltform runat"server"gt
  • lttable cellpadding"8"gt
  • lttrgt
  • lttdgt
  • User Name
  • lt/tdgt
  • lttdgt
  • ltaspTextBox ID"UserName"
    RunAt"server" /gt
  • lt/tdgt
  • lt/trgt
  • lttrgt
  • lttdgt
  • Password

16
  • lttdgt
  • ltaspButton Text"Log In"
    OnClick"OnLogIn"
  • RunAt"server" /gt
  • lt/tdgt
  • lttdgt
  • ltaspCheckBox Text"Keep me signed
    in" ID"Persistent"
  • RunAt"server" /gt
  • lt/tdgt
  • lt/trgt
  • lt/tablegt
  • lt/formgt
  • lthrgt
  • lth3gtltaspLabel ID"Output" RunAt"server"
    /gtlt/h3gt
  • lt/bodygt
  • lt/htmlgt

17
  • ltscript language"C" runat"server"gt
  • void OnLogIn (Object sender, EventArgs e)
  • if (CustomAuthenticate (UserName.Text,
    Password.Text))
  • FormsAuthentication.RedirectFromLoginPag
    e (UserName.Text,
  • Persistent.Checked)
  • else
  • Output.Text "Invalid login"
  • bool CustomAuthenticate (string username,
    string password)
  • SqlConnection connection new
    SqlConnection
  • ("serverlocalhostdatabasewebloginuid
    sapwd")
  • try
  • connection.Open ()
  • StringBuilder builder new
    StringBuilder ()

18
New Web.config in main directory
  • ltconfigurationgt
  • ltsystem.webgt
  • ltauthentication mode"Forms"gt
  • ltforms loginUrl"LoginPage.aspx" /gt
  • lt/authenticationgt
  • lt/system.webgt
  • lt/configurationgt

19
Authentication Cookie Lifetime
  • Timeout value is controlled by
  • In Machine.config file
  • ltforms timeout30gt
  • In local Web.config file
  • configurationgt
  • ltsystem.webgt
  • ltauthentication mode"Forms"gt
  • ltforms loginUrl"LoginPage.aspx" timeout
    30/gt
  • lt/authenticationgt
  • lt/system.webgt
  • lt/configurationgt

20
Forms Authentication and Role-based Security
  • Previous example, all authenticated users have
    access what if we want to restrict access to a
    few? (Here, means all ? means unauthenticated
    users)
  • In Web.config of the secret page
  • ltauthorizationgt
  • ltallow users John, Alice /gt
  • ltdeny users /gt
  • lt/authorizationgt

21
  • Alternately, deny access to Jeff, Bob, and Mary
    explicitly.
  • ltauthorizationgt
  • ltdeny users ? /gt
  • ltdeny users Jeff, Bob, Mary /gt
  • ltallow users /gt
  • lt/authorizationgt
  • Order sensitive statement execution
  • Still not practical when a large number of users
    are involved
  • Solution Role based control

22
Using role-based authorization Step 1
  • In Web.config file of the secret directory
  • ltconfigurationgt
  • ltsystem.webgt
  • ltauthorizationgt
  • ltallow roles"Manager" /gt
  • ltdeny users"" /gt
  • lt/authorizationgt
  • lt/system.webgt
  • lt/configurationgt

23
Step 2 Mapping users to roles
  • void Application_AuthenticateRequest (Object
    sender, EventArgs e)
  • HttpApplication app (HttpApplication)
    sender
  • if (app.Request.IsAuthenticated
  • app.User.Identity is FormsIdentity)
  • FormsIdentity identity
    (FormsIdentity) app.User.Identity
  • // Find out what role (if any) the user
    belongs to
  • string role GetUserRole
    (identity.Name) //From DB
  • // Create a GenericPrincipal containing
    the role name
  • // and assign it to the current request
  • if (role ! null)
  • app.Context.User new
    GenericPrincipal (identity,
  • new string role )

24
Multiple roles?
  • if (role ! null)
  • app.Context.User new
    GenericPrincipal (identity,
  • new string role )
  • The 2nd parameter is a string and hence could be
  • new string Manager, Developer)
  • In Web.config we can say
  • ltallow roles Manager, developer/gt
  • ltdeny users /gt
Write a Comment
User Comments (0)
About PowerShow.com