INT422 Internet III Web Programming on Windows - PowerPoint PPT Presentation

Slides: 40
Provided by: team61

1
INT422 Internet III Web Programming on
Windows
  • Security

2
Learning objectives
  • Security
  • Learn about the concepts and classes that allow
    you to control access to your web apps and data

3
Security components overview
  • (Slide diagram: the security layers around your web app)
  • ASP.NET security
  • Your web app
  • IIS security
  • NTFS perms.

4
Security: what and why
  • What is it about security that we are interested
    in?
  • What parts of the Windows / IIS / ASP.NET provide
    security features
  • How and where to configure security
  • Code examples
  • Why are we interested in security?
  • Protect applications
  • Protect data

5
Security terminology
  • We need to learn (or review) some basic security
    terminology
  • Credentials
  • Credential Store
  • Authentication
  • Authentication Provider
  • Authorization

6
Terminology: credentials
  • Credentials
  • A form of identification
  • User name
  • Password
  • May be other(s), including biometric
  • Shared secret
  • You share this secret identification information
    with a computer system
  • That is, you must have an account on that
    system!

7
Terminology: credential store
  • Credential Store
  • A location on a computer system where credentials
    are stored / located
  • Examples can include
  • Windows Directory (NT/Domain Directory, Active
    Directory)
  • Configuration files (may or may not be plain
    text)
  • Databases

8
Terminology: authentication
  • Authentication
  • A process that assures a user is in fact who they
    claim to be
  • The user provides credentials to the application
  • The application uses an Authentication Provider
    (next page) that validates the user against a
    credential store
  • If the credentials are valid, the user is
    considered to be authenticated
  • Example: whenever you log on to an application on
    a Seneca server, the server is authenticating
    you

9
Terminology: auth. provider
  • Authentication Provider
  • A program / code module that knows how to
    validate credentials with a credential store
  • Sometimes this authentication provider is part of
    the computer's operating system
  • Other times you create the authentication
    provider using (for example) Visual Basic .NET
    and classes found in the .NET Framework

10
Terminology: authorization
  • Authorization
  • A process that determines whether an
    authenticated user has access to a resource (such
    as a file)
  • The fundamental method used by this process is to
    examine file system permissions (ACLs)
  • Other methods may be available too
  • For example, ASP.NET can use URL Authorization,
    that can determine access based on the URL path
    and the HTTP protocol methods (verbs) used on the
    URLs

11
The basics
  • Security is (or can be) provided by
  • Windows operating system
  • IIS
  • ASP.NET

12
Security in the Windows operating system

13
Security in the Windows OS
  • Windows has been designed from the ground up to
    be a secure operating system
  • Clarification: Windows NT / 2000 / XP / 2003
    only
  • Not the consumer Windows 9x/Me versions
  • To use Windows, and gain access to applications
    or data, you must have a valid user ID
  • NTFS file system permissions are most interesting
    to us because they can control access to file
    system objects

14
Security in IIS

15
Security in IIS
  • As IIS matured from version 1.0 through the
    current version 5.0 (Windows 2000), version 5.1
    (Windows XP), and version 6.0 (Windows Server
    2003), its security features grew more numerous
    and complex
  • Are we going to cover them in-depth here? NO
  • We'll focus on what you should know, and what you
    need to know

16
Security in IIS (continued)
  • Brief list of IIS security features
  • IP address grant / restrict
  • Domain name grant / restrict
  • Anonymous access enabled / disabled
  • This will be the focus of our INT422 course work
  • Basic (clear / plain text) authentication
  • Digest authentication for Windows servers
  • Integrated Windows authentication
  • SSL (https://) communication
  • Custom solutions

17
Security in ASP.NET

18
Security in ASP.NET
  • So although the Windows operating system and IIS
    are full-featured when it comes to security, we
    will be programming our security needs with
    features provided by ASP.NET

19
ASP.NET Authentication Providers
  • ASP.NET offers three authentication providers to
    you
  • Forms authentication
  • Passport authentication
  • Windows authentication
  • We'll use Forms authentication

20
Forms authentication: how it works
  • Leave Windows operating system and IIS security
    settings at their public website defaults
  • Activate and configure ASP.NET forms
    authentication in your application
  • When you do this, all pages/forms in your
    application (folder) are automatically protected
  • A user must provide credentials to view the
    content

21
How it works
  • Your application must include a page (a login
    page) that will gather credentials
  • This page can be the default entry point into
    your application, but not necessarily
  • Why? Any unauthenticated request to a page in
    your app's folder will automatically redirect
    the user to this login page
  • After the user authenticates, they are
    automatically redirected back to the
    originally-requested page

22
How it works

23
How to implement
  • Change the Web.config file
  • Create a login page
  • Code this page for authentication

24
Web.config file changes
  • The Web.config file is a plain text file that
    holds XML-formatted configuration settings for
    your ASP.NET Web Application
  • Default settings for all apps are located in a
    Machine.config file in your C:\Windows\Microsoft.NET
    folder
  • The settings you put in your Web.config file
    over-ride the default settings

25
Web.config file format
  • Here's the skeletal outline of Web.config

26
Other Web.config info
  • The XML must be well-formed
  • If you make a mistake, you will get an error
  • If you have an error, how do you find and fix it?
  • Make a copy of it, rename it with an .xml
    filename extension, and then view it in a browser
  • If you really mess up badly, can you start over?
  • Yes
  • Delete (or rename) your Web.config file
  • From the Add New Item dialog, select Web
    Configuration File (make sure it is called
    Web.config)

27
Web.Config file changes
  • Example credentials in Web.config (replace
    NameOfYourWebApp with a string concatenation of
    your hermes ID and the name of your web
    application):

    <authentication mode="Forms">
      <forms name="NameOfYourWebApp" loginUrl="login.aspx">
        <credentials passwordFormat="Clear">
          <user name="fardad" password="password" />
          <user name="peter" password="password" />
        </credentials>
      </forms>
    </authentication>

28
Web.Config and authorization
  • In our examples, we want an authenticated user to
    have full access to the application
  • We need to include this code, so that anonymous
    users (the "?") are first challenged to login,
    but all users ("*") are allowed access after they've
    authenticated:

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
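
The slide on URL Authorization (terminology: authorization) and the deny/allow pair above both depend on how ASP.NET evaluates an authorization section: rules are tested top to bottom and the first one that matches the request decides. The following stand-alone C# program is an added example, not code from the slides or from ASP.NET itself; it models those rule semantics (users="?" for anonymous, users="*" for everyone, optional roles and verbs attributes, allow-by-default when nothing matches) so you can see why the order of the two rules matters. The class and method names are assumptions.

```csharp
// Added example (not from the lecture): a model of the rule semantics
// ASP.NET's UrlAuthorizationModule applies to an <authorization> section.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class UrlAuthorizationDemo
{
    // Splits a comma-separated attribute value; a missing attribute gives an empty array.
    static string[] Split(XAttribute attr) =>
        attr == null
            ? new string[0]
            : attr.Value.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    // Returns true when the request is allowed. userName == null models an
    // anonymous (unauthenticated) request, which also has no roles.
    public static bool IsAllowed(string authorizationXml, string userName,
                                 IEnumerable<string> roles, string verb)
    {
        var userRoles = new HashSet<string>(roles ?? Enumerable.Empty<string>(),
                                            StringComparer.OrdinalIgnoreCase);

        foreach (XElement rule in XElement.Parse(authorizationXml).Elements())
        {
            bool isAllow = rule.Name == "allow";
            if (!isAllow && rule.Name != "deny") continue;   // ignore any other element

            // A rule with a verbs attribute only applies to those HTTP verbs.
            string[] verbs = Split(rule.Attribute("verbs"));
            if (verbs.Length > 0 &&
                !verbs.Any(v => v.Equals(verb, StringComparison.OrdinalIgnoreCase)))
                continue;

            bool userMatch = Split(rule.Attribute("users")).Any(u =>
                u == "*" ||
                (u == "?" && userName == null) ||
                (userName != null && u.Equals(userName, StringComparison.OrdinalIgnoreCase)));

            bool roleMatch = userName != null &&
                Split(rule.Attribute("roles")).Any(userRoles.Contains);

            if (userMatch || roleMatch)
                return isAllow;   // first matching rule wins
        }
        return true;   // nothing matched: the inherited <allow users="*" /> applies
    }

    public static void Main()
    {
        // The order used in the lecture: challenge anonymous users, allow everyone else.
        const string lectureOrder =
            "<authorization><deny users=\"?\" /><allow users=\"*\" /></authorization>";
        // The same two rules reversed: the allow rule matches first, so the deny never runs.
        const string reversed =
            "<authorization><allow users=\"*\" /><deny users=\"?\" /></authorization>";
        // Verb-specific rule: anonymous users may GET but not POST.
        const string verbRule =
            "<authorization><deny users=\"?\" verbs=\"POST\" /><allow users=\"*\" /></authorization>";

        Console.WriteLine("anonymous GET, lecture order:  " + IsAllowed(lectureOrder, null, null, "GET"));
        Console.WriteLine("fardad GET, lecture order:     " + IsAllowed(lectureOrder, "fardad", null, "GET"));
        Console.WriteLine("anonymous GET, reversed order: " + IsAllowed(reversed, null, null, "GET"));
        Console.WriteLine("anonymous GET, verb rule:      " + IsAllowed(verbRule, null, null, "GET"));
        Console.WriteLine("anonymous POST, verb rule:     " + IsAllowed(verbRule, null, null, "POST"));
    }
}
```

With the lecture's order an anonymous request is denied (and so redirected to login.aspx) while an authenticated user such as fardad is allowed; with the rules reversed the anonymous request is allowed, which is the misconfiguration to check for when a "protected" folder turns out to be public.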

29
Example login page

30
C# program code (in login.aspx)
  • A .NET Framework class called FormsAuthentication
    provides the helper methods you need
  • FormsAuthentication.Authenticate
  • FormsAuthentication.RedirectFromLoginPage
  • FormsAuthentication.SetAuthCookie
  • FormsAuthentication.SignOut
  • (there are others too)

31
C# program code
  • using System.Web.Security;
  • In the login button's click event (example):

    if (FormsAuthentication.Authenticate(tbUser.Text, tbPass.Text))
        FormsAuthentication.RedirectFromLoginPage(tbUser.Text, false);
    else
        lblMsg.Text = "Invalid login";

32
How to logout
  • Add a logout or sign out button to the other
    pages in your secured web app
  • In your code-beside, add code that calls the
    SignOut method, and then redirects the user
    away from the current page
  • FormsAuthentication.SignOut();
  • Response.Redirect(Request.UrlReferrer.ToString());
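
The login handler and the logout handler from the two slides above, written out as complete code-beside classes. This is an added example, not code from the slides; it uses only the FormsAuthentication members the lecture names, and the control names tbUser, tbPass, lblMsg, the button handler names and the class names are assumptions that have to match your .aspx markup. It also handles the case the slide's one-line logout does not: Request.UrlReferrer is null when the browser sends no Referer header.

```csharp
// Added example (not from the lecture): login.aspx code-beside and a sign-out
// handler for a protected page. Control and handler names are assumed.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Wired to the login button's Click event in login.aspx (assumed name).
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = tbUser.Text.Trim();
        string pass = tbPass.Text;

        // Authenticate() checks the pair against the <credentials> list in
        // Web.config, using the passwordFormat declared there.
        if (FormsAuthentication.Authenticate(user, pass))
        {
            // Issues the forms-authentication cookie for this browser session
            // (false = not a persistent cookie) and redirects to the page named
            // in the ReturnUrl query string, or to the default page.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One generic message whether the user name or the password was wrong.
            lblMsg.Text = "Invalid login";
        }
    }
}

// Any page inside the protected folder can carry this handler (assumed names).
public partial class Secured : Page
{
    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the authentication cookie
        Session.Abandon();               // and drops server-side session state

        // The Referer header is optional and client-supplied: only follow it
        // when present and on this host, otherwise go to the configured login page.
        Uri referrer = Request.UrlReferrer;
        if (referrer != null && referrer.Host == Request.Url.Host)
            Response.Redirect(referrer.ToString());
        else
            FormsAuthentication.RedirectToLoginPage();
    }
}
```

The Web.config on the earlier slide uses passwordFormat="Clear". The other two values ASP.NET accepts there are "SHA1" and "MD5"; with those, each password attribute holds the hash produced by FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1") (or "MD5"), and Authenticate() hashes the submitted password before comparing, so the file no longer holds the passwords themselves.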

33
So
  • What happens behind the scenes?
  • Six step procedure

34
Step 1
  • Client requests remote resource via web browser
  • http://warp.senecac.on.ca/int422

35
Step 2
  • IIS on Remote machine receives request and
    determines if client is allowed to contact server
  • IIS allows the Administrator to Block certain IP
    Addresses or Domains, or to Allow only known IP
    Addresses or Domains
  • If the client's IP/Domain is OK, things keep
    going...

36
Step 3
  • IIS checks the IIS Permissions for the requested
    resource
  • IIS allows the Admin to set up permissions
    for web content. This includes:
  • Read
  • Write
  • Directory Browsing
  • If the resource is Readable, things keep going...

37
Step 4
  • IIS now Authenticates the client
  • Anonymous Access Allowed?
  • User is Authenticated using the IUSR_MachineName
    account (your home PC), or the NETWORK SERVICE
    account (hermes) (or ASPNET account on your PC),
    which belong to the Everyone Group
  • NOTE: this is what happens with Forms
    Authentication
  • Windows NTLM Challenge/Response Only?
  • User is presented with a Login Dialog and asked
    for a valid Windows Username and Password
  • If user Authenticates, things keep going...

38
Step 5
  • Once Authenticated, IIS ensures that the user is
    Authorized to access the requested resource
  • Windows Authorization uses NTFS permissions to
    determine which users can Read, Write, etc.
    resources
  • If the user is Authorized, the process keeps
    going...

39
Step 6
  • If the user requests an ASP.NET (.aspx) page,
    the ASPNET Worker Process is started in the
    Context of the Authenticated User (NETWORK
    SERVICE or ASPNET)
  • ASP.NET uses Impersonation to have the Code
    Behind run as though it were being run locally by
    the Authenticated User. That means that the code
    will have the same rights as the user, whatever
    that happens to be.