Chapter 10 ASP.NET Security - PowerPoint PPT Presentation

Description:

Forms Authentication : Dynamic Behavior The first time a user accesses a protected resource, ASP.NET redirects the user to the login page. – PowerPoint PPT presentation

Slides: 82
Provided by: JasonBo4



1
Chapter 10ASP.NET Security
  • Yingcai Xiao

2
First Look at a Secured Web Site
  • http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone.
  • http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx can only be viewed by authorized users (wp/wp).

3
Introduction to Web Security: Categories, Issues, Components
4
Building a Secure Web Site
  • Three Categories of Web Security
  • Content freely available to everyone (public).
  • Serve the general population but require a login (application-level security, protected).
  • Intranet sites for a controlled population of users, a company's employees (private).
  • Security Issues
  • Application-level security (users).
  • Deployment security (programmers).
  • Web Security Components
  • Authentication identifies the originator of requests (who).
  • Authorization defines who can access which pages (what).

5
Authentication
  • ASP.NET supports a few types of authentication:
  • Forms (Page-wide)
  • Windows (Machine-wide)
  • None
  • Web.config
  • <configuration> <system.web>
  •     <authentication mode="Forms"/>
  • </system.web> </configuration>
  • Note
  • The authentication mode is an application-wide setting that can be set only in the application root and can't be overridden in subordinate Web.config files.
  • You can't use Windows authentication in one part of an application and forms authentication in another.

6
Setting authentication mode in the root Web.config
7
Authorization
  • ASP.NET supports two forms of authorization
  • ACL (access control list) authorization, also known as file authorization, is based on file system permissions and is typically used with Windows authentication.
  • URL authorization relies on configuration directives in Web.config files and is most often used with forms authentication.

8
Three Typical Security Scenarios for Web
Applications
  • Pages can be freely browsed by anyone: no application-level security.
  • Intranet application: use Windows authentication and ACL authorization.
  • Internet application with secure page access: use forms authentication and URL authorization.

9
The Internal Working of IIS and ASP.NET
Security
10
IIS Security
  • IIS (Internet Information Services) Server
  • a Web server
  • runs in process Inetinfo.exe as SYSTEM
  • accepts connections
  • responds to HTTP requests
  • Web applications are deployed in application directories. Remote clients can't arbitrarily grab files outside application directories.
  • IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
  • IIS supports IP address and domain name restrictions.
  • IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols.

11
IIS Security
  • Anonymous access (access by unauthenticated users)
  • Requests from anonymous users are tagged with IUSR_WIN-XXX's access token. IUSR_WIN-XXX is an Internet guest account created when IIS is installed, where XXX is a coded string.

12
The relationship between IIS and ASP.NET.
13
IIS 6.0
  • IIS 6.0 has a driver named http.sys that listens for all HTTP requests.
  • When an ASP.NET-related request comes in, http.sys will start w3wp.exe as an IIS 6.0 worker process.
  • w3wp now loads aspnet_isapi.dll as the CLR host.
  • The rest is the same as before.

14
ASP.NET Security
  • Server Side Processing
  • (1) Client accesses .ASPX files ->
  • (2) Inetinfo.exe (IIS) generates an access token -> Aspnet_isapi.dll sends the request and the token through a named pipe or local procedure calls (LPCs) ->
  • (3) Aspnet_wp.exe (ASP.NET) makes ACL checks on the requested resource and passes the access token to the targeted application ->
  • (4) The targeted application uses an HTTP pipeline -> HTTP modules -> HTTP handlers (mapped in Machine.config).

15
  • Two types of access tokens
  • Authenticated user: authenticated security principal
  • Unauthenticated user: IUSR_machinename for anonymous login
  • Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users
  • Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management -> Event Viewer -> Security

16
The ASPNET Account
  • Created when ASP.NET is installed.
  • A member of the Users group (hidden now).
  • Aspnet_wp.exe runs as ASPNET by default.
  • Requests executed by ASP.NET use Aspnet_wp.exe's identity.
  • ASP.NET can impersonate to use the request's access token.
  • To make Aspnet_wp.exe run as SYSTEM, change processModel in Machine.config to
  • <processModel userName="SYSTEM" ... />

17
The ASPNET Account
  • You can also run the ASP.NET worker process (aspnet_wp.exe or w3wp.exe) under a user account:
  • https://msdn.microsoft.com/en-us/library/bakfs900.aspx

18
Programming Forms Authentication
19
Forms Authentication
  • Forms authentication allows applications to set up web authentication independently from the operating system's authentication. It works well with URL authorization, which relies on configuration directives in Web.config files.
  • Forms/URL security is useful to protect an e-commerce site (an external Internet application for servicing the customers of a company).

20
Forms Authentication Static Structure
  • Security settings in an ASP.NET-based web application are configured in the Web.config files.
  • The Web.config file in the root directory (which must be an application directory) specifies the authentication mode and the application-specific login page.
  • The Web.config file in a subdirectory sets the authorization specifics for that directory.
  • User credentials can be stored in a database (preferred) or in the root Web.config file.

21
Forms Authentication Dynamic Behavior
  • The first time a user accesses a protected resource, ASP.NET redirects the user to the login page.
  • If the login is successful, ASP.NET then issues the user an authentication ticket in the form of a cookie (cookies need to be enabled by the client) and redirects the user to the page originally requested.
  • The ticket allows that user to revisit protected portions without having to log in again.
  • The ticket's lifetime can be controlled to determine how long the login is good for.

22
A First Look at Forms Authentication
  • Forms1 Web Application
  • Examples\C10\Forms1
  • At the application root:
  • PublicPage.aspx can be viewed by anyone
  • Web.config
  • LoginPage.aspx
  • In the Secret subdirectory:
  • ProtectedPage.aspx is available only to authenticated users (wp/wp).
  • Web.config

23
Deploy Forms1 on Winserv1
  • Create a web application (Forms1).
  • C:\inetpub\wwwroot\xiaotest\Forms1
  • You need to have admin privilege.
  • On winserv1, use an existing web application directory already created for you. Save the current web.config file.
  • Copy everything from
  • Examples\C10\Forms1
  • to the above directory.
  • http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone. (http://winserv1.cs.uakron.edu/Examples/C10/Forms1/PublicPage.aspx)

24
Deploy Forms1 on Winserv1
  • http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx is available only to authenticated users (wp/wp).
  • "Authenticated users" means anyone who has successfully logged in through LoginPage.aspx.
  • Valid users are stored in Web.config.
  • The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed.
  • You are not prompted for a password again during a session.

25
Programming Forms Security
  • Authentication in the root Web.config
  • <authentication mode="Forms">
  • <forms loginUrl="LoginPage.aspx">
  • <credentials passwordFormat="Clear">
  • <user name="wp" password="wp"/>
  • <user name="John" password="redrover" />
  • Authorization (directory-wise) in Secret/Web.config
  • <authorization>
  • <deny users="?" />
  • URL authorization to deny "?" (anonymous) users.

26
Programming Forms Security
  • PublicPage.aspx
    void OnViewSecret (Object sender, EventArgs e)
    {
        Response.Redirect ("Secret/ProtectedPage.aspx");
    }
  • LoginPage.aspx
    void OnLogIn (Object sender, EventArgs e)
    {
        if (FormsAuthentication.Authenticate (UserName.Text, Password.Text))
            FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); // true for persistent cookie
        else
            Output.Text = "Invalid login";
    }
  • The System.Web.Security.FormsAuthentication.Authenticate method returns true if the user name and password are in the credentials section of Web.config.

27
Internal Works
  • ASP.NET creates an authentication cookie, attaches it to the outgoing response, and redirects the user to the page that he or she originally requested. The lifetime of a persistent cookie is independent of the browser session.
  • Authorization is applied on a directory-by-directory basis. Web.config files in each directory specify exactly how the files are to be protected.
  • ASP.NET checks to see whether a valid authentication cookie is attached to the request. If the cookie exists, ASP.NET extracts identity information. If the cookie doesn't exist, ASP.NET redirects the request to the login page.

28
Real-World Forms Authentication: Forms2, Forms3
29
Real-World Forms Authentication (Forms2)
  • Storing user names and passwords in a database (MySQL).
  • Creating the database, creating the users table and adding users.
  • Log on to winserv1.
  • Start -> All Programs -> MySQL -> MySQL Query Browser.
  • Server Host: db1.cs.uakron.edu
  • Port: 3306
  • Username: yourLoginID
  • Password: yourPassword for MySQL
  • Default Schema: your DB name
  • File -> Open Script
  • Examples\C10\MySQL-Table-Creation\Weblogin.sql
  • Execute!

30
Real-World Forms Authentication
  • Weblogin.sql
    CREATE TABLE users
    (
      username varchar(32) NOT NULL,
      password varchar(32) NOT NULL,
      role varchar(32)
    );
    INSERT INTO users (username, password, role) VALUES ('dev', 'dev', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('mgr', 'mgr', 'Manager');
  • AddUsers.sql
    INSERT INTO users (username, password, role) VALUES ('wpd1', 'wp2009', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('wpd2', 'wp2009', 'Developer');

31
Deploy Forms2 on Winserv1
  • On winserv1, use an existing web application directory already created for you.
  • C:\inetpub\wwwroot\WP_s2016\yourID
  • Copy everything from
  • Examples\C10\Forms2
  • to the above directory.

32
Deploy Forms2 on Winserv1
  • Move web.config, login.aspx and Global.asax from
  • C:\inetpub\wwwroot\WP_s2016\yourID\Forms2 to
  • C:\inetpub\wwwroot\WP_s2016\yourID
  • Save the old files you already have there.
  • Move the dll from
  • C:\inetpub\wwwroot\WP_s2016\yourID\Forms2\bin to
  • C:\inetpub\wwwroot\WP_s2016\yourID\bin
  • Start a browser on the server.
  • Use the following URL to access Forms2:
  • http://winserv1.cs.uakron.edu/yourID/Forms2/PublicPage.aspx

33
Deploy Forms2 on Winserv1
34
Deploy Forms2 on Winserv1
  • To access:
  • http://winserv1.cs.uakron.edu/xiaotest/Forms2/PublicPage.aspx can be viewed by anyone.
  • http://winserv1.cs.uakron.edu/xiaotest/Forms2/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).

35
Deploy Forms2 on Winserv1
  • "Authenticated users" means anyone who has successfully logged in through LoginPage.aspx.
  • Valid users are stored in the database.
  • The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed.
  • You are not prompted for a password again during a session.

36
Real-World Forms Authentication
  • LoginPage.aspx
  • Credential Matching
  • SQL
    select count(*) from users where username = 'dev' and pwd = 'dev'
  • It returns 0 if no matching credentials are found.
  • MySQL notes
  • (1) count (*), with a space before the parenthesis, works for SQL Server but not MySQL, due to the extra space after count.
  • (2) password is a keyword in MySQL (not SQL Server), therefore it can't be used as a database column name.
  • (3) ExecuteScalar returns Int64 for a count query.
    FormsAuthentication.RedirectFromLoginPage (UserName.Text, Persistent.Checked);
  • Persistent authentication cookie: the user can get back in without logging in again, even after shutting down. No expiration.

37
Authentication Cookie Lifetime
  • Session authentication cookie.
  • Machine.config
  • <forms ... timeout="30"> // 30 minutes
  • Web.config
  • <forms loginUrl="LoginPage.aspx" timeout="10080" /> // 7 days
  • Programming cookies.
    HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
    cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); // 7 days
  • Removing cookies as a user.
  • IE -> Tools -> Internet Options -> General -> Browsing history -> Delete -> Cookies and website data -> Delete.
  • Firefox -> Open Menu -> History -> Clear All History, check Cookies.
  • Netscape -> Tools -> Cookie Manager -> Manage stored cookies -> Remove all.
  • Google Chrome -> Customize -> More Tools -> Clear Browser Data -> Cookies
  • Safari -> Preferences -> Privacy -> Remove All Website Data

38
Forms Authentication: Role-Based Security
http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx
39
Real-World Forms Authentication (Forms3)
  • Storing user names and passwords in a database (MySQL).
  • Creating the database, creating the users table and adding users.
  • Log on to winserv1.
  • Start -> All Programs -> MySQL -> MySQL Query Browser.
  • Server Host: db1.cs.uakron.edu
  • Port: 3306
  • Username: yourLoginID
  • Password: yourPassword for MySQL
  • Default Schema: your DB name
  • File -> Open Script
  • Examples\C10\MySQL-Table-Creation\Weblogin.sql
  • Execute!

40
Real-World Forms Authentication
  • Weblogin.sql
    CREATE TABLE users
    (
      username varchar(32) NOT NULL,
      password varchar(32) NOT NULL,
      role varchar(32)
    );
    INSERT INTO users (username, password, role) VALUES ('dev', 'dev', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('mgr', 'mgr', 'Manager');
  • AddUsers.sql
    INSERT INTO users (username, password, role) VALUES ('wpd1', 'wp2020', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('wpd2', 'wp2020', 'Developer');

41
Deploy Forms3 on Winserv1
  • On winserv1, use an existing web application directory already created for you.
  • C:\inetpub\wwwroot\WP_s2016\yourID
  • Copy everything from
  • Examples\C10\Forms3
  • to the above directory.

42
Deploy Forms3 on Winserv1
  • Move web.config, login.aspx and Global.asax from
  • C:\inetpub\wwwroot\WP_s2016\yourID\Forms3 to
  • C:\inetpub\wwwroot\WP_s2016\yourID
  • Save the old files you already have there.
  • Move the dll from
  • C:\inetpub\wwwroot\WP_s2016\yourID\Forms2\bin to
  • C:\inetpub\wwwroot\WP_s2016\yourID\bin
  • Start a browser on the server.
  • Use the following URL to access Forms3:
  • http://winserv1.cs.uakron.edu/yourID/Forms3/PublicPage.aspx

43
Deploy Forms2 on Winserv1
44
Deploy Forms3 on Winserv1
  • To access:
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx can be viewed by anyone.
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).

45
Forms Authentication and Role-Based Security
(Forms3)
  • Use role membership to allow only some authenticated users to view Secret/ProtectedPage.aspx.
  • Without roles
  • Deny all unauthenticated users.
  • <deny users="?" />
  • Deny all users (*) except John and Alice.
  • <allow users="John, Alice" />
  • <deny users="*" />
  • Allow all except Jeff, Bob, and Mary.
  • <deny users="Jeff, Bob, Mary" />
  • <allow users="*" />
  • <allow> and <deny> are order-sensitive.
  • ASP.NET will stop at the first rule that matches (such as a "*" rule) and ignore any statements that appear after it.

46
Forms Authentication and Role-Based Security
(Forms3)
  • With roles
  • The users table has a field named role that stores each user's role (group) membership.
  • Grant Developer access to Secret.
  • <allow roles="Developer" />
  • <deny users="*" />
  • Map the roles to user accounts so that ASP.NET can determine whether the requestor is a developer or not.
  • Place the mapping in the AuthenticateRequest event handler (invoked at the beginning of every request).
  • Can be done in a custom HTTP module or in Global.asax.
  • http://winserv1.cs.uakron.edu/Examples/C10/Forms3/PublicPage.aspx
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
  • dev/dev/Developer can view ProtectedPage.aspx.
  • mgr/mgr/Manager can't.
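The two slides above state the rule semantics in words: rules are consulted top to bottom, the first match decides, "?" is the anonymous user and "*" is everyone. The console program below is an added example, not code from the slides or from ASP.NET itself; it is a simplified model of how UrlAuthorizationModule evaluates <allow>/<deny> elements (an assumption stated in the comments, not the real implementation, which also merges rules from parent directories). It runs the John/Alice rule pair in both orders and the Developer role rule from the Forms3 slide.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One <allow> or <deny> element: Users is the comma-separated "users" attribute,
// Roles the "roles" attribute (either may be empty).
class Rule
{
    public bool Allow;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];

    public static Rule Parse(bool allow, string users = "", string roles = "")
    {
        Func<string, string[]> split = s => s.Split(',')
                                             .Select(x => x.Trim())
                                             .Where(x => x.Length > 0).ToArray();
        return new Rule { Allow = allow, Users = split(users), Roles = split(roles) };
    }
}

static class UrlAuthorization
{
    // Simplified model (assumption, not ASP.NET's own code): rules are checked in
    // order and the FIRST matching rule wins. "?" matches anonymous users, "*"
    // matches everyone, names compare case-insensitively.
    public static bool IsAllowed(IList<Rule> rules, string userName, string[] roles)
    {
        bool anonymous = string.IsNullOrEmpty(userName);
        foreach (Rule r in rules)
        {
            bool matches =
                r.Users.Any(u => u == "*"
                              || (u == "?" && anonymous)
                              || (!anonymous && string.Equals(u, userName, StringComparison.OrdinalIgnoreCase)))
             || r.Roles.Any(role => roles.Contains(role, StringComparer.OrdinalIgnoreCase));
            if (matches) return r.Allow;
        }
        // Nothing matched: the machine-level default <allow users="*"/> applies.
        return true;
    }

    static void Main()
    {
        string[] none = new string[0];

        // Slide "Without roles": allow John and Alice, deny everyone else.
        var johnAlice = new List<Rule> {
            Rule.Parse(allow: true,  users: "John, Alice"),
            Rule.Parse(allow: false, users: "*")
        };
        Console.WriteLine(IsAllowed(johnAlice, "Alice", none)); // True
        Console.WriteLine(IsAllowed(johnAlice, "Bob", none));   // False
        Console.WriteLine(IsAllowed(johnAlice, null, none));    // False: anonymous hits "*"

        // Same two rules reversed: <deny users="*"/> matches everyone first,
        // so the <allow> for John and Alice is never reached.
        var reversed = new List<Rule> { johnAlice[1], johnAlice[0] };
        Console.WriteLine(IsAllowed(reversed, "Alice", none));  // False

        // Slide "With roles": grant the Developer role, deny everyone else.
        var devOnly = new List<Rule> {
            Rule.Parse(allow: true,  roles: "Developer"),
            Rule.Parse(allow: false, users: "*")
        };
        Console.WriteLine(IsAllowed(devOnly, "dev", new[] { "Developer" })); // True
        Console.WriteLine(IsAllowed(devOnly, "mgr", new[] { "Manager" }));   // False
    }
}
```

The reversed case is the one worth remembering when editing Web.config: a catch-all `*` rule placed above a specific `allow` silently makes the `allow` dead, and the only symptom is that legitimate users are bounced to the login page.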

47
Programming Role-based Authentication
  • Getting Information about Authenticated Users in Your Code
  • ASP.NET stores user information in the HttpContext.User property.
  • Access User through Page.Context.User or simply Page.User, or HttpApplication.User.
  • The User property is of the type IPrincipal (an interface defined in System.Security.Principal).
  • Implemented by the WindowsPrincipal class for Windows authentication and the GenericPrincipal class for other forms of authentication (along with Windows authentication).
  • GenericPrincipal is a device for representing user identities independent of the authentication protocol being used. ASP.NET compares the role name in the GenericPrincipal to the roles granted access through Web.config.
  • User.Identity contains some useful properties

48
Properties in User.Identity
Property            Description
AuthenticationType  Reveals which form of authentication was used
IsAuthenticated     Reveals whether the user is authenticated
Name                Reveals an authenticated user's name

    if (User.Identity.IsAuthenticated)
    {
        string name = User.Identity.Name;
    }

Name is of the form domain-name\user-name for Windows authentication, and the user-typed login for forms authentication.
49
Programming Authentication - Roles
  • Retrieve a user's role and create a Principal for the user.
    <%@ Import Namespace="System.Security.Principal" %>
    <script language="C#" runat="server">
    void Application_AuthenticateRequest (Object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication) sender;
        if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
        {
            FormsIdentity identity = (FormsIdentity) app.User.Identity;
            // Find out what role (if any) the user belongs to
            string role = GetUserRole (identity.Name);
            // Create a GenericPrincipal containing the role name
            // and assign it to the current request
            if (role != null)
                app.Context.User = new GenericPrincipal (identity, new string[] { role });
        }
    }

50
Programming Authentication - Roles
    string GetUserRole (string name)
    {
        MySqlConnection connection = new MySqlConnection
            ("server=db1.cs.uakron.edu;database=xiaotest;uid=xiaotest;pwd=wp2009;allow zero datetime=yes");
        try
        {
            connection.Open ();
            // The user name is pasted straight into the SQL text here
            StringBuilder builder = new StringBuilder ();
            builder.Append ("select role from users " +
                            "where username = \'");
            builder.Append (name);
            builder.Append ("\'");
            MySqlCommand command = new MySqlCommand (builder.ToString (), connection);
            object role = command.ExecuteScalar ();
            if (role is DBNull) return null;
            return (string) role;
        }
        catch (MySqlException) { return null; }
        finally { connection.Close (); }
    }
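Both the credential-matching query on the LoginPage.aspx slide (select count(*) ... where username = 'dev' and pwd = 'dev') and GetUserRole above build SQL by concatenating the typed user name into the statement text. The code below is an added example, not the slides' code, showing the same two lookups with MySqlParameter placeholders so the input is always treated as data; it assumes the MySQL Connector/NET classes the slides already use, a column named pwd as in the slide's query (the CREATE TABLE slide names it password; adjust to match your schema), and a placeholder connection string.

```csharp
using System;
using MySql.Data.MySqlClient;   // MySQL Connector/NET, as used by the slides' GetUserRole

static class CredentialStore
{
    // Placeholder connection string (assumption); real values belong in a protected
    // configuration file, not in source code.
    const string ConnStr = "server=db1.cs.uakron.edu;database=YOUR_DB;uid=YOUR_ID;pwd=YOUR_PASSWORD";

    // True when exactly one row carries this username/password pair.
    // The typed values travel as parameters, so quotes or SQL fragments in the
    // input stay data and never become part of the statement.
    public static bool CredentialsValid(string username, string password)
    {
        using (MySqlConnection connection = new MySqlConnection(ConnStr))
        using (MySqlCommand command = new MySqlCommand(
                   "select count(*) from users where username = @u and pwd = @p", connection))
        {
            command.Parameters.AddWithValue("@u", username);
            command.Parameters.AddWithValue("@p", password);
            connection.Open();
            // ExecuteScalar returns Int64 for a MySQL count query (MySQL note 3 on the slide).
            long matches = Convert.ToInt64(command.ExecuteScalar());
            return matches == 1;
        }
    }

    // Parameterized form of the slides' GetUserRole, for Application_AuthenticateRequest.
    public static string GetUserRole(string name)
    {
        using (MySqlConnection connection = new MySqlConnection(ConnStr))
        using (MySqlCommand command = new MySqlCommand(
                   "select role from users where username = @u", connection))
        {
            command.Parameters.AddWithValue("@u", name);
            try
            {
                connection.Open();
                object role = command.ExecuteScalar();
                return (role == null || role is DBNull) ? null : (string) role;
            }
            catch (MySqlException)
            {
                return null;   // same fail-closed behaviour as the slide: no role, no access
            }
        }
    }

    static void Main(string[] args)
    {
        // Usage: CredentialStore <username> <password>
        bool ok = CredentialsValid(args[0], args[1]);
        Console.WriteLine(ok ? "valid, role = " + GetUserRole(args[0]) : "invalid login");
    }
}
```

The slides keep clear-text passwords in the users table; with a hashed column the `pwd = @p` clause would become a fetch of the stored hash followed by a comparison in code, but the parameter handling shown here stays the same.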

51
More on Forms Authentication
  • Multiple Roles
  • Coding
    app.Context.User = new GenericPrincipal (identity, new string[] { "Developer", "Manager" });
  • Web.config
  • <allow roles="Manager, Developer" />
  • <deny users="*" />
  • Configure subdirectories in the root Web.config
  • <location path="Secret">
  • <system.web>
  • <authorization>
  • <allow roles="Developer" />
  • <deny users="*" />
  • </authorization>
  • </system.web>
  • </location>

52
More on Forms Authentication
  • Signing Out
  • <asp:Button Text="Log Out" OnClick="OnLogOut" RunAt="server" />
  • <script language="C#" runat="server">
    void OnLogOut (Object sender, EventArgs e)
    {
        FormsAuthentication.SignOut ();
    }
  • FormsAuthentication.SignOut () returns a Set-Cookie header, sets the cookie's value to a null string and sets the cookie's expiration date to a date in the past.

53
More on Forms Authentication
  • Attributes of the forms element in Web.config

Attribute   Description                                                                          Default
name        Name assigned to authentication cookies                                              .ASPXAUTH
loginUrl    URL of the login page                                                                login.aspx
protection  Level of protection (validation and encryption) applied to authentication cookies    All
timeout     Lifetime of session authentication tickets in minutes                                30
path        Scope of authentication cookies                                                      /
The protection attribute specifies the desired level of protection for the authentication cookies. All instructs ASP.NET to both encrypt and validate authentication cookies.
54
Encrypt and Validate Authentication Cookies
  • Validation works by appending the machineKey element's validationKey to the cookie; the resulting value is hashed, and the hash is appended to the cookie. When the cookie is returned in a request, ASP.NET verifies that it wasn't tampered with by rehashing the cookie and comparing the new hash to the one accompanying the cookie.
  • Encryption works by encrypting the cookie+hash value (hash and all) with the machineKey's decryptionKey attribute.
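The validation step described above, as an added example that is not part of the slides or of ASP.NET: a ticket string is issued with a keyed hash appended, and on return the hash is recomputed and compared. The keyed HMAC here stands in for the "append the validationKey and hash" construction the slide describes; the exact byte layout of an ASP.NET ticket is not reproduced, and the validation key is a constructed demo value standing in for <machineKey validationKey="...">.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class TicketValidation
{
    // Constructed demo key; ASP.NET reads the real one from <machineKey validationKey="...">.
    static readonly byte[] ValidationKey =
        Encoding.ASCII.GetBytes("demo-validation-key-not-for-production");

    // Issue: ticket text followed by an HMAC computed with the validation key.
    public static string Issue(string ticket)
    {
        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(ticket));
            return ticket + "|" + Convert.ToBase64String(mac);
        }
    }

    // Validate: recompute the MAC over the ticket part and compare it to the one sent.
    // Returns the ticket text if intact, null if it was altered or truncated.
    public static string Validate(string cookieValue)
    {
        int sep = cookieValue.LastIndexOf('|');
        if (sep < 0) return null;
        string ticket = cookieValue.Substring(0, sep);
        byte[] sent;
        try { sent = Convert.FromBase64String(cookieValue.Substring(sep + 1)); }
        catch (FormatException) { return null; }

        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(ticket));
            if (sent.Length != expected.Length) return null;
            // Constant-time comparison so the check does not leak how many bytes matched.
            int diff = 0;
            for (int i = 0; i < expected.Length; i++) diff |= sent[i] ^ expected[i];
            return diff == 0 ? ticket : null;
        }
    }

    static void Main()
    {
        // Constructed ticket contents (name, role, expiry); any text works.
        string cookie = Issue("name=dev;role=Developer;expires=2020-01-01T12:00");
        Console.WriteLine(Validate(cookie) != null);          // True: intact

        // Changing the role in transit invalidates the MAC.
        string tampered = cookie.Replace("role=Developer", "role=Manager");
        Console.WriteLine(Validate(tampered) == null);        // True: rejected

        // Validation alone does not hide anything: the ticket is still readable.
        Console.WriteLine(cookie.Split('|')[0]);
    }
}
```

The last line of Main is the point of the next slide: protection="Validation" stops edits but not reading, which is why the default All adds encryption on top.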

55
Encrypt and Validate Authentication Cookies
  • Validation consumes less CPU time than encryption and prevents tampering. It does not prevent someone from intercepting an authentication cookie and reading its contents.
  • To validate but not encrypt authentication cookies:
  • <forms ... protection="Validation" />
  • Encryption provides insurance against tampering and prevents the cookie's contents from being read.
  • To encrypt but not validate cookies:
  • <forms ... protection="Encryption" />

56
Encrypt and Validate Authentication Cookies
  • To disable both:
  • <forms ... protection="None" />
  • Encrypted cookies can't be read or altered, but can be stolen and used illicitly. Time-outs are the only protection.
  • The most reliable way to prevent someone from spoofing your site with a stolen authentication cookie is to use an encrypted communications link (HTTPS).
  • <forms ... loginUrl="https://www.wintellect.com/login.aspx" />
  • This assumes the server supports HTTPS and Login.aspx is stored in a directory configured to use HTTPS.
  • Caveat Emptor: ASP.NET does not protect HTML pages.
  • Just rename .html to .aspx to protect it.
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.html
  • http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.aspx

57
Windows Authentication
58
Windows Authentication
  • It maps incoming requests to accounts on the Web server or in the Web server's domain.
  • Serves content to a well-defined populace (intranet).
  • Requires no programming. Authentication is done by the system.

59
Windows Authentication
  • Don't use it to generically expose content to all comers over the Internet.
  • Windows authentication on the front end is typically paired with ACL authorization (administrator controlled) on the back end.
  • Can also be used with URL authorization (programmer controlled).

60
Windows Authentication
  • Categories of Windows Authentication
  • Basic authentication: login, piggybacks on HTTP.
  • Digest authentication: login, piggybacks on HTTP.
  • Integrated Windows authentication: Windows login.
  • SSL client certificates: limited primarily to the intranet.

61
Basic Authentication
  • An HTTP standard (documented in RFC 2617, ftp://ftp.isi.edu/in-notes/rfc2617.txt).
  • How it works
  • For the first-time access, the Web server returns a 401 status code indicating what type of authentication is required.
    HTTP/1.1 401 Access Denied
    Server: Microsoft IIS-5.0
    . . .
    WWW-Authenticate: Basic realm="uakron.edu"
  • A realm is a logical security space that encompasses all or part of a web site.
  • The browser pops up a dialog box (not part of your ASP-generated HTML) asking for a user name and password.

62
Basic Authentication
  • It concatenates the user name and password into an encoded string in the Authorization header of an HTTP request:
    Authorization: Basic SmVmZjppbWJhdG1hbg==
  • The browser includes the same Authorization header in each future request to the same realm.
  • IIS maps the user name and password to an account on the web server, producing an access token.
  • The access token is used to perform ACL-based security checks.

63
Basic Authentication
  • Pros of Basic Authentication
  • It works with virtually all browsers.
  • Easy to use.
  • It works well with firewalls.
  • Cons of Basic Authentication
  • Nothing prevents the HTTP requests with
    Authorization header from being intercepted and
    used to gain access to your server.
  • Some users consider pop-up dialogs intrusive.
  • Better to be used with HTTPS, not HTTP.

64
Digest Authentication
  • Documented in RFC 2617 (ftp://ftp.isi.edu/in-notes/rfc2617.txt).
  • Similar to basic authentication.
  • The browser solicits a user name and password by popping up a dialog box. The server uses the credentials to assign an identity to the request.
  • The big difference between basic and digest authentication is that digest doesn't transmit clear-text passwords. Instead, it passes an authentication token that is cryptographically secure. As a result, you can use it over unencrypted channels without fear of compromising your Web server.

65
Digest Authentication Cont.
  • When the client first requests a resource guarded by digest authentication, the server returns a 401 error and includes a nonce (a string of 1s and 0s) in an HTTP-Authenticate header.
  • The browser responds by prompting for a user name and password. It then transmits the user name back to the server, along with a hash or digest computed from the combined user name, password, and nonce.
  • The server authenticates the request by performing its own hash on the user name, password, and nonce. The password the server uses doesn't come from the client; it comes from the server itself.
  • If the hashes match, the user is authenticated.
  • It's also compatible with proxy servers.
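The exchange above, carried through with the actual RFC 2617 arithmetic, as an added example that is not part of the slides: the client's response digest is computed from the user name, realm, password, nonce, HTTP method and URI (RFC 2617 folds in the realm and the request line as well as the three values the slide names), and the server recomputes it from its own copy of the password. The realm, nonce and URI are constructed values; the qop extension of RFC 2617 is omitted to keep the formula to the three MD5 steps shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class DigestAuth
{
    // Lower-case hex MD5 of an ASCII string, as RFC 2617 requires for HA1, HA2 and response.
    static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.ASCII.GetBytes(s));
            StringBuilder sb = new StringBuilder();
            foreach (byte b in hash) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // RFC 2617 response without the qop extension:
    //   HA1      = MD5(username:realm:password)
    //   HA2      = MD5(method:uri)
    //   response = MD5(HA1:nonce:HA2)
    public static string ComputeResponse(string user, string realm, string password,
                                         string nonce, string method, string uri)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Server side: recompute from the password the server holds and compare with
    // what the client sent. The client's password never appears on the wire.
    public static bool Verify(string user, string realm, string storedPassword, string nonce,
                              string method, string uri, string clientResponse)
    {
        string expected = ComputeResponse(user, realm, storedPassword, nonce, method, uri);
        return string.Equals(expected, clientResponse, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed challenge values; a real server picks a fresh nonce per challenge.
        string realm = "uakron.edu";
        string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        string method = "GET", uri = "/xiaotest/basic/salaries.aspx";

        // Client: compute the response from the password the user typed.
        string response = ComputeResponse("dev", realm, "dev", nonce, method, uri);
        Console.WriteLine(response);   // 32 hex digits sent in the Authorization header

        // Server: verify against its own copy of the password.
        Console.WriteLine(Verify("dev", realm, "dev", nonce, method, uri, response));    // True
        Console.WriteLine(Verify("dev", realm, "wrong", nonce, method, uri, response));  // False

        // A response captured for one nonce is useless against a different nonce.
        Console.WriteLine(Verify("dev", realm, "dev", "another-nonce", method, uri, response)); // False
    }
}
```

Because HA1 is all the server needs, a server may store HA1 instead of the clear-text password; that is the reason the realm is part of HA1, since changing the realm would invalidate every stored HA1.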

66
Digest Authentication Cont.
  • Pros of Digest Authentication
  • Easy to understand.
  • Works with firewalls.
  • Far more secure over ordinary HTTP than basic authentication.
  • Cons of Digest Authentication
  • Uses pop-up dialog boxes for user names and passwords.
  • Doesn't support delegation (the ability to make a call from one machine to another and have the call execute as the caller on the remote machine) on Windows 2000 servers.
  • Digest authentication is not widely used.

67
Integrated Windows Authentication
  • Uses Windows login credentials to authenticate
    users.
  • Identifies the user (on the server) by using that person's login identity on the client.
  • The browser asks for a user name and password
    only if the user does not have a valid account on
    the server.
  • The client and server negotiate a trust in a
    series of exchanges that involve user names,
    domain names, nonces, and hashes.
  • All done automatically by the OS on the server
    and the browser on the client.

68
Integrated Windows Authentication
  • Pros of Windows Authentication
  • Doesn't force users who have already logged in to Windows to provide a user name and password again.
  • Secure, even over unencrypted channels, because plain-text passwords are never transmitted.
  • Good for in-house use and behind firewalls.
  • Cons of Windows Authentication
  • Can't work through firewalls.
  • Proprietary to Windows and Internet Explorer.
  • Not for general Internet use.

69
Windows Authentication / ACL Authorization in
Action
  • CorpNet
  • Examples\C10\Basic
  • About CorpNet
  • It models a simple intranet-type application
    (e.g. an internal application for a company).
  • It uses Windows (basic) authentication and ACL
    authorization to restrict access to its pages.
  • Code
  • General.aspx provides general information.
  • Salaries.aspx lists the salary.
  • Bonuses.aspx lists the bonuses.
  • Anyone in the company can view General.aspx,
    only selected individuals can view Salaries.aspx
    and Bonuses.aspx.

70
Windows Authentication / ACL Authorization in
Action
  • Deployment on your home computer
  • Create your own directory:
  • C:\inetpub\wwwroot\yourLoginID
  • Copy
  • Examples\C10\Basic
  • to
  • C:\inetpub\wwwroot\yourLoginID
  • Make the directory a web application.
  • Access the aspx pages (as an anonymous user):
  • http://localhost/yourLoginID/Basic/general.aspx
  • http://localhost/yourLoginID/Basic/salaries.aspx (access accepted but no salary entry).
  • http://localhost/yourLoginID/Basic/bonuses.aspx

71
Windows Authentication and Anonymous Access (No
Authorization Control)
  • Use Web.config in the root directory to set the authentication mode.
  • <configuration>
  • <system.web>
  • <authentication mode="Windows"/>
  • </system.web>
  • </configuration>
  • Access CorpNet as an anonymous user on winserv1:
  • http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx
  • http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
  • http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
  • Access CorpNet as an anonymous user on your own computer:
  • http://localhost/xiaotest/basic/general.aspx
  • http://localhost/xiaotest/basic/salaries.aspx
  • http://localhost/xiaotest/basic/bonuses.aspx

72
Basic Authentication, No Authorization Control
(on your own computer)
  • Use Control Panel -> Administrative Tools -> IIS Manager
  • to configure the application to require authentication and to disallow anonymous access.
  • In IIS Manager, find and click on the Basic application (WINSERV1\Sites\Default Web Site\xiaotest\Basic).
  • In the IIS pane, double-click on Authentication.
  • Disable Anonymous Authentication.
  • Enable Basic Authentication.
  • http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
  • Login prompt provided by the browser.
  • User Name: CS\xiao, Password: ???
  • No salary information is available for xiaotest.
  • Modify salaries.aspx to enter a salary for xiaotest.

73
ACL Authorization
  • Change the permissions on Salaries.aspx and Bonuses.xml to deny CS\xiaotest read privilege.
  • Right-click on the file -> Properties -> Security -> Edit -> Add
  • location: CS
  • object name: xiaotest
  • OK
  • Deny Read
  • OK, OK
  • (Advanced for inheritance)
  • If you don't see the Security tab in the Properties window:
  • right-click on Start, Open, Tools, Folder Options, View, Advanced settings, Files and folders, uncheck "Use simple file sharing".
  • Tests
  • http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx (ok)
  • http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx (denied)
  • http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx (ok)

74
Security Inside
  • Note ACL control is set per user and per file
    manually.
  • User xiaotest is denied access to
    Basic/Bonuses.xml.
  • Why can you still read Bonuses.xml through
    Bonuses.aspx?
  • IIS checks the login and passes the access token to
    ASP.NET if the login is correct.
  • ASP.NET makes ACL checks using the caller's
    identity against the ASPX files to be accessed
    and passes the access token to the application (ASPX
    files).
  • Web applications run inside ASP.NET, which is run
    by user ASPNET, and can programmatically access
    anything that ASPNET is allowed to access.

75
  • Impersonation
  • To execute a request using the access token
    provided by IIS.
  • Add the following in Web.config
  • <identity impersonate="true" />
  • The identities assigned to the ASP.NET worker
    process and to the requests that it executes play
    crucial roles in ASP.NET security.
  • After IIS 6.0, W3WP.exe connects to
    aspnet_isapi.dll.

76
Impersonation
  • Impersonation makes web applications run as the
    caller. Any programmatic access is subject to an
    ACL check using the caller's identity.
  • <configuration>
  • <system.web>
  • <authentication mode="Windows" />
  • <identity impersonate="true" />
  • </system.web>
  • </configuration>
  • Start a new browser
  • http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
  • 500 - Internal error occurred.
  • The following does work on winserv1
  • IIS Manager, double-click on the Basic
    application.
  • In the IIS pane, double-click on Authentication
  • Enable ASP.NET Impersonation
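The two previous slides explain the difference between the caller IIS authenticated and the account under which file access actually runs. The following code-behind for Bonuses.aspx is a hypothetical example added here to make that visible; it is not the CorpNet sample's own code. It assumes Bonuses.xml sits next to the page and that CS\xiaotest has been denied Read on it through the file's ACL, as set up on the ACL Authorization slide.

```csharp
// Bonuses.aspx.cs: hypothetical code-behind added to illustrate the slides above.
// Assumes Bonuses.xml is in the same directory and CS\xiaotest is denied Read on it.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class Bonuses : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The caller IIS authenticated, taken from the access token IIS handed to ASP.NET.
        string caller = User.Identity.Name;                 // e.g. CS\xiaotest

        // The Windows account the worker thread actually carries when it touches the
        // file system. Without <identity impersonate="true" /> this is the process
        // account (ASPNET, or the application pool identity); with impersonation it
        // becomes the caller.
        string threadAccount = WindowsIdentity.GetCurrent().Name;

        Response.Write("Caller: " + Server.HtmlEncode(caller) + "<br/>");
        Response.Write("File access runs as: " + Server.HtmlEncode(threadAccount) + "<br/>");

        string path = Server.MapPath("Bonuses.xml");
        try
        {
            // The ACL check happens here, against threadAccount, not against caller.
            // That is why Bonuses.xml stays readable through this page until
            // impersonation is turned on.
            string xml = File.ReadAllText(path);
            Response.Write("Read " + xml.Length + " characters of Bonuses.xml");
        }
        catch (UnauthorizedAccessException)
        {
            // Reached only when impersonating a caller the ACL denies. Left unhandled,
            // this exception is what surfaces as the "500 - Internal error" on the
            // Impersonation slide.
            Response.StatusCode = 403;
            Response.Write("Bonuses.xml is not readable by " + Server.HtmlEncode(threadAccount));
        }
    }
}
```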

77
  • CorpNet demonstrates several important principles
    for using Windows authentication
  • Windows authentication is enabled in ASP.NET by
    including an <authentication mode="Windows" />
    statement in Web.config. It has the scope of the
    Web.config at application level (not page level).
  • ASP.NET applications that use Windows
    authentication can prevent users from viewing
    files by using ACLs to deny access to selected
    security principals.
  • ASP.NET applications that use Windows
    authentication must enable impersonation if they
    want resources protected by ACLs to be protected
    from programmatic accesses by code executed
    within a request.
  • ASP.NET applications that use Windows
    authentication can personalize content for
    individual users by reading user names from
    Page.User.Identity.Name.
  • ACL authorization requires system administrators
    of the web server to manually set the security
    control for each application (even each
    page/file).

78
Windows Authentication and URL Authorizations
  • In the Basic/Secret directory, edit web.config
  • Change web.config to use URL authorization so the
    system administrator can set security control per
    directory, not per file.
  • <configuration>
  • <system.web>
  • <authorization>
  • <deny users="CS\xiaotest" />
  • <allow users="*" />
  • </authorization>
  • </system.web>
  • </configuration>
  • "CS\xiaotest" is not allowed to access any ASPX
    pages in Secret. (Note only one \ after CS.)
  • Based on string names, not Windows security IDs
    (SIDs).
  • The deny statement needs to be before the allow
    statement in the above case.
  • URL authorizations are usually not used with Windows
    authentication.

79
Windows Authentication and Role-Based Security
  • Role-based security restricts access based on
    the roles (groups) that users belong to. For
    ACL authorizations, control the access by giving
    permission to the selected groups.
  • For URL authorizations, use Web.config to
    restrict groups.
  • e.g. add the WP group and a test2 user in
    the group.
  • Start -> Settings -> Control Panel -> User
    Accounts -> Advanced -> Advanced -> Groups
  • Action -> New Group
  • Start -> Settings -> Control Panel -> User
    Accounts -> Advanced -> Advanced -> Users
  • test2 -> Properties -> Member Of -> Add
  • Action -> New Users
  • Web.config
  • <authorization>
  • <allow roles="ServerName\WP" />
  • <deny users="*" />
  • </authorization>
  • Deny test but allow test2.
  • Allow should be first here (* should be at the
    end).
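The two slides above, on URL authorization and role-based authorization, both turn on rule ordering: the first matching rule wins. The console program below is an added illustration, not ASP.NET's own UrlAuthorizationModule, that models that evaluation for the page's two web.config fragments; the Rule and UrlAuthz types, and the constructed user and group names, are assumptions made for the example.

```csharp
// Added illustration of first-match <authorization> evaluation; not ASP.NET's own code.
using System;
using System.Collections.Generic;
using System.Linq;

public enum Verb { Allow, Deny }

public class Rule
{
    public Verb Verb;
    public string[] Users = new string[0];   // "*" = everyone, "?" = anonymous callers
    public string[] Roles = new string[0];

    public bool Matches(string user, ISet<string> roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        foreach (string u in Users)
        {
            if (u == "*") return true;
            if (u == "?" && anonymous) return true;
            if (!anonymous && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return Roles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class UrlAuthz
{
    // Walks the rules in order and returns the verdict of the first one that matches.
    // Machine-level configuration ends the inherited list with <allow users="*" />,
    // which is why a <deny> written in a directory's web.config must come before it.
    public static bool IsAllowed(IList<Rule> rules, string user, ISet<string> roles)
    {
        foreach (Rule r in rules)
            if (r.Matches(user, roles)) return r.Verb == Verb.Allow;
        return true; // nothing matched: the inherited default allows everyone
    }

    public static void Main()
    {
        // Basic/Secret web.config: <deny users="CS\xiaotest" /> then <allow users="*" />
        var secret = new List<Rule> {
            new Rule { Verb = Verb.Deny, Users = new[] { @"CS\xiaotest" } },
            new Rule { Verb = Verb.Allow, Users = new[] { "*" } } };
        var noRoles = new HashSet<string>();
        Console.WriteLine("xiaotest in Secret: " + IsAllowed(secret, @"CS\xiaotest", noRoles));
        secret.Reverse(); // with allow first, the wildcard matches and the deny never runs
        Console.WriteLine("xiaotest, rules reversed: " + IsAllowed(secret, @"CS\xiaotest", noRoles));

        // Role-based web.config: <allow roles="ServerName\WP" /> then <deny users="*" />
        var byRole = new List<Rule> {
            new Rule { Verb = Verb.Allow, Roles = new[] { @"ServerName\WP" } },
            new Rule { Verb = Verb.Deny, Users = new[] { "*" } } };
        Console.WriteLine("test2 (in WP): " + IsAllowed(byRole, "test2", new HashSet<string> { @"ServerName\WP" }));
        Console.WriteLine("test (not in WP): " + IsAllowed(byRole, "test", noRoles));
    }
}
```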

80
Summary
  • Security
  • Authentication
  • Forms
  • Windows
  • Basic, Digest, Integrated, SSL Client
    Certificates
  • Passport
  • Authorization ACL, URL
  • IIS/ASP.NET Server-Side Security Processing
  • Application Security Scenarios
  • Encryption and Validation
  • Database Based Authentication
  • Role Based Authorization
  • Anonymous Login
  • Impersonation
  • Realm

81
Good References
  • Microsoft Security Tutorials
  • ASP.NET authentication and authorization
  • by Shivprasad Koirala
  • http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorizationAuthentication20and20Authorization