ASP.NET Security. MacDonald Ch. 18. MIS 424. Professor Sandvig.
Posted 19-Dec-2015.
ASP.NET Security
MacDonald Ch. 18
MIS 424
Professor Sandvig

Overview
Today:
- Security concepts & terminology
- Authentication and authorization
- Role-based security
- ASP.NET approaches:
  1. Do it yourself
  2. Windows authentication
  3. Forms authentication
  4. .NET membership provider
Security Terminology
Authentication
- The process of identifying the user
- The user provides credentials: username / password; ID card, key, fingerprint, eye scan...
- Authentication is done once, at login

Security Terminology
Authorization
- Permissions: which resources the user is allowed to access, and the type of access (read, write, modify, delete, change permissions...)
- Performed with every request
Example - WWU Library
Authentication: who are you?
- WWU student
- Lost Canadian
Authorization: what are you allowed to do?
- WWU student: check out books, laptops, ILL services...
- Lost Canadian: look at books, use restrooms, stay warm
Security Terminology
Principle of least privilege
- Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
- Benefits: protects data, protects the organization, protects individuals
Role-based Security
- Permissions are assigned based on the role or job function, not the individual

Role-based Security
- Create roles: Administrator, User, Student, Anonymous user, etc.
- Roles are assigned specific permissions (principle of least privilege)
- People are assigned to roles

Role-Based Security
- Benefit: simplifies management of permissions
- Example: roles in the WWU Banner system: students, faculty, administrators; many types, each with specific permissions
- Enforced at both the application and the DB level
ASP.NET Security
Approaches:
- Do-it-yourself
- Forms authentication
- Windows authentication
- ASP.NET Membership Provider
Do-it-yourself Authentication
- Each .aspx page checks for authorization itself
- Unauthorized users are redirected to the login page
- Single line of code on each page:
    if (Session["authenticated"] == null) Response.Redirect("Login.aspx");

Do-it-yourself Authentication
- Advantages: simple; flexible, page by page; authenticate against your own database
- Disadvantages: the check must be included in every .aspx page, and a page that forgets it is unprotected
- Only executable pages are protected: .html pages, images, PDFs, etc. are served by IIS without the check ever running
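The slide's one-line check as it looks in a working project, as an added example that is not code from the slides or from MacDonald's chapter: the check moves into a base Page class so it cannot be omitted from an individual page, the login page verifies a salted PBKDF2 hash instead of a clear-text password, and the ReturnUrl is kept inside this application. SecurePage, UserStore, Login, the control names UserName / Password / Message and the sample user are assumptions made for this example.

```csharp
// Added example (not from the slides or MacDonald Ch. 18): do-it-yourself
// authentication for ASP.NET Web Forms. Class and control names are assumed.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Every page that requires a login inherits from SecurePage instead of
// System.Web.UI.Page, so the check runs in OnInit before any page logic
// and cannot be forgotten on a single page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session["authenticated"] == null)
        {
            // Remember where the user was going so Login can send them back.
            string returnUrl = HttpUtility.UrlEncode(Request.Url.PathAndQuery);
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, false);
            Context.ApplicationInstance.CompleteRequest(); // no ThreadAbortException, unlike Response.End()
        }
    }
}

// Constructed stand-in for the database the slides mention:
// username -> (salt, PBKDF2 hash). Passwords are never stored in clear text.
public static class UserStore
{
    private const int Iterations = 100000;
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);

    static UserStore()
    {
        Add("alice", "correct horse battery staple"); // constructed sample user
    }

    public static void Add(string user, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        Users[user] = Tuple.Create(salt, Hash(password, salt));
    }

    // True only for a correct username/password pair. The byte comparison is
    // fixed-time so a wrong password cannot be told apart by response timing.
    public static bool Validate(string user, string password)
    {
        Tuple<byte[], byte[]> rec;
        if (!Users.TryGetValue(user, out rec)) return false;
        byte[] candidate = Hash(password, rec.Item1);
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ rec.Item2[i];
        return diff == 0;
    }

    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }
}

// Code-behind for Login.aspx. It derives from Page, not SecurePage, or nobody
// could ever reach it. UserName, Password and Message are assumed controls.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!UserStore.Validate(UserName.Text.Trim(), Password.Text))
        {
            Message.Text = "Invalid username or password."; // same message for unknown user and wrong password
            return;
        }
        Session["authenticated"] = UserName.Text.Trim();

        // Follow ReturnUrl only back into this application; accepting an
        // absolute URL or "//host" would make the login page an open redirect.
        string target = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(target) || !target.StartsWith("/")
            || target.StartsWith("//") || target.StartsWith("/\\"))
            target = "~/Default.aspx";
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Even with the base class, the slide's disadvantage stands: IIS serves .html files, images and downloads without running any of this code, so anything that must be private has to be served through an .aspx handler or protected by IIS itself.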
Windows Authentication
- Authenticate against Windows user accounts
- Username/password managed by Windows (Active Directory)

Windows Authentication
- Authorization is specified in web.config
- First-match algorithm: allow/deny rules are evaluated top to bottom and the first rule that matches the user or role wins, so the order of the rules matters
- Rules can be set on each directory

Sample Page
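An added example of the web.config the slide describes, not the slides' own sample page: the root rules require a Windows login everywhere, and two location blocks restrict single directories. The directory names Admin and Reports, the CORP domain and its group names are assumptions for this example. The same authorization rules and first-match evaluation apply under Forms authentication.

```xml
<!-- Added example (not the slides' sample): web.config for Windows
     authentication with URL authorization. Directory, domain and group
     names are assumed. -->
<configuration>
  <system.web>
    <!-- The mode can only be set in the application root. IIS performs the
         Windows (Kerberos/NTLM) handshake; ASP.NET sees the resulting
         DOMAIN\user identity, and its Windows groups act as roles. -->
    <authentication mode="Windows" />

    <!-- Rules are evaluated top to bottom and the FIRST match wins.
         "?" means anonymous users, "*" means everyone. This pair requires
         a logged-in Windows user for the whole application. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory rules: a subdirectory's rules are checked before the
       parent's, which is the directory-level control the slide describes. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Keep contractors out of Reports. If these two rules were swapped,
       allow "*" would match first, the deny would never be evaluated, and
       every Windows user would get in. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny roles="CORP\Contractors" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks to make when deploying this: IIS must have Windows Authentication enabled and Anonymous Authentication disabled for the site, or the deny on "?" never sees a real identity; and web.config rules are applied to static files (.html, images) only when the application runs in the IIS integrated pipeline, otherwise only NTFS permissions and IIS's own authentication protect them.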
Windows Authentication
- Benefits: secures every file type (IIS authenticates the request before the file is served); uses existing Windows accounts; fine-level control of permissions
- Suited to intranets, not the public web
- Limitations: every user needs a Windows account (local or domain) that the server can validate
Forms Authentication
- Create your own login page
- Authenticate against any data source: database, LDAP, web service, CAS...
- The login page is an .aspx file that accesses the database or other data source
- On success an authentication ticket is issued as an encrypted cookie
- The user is redirected back to the page originally requested

Forms Authentication
- How to configure: in the web.config file in the root directory of the application, set the authentication mode to "Forms"
- Create the login page
- Example: Sample
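The configuration steps above carried through, as an added example that is not the slides' "Sample" page: the web.config fragment switches the application to Forms authentication and sends anonymous users to the login page, and the code-behind issues the ticket cookie and sends the user back. The cookie name .AUTH, the page classes Login and Orders, the controls UserName / Password / Message / Welcome, and the use of Membership.ValidateUser as the credential check are assumptions for this example.

```csharp
// Added example (not the slides' sample): Forms authentication in ASP.NET
// Web Forms. Page and control names are assumed.
//
// web.config in the application root (assumed settings):
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" name=".AUTH" timeout="20"
//              slidingExpiration="true" requireSSL="true" protection="All" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   first match: anonymous users are sent to loginUrl
//     </authorization>
//   </system.web>
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for Login.aspx. The framework appends ?ReturnUrl=... when it
// bounces an anonymous request here.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // This is where the slide's "any data source" plugs in. Membership.ValidateUser
        // needs a configured membership provider; a direct database, LDAP or CAS
        // check would replace this one call.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            Message.Text = "Invalid username or password."; // one message for both failure cases
            return;
        }

        // Writes the encrypted, integrity-checked ticket cookie (protection="All",
        // HttpOnly by default) and redirects to ReturnUrl. The framework refuses a
        // ReturnUrl on another host unless enableCrossAppRedirects is set.
        // false = session cookie only, no persistent "remember me".
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }
}

// Any protected page. FormsAuthenticationModule turns the cookie into User on
// every request; <authorization> already blocked anonymous users, but an
// explicit check documents the assumption and catches a misconfigured directory.
public partial class Orders : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        Welcome.Text = "Logged in as " + HttpUtility.HtmlEncode(User.Identity.Name);
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut(); // clears the ticket cookie
        Session.Abandon();             // drop any do-it-yourself session state as well
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The ticket is encrypted and signed with the machineKey, so on a web farm every server needs the same explicit machineKey or tickets issued by one server are rejected by the others; requireSSL="true" keeps the cookie from being sent over plain HTTP, where it could be captured and replayed until the timeout expires.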
ASP.NET Membership
- Drag & drop controls implement Forms authentication; no code required
- Automatically creates a SQL Server database
- Can define users & roles
- Quite sophisticated

ASP.NET Membership Provider
- No code: "magical"
- Many configuration options: password recovery, change-password control, sends email, create groups (programmatically), assign users to groups
Summary
Application security options:
- Do-it-yourself
- Windows authentication
- Forms authentication
- ASP.NET Membership provider
Security is a complex topic; other aspects will be discussed later.