ASP.Net Security - PowerPoint PPT Presentation

About This Presentation

Title:

ASP.Net Security

Description:

asp:Button Text='View Secret Message' OnClick='OnViewSecret' RunAt='server' / /form ... asp:Button Text='Log In' OnClick='OnLogIn' RunAt='server' / /td td ... – PowerPoint PPT presentation

Number of Views:89

Avg rating:3.0/5.0

Slides: 25

Provided by: muk1

Learn more at: https://www.cs.odu.edu

Category:

more less

Transcript and Presenter's Notes

Title: ASP.Net Security

1
ASP.Net Security

Chapter 10
Jeff Prosises Book

2
Authentication

To ascertain the callers identity
Windows authentication
Forms authentication
Passport authentication
Windows authentication Here, IIS does the
authentication and makes the callers identity
available to ASP.Net (via a token)
Most suitable when everyone that uses the
application can login to the local machine
Uses the built-in security features of the OS

Passport authentication
Passport serves as a front-end to a large group
of users registered with Microsoft Passport
Such users can be authenticated anywhere on the
Internet by applications that present long
credentials to Passport.
If Passport validates them, it returns an
authentication ticket to the application that in
turn stores it as an encoded cookie

Forms authentication
Relies on login forms in web pages to
authenticate users
In an e-commerce application such as e-bays
bidding, windows authentication is not viable
since it is impractical to create windows
accounts for all millions
In web.config, we set ltauthentication mode
Forms /gt
Other modes are None, Windows, and Passport

5
Authorization

Determines what resources a user can access
ASP.Net supports
ACL authorization or file authorization---e.g.,
using NTFS file systems ACL
URL authorization---relies on configuration
directives in web.config using the
ltauthorizationgt element
Authorization link

6
Windows Authentication

Maps incoming requests to accounts on the web
server
Used to serve a well defined user group that may
be controlled through windows accounts
Basic authentication transmits a user name and
password in each request IIS maps them to an
account on the web server and generates a token.
Suppose a web page is placed in the virtual
directory
Suppose IIS is configured to disallow anonymous
access to that directory and to require basic
authentication
When a user attempts to access it for the first
time (via HTTP request, a 401 is returned
indicating that it requires basic authentication
The users browser then prompts the user for
windows user name/password
Problem User name/password sent in plain text
between the browser and the web server with each
request user needs a windows account
Digest authentication User name/password are
sent as an encrypted token with each request
integrated windows authentication

7
IIS Security

Internet Information Services---a web server
IIS protects a server in four ways
Web applications are deployed in virtual
directories that are URL-addressable on the
server Remote clients cannot automatically access
files outside this directory.
IIS assigns every request a token---a windows
security principal OS and .Net check this token
prior to allowing access
It can enable/disable requests based on IP
addresses and domains
Supports SSL and HTTPs
IIS supports four types of authentication
Basic authentication (user name/password)
Digest authentication (user name/password)
Integrated windows authentication
SSL client authentication

8
Forms Authenticatrion

Authenticates a user by asking the user to type
credentials (e.g., user name/password) into a web
form.
Entries in web.config can identify login page
When a user accesses for the 1st time, ASP.Net
redirects the user to the login page.
If the login is successful, ASP.Net issues a
ticket in the form of a cookie and redirects the
user to the page originally requested.
The cookie enables the user not to login
everytime. Lifetime of a cookie is dictated by
your application.

9
Example Application with Forms Authentication

Application contains two pages
PublicPage.aspx --- viewed by any one
ProtectedPage.aspx --- available only to
authenticated users (validated by login page)
LoginPage.aspx---asks for a user name and a
password
Web.config---stores valid user names and
passwords

10
PublicPage.aspx

lthtmlgt
ltbodygt
lth1gtPublic Pagelt/h1gt
lthrgt
ltform runat"server"gt
ltaspButton Text"View Secret Message"
OnClick"OnViewSecret"
RunAt"server" /gt
lt/formgt
lt/bodygt
lt/htmlgt
ltscript language"C" runat"server"gt
void OnViewSecret (Object sender, EventArgs e)
Response.Redirect ("Secret/ProtectedPage.asp
x")
lt/scriptgt

11
LoginPage.aspx

lthtmlgt
ltbodygt
lth1gtPlease Log Inlt/h1gt
lthrgt
ltform runat"server"gt
lttable cellpadding"8"gt
lttrgt
lttdgt
User Name
lt/tdgt
lttdgt
ltaspTextBox ID"UserName"
RunAt"server" /gt
lt/tdgt
lt/trgt
lttrgt
lttdgt
Password
lt/tdgt
lttdgt

12
Web.config in the main directory

ltconfigurationgt
ltsystem.webgt
ltauthentication mode"Forms"gt
ltforms loginUrl"LoginPage.aspx"gt
ltcredentials passwordFormat"Clear"gt
ltuser name"Jeff" password"imbatman"
/gt
ltuser name"John" password"redrover"
/gt
ltuser name"Bob" password"mxyzptlk" /gt
ltuser name"Alice" password"nomalice"
/gt
ltuser name"Mary" password"contrary"
/gt
lt/credentialsgt
lt/formsgt
lt/authenticationgt
lt/system.webgt
lt/configurationgt

13
Web.config in the secret subdirectory (to deny
unauthenticated users)

ltconfigurationgt
ltsystem.webgt
ltauthorizationgt
ltdeny users"?" /gt
lt/authorizationgt
lt/system.webgt
lt/configurationgt

14
Why is it not earlier example not realistic?

Unreasonable to store passwords in clear text
Storing a large number of names/passwords in
Web.config is unrealistic. Instead, store them in
a database.
Modified Login.aspx is in the next few slides

lt_at_ Import NameSpace"System.Data.SqlClient" gt
lthtmlgt
ltbodygt
lth1gtPlease Log Inlt/h1gt
lthrgt
ltform runat"server"gt
lttable cellpadding"8"gt
lttrgt
lttdgt
User Name
lt/tdgt
lttdgt
ltaspTextBox ID"UserName"
RunAt"server" /gt
lt/tdgt
lt/trgt
lttrgt
lttdgt
Password

lttdgt
ltaspButton Text"Log In"
OnClick"OnLogIn"
RunAt"server" /gt
lt/tdgt
lttdgt
ltaspCheckBox Text"Keep me signed
in" ID"Persistent"
RunAt"server" /gt
lt/tdgt
lt/trgt
lt/tablegt
lt/formgt
lthrgt
lth3gtltaspLabel ID"Output" RunAt"server"
/gtlt/h3gt
lt/bodygt
lt/htmlgt

ltscript language"C" runat"server"gt
void OnLogIn (Object sender, EventArgs e)
if (CustomAuthenticate (UserName.Text,
Password.Text))
FormsAuthentication.RedirectFromLoginPag
e (UserName.Text,
Persistent.Checked)
else
Output.Text "Invalid login"
bool CustomAuthenticate (string username,
string password)
SqlConnection connection new
SqlConnection
("serverlocalhostdatabasewebloginuid
sapwd")
try
connection.Open ()
StringBuilder builder new
StringBuilder ()

18
New Web.config in main directory

ltconfigurationgt
ltsystem.webgt
ltauthentication mode"Forms"gt
ltforms loginUrl"LoginPage.aspx" /gt
lt/authenticationgt
lt/system.webgt
lt/configurationgt

19
Authentication Cookie Lifetime

Timeout value is controlled by
In Machine.config file
ltforms timeout30gt
In local Web.config file
configurationgt
ltsystem.webgt
ltauthentication mode"Forms"gt
ltforms loginUrl"LoginPage.aspx" timeout
30/gt
lt/authenticationgt
lt/system.webgt
lt/configurationgt

20
Forms Authentication and Role-based Security

Previous example, all authenticated users have
access what if we want to restrict access to a
few? (Here, means all ? means unauthenticated
users)
In Web.config of the secret page
ltauthorizationgt
ltallow users John, Alice /gt
ltdeny users /gt
lt/authorizationgt