1 / 24

ASP.NET SECURITY

ASP.NET SECURITY. Presenter: Van Nguyen. Introduction. Security is an integral part of any Web-based application. Understanding ASP.NET security will help in building secure Web applications. This document provides a brief overview of security in ASP.NET. Introduction.

jovan
Download Presentation

ASP.NET SECURITY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ASP.NET SECURITY Presenter: Van Nguyen

  2. Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will help in building secure Web applications. This document provides a brief overview of security in ASP.NET.

  3. Introduction • ASP.NET Web application security • FormsAuthentication • Manager Users Using Membership • Managing Authorization using Roles

  4. I. ASP.NET Web application security • ASP.NET architecture • ASP.NET Data Flow • ASP.NET Authentication • ASP.NET Authorization • ASP.NET impersonation

  5. I. ASP.NET Web application security • ASP.NET architecture

  6. I. ASP.NET Web application security • ASP.NET Data Flow • The security data flow for two common scenarios: • Impersonation. • Forms authentication using cookies.

  7. I. ASP.NET Web application security • Impersonation

  8. I. ASP.NET Web application security • FormsAuthentication

  9. I. ASP.NET Web application security • ASP.NET Authentication: • Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. • Windows Authentication Provider. (Asp.net Impersonation) • Forms Authentication Provider. (FormsAuthentication)

  10. I. ASP.NET Web application security • Authorization determines whether an identity should be granted access to a specific resource. • In ASP.NET Authorization, there are two ways to authorize access to a given resource: • File authorization • URL authorization

  11. I. ASP.NET Web application security • File authorization is performed by the FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether a user should have access to the file. ACL permissions are verified for the user's Windows identity (if Windows authentication is enabled) or for the Windows identity of the ASP.NET process.

  12. I. ASP.NET Web application security • URL authorization: URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles. • <authorization> • <[allow|deny] roles verbs users /> • </authorization>

  13. I. ASP.NET Web application security • ASP.NET impersonation: • ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity). • <configuration> • <system.web> • <authentication mode="Windows“/> • <identity impersonate="true"/> • </system.web> • </configuration>

  14. II. FormAuthentication • Forms authentication uses an authentication ticket that is created when a user logs on to a site, and then it tracks the user throughout the site. The forms authentication ticket is usually contained inside a cookie. • Configuration FormsAuthenticationin web.config:

  15. II. FormAuthentication • Credentials Store in web.config: Forms authentication credentials that are used to validate users at logon can be stored in an external data source or in the application configuration file.

  16. II. FormAuthentication • Logging In, Logging Out using FormsAuthentication. • Logging In: • Logging Out: if (FormsAuthentication.Authenticate(model.UserName, model.Password) || Membership.ValidateUser(model.UserName, model.Password)) { FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); //FormsAuthentication.RedirectFromLoginPage(userName,isPresistentCookie); } FormsAuthentication.SignOut(); FormsAuthentication.RedirectToLoginPage();

  17. II. FormAuthentication • Understanding Persistent tickets:The forms authentication ticket was always stored in a cookie. So, the decision between using a persistent versus nonpersistent ticket is a choice between using persistent or session-based cookie. • The following code issues a persistent ticket: FormsAuthentication.RedirectFromLoginPage("testuser", true);

  18. III. Manager Users Using Membership • ASP.NET membership therefore helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication by using with the ASP.NET login controls to create a complete system for authenticating users. • Benefit of ASP.NET membership: • Create new user and password. • Using the Login controls in asp.net. • Storing membership information in database. • Authenticating users who visit your site. • Managing passwords (creating, changing and resetting them). • Specifying a custom membership provider.

  19. III. Manager Users Using Membership • Configuration Membership:

  20. III. Manager Users Using Membership • Install DataBase: • Run file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

  21. III. Manager Users Using Membership • Finish: • Membership class.

  22. IV. Managing Authorization using Roles • Role management lets you treat groups of users as a unit by assigning users to roles. • Role management helps you manage authorization, which enables you to specify the resources that users in your application are allowed to access. • Using RoleProvider to make a custom Role management.

  23. IV. Managing Authorization using Roles • Configuration RoleProvider: • Authorization using Role:

  24. Thanks for your listening

More Related