ASP.NET Security MIS 424 Professor Sandvig
Overview Today • Security Concepts & Terminology • Authentication and Authorization • Role-based security • HTTPS • ASP.NET approaches: • Do-it-yourself • ASP.NET Identity • Windows authentication
Security Terminology • Authentication • Process of identifying the user • User provides credentials • Username / Password • ID card, key, finger print, eye scan… • Authentication done once at login
Security Terminology • Authorization • Which resources user is allowed to access • Permissions • Type of access • Read, write, modify, delete, change permissions… • Performed with every request
Example - WWU Library • Authentication • Who are you? • WWU student • Lost Canadian • Authorization • What are you allowed to do? • WWU student • Check out books, laptops, ILL services… • Lost Canadian • Look at books, use restrooms, stay warm
Security Terminology • Principle of least privilege • Every program and every user of the system should operate using the least set of privileges necessary to complete their job. • Benefits: • Protects data • Protects organization • Protects individuals
Role-based Security • Permissions assigned based upon organizational role
Role-based Security • Create roles • Financial Aid counselor • Academic counselor • Network Administrator • Database Administrator • Payroll • Roles are assigned specific permissions • Principle of least privilege
Role-Based Security • Groups • Collections of individuals • Examples: • Students • Faculty • Help Desk technicians • Department administrators
Role-based Security Assign Users and groups to roles Source: https://docs.oracle.com/cd/E19226-01/820-7627/bnbxj/index.html
Role Permissions Source: ITGlue content management system
Role Permissions • WWU P drive
Web Security • Always use HTTPS • Secure Sockets Layer (SSL/TLS) • Encrypts all data in transit • Session Hijacking • All security methods pass a cookie identifying the user as authenticated • Attacker obtains the cookie data (e.g. sniffed from unencrypted HTTP) • Impersonates the authenticated user
Adding HTTPS • Individual controllers:

```csharp
namespace mis424Assignments.Controllers
{
    [RequireHttps]
    [Authorize]
    public class RetailController : Controller
    {
        // ...
    }
}
```

• Entire site • Global.asax:

```csharp
protected void Application_Start()
{
    GlobalFilters.Filters.Add(new RequireHttpsAttribute());
}
```
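Added example, not from the slides: the site-wide filter registered the way the MVC 5 project template does it (App_Start/FilterConfig.cs), together with the web.config settings that keep the session and authentication cookies off plain HTTP, which is what the session-hijacking slide is about. The namespace and file layout are assumptions.

```csharp
// Added example (not from the slides). Assumes an ASP.NET MVC 5 project with the
// standard App_Start/FilterConfig.cs; Global.asax calls
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start().
using System.Web.Mvc;

namespace mis424Assignments
{
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            // Every request must arrive over HTTPS. Plain-HTTP GETs are redirected to
            // the https:// URL; non-GET requests over HTTP are rejected so that a
            // form post (and its cookie) never travels unencrypted.
            filters.Add(new RequireHttpsAttribute());

            // Default-deny: every action requires an authenticated user unless the
            // action or controller is explicitly marked [AllowAnonymous].
            filters.Add(new AuthorizeAttribute());
        }
    }
}

// Companion web.config settings (shown as a comment because they are XML, not C#):
//
//   <system.web>
//     <!-- httpOnly: script cannot read the cookie (limits XSS cookie theft).
//          requireSSL: the browser only sends the cookie over HTTPS. -->
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
//   <system.webServer>
//     <httpProtocol>
//       <customHeaders>
//         <!-- HSTS: browsers remember to use HTTPS for this host. -->
//         <add name="Strict-Transport-Security" value="max-age=31536000" />
//       </customHeaders>
//     </httpProtocol>
//   </system.webServer>
```

With `requireSSL="true"` on the cookies, a session cookie that somehow leaks into an HTTP request is simply not sent by the browser, so enforcing HTTPS and marking cookies secure are complementary: the first keeps the cookie encrypted in transit, the second stops it from ever being offered over HTTP.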
ASP.NET Security • Approaches: • Do-it-yourself • ASP.NET Identity • Windows authentication
Do-it-yourself Authentication • Each action method checks for authorization • Redirect unauthorized users to login • Single line of code: if (Session["authenticated"] == null) return RedirectToAction("Login");
Do-it-yourself Authentication • Advantages • Simple • Flexible • Write own authentication code • Disadvantages • More work? • Your responsibility
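Added example, not from the slides: the one-line session check from the previous slide moved into a reusable action filter, so that forgetting the check on a new action (the "your responsibility" disadvantage) is harder, plus a login action that validates the return URL before redirecting. The session key `authenticated`, the `Account`/`Login` route and the credential check are assumptions.

```csharp
// Added example (not from the slides). The session key, controller names and the
// CredentialStore helper are illustrative assumptions, not a real library.
using System.Web.Mvc;
using System.Web.Routing;

namespace mis424Assignments.Filters
{
    // Apply as [SessionAuthorize] on a controller or action, or register it globally.
    public class SessionAuthorizeAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var session = filterContext.HttpContext.Session;
            if (session == null || session["authenticated"] == null)
            {
                // Fail closed: setting Result short-circuits the action entirely and
                // sends the user to Login, remembering where they were going.
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "controller", "Account" },
                        { "action", "Login" },
                        { "returnUrl", filterContext.HttpContext.Request.RawUrl }
                    });
            }
        }
    }
}

namespace mis424Assignments.Controllers
{
    using mis424Assignments.Filters;

    public class AccountController : Controller
    {
        [HttpGet]
        public ActionResult Login(string returnUrl) { return View(); }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Login(string username, string password, string returnUrl)
        {
            // Hypothetical helper: verifies the password against a salted hash in the DB.
            if (!CredentialStore.Verify(username, password))
            {
                ModelState.AddModelError("", "Invalid username or password.");
                return View();
            }

            // Drop anything set before login, then mark the session as authenticated.
            Session.Clear();
            Session["authenticated"] = username;

            // Only follow local return URLs; an absolute URL here would be an open redirect.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        public ActionResult Logout()
        {
            Session.Abandon();
            return RedirectToAction("Login");
        }
    }

    // Every action here now gets the check without repeating the if-statement.
    [SessionAuthorize]
    public class RetailController : Controller
    {
        public ActionResult Index() { return View(); }
    }
}
```

Registering the filter in `GlobalFilters.Filters` instead of per controller turns the design into default-deny, which is the safer shape: the check is present unless you deliberately opt an action out.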
ASP.NET Identity • Individual user accounts (Visual Studio project template) • Visual Studio creates models & database • Username, password, roles stored in DB
ASP.NET Identity • Features • Contains views for: • Creating account • Modify account • Password recovery • Change password
ASP.NET Identity • Features • Can use social providers for authentication • Facebook, Google, Twitter • Create roles • Assign users to roles
ASP.NET Identity • Decorate action methods with Authorization rules • Individuals • Roles • Authenticates against database, Active Directory, cloud based authentication, … • Example: Secured Admin Pages
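Added example, not from the slides: creating roles and assigning a user to one with the ASP.NET Identity 2.x managers, then decorating a controller and an action with `[Authorize]` rules for roles and for an individual. `ApplicationDbContext` and `ApplicationUser` are the classes the "Individual User Accounts" template generates; the role names, the bootstrap user and the `AdminController` are assumptions.

```csharp
// Added example (not from the slides). Assumes the classes generated by the
// "Individual User Accounts" template (ApplicationDbContext, ApplicationUser).
// Role names and the admin account are illustrative.
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

namespace mis424Assignments
{
    public static class RoleSeeder
    {
        // Call once at startup (e.g. from Application_Start or a database Seed method).
        public static void EnsureRoles(string adminUserName)
        {
            using (var db = new ApplicationDbContext())
            {
                var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
                var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));

                // Roles mirror organizational jobs (least privilege per job).
                foreach (var role in new[] { "Admin", "FinancialAid", "Payroll" })
                {
                    if (!roleManager.RoleExists(role))
                        roleManager.Create(new IdentityRole(role));
                }

                // Put one bootstrap account into Admin so someone can manage the rest.
                var admin = userManager.FindByName(adminUserName);
                if (admin != null && !userManager.IsInRole(admin.Id, "Admin"))
                    userManager.AddToRole(admin.Id, "Admin");
            }
        }
    }
}

namespace mis424Assignments.Controllers
{
    // Controller-level rule: only members of the Admin role reach anything here.
    // Unauthenticated users are sent to the login page; authenticated users
    // outside the role get 401/403 rather than the page.
    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        public ActionResult Index() { return View(); }

        // Stacked attributes are ANDed: the caller must be in Admin AND in Payroll.
        [Authorize(Roles = "Payroll")]
        public ActionResult PayrollReport() { return View(); }

        // A named individual rather than a role. Roles are usually preferable:
        // permissions then follow the job, not the person.
        [Authorize(Users = "admin@example.com")]   // placeholder account name
        public ActionResult DangerZone() { return View(); }

        // Comma-separated roles are ORed: any one of them is enough.
        [Authorize(Roles = "FinancialAid,Payroll")]
        public ActionResult StudentFinance() { return View(); }
    }
}
```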
Windows Authentication • Authenticate against Windows users and roles • Active Directory • Take advantage of organizational roles • Group email, file permissions, chat…
Windows Authentication • MVC Implementation • Specify in web.config • <authentication mode="Windows" /> • Enable Windows Authentication in IIS
Windows Authentication • Benefits: • Use existing Active Directory user & groups • Intranet • Not public web • Single sign-in within organization • Fine-level control of permissions • Example: WindowsAuthentication
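Added example, not from the slides: the web.config and IIS settings that switch an MVC application to Windows authentication, and a controller whose `[Authorize]` rules refer to Active Directory groups instead of Identity roles. The domain `EXAMPLE`, the group names and the controller are placeholders.

```csharp
// Added example (not from the slides). Domain, group and controller names are
// illustrative placeholders; replace EXAMPLE\... with real AD groups.
//
// web.config (XML, shown here as a comment):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <!-- "?" means anonymous: reject any request without a Windows identity. -->
//       <deny users="?" />
//     </authorization>
//   </system.web>
//
// IIS: under the site's Authentication feature, enable "Windows Authentication"
// and disable "Anonymous Authentication". The browser then negotiates
// Kerberos/NTLM with the domain; there is no login form to write.
using System.Web.Mvc;

namespace mis424Assignments.Controllers
{
    // Role names are AD groups written as DOMAIN\Group.
    [Authorize(Roles = @"EXAMPLE\HelpDesk")]
    public class HelpDeskController : Controller
    {
        public ActionResult Index()
        {
            // The Windows account that IIS authenticated, e.g. EXAMPLE\jdoe.
            ViewBag.Who = User.Identity.Name;

            // Group membership comes from the user's Windows token, so changes made
            // in Active Directory apply here without touching the application.
            ViewBag.CanResetPasswords = User.IsInRole(@"EXAMPLE\DeptAdmins");
            return View();
        }

        // Finer-grained: help desk can see the page, only department admins can act.
        [Authorize(Roles = @"EXAMPLE\DeptAdmins")]
        public ActionResult ResetPassword(string account)
        {
            // ... perform the privileged operation for "account" ...
            return RedirectToAction("Index");
        }
    }
}
```

Because membership is evaluated from the Windows token on every request, this is the same "authorization is performed with every request" idea from the terminology slides, with Active Directory rather than the application's own database acting as the source of truth.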
Summary • Application Security options: • Do-it-yourself • Identity User Accounts • Windows authentication • Security • Complex topic • Discuss other aspects later