Introduction to ASP.NET
ASP.NET Security
MacDonald Ch. 18
MIS 424
Professor Sandvig
Overview
Today
Security Concepts & Terminology
Authentication and Authorization
Role-based security
ASP.NET approaches:
1. Do it yourself
2. Windows authentication
3. Forms authentication
4. .NET membership provider
Security Terminology
Authentication
Process of identifying the user
User provides credentials
Username / password
ID card, key, fingerprint, eye scan…
Authentication done once at login
Security Terminology
Authorization
Permissions
Which resources the user is allowed to access
Type of access
Read, write, modify, delete, change permissions…
Performed with every request
Example - WWU Library
Authentication
Who are you?
WWU student
Lost Canadian
Authorization
What are you allowed to do?
WWU student
Checkout books, laptops, IIL services…
Lost Canadian
Look at books, use restrooms, stay warm
Security Terminology
Principle of least privilege
Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
Benefits:
Protects data
Protects organization
Protects individuals
Role-based Security
Permissions assigned based upon role or job function
Role-based Security
Create roles
Administrator
User
Student
Anonymous user
etc, etc. …
Roles are assigned specific permissions
Principle of least privilege
People are assigned to roles
Role-Based Security
Benefit
Simplifies management of permissions
Example: Roles in WWU Banner system
Students
Faculty
Administrators
Many types, each with specific permissions
Enforced at both application & DB level
ASP.NET Security
Approaches:
Do-it-yourself
Forms authentication
Windows authentication
ASP.NET Membership Provider
Do-it-yourself Authentication
Each .aspx page checks for authorization
Redirect unauthorized users to login
Single line of code:
if (Session["authenticated"] == null)
Response.Redirect("Login.aspx");
Do-it-yourself Authentication
Advantages
Simple
Flexible – page-by-page
Database access
Disadvantages
Need to include code in every .aspx page
Pages need to be executable
Excludes .html pages, images, etc.
Windows Authentication
Authenticate against Windows user accounts
Username/password managed with Windows (Active Directory)
Windows Authentication
Authorization
Specify in web.config
First match algorithm
Set on each directory
Sample Page
Windows Authentication
Benefits:
Secures every file type
Use existing Windows accounts
Intranet
Not public web
Fine-level control of permissions
Limitations
Users need permissions on server
Forms Authentication
Create login page
Authenticate against any data source
database, LDAP, web service, CAS…
Login page
.aspx file
access database, other data sources
Authentication ticket issued
Encrypted cookie
Redirects back to requested page
Forms Authentication
How to Configure
Web.config file
authentication mode="Forms"
Root directory of application
Create Login Page
Example:
Sample
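As an added example (not from the slides), the web.config fragment below puts the two slides above together: the Forms authentication setting in the application root, and the authorization rules the Windows authentication slide describes (evaluated first match, set per directory). The Admin directory and the Administrator role are assumptions; the same authorization section works unchanged with mode="Windows".

```xml
<?xml version="1.0"?>
<!-- Added example, not from the slides. The Admin path and the
     Administrator role name are assumptions for illustration. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to
         the login page. Login.aspx validates the credentials against any
         data source, then calls FormsAuthentication.RedirectFromLoginPage,
         which issues the encrypted ticket cookie and sends the user back
         to the page originally requested. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Authorization rules are checked on every request, top to bottom,
         and the FIRST matching rule wins. "?" = anonymous users, "*" = everyone.
         Deny anonymous first, then allow the authenticated remainder. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- WRONG ordering (shown for contrast, do not use): <allow users="*"/>
         matches every request, so the <deny users="?"/> after it is never
         reached and anonymous visitors are let in.
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
    -->
  </system.web>

  <!-- Per-directory rules: only members of the Administrator role may reach
       anything under Admin; the trailing deny closes the directory to all
       other users (least privilege for that subtree). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```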
ASP.NET Membership
Drag & Drop controls
Implements Forms authentication
No code required
Automatically creates SQL Server database
Can define users & roles
Quite sophisticated
ASP.NET Membership Provider
No code
“Magical”
Many configuration options
Password recovery
Change password control
Sends email
Create groups (programmatically)
Assign users to groups
Summary
Application Security options:
Do-it-yourself
Windows authentication
Forms authentication
ASP.NET Membership provider
Security
Complex topic
Discuss other aspects later