Authentication and Authorisation in ASP.Net

Presentation transcript:

Authentication and Authorisation in ASP.Net By Dharam Shadija

Structure of Presentation
- Review Application Directory structure
- Review Simple Authentication process
- Authentication in ASP.Net
- SQLMembershipProvider, SQLRoleProvider and SQLProfileProvider class
- Built-in Security controls
- Website Administration panel
- Summary

Authorisation and Authentication
- Authentication is the process of checking user credentials against a database or Active Directory.
- Authorisation is the process of checking whether a user or role has access to a particular part of the web site.

Simple Authentication process
(Diagram labels: Browser, IIS, Login page, Default.asp)
- Client enters login information
- Login page authenticates user info
- Puts user name in session and forwards user to secure area
- If incorrect details: access denied

Simple Authentication process
Advantages
- Simple to set up
Disadvantages
- Lot of code required from the developer's perspective
- High maintenance
- User details not secure, as they are stored as plain text

Forms Authentication process
(Diagram labels: Browser, IIS, Forms Authentication, Login page, Default.aspx, Authenticated / Not Authenticated)
- Client accesses secure area
- Not authenticated: request forwarded to login page using settings in web.config
- Login page puts user name in Authentication Cookie and forwards user to the page requested
- If incorrect details: access denied

Authentication and Authorisation in ASP.Net
- Provides ways to authenticate using a pre-built database or against Active Directory
- Number of built-in security controls
- Based on the Provider model, i.e. can be extended by developers to write custom logic
- Number of pre-written methods to perform repetitive functions
- Pre-built SQL Server database to hold user, role and access information
- Built on top of the current implementation of Forms Authentication

Authentication and Authorisation in ASP.Net
System.Web.Security namespace
- ProviderBase
- MembershipProvider (inherits ProviderBase): ValidateUser(), CreateUser(), DeleteUser()
- RoleProvider (inherits ProviderBase): AddUsersToRoles(), CreateRole(), DeleteRole()

SQLMembershipProvider and SQLRoleProvider class
SQLMembershipProvider
- Used to store user information in a pre-built SQL Server database file (ASPNetDB.mdf)
- Can be configured to point to another location using web.config file
- aspnet_user table
SQLRoleProvider
- Used to store role information in a pre-built SQL Server database file (ASPNetDB.mdf)
- aspnet_role and aspnet_userInRole tables
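
The slide above notes that the providers can be pointed at another location through web.config. The fragment below is an added example, not part of the original slides, showing that redirection together with the password-storage and lockout settings that address the plain-text weakness of the simple login approach. The connection string name, server, database and provider names are constructed placeholders.

```xml
<!-- Added example. AppSecurityDb, DBSERVER, AppSecurity, AppSqlMembership and
     AppSqlRoles are constructed placeholder names, not values from the slides. -->
<configuration>
  <connectionStrings>
    <add name="AppSecurityDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=AppSecurity;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AppSqlMembership">
      <providers>
        <!-- Remove inherited providers so only the one below is used. -->
        <clear />
        <!-- passwordFormat="Hashed": passwords are stored as salted hashes and
             cannot be read back, so retrieval is disabled and reset is used.
             maxInvalidPasswordAttempts / passwordAttemptWindow: the account is
             locked after 5 failed attempts within 10 minutes. -->
        <add name="AppSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppSecurityDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AppSqlRoles">
      <providers>
        <clear />
        <!-- Same database and applicationName, so users and roles line up. -->
        <add name="AppSqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppSecurityDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The target database must already contain the membership schema, which the aspnet_regsql.exe tool creates.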

SQLProfileProvider class
- Enables developers to store user profile information in a pre-built SQL Server database file (ASPNetDB.mdf)
- User profile configured in web.config file
- aspnet_profile table
- Key methods: GetAllProfiles(), DeleteProfiles()

    <add name="UIPreference" type="String" serializeAs="String"/>
    <add name="Address" type="String" serializeAs="String"/>

Built-in Security controls
- Login control: VerifyUser(username, password)
- PasswordRecovery control
- LoginStatus control
- LoginView control

Built-in Security controls
- LoginName control
- CreateUserWizard control
- ChangePassword control

ASPNetDB.mdf

Configuring Forms Authentication
- Use a custom login page to validate the user
- Authentication information goes in the web.config file at root level

    <!-- web.config file -->
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" loginUrl="Login.aspx" />
        </authentication>
      </system.web>
    </configuration>

Configuring Authorisation
- To deny unauthorised users access to files in a particular folder
- Authorisation information goes in the web.config file, could be at root level and at sub folder level
- Access level is inherited

    <configuration>
      <system.web>
        <authorization>
          <!-- Deny anonymous access -->
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

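Configuring Authorisation
- Allow a particular user or role access to this folder

    <configuration>
      <system.web>
        <authorization>
          <!-- Rules are checked top to bottom and the first match wins,
               so the allow entries must come before the catch-all deny. -->
          <allow users="Jim, Mo" />
          <allow roles="Administrator" />
          <!-- Deny all other users, anonymous included -->
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>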
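
The two configuration slides above combine into one root web.config as follows. This is an added example, not part of the original slides: it sets the forms cookie options explicitly and uses a location element to tighten a sub folder while the rest of the site inherits the root rule. The Admin folder name and the timeout value are constructed for illustration.

```xml
<!-- Added example. The Admin path and the 20 minute timeout are constructed
     values, not taken from the slides. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and integrity-checked.
           requireSSL="true": the cookie is only sent over HTTPS.
           cookieless="UseCookies": the ticket is never placed in the URL.
           slidingExpiration="false": the ticket expires 20 minutes after
           it is issued instead of being renewed on every request. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>
    <authorization>
      <!-- Site-wide default, inherited by every sub folder:
           anonymous users are sent to the login page. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for the Admin sub folder. They are evaluated before the inherited
       root rules, top to bottom, and the first match wins: administrators
       are allowed, every other user (signed in or not) is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same Admin rules could instead live in a web.config file inside the Admin folder; the location element keeps all access rules reviewable in one file.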

Forms Authentication
Advantages
- Automatically encrypts user information in the Authentication cookie
- Takes away the plumbing from the developer
- Provides a structure to implement Authentication and Authorisation in ASP.Net applications
- Built-in UI controls
- Pre-written authentication logic
Disadvantages
- Needs some work setting it up

Website Administration Panel
- Developer-friendly tool to set up Authentication and Authorisation information
- Stores information in an SQL Server database
- Configures Web.config to reflect changes done using the Administration panel

Website Administration Panel

Summary
- Reviewed Forms Authentication
- Authentication in ASP.Net
- SQLMembershipProvider and SQLRoleProvider class
- Built-in Security controls
- Website Administration panel

References
- Examining ASP.NET 2.0's Membership, Roles, and Profile: http://aspnet.4guysfromrolla.com/articles/120705-1.aspx (This is a multipage article, explore all the pages.)