Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Slides:



Advertisements
Similar presentations
iRequestManager for MediMizer X3
Advertisements

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Website Security ISYS 512. Authentication Authentication is the process that determines the identity of a user. Web.config file – node Options: –Windows.
Building ASP.NET Applications 2 Lecture 3,4 T. Ahlam Algharasi 4 th Level.
(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Introduction To Windows NT ® Server And Internet Information Server.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Managing Identity and Permissions
Website Security ISYS 512. Cookies Data in Cookies System.Web Which web site set the cookie Expiration date –DateTime data type –TimeSpan data type One.
Sql Server Advanced Features MIS 424 Professor Sandvig.
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
CONFIGURING WINDOWS SERVER MIS 424 Professor Sandvig.
Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Working with Workgroups and Domains
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.
Session 11: Security with ASP.NET
Session 5: Working with MySQL iNET Academy Open Source Web Development.
Forms Authentication, Users, Roles, Membership Svetlin Nakov Telerik Corporation
CIM6400 CTNW (04/05) 1 CIM6400 CTNW Lesson 6 – More on Windows 2000.
Copyright 2000 eMation SECURITY - Controlling Data Access with
1.NET Web Forms Security Issues © 2002 by Jerry Post.
Telerik Software Academy ASP.NET Web Forms.
Security Planning and Administrative Delegation Lesson 6.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
1 Web services and security ---discuss different ways to enforce security Presenter: Han, Xue.
Sofia, Bulgaria | 9-10 October Developing Custom ASP.NET Providers For Membership And Role Manager Goksin Bakir Yage Ltd Microsoft Regional Director, MEA.
.Net and Web Services Security CS795. Web Services A web application Does not have a user interface (as a traditional web application); instead, it exposes.
Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
Module 11: Securing a Microsoft ASP.NET Web Application.
Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.
Working with Workgroups and Domains Lesson 9. Objectives Understand users and groups Create and manage local users and groups Understand the difference.
Role Management in.NET Shree Shalini Pusapati CS /17/20151.
Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.
2. SQL Security Objectives –Learn SQL Server 2000 components Contents –Understanding the Authentication Process –Understanding the Authorization Process.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
GUDURU PRAVEEN REDDY.NET IMPERSONATION. Contents Introduction Impersonation Enabled Impersonation Disabled Impersonation Class Libraries Impersonation.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Security E-Learning Chapter 08. Security Control access to your web site –3 Techinques for Identifying users Giving users access to your site Securing.
Configuring and Deploying Web Applications Lesson 7.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 10: Internet Information Services (IIS)
Security. Agenda ASP.NET security basics AuthenticationAuthorization Security principals Forms authentication Membership service Login controls Role Management.
Working with ASP.NET Controls What is ASP.NET Using server controls in your pages Allowing users to create their own accounts Creating a login page Letting.
Security In your webSite.
Unit 7 Learning Objectives
Agenda Introduction Security flow for a request Authentication
Authentication and Authorisation in ASP.Net
ASP .NET MVC Authorization Training Videos
Security Basics and ASP.NET Support
ACTIVE DIRECTORY ADMINISTRATION
Jim Fawcett CSE686 – Internet Programming Summer 2005
Active Directory Administration
Security mechanisms and vulnerabilities in .NET
IIS.
Created by : Asst. Prof. Ashish Shah
Configuring Internet-related services
Role Management in .net Vinay Dhareshwar.
Security - Forms Authentication
Presentation transcript:

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

1. Basic principles 2. Authentication Types  Windows Authentication  Forms Authentication  Passport Authentication 3. Users & Roles 4. Membership and Providers 5. Login / Logout Controls

 Authentication  The process of verifying the identity of a user or computer  Questions: Who are you? How you prove it?  Credentials can be password, smart card, etc.  Authorization  The process of determining what a user is permitted to do on a computer or network  Question: What are you allowed to do?

 Windows Authentication  Uses Active Directory / Windows accounts  Forms Authentication  Uses a traditional login / logout pages  Code associated with a Web form handles users authentication by username / password  Users are usually stored in a database  Passport Authentication  Uses Microsoft's passport service

 In Windows Authentication mode the Web application uses the same security scheme that applies to your Windows network  Network resources and Web applications use the same:  User names  Passwords  Permissions  It is the default authentication when a new Web site is created

 The user is authenticated against his username and password in Windows  NTLM or Kerberos authentication protocol  When a user is authorized:  Application executes using the permissions associated with the Windows account  The user's session ends when the browser is closed or when the session times out

 Users who are logged on to the network  Are automatically authenticated  Can access the Web application  To set the authentication to Windows add to the Web.config :  To deny anonymous users add: <authorization> </authorization>

 The Web server should have NTLM enabled: GET /Default.aspx HTTP/1.1 … HTTP/ Unauthorized WWW-Authenticate: NTLM GET /Default.aspx HTTP/1.1 Authorization: NTLM tESsB/ yNY3lb6a0L6vVQEZNqwQn0sqZ… HTTP/ OK … … …  HTTP requests:  HTTP responses:

Live Demo

 Forms Authentication uses a Web form to collect login credentials (username / password)  Users are authenticated by the C# code behind the Web form  User accounts can be stored in:  Web.config file  Separate user database  Users are local for the Web application  Not part of Windows or Active Directory

 Enabling forms authentication:  Set authentication mode in the Web.config to " Forms "  Create a login ASPX page  Create a file or database to store the user credentials (username, password, etc.)  Write code to authenticate the users against the users file or database

 To deny someone's access add in the tag  To allow someone's access add in the authorization tag  denies anonymous access  denies access to all users <system.web> </system.web>

 Specifying authorization rules in Web.config :  The deny / allow stops the authorization process at the first match  Example: if a user is authorized as Pesho, the tag is not processed </location>

 Logging-in using credentials from Web.config :  Logging-out the currently logged user:  Displaying the currently logged user: if (FormsAuthentication.Authenticate(username, passwd)) { FormsAuthentication.RedirectFromLoginPage( FormsAuthentication.RedirectFromLoginPage( username, false); username, false);}else{ lblError.Text = "Invalid login!"; lblError.Text = "Invalid login!";} FormsAuthentication.SignOut(); This method creates a cookie (or hidden field) holding the authentication ticket. lblInfo.Text = "User: " + Page.User.Identity.Name;

Live Demo

Membership Provider and Roles Provider

 User is a client with a Web browser running a session with the Web application  Users can authenticate (login) in the Web application  Once a user is logged-in, a set of roles and permissions are assigned to him  Authorization in ASP.NET is based on users and roles  Authorization rules specify what permissions each user / role has

 Simplify common authentication and user management tasks  CreateUser()  DeleteUser()  GeneratePassword()  ValidateUser()  …  Can store user credentials in database / file / etc.

 Adding membership provider to the Web.config <add connectionStringName="UsersConnectionString" <add connectionStringName="UsersConnectionString" minRequiredPasswordLength="6" minRequiredPasswordLength="6" requiresQuestionAndAnswer="true" requiresQuestionAndAnswer="true" enablePasswordRetrieval="false" enablePasswordRetrieval="false" requiresUnique ="false" requiresUnique ="false" applicationName="/MyApp" applicationName="/MyApp" minRequiredNonalphanumericCharacters="1" minRequiredNonalphanumericCharacters="1" name="MyMembershipProvider" name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider"/> type="System.Web.Security.SqlMembershipProvider"/> </membership>

 Roles in ASP.NET allow assigning permissions to a group of users  E.g. " Admins " role could have more privileges than " Guests " role  A user account can be assigned to multiple roles in the same time  E.g. user " Peter " can be member of " Admins " and " TrustedUsers " roles  Permissions can be granted to multiple users sharing the same role

 Role providers in ASP.NET  Simplify common authorization tasks and role management tasks  CreateRole()  IsUserInRole()  GetAllRoles()  GetRolesForUser()  …  Can store user credentials in database / file / etc.

 To register role provider in ASP.NET 4.0 add the following to the Web.config : <roleManager enabled="true" DefaultProvider="MyRoleProvider"> DefaultProvider="MyRoleProvider"> <add connectionStringName="UsersConnectionString" <add connectionStringName="UsersConnectionString" name="MyRoleProvider" name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" /> type="System.Web.Security.SqlRoleProvider" /> </roleManager><connectionStrings> <add name="UsersConnectionString" <add name="UsersConnectionString" connectionString="Data Source=.\SQLEXPRESS;Initial connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=Users;Integrated Security=True" Catalog=Users;Integrated Security=True" providerName="System.Data.SqlClient" /> providerName="System.Data.SqlClient" /></connectionStrings>

 The built-in classes System.Web.Security. SqlMembershipProvider and System.Web. Security.SqlRoleProvider use a set of standard tables in the SQL Server  Can be created by the ASP.NET SQL Server Registration tool ( aspnet_regsql.exe )  The aspnet_regsql.exe utility is installed as part of with ASP.NET 4.0: C:\WINDOWS\Microsoft.NET\Framework\v \ aspnet_regsql.exe

Live Demo

 Implementing login:  Implementing logout:  Creating new user: if (Membership.ValidateUser(username, password)) { FormsAuthentication.RedirectFromLoginPage( FormsAuthentication.RedirectFromLoginPage( username, false); username, false);} FormsAuthentication.SignOut(); Membership.CreateUser(username, password);

 Getting the currently logged user:  Creating new role:  Adding user to existing role:  Deleting user / role: MembershipUser currentUser = Membership.GetUser(); Roles.AddUserToRole("admin", "Admins"); Membership.DeleteUser("admin", true); Roles.DeleteRole("Admins"); Roles.CreateRole("Admins");

Live Demo

 Designed to manage your Web site configuration  Simple interface  Can create and manage users, roles and providers  Can manage application configuration settings  Accessible from Visual Studio:  [Project] menu  [ASP.NET Configuration]

Live Demo

 The Login control provides the necessary interface through which a user can enter their username and password  The control uses the membership provider specified in the Web.config file  Adding the login control to the page:

 Once a user has logged in we can display his username just by adding the LoginName control to the page  The LoginStatus control allows the user to log in or log out of the application

 Customized information which will be shown to users through templates, based on their roles  By default there are AnonymousTemplate and LoggedInTemplate  New custom templates can be added  To add the control to the page use: </asp:LoginView>

 It is used to create new accounts  It works with the membership provider class  Offers many customizable features  Can quickly be added to and used using </asp:CreateUserWizard>

 It is used to retrieve passwords  The user is first prompted to enter username  Once users enter valid user names, they must answer their secret questions  The password is sent via  To add this control use: </asp:PasswordRecovery>

 Allows users to change their passwords  It uses the membership provider specified in the Web.config  Can be added to any page with the following tag:

Questions?