ASP.Net Security Chapter 10 Jeff Prosise's Book



Authentication
To ascertain the caller's identity:
–Windows authentication
–Forms authentication
–Passport authentication
Windows authentication: here, IIS does the authentication and makes the caller's identity available to ASP.Net (via a token)
–Most suitable when everyone that uses the application can log in to the local machine
–Uses the built-in security features of the OS

Passport authentication:
–Passport serves as a front-end to a large group of users registered with Microsoft Passport
–Such users can be authenticated anywhere on the Internet by applications that present login credentials to Passport.
–If Passport validates them, it returns an authentication ticket to the application, which in turn stores it as an encoded cookie

Forms authentication
–Relies on login forms in web pages to authenticate users
–In an e-commerce application such as eBay's bidding, Windows authentication is not viable since it is impractical to create Windows accounts for millions of users
–In web.config, we set the authentication mode to Forms
–Other modes are: None, Windows, and Passport

Authorization
Determines what resources a user can access. ASP.Net supports:
–ACL authorization or file authorization---e.g., using the NTFS file system's ACLs
–URL authorization---relies on configuration directives in web.config using the <authorization> element

Windows Authentication
Maps incoming requests to accounts on the web server. Used to serve a well-defined user group that may be controlled through Windows accounts.
–Basic authentication: transmits a user name and password in each request; IIS maps them to an account on the web server and generates a token.
Suppose a web page is placed in a virtual directory, and suppose IIS is configured to disallow anonymous access to that directory and to require basic authentication.
When a user attempts to access it for the first time (via an HTTP request), a 401 is returned indicating that basic authentication is required.
The user's browser then prompts the user for a Windows user name/password.
Problem: the user name/password are sent in plain text between the browser and the web server with each request; the user needs a Windows account.
–Digest authentication: user name/password are sent as an encrypted token with each request
–Integrated Windows authentication

IIS Security
Internet Information Services---a web server. IIS protects a server in four ways:
–Web applications are deployed in virtual directories that are URL-addressable on the server. Remote clients cannot automatically access files outside this directory.
–IIS assigns every request a token---a Windows security principal; the OS and .Net check this token prior to allowing access
–It can enable/disable requests based on IP addresses and domains
–Supports SSL and HTTPS
IIS supports four types of authentication:
–Basic authentication (user name/password)
–Digest authentication (user name/password)
–Integrated Windows authentication
–SSL client authentication

Forms Authentication
Authenticates a user by asking the user to type credentials (e.g., user name/password) into a web form. Entries in web.config identify the login page.
When a user accesses the application for the first time, ASP.Net redirects the user to the login page. If the login is successful, ASP.Net issues a ticket in the form of a cookie and redirects the user to the page originally requested.
The cookie means the user does not have to log in every time. The lifetime of the cookie is dictated by your application.

Example Application with Forms Authentication
Application contains two pages:
–PublicPage.aspx --- viewed by anyone
–ProtectedPage.aspx --- available only to authenticated users (validated by login page)
LoginPage.aspx---asks for a user name and a password
Web.config---stores valid user names and passwords

PublicPage.aspx

```aspx
<form runat="server">
  <h1>Public Page</h1>
  <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" />
</form>

<script language="C#" runat="server">
  void OnViewSecret (Object sender, EventArgs e)
  {
      // The target lives in the Secret subdirectory, whose Web.config denies unauthenticated users,
      // so the redirect sends anyone not yet logged in to the login page first
      Response.Redirect ("Secret/ProtectedPage.aspx");
  }
</script>
```

LoginPage.aspx

```aspx
<form runat="server">
  <h1>Please Log In</h1>
  User Name: <asp:TextBox ID="UserName" RunAt="server" />
  Password:  <asp:TextBox ID="Password" TextMode="password" RunAt="server" />
  <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" />
  <asp:Label ID="Output" RunAt="server" />
</form>

<script language="C#" runat="server">
  void OnLogIn (Object sender, EventArgs e)
  {
      // Authenticate checks the submitted pair against the credentials stored in Web.config
      if (FormsAuthentication.Authenticate (UserName.Text, Password.Text))
          // false: issue a session cookie rather than a persistent one
          FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);
      else
          Output.Text = "Invalid login";
  }
</script>
```

Web.config in the main directory

Web.config in the secret subdirectory (to deny unauthenticated users)

Why is the earlier example not realistic?
–Unreasonable to store passwords in clear text
–Storing a large number of names/passwords in Web.config is unrealistic. Instead, store them in a database.
Modified Login.aspx is in the next few slides

Modified Login.aspx:

```aspx
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Text" %>

<form runat="server">
  <h1>Please Log In</h1>
  User Name: <asp:TextBox ID="UserName" RunAt="server" />
  Password:  <asp:TextBox ID="Password" TextMode="password" RunAt="server" />
  <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" />
  <asp:CheckBox Text="Keep me signed in" ID="Persistent" RunAt="server" />
  <asp:Label ID="Output" RunAt="server" />
</form>

<script language="C#" runat="server">
  void OnLogIn (Object sender, EventArgs e)
  {
      if (CustomAuthenticate (UserName.Text, Password.Text))
          // Persistent.Checked = true issues a persistent cookie that outlives the browser session
          FormsAuthentication.RedirectFromLoginPage (UserName.Text, Persistent.Checked);
      else
          Output.Text = "Invalid login";
  }

  bool CustomAuthenticate (string username, string password)
  {
      SqlConnection connection = new SqlConnection ("server=localhost;database=weblogin;uid=sa;pwd=");
      try {
          connection.Open ();
          // The submitted user name and password are concatenated straight into the SQL text,
          // so a quote character in either field becomes part of the query the server runs;
          // the cast to varbinary makes the password comparison case-sensitive
          StringBuilder builder = new StringBuilder ();
          builder.Append ("select count (*) from users " + "where username = \'");
          builder.Append (username);
          builder.Append ("\' and cast (rtrim (password) as " + "varbinary) = cast (\'");
          builder.Append (password);
          builder.Append ("\' as varbinary)");
          SqlCommand command = new SqlCommand (builder.ToString (), connection);
          int count = (int) command.ExecuteScalar ();
          return (count > 0);
      }
      catch (SqlException) {
          return false;
      }
      finally {
          connection.Close ();
      }
  }
</script>
```
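A hardened version of CustomAuthenticate, added here as an example and not taken from the book or the slides: it passes the user name to SQL Server as a typed parameter instead of concatenating it into the query, and compares a salted PBKDF2 hash instead of the clear-text password. The table layout (salt and hash columns), the application login in the connection string and the FixedTimeEquals helper are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class SafeLogin
{
    // Assumed (not from the slides): users(username nvarchar(64), salt varbinary(16), hash varbinary(32)),
    // reached with a least-privilege application login instead of sa.
    const string ConnectionString = "server=localhost;database=weblogin;uid=weblogin_app;pwd=<placeholder>";

    // Returns true only if the user exists and PBKDF2(password, salt) equals the stored hash.
    public static bool CustomAuthenticate (string username, string password)
    {
        byte[] salt = null, storedHash = null;
        using (SqlConnection connection = new SqlConnection (ConnectionString))
        using (SqlCommand command = new SqlCommand (
            "select salt, hash from users where username = @username", connection))
        {
            // The submitted name travels as a typed parameter, never as part of the SQL text,
            // so quote characters in it cannot alter the statement the server executes.
            command.Parameters.Add ("@username", SqlDbType.NVarChar, 64).Value = username;
            connection.Open ();
            using (SqlDataReader reader = command.ExecuteReader ())
            {
                if (!reader.Read ()) return false;      // unknown user: same answer as a wrong password
                salt = (byte[]) reader["salt"];
                storedHash = (byte[]) reader["hash"];
            }
        }
        // Only the derived hash is compared; the clear-text password is never stored.
        byte[] candidate = new Rfc2898DeriveBytes (password, salt, 100000).GetBytes (32);
        return FixedTimeEquals (candidate, storedHash);
    }

    // Compare every byte so response time does not reveal how many leading bytes matched.
    static bool FixedTimeEquals (byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```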

New Web.config in main directory

Authentication Cookie Lifetime
Timeout value is controlled by:
–In Machine.config file:
–In local Web.config file:

Forms Authentication and Role-based Security
In the previous example, all authenticated users have access; what if we want to restrict access to a few? (Here, * means all users; ? means unauthenticated users)
–In Web.config of the secret page:

Alternately, deny access to Jeff, Bob, and Mary explicitly.
–Rule evaluation is order-sensitive: rules are applied in the order they appear
–Still not practical when a large number of users are involved
Solution: role-based control

Using role-based authorization: Step 1
In Web.config file of the secret directory:

Step 2: Mapping users to roles (in Global.asax)

```csharp
// Global.asax event handler; needs System.Web, System.Web.Security and System.Security.Principal
void Application_AuthenticateRequest (Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;
    // Only replace the principal for requests that carry a valid forms-authentication ticket
    if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
    {
        FormsIdentity identity = (FormsIdentity) app.User.Identity;
        // Find out what role (if any) the user belongs to
        string role = GetUserRole (identity.Name); // From DB (defined elsewhere in the application)
        // Create a GenericPrincipal containing the role name
        // and assign it to the current request
        if (role != null)
            app.Context.User = new GenericPrincipal (identity, new string[] { role });
    }
}
```

Multiple roles?

```csharp
if (role != null)
    app.Context.User = new GenericPrincipal (identity, new string[] { role });
```

The 2nd parameter is a string array and hence could be:

```csharp
new GenericPrincipal (identity, new string[] { "Manager", "Developer" });
```

In Web.config we can say:
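To make the order-sensitivity of the allow/deny rules and the role check on the GenericPrincipal concrete, here is a small C# model of how URL-authorization rules are evaluated (an added example, not code from the book or from ASP.NET itself): AuthRule, IsAllowed and the constructed rule lists are assumed names, and HTTP verbs are left out of the model.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// One <allow> or <deny> line of an <authorization> section (HTTP verbs ignored in this model).
public class AuthRule
{
    public bool Allow;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];
    public bool Matches (IPrincipal p)
    {
        bool authenticated = p.Identity.IsAuthenticated;
        foreach (string u in Users)
        {
            if (u == "*") return true;                    // everyone, authenticated or not
            if (u == "?" && !authenticated) return true;  // anonymous users only
            if (authenticated && u.Equals (p.Identity.Name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        foreach (string r in Roles)
            if (authenticated && p.IsInRole (r)) return true;
        return false;
    }
}
public static class UrlAuthorization
{
    // Rules are walked in the order written and the first match decides. With no match the request
    // is allowed: the machine-level root Web.config appends <allow users="*" /> after the app's rules.
    public static bool IsAllowed (IList<AuthRule> rules, IPrincipal p)
    {
        foreach (AuthRule rule in rules)
            if (rule.Matches (p)) return rule.Allow;
        return true;
    }
    public static void Main ()
    {
        // Constructed equivalent of <allow roles="Manager" /> followed by <deny users="*" />
        AuthRule allowManagers = new AuthRule { Allow = true,  Roles = new[] { "Manager" } };
        AuthRule denyEveryone  = new AuthRule { Allow = false, Users = new[] { "*" } };
        AuthRule[] correct  = { allowManagers, denyEveryone };
        AuthRule[] reversed = { denyEveryone, allowManagers };   // deny now matches first, for Jeff too
        // Principals shaped like the one built in Application_AuthenticateRequest
        IPrincipal jeff = new GenericPrincipal (new GenericIdentity ("Jeff"), new[] { "Manager" });
        IPrincipal anon = new GenericPrincipal (new GenericIdentity (""), new string[0]);
        Console.WriteLine ("Jeff, correct order:  " + IsAllowed (correct, jeff));
        Console.WriteLine ("anonymous, correct:   " + IsAllowed (correct, anon));
        Console.WriteLine ("Jeff, reversed order: " + IsAllowed (reversed, jeff));
    }
}
```

Swapping the two rules changes the answer for Jeff even though he is a Manager, which is the order-sensitivity the slides warn about.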