ASP.NET Security. MacDonald Ch. 18. MIS 424, Professor Sandvig

Overview
  Today:
  - Security concepts and terminology
  - Authentication and authorization
  - Role-based security
  - ASP.NET approaches:
    1. Do it yourself
    2. Windows authentication
    3. Forms authentication
    4. .NET membership provider
Security Terminology: Authentication
  - Process of identifying the user
  - User provides credentials:
    - Username / password
    - ID card, key, fingerprint, eye scan...
  - Authentication is done once, at login

Security Terminology: Authorization
  - Permissions:
    - Which resources the user is allowed to access
    - Type of access: read, write, modify, delete, change permissions...
  - Performed with every request
Example: WWU Library
  Authentication asks "Who are you?"
  - WWU student
  - Lost Canadian
  Authorization asks "What are you allowed to do?"
  - WWU student: check out books, laptops, ILL (interlibrary loan) services...
  - Lost Canadian: look at books, use restrooms, stay warm
Security Terminology: Principle of Least Privilege
  - Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
  - Benefits:
    - Protects data
    - Protects the organization
    - Protects individuals

Role-based Security
  - Permissions are assigned based upon role or job function

Role-based Security
  - Create roles: Administrator, User, Student, Anonymous user, etc.
  - Roles are assigned specific permissions (principle of least privilege)
  - People are assigned to roles

Role-based Security: Benefit
  - Simplifies management of permissions
  - Example: roles in the WWU Banner system
    - Students
    - Faculty
    - Administrators
    - Many types, each with specific permissions
  - Enforced at both the application and the DB level
ASP.NET Security Approaches
  - Do-it-yourself
  - Forms authentication
  - Windows authentication
  - ASP.NET Membership Provider

Do-it-yourself Authentication
  - Each .aspx page checks for authorization
  - Redirect unauthorized users to the login page
  - A single line of code:

    if (Session["authenticated"] == null) Response.Redirect("Login.aspx");
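The one-line check above has to appear in every page and is easy to forget. The following is an added example (not code from the slides) of the same do-it-yourself approach placed in a base class that every protected page inherits from, so the check runs before any markup is rendered and role authorization is repeated on every request. The class and property names (SecurePage, AllowedRoles) and the Session keys "username" and "roles" are assumptions for this example; the login page is assumed to populate them after validating credentials.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base page: protected pages inherit from SecurePage instead of
// System.Web.UI.Page, so no .aspx file can omit the check.
public class SecurePage : Page
{
    // Roles permitted to view the page; empty means any authenticated user.
    protected virtual string[] AllowedRoles
    {
        get { return new string[0]; }
    }

    // OnInit runs before Page_Load and before any control renders, so nothing
    // sensitive is written to the response before the decision is made.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Authentication: assumed to be recorded in Session by Login.aspx.
        string user = Session["username"] as string;
        if (string.IsNullOrEmpty(user))
        {
            // Pass the requested URL so Login.aspx can send the user back.
            // Login.aspx must still verify the ReturnUrl it receives is a local
            // path, because the query string is attacker-controlled.
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
            return; // endResponse=true already stops the page; kept for clarity.
        }

        // Authorization: checked on every request, not just at login.
        if (AllowedRoles.Length == 0)
            return;

        string[] roles = Session["roles"] as string[] ?? new string[0];
        foreach (string required in AllowedRoles)
        {
            if (Array.IndexOf(roles, required) >= 0)
                return; // user holds one of the allowed roles
        }

        // Authenticated but not permitted: refuse rather than redirect to the
        // login page, which would only loop.
        Response.StatusCode = 403;
        Response.SuppressContent = true;
        Response.End();
    }
}

// Admin.aspx.cs: the page declares its role requirement and nothing else.
public partial class Admin : SecurePage
{
    protected override string[] AllowedRoles
    {
        get { return new[] { "Administrator" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached for an authenticated user in the Administrator role.
    }
}
```

Two caveats apply to any Session-based scheme like this: the session cookie is the whole credential and carries no signed ticket of its own, so the session ID should be regenerated at login (ASP.NET reuses the same SessionID after Session.Abandon unless the cookie is removed), and the check only covers requests that ASP.NET executes, which is exactly the limitation the next slide lists for static files.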
Do-it-yourself Authentication
  Advantages:
  - Simple
  - Flexible: decided page by page
  - Can authenticate against your own database
  Disadvantages:
  - Need to include the code in every .aspx page
  - Pages need to be executable
    - Excludes .html pages, images, etc.

Windows Authentication
  - Authenticate against Windows user accounts
  - Username/password managed by Windows (Active Directory)
Windows Authentication: Authorization
  - Specified in web.config
  - First-match algorithm: rules are evaluated top to bottom and the first rule that matches the user decides
  - Can be set per directory
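An added example web.config (not from the slides) showing the authorization rules described above, including a per-directory rule and a mis-ordered one that the first-match algorithm silently defeats. The directory names and the Windows group names (DOMAIN\WebAdmins, DOMAIN\Contractors) are assumptions for this example.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- Rules are evaluated top to bottom; the first match wins. ASP.NET
         appends an implicit <allow users="*" /> after the last rule, so an
         authorization section that never denies anyone allows everyone. -->
    <authorization>
      <deny users="?" />   <!-- "?" = anonymous users: force authentication -->
      <allow users="*" />  <!-- "*" = everyone who got past the line above -->
    </authorization>
  </system.web>

  <!-- Per-directory rules: equivalent to a web.config inside Admin\.
       A subdirectory's rules are checked before the parent's rules. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\WebAdmins" />
        <deny users="*" />  <!-- everyone not matched above is refused -->
      </authorization>
    </system.web>
  </location>

  <!-- Wrong order: the first rule matches every user, so the deny on the
       second line is never reached and contractors can read the reports. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow users="*" />
        <deny roles="DOMAIN\Contractors" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The habit that avoids the Reports mistake is to list the specific deny rules first and end every section with an explicit `<deny users="*" />`, so the implicit allow-all at the end can never be reached by accident.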
Windows Authentication
  Benefits:
  - Secures every file type
  - Uses existing Windows accounts
  - Fine-grained control of permissions
  Limitations:
  - Intranet use, not the public web
  - Users need Windows accounts and permissions on the server

Forms Authentication
  - Create a login page
  - Authenticate against any data source: database, LDAP, web service, CAS...
  - The login page (an .aspx file) accesses the database or other data source
  - An authentication ticket is issued as an encrypted cookie
  - The user is redirected back to the requested page
Forms Authentication: How to Configure
  - Web.config file, in the root directory of the application: authentication mode="Forms"
  - Create the login page
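An added example root web.config (not from the slides) for Forms authentication, with the settings a practitioner would check before deploying. The page names (Login.aspx, Default.aspx), the cookie name and the Images directory are assumptions for this example.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             name=".EXAMPLE_AUTH"
             timeout="20"
             slidingExpiration="true"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- Deny anonymous users everywhere; authenticated users are then
         allowed by the implicit allow-all at the end of the rule list. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Ticket and session cookies are not readable from script and are only
         sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- On a web farm, set an explicit <machineKey> with the same
         validationKey and decryptionKey on every server, or tickets issued
         by one server will be rejected by the others. -->
  </system.web>

  <!-- The login page itself must stay reachable anonymously. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Static assets the login page needs (stylesheets, logo). -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The notable choices: protection="All" keeps the ticket both encrypted and signed (the "encrypted cookie" on the previous slide), requireSSL="true" refuses to send it over HTTP, and cookieless="UseCookies" prevents the ticket from ever being carried in the URL where it would land in logs and Referer headers. Note that, like the do-it-yourself approach, these rules only protect requests that pass through ASP.NET; on IIS 6 that excludes static files unless they are mapped to ASP.NET, while the IIS 7+ integrated pipeline applies them to every request.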
ASP.NET Membership
  - Drag-and-drop controls
  - Implements Forms authentication
  - No code required
  - Automatically creates a SQL Server database
  - Can define users and roles
  - Quite sophisticated

ASP.NET Membership Provider
  - No code: "magical"
  - Many configuration options
  - Password recovery (sends the user an e-mail)
  - Change-password control
  - Create groups (roles), programmatically if needed
  - Assign users to groups
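The drag-and-drop controls cover the common pages; for the "programmatically" part above, here is an added example (not from the slides) using the Membership and Roles APIs to create a role, create a user, and put the user in the role, plus the check a page makes afterwards. It assumes web.config has a configured membership provider and `<roleManager enabled="true" />`; the role and account names are assumptions for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Idempotent setup routine, e.g. called once from Global.asax Application_Start
// or an administrative page. Safe to run repeatedly.
public static class MembershipSetup
{
    public const string AdminRole = "Administrator";

    public static void EnsureAdministrator(string userName, string email, string password)
    {
        if (!Roles.RoleExists(AdminRole))
            Roles.CreateRole(AdminRole);

        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
        {
            MembershipCreateStatus status;
            // Password question/answer are null because the provider is assumed
            // to be configured with requiresQuestionAndAnswer="false".
            user = Membership.CreateUser(userName, password, email, null, null, true, out status);
            if (status != MembershipCreateStatus.Success)
                throw new InvalidOperationException("CreateUser failed: " + status);
        }

        if (!Roles.IsUserInRole(userName, AdminRole))
            Roles.AddUserToRole(userName, AdminRole);
    }

    // Role check a page or handler makes on every request; the identity comes
    // from the forms ticket the membership login control issued.
    public static bool CurrentUserIsAdmin(HttpContext context)
    {
        return context.User != null
            && context.User.Identity.IsAuthenticated
            && context.User.IsInRole(AdminRole);
    }
}
```

The provider stores passwords according to its passwordFormat setting; keep the default Hashed rather than Encrypted or Clear, and note that with hashed passwords the PasswordRecovery control cannot mail the old password back and instead generates a new one.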
Summary
  Application security options:
  - Do-it-yourself
  - Windows authentication
  - Forms authentication
  - ASP.NET Membership provider
  Security is a complex topic; other aspects will be discussed later.