Role based Security in .NET. By Aasia Riasat, CS-795.

Role based Security in .NET
Use Forms authentication to obtain and validate user credentials. Create FormsAuthenticationTicket objects based on the name and roles retrieved from the data store. Use the GenericPrincipal class, which provides the role-based authorization checking functionality; ASP.NET requires it to be stored in HttpContext.User to relate it to the current application HTTP request. Use these objects to make authorization decisions.

Role based Security in .NET
The .NET Framework provides support for the implementation of role-based security, which consists of Authentication (identity) and Authorization (rights). .NET provides access to the user through an identity, and authorization access through a principal object. Identities correspond to users and their properties; identity classes belong to the System.Security.Principal namespace. Roles are strings of role names added to a principal to associate the current user with his assigned roles. A principal object is a collection of information about the identity and roles that the current user is associated with. The System.Security.Principal namespace contains two classes, GenericPrincipal and WindowsPrincipal, that are used to determine the properties of a principal object. .NET uses the principal object to gain information about the identity and roles of a user.

Role based Security in .NET
Create a Web Application with a Logon Page. Configure the Web Application for Forms Authentication. Generate an Authentication Ticket for Authenticated Users. Construct GenericPrincipal and FormsIdentity objects. Use these objects to implement role-based security.

Creating web application with Login Page
Create a new ASP.NET Web Application called RoleBasedSecurity. Rename WebForm1.aspx to Logon.aspx. Add controls to Logon.aspx to create a logon form. Set the "TextMode" property of the password TextBox control to Password. In Solution Explorer, right-click "RoleBasedSecurity" and click Add Web Form. Enter Default.aspx as the new form's name and set it as the start-up page.

Creating a web application with Login Page

Application’s Web.Config file

Generate Authentication Ticket for Authenticated Users
The authentication ticket is a type of cookie used by the ASP.NET Forms Authentication Module (System.Web.Security namespace). Add "using System.Web.Security;" to the Logon.aspx WebForm1 class. Add the following private methods, IsAuthenticated and GetRoles, to Logon.aspx's WebForm1 class. These methods will be used to authenticate the user and to get his identity and roles.

Generate Authentication Ticket for Authenticated Users

    private bool IsAuthenticated( string username, string password )
    {
        // This code would typically validate the user name and password
        // combination against SQL or some other database and return true
        // or false based on the credentials found in the database.
        // (This stub accepts every credential pair; it is for demonstration only.)
        return true;
    }

    private string GetRoles( string username, string password )
    {
        // GetRoles gets the role list from the database and returns
        // a pipe-delimited string containing roles. This format is
        // convenient for storing roles in the authentication ticket.
        return "Senior Manager|Manager|Employee";
    }

Generating Authentication Ticket for Users

    private void btnLogon_Click(object sender, System.EventArgs e)
    {
        bool isAuthenticated = IsAuthenticated( txtUserName.Text, txtPassword.Text );
        if ( isAuthenticated == true )
        {
            string roles = GetRoles( txtUserName.Text, txtPassword.Text );
            // Create the authentication ticket
            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
                1,                            // version
                txtUserName.Text,             // user name
                DateTime.Now,                 // issue time
                DateTime.Now.AddMinutes(60),  // expiration
                false,                        // not persistent
                roles );                      // user data: pipe-delimited roles
            // Encrypt the ticket.
            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            // Create a cookie and add the encrypted ticket to the cookie as data.
            HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            // Add the cookie to the outgoing cookies collection returned to the user's browser
            Response.Cookies.Add(authCookie);
            // Redirect the user to the originally requested page
            Response.Redirect( FormsAuthentication.GetRedirectUrl(txtUserName.Text, false) );
        }
    }
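The IsAuthenticated stub above returns true for every credential pair, so the roles in the ticket are handed to anyone who submits the form. The following added example (not code from the presentation) shows what the two stubs would look like with a real credential check, using a hypothetical CredentialStore class with constructed in-memory users; AddUser, Authenticate and IssueTicket are names assumed here, not ASP.NET APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
// Hypothetical CredentialStore replacing the slides' IsAuthenticated/GetRoles stubs.
// Users live in a constructed in-memory table of salted PBKDF2 hashes; a real
// application would read the same fields (salt, hash, roles) from its database.
public static class CredentialStore
{
    private sealed class Entry { public byte[] Salt; public byte[] Hash; public string Roles; }
    private static readonly Dictionary<string, Entry> Users =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private const int Iterations = 100000;
    // Store a user: fresh random salt, PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes.
    public static void AddUser(string username, string password, string pipeDelimitedRoles)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users[username] = new Entry { Salt = salt, Hash = Derive(password, salt), Roles = pipeDelimitedRoles };
    }
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }
    // Compare every byte so a wrong password does not fail faster at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Returns the user's pipe-delimited roles on success, or null on failure. Unknown
    // names still run the KDF against a dummy salt so timing does not reveal which exist.
    public static string Authenticate(string username, string password)
    {
        Entry e;
        bool known = Users.TryGetValue(username ?? "", out e);
        byte[] candidate = Derive(password ?? "", known ? e.Salt : new byte[16]);
        return known && FixedTimeEquals(candidate, e.Hash) ? e.Roles : null;
    }
    // Issue the ticket as the slides do, but mark the cookie HttpOnly (unreadable by script)
    // and Secure when the site requires SSL, so the role-bearing ticket is harder to steal.
    public static void IssueTicket(HttpResponse response, string username, string roles)
    {
        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
            DateTime.Now.AddMinutes(60), false, roles);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }
}
```

Register constructed users once at application start, e.g. CredentialStore.AddUser("alice", "sample-password", "Senior Manager|Manager|Employee"); in btnLogon_Click, call Authenticate and only when it returns non-null roles call IssueTicket and redirect.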

Creating GenericPrincipal & FormsIdentity objects
Implement the Application_AuthenticateRequest event handler in the Global.asax file. Add the following using statements to the top of the Global.asax file: using System.Web.Security; using System.Security.Principal; Create GenericPrincipal and FormsIdentity objects based on the information contained within the authentication ticket.

GenericPrincipal & FormsIdentity objects

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];
        if (null == authCookie)
        {
            return; // There is no authentication cookie.
        }
        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            return; // Log exception details (omitted for simplicity)
        }
        if (authTicket == null)
        {
            return; // Cookie failed to decrypt.
        }
        // Ticket contains pipe delimited string of role names.
        string[] roles = authTicket.UserData.Split(new char[] { '|' });
        // Create an Identity object
        FormsIdentity id = new FormsIdentity( authTicket );
        // This principal will flow throughout the request.
        GenericPrincipal principal = new GenericPrincipal(id, roles);
        // Attach the principal object to the current HttpContext object
        Context.User = principal;
    }
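The handler above turns any cookie that decrypts into a principal, without looking at the ticket's expiry or at whether UserData is empty. The added example below (not the presentation's Global.asax code) performs the same cookie-to-principal step with those two checks; TicketPrincipal, FromTicket and AuthenticateRequest are hypothetical names assumed here.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical TicketPrincipal helper: the same cookie-to-principal step as the slides'
// Global.asax handler, plus two checks it omits. FormsAuthentication.Decrypt does not by
// itself reject an expired ticket, so a stale cookie would otherwise still become a
// principal carrying every role it was issued with.
public static class TicketPrincipal
{
    // Build the principal only from a ticket that is still valid; otherwise return null.
    public static IPrincipal FromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return null;
        // RemoveEmptyEntries: empty UserData must yield no roles, not one empty-string
        // role that a later IsInRole("") check would match.
        string[] roles = (ticket.UserData ?? "").Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Body for Application_AuthenticateRequest: pass in Context from Global.asax.
    public static void AuthenticateRequest(HttpContext context)
    {
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return; // anonymous request

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (Exception) { /* tampered or foreign cookie: fall through as anonymous; log in production */ }

        IPrincipal principal = FromTicket(ticket);
        if (principal == null)
        {
            FormsAuthentication.SignOut(); // expired or invalid: tell the browser to drop the cookie
            return;
        }
        context.User = principal;
    }
}
```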

Testing the application
Add code to the Default.aspx file to display information from the Principal object attached to the current HttpContext object. Confirm that the object has been correctly constructed and assigned to the current Web request, and test the role-based functionality supported by the GenericPrincipal class. Add the following using statement beneath the existing using statements: using System.Security.Principal;

Testing the application (Coding Default.aspx)

    private void Page_Load(object sender, System.EventArgs e)
    {
        IPrincipal p = HttpContext.Current.User;
        Response.Write( "Authenticated Identity is: " + p.Identity.Name );
        Response.Write( " " );
        if ( p.IsInRole("Senior Manager") )
            Response.Write( "User is in Senior Manager role " );
        else
            Response.Write( "User is not in Senior Manager role " );
        if ( p.IsInRole("Manager") )
            Response.Write( "User is in Manager role " );
        else
            Response.Write( "User is not in Manager role " );
        if ( p.IsInRole("Employee") )
            Response.Write( "User is in Employee role " );
        else
            Response.Write( "User is not in Employee role " );
        if ( p.IsInRole("Sales") )
            Response.Write( "User is in Sales role " );
        else
            Response.Write( "User is not in Sales role " );
    }

Testing the application
