ASP.Net Role-based Security Chapter 10 (Freeman and Jones) CS795/895.

Presentation transcript:

ASP.Net Role-based Security Chapter 10 (Freeman and Jones) CS795/895

Role-based security: Basics

Roles are often used in financial or business applications to enforce policy.
– For example, an application might impose limits on the size of the transaction being processed depending on whether the user making the request is a member of a specified role.
– Clerks might have authorization to process transactions that are less than a specified threshold, supervisors might have a higher limit, and vice-presidents might have a still higher limit (or no limit at all).
– Role-based security can also be used when an application requires multiple approvals to complete an action. Such a case might be a purchasing system in which any employee can generate a purchase request, but only a purchasing agent can convert that request into a purchase order that can be sent to a supplier.

Role-based security (RBS): .Net

In .Net RBS, an identity represents the user on whose behalf code is running (e.g., a Windows local user or another, non-local user). A principal encapsulates an identity and the roles to which the identity belongs.
– If the identity represents a Windows user account, the roles identify the Windows groups to which the user belongs.
– Otherwise, it could be based on other authentication mechanisms.
The .Net runtime uses the principal as the primary basis for role-based security decisions. While Windows security operates at the OS level, .Net RBS operates at the application level.
– For example, you can allow only users who are members of certain roles to call an important method.
– You may make different menu items visible depending on the roles of the current user.
Each thread (not a process) running .Net code has a principal associated with it. Use of .Net RBS is optional; the programmer is responsible for deciding what is protected by .Net RBS by expressing it in the code.
– .NET Framework applications can make authorization decisions based on the principal's identity or role membership, or both.
– A role is a named set of principals that have the same privileges with respect to security (such as a teller or a manager).
– A principal can be a member of one or more roles. Therefore, applications can use role membership to determine whether a principal is authorized to perform a requested action.

Programming Role-based Security

+Role-Based+Security/10.2+Programming+Role-Based+Security/
Use the System.Security.Principal namespace.
IIdentity represents the identity interface. Properties:
– AuthenticationType: gets the type of authentication used.
– IsAuthenticated: gets a value that indicates whether the user has been authenticated.
– Name: gets the name of the current user.
IPrincipal represents the principal interface.
– Property: Identity gets the identity of the current principal.
– Method: IsInRole determines whether the current principal belongs to the specified role.
Note that the IPrincipal interface does not allow you to enumerate all possible roles for an identity. Instead, you can only test whether it has a given role.
Since not all applications use RBS, the .Net runtime does not automatically assign an IPrincipal object to every thread (for efficiency).
– When an application intends to use RBS, it must either assign an IPrincipal to a thread manually or configure the runtime to create one automatically the first time it is needed.

Programming Role-based Security (cont.)

In general, authorization requirements are as follows:
– Users should have proper credentials to access a resource.
– Certain users need to be denied access to particular resources.
– Only certain users should be allowed to access particular resources.
If you intend to use RBS, you must either assign an IPrincipal to a thread manually or configure the runtime to create one automatically:
– Use System.AppDomain.SetThreadPrincipal to have one generated automatically for each thread, or
– Set the current thread's IPrincipal manually using the System.Threading.Thread.CurrentPrincipal property.

Making Role-based Security Demands

Based solely on the identity and roles of the active thread's principal.
Imperative role-based security statements:
– Commonly used constructor: PrincipalPermission
– Each PrincipalPermission can specify only a single role name. A null name or role means that component is not matched (any value passes).
– public PrincipalPermission(string name, string role)

    PrincipalPermission p1 = new PrincipalPermission("John", "Manager");
    p1.Demand(); // passes only if the current principal is named John and is in the Manager role
    PrincipalPermission p2 = new PrincipalPermission(null, "Programmer");
    p2.Demand(); // any authenticated user in the Programmer role
    PrincipalPermission p3 = new PrincipalPermission("Kevin", null);
    p3.Demand(); // the user named Kevin, whatever roles he holds

PrincipalPermission explanation: http://msdn.microsoft.com/en-us/library/system.security.permissions.principalpermission.aspx

Making Role-based Security Demands (cont.)

Using declarative role-based security statements:
– PrincipalPermissionAttribute may be applied to classes, methods, properties, or events to force declarative demands.
– This cannot be applied at the assembly level.
– Demand, LinkDemand, and InheritanceDemand are the only RBS statements allowed.

    [PrincipalPermission(SecurityAction.Demand, Name = "John", Role = "Manager")]
    [PrincipalPermission(SecurityAction.Demand, Role = "Programmer")]
    [PrincipalPermission(SecurityAction.Demand, Name = "Kevin")]
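The three preceding slides (assigning a principal to the thread, then demanding it imperatively and declaratively) fit together in one runnable .NET Framework console program. This is an added example, not code from the Freeman and Jones slides; the users "alice" and "bob" and the roles "Clerk" and "Manager" are constructed sample data, and the method names are hypothetical.

```csharp
// Added example (not from the slides): assign a principal to the current thread,
// then enforce role membership imperatively (PrincipalPermission.Demand) and
// declaratively (PrincipalPermissionAttribute). Targets .NET Framework, where
// PrincipalPermission is supported. Users/roles below are constructed sample data.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleBasedSecurityDemo
{
    // Declarative demand: the runtime checks Thread.CurrentPrincipal before the
    // method body runs. Name is omitted, so any authenticated Manager passes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    static void ApproveLargeTransaction(decimal amount)
    {
        Console.WriteLine("Approved transaction of {0}", amount);
    }

    // Imperative demand: the same policy expressed in code. A null name means
    // "any user", so only the role has to match.
    static void PostTransaction(decimal amount)
    {
        var clerkOnly = new PrincipalPermission(null, "Clerk");
        clerkOnly.Demand(); // throws SecurityException if the principal is not a Clerk
        Console.WriteLine("Posted transaction of {0}", amount);
    }

    // Runs an action with an application-defined principal on the current thread.
    // GenericIdentity/GenericPrincipal carry roles independent of Windows groups.
    static bool RunAs(string user, string[] roles, Action action)
    {
        IPrincipal previous = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            action();
            return true;
        }
        catch (SecurityException)
        {
            Console.WriteLine("{0}: access denied", user);
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = previous; // never leave an elevated principal behind
        }
    }

    static void Main()
    {
        // Alternative to setting every thread by hand: a default principal that threads
        // without one receive. May be called only once per AppDomain, so do it first.
        // An empty name makes GenericIdentity.IsAuthenticated false, so demands that
        // require an authenticated user fail on such threads.
        AppDomain.CurrentDomain.SetThreadPrincipal(
            new GenericPrincipal(new GenericIdentity(""), new string[0]));

        // IPrincipal can only be asked "is this principal in role X?"; it cannot list roles.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        Console.WriteLine("alice is Clerk: {0}", Thread.CurrentPrincipal.IsInRole("Clerk"));     // True
        Console.WriteLine("alice is Manager: {0}", Thread.CurrentPrincipal.IsInRole("Manager")); // False

        RunAs("alice", new[] { "Clerk" }, () => PostTransaction(500m));                    // allowed
        RunAs("alice", new[] { "Clerk" }, () => ApproveLargeTransaction(50000m));          // denied
        RunAs("bob", new[] { "Clerk", "Manager" }, () => ApproveLargeTransaction(50000m)); // allowed
    }
}
```

The declarative attribute and the imperative Demand read the same Thread.CurrentPrincipal, which is why RunAs restores the previous principal in a finally block: a demand that succeeds on a thread whose principal was never reset would silently authorize later work as the earlier user.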

Calculation of Permissions

– The default permission is to allow access for all users.
– Upon calculation of a merged rule set, the system checks the rules in order until it finds a match: either allow or deny.
– When a deny is encountered, the system returns a 401 error: Unauthorized access.

Example:
At the application level, include in web.config:
At a particular page level, we can add this to web.config:
Denies access to this page to any windows user.
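The merged-rule-set evaluation described above can be made concrete with a small model. This is an added example, not from the slides: the rule set, page names, users and roles are constructed sample data, and the evaluator reproduces the documented first-match semantics (most specific location first, then parent web.config, then the root configuration's allow-everyone rule) rather than calling ASP.NET's own UrlAuthorizationModule.

```csharp
// Added example (not from the slides): a model of how ASP.NET URL authorization
// walks the merged <allow>/<deny> rule set. Rules, users and roles are constructed
// sample data; this simulates the documented semantics, it is not the real module.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

enum Verb { Allow, Deny }

sealed class AuthRule
{
    public Verb Verb;
    public string[] Users = new string[0]; // "*" = everyone, "?" = anonymous users
    public string[] Roles = new string[0];
    public string Source;                  // which configuration level supplied the rule

    public bool Matches(IPrincipal p)
    {
        bool anonymous = p == null || p.Identity == null || !p.Identity.IsAuthenticated;
        foreach (string u in Users)
        {
            if (u == "*") return true;
            if (u == "?" && anonymous) return true;
            if (!anonymous && string.Equals(u, p.Identity.Name, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return !anonymous && Roles.Any(p.IsInRole);
    }
}

static class UrlAuthorization
{
    // Merged order: rules from the most specific <location> first, then the parent
    // web.config, then the machine-level root, which ends with <allow users="*"/>.
    // The first matching rule decides; a Deny becomes HTTP 401.
    public static bool IsAllowed(IList<AuthRule> merged, IPrincipal p, out string reason)
    {
        foreach (AuthRule rule in merged)
        {
            if (rule.Matches(p))
            {
                reason = rule.Verb + " from " + rule.Source;
                return rule.Verb == Verb.Allow;
            }
        }
        reason = "no rule matched, default allow";
        return true;
    }

    static IList<AuthRule> RulesFor(string page)
    {
        var merged = new List<AuthRule>();
        if (page.Equals("Admin.aspx", StringComparison.OrdinalIgnoreCase))
        {
            // <location path="Admin.aspx">: <allow roles="Manager"/> then <deny users="*"/>
            merged.Add(new AuthRule { Verb = Verb.Allow, Roles = new[] { "Manager" }, Source = "location Admin.aspx" });
            merged.Add(new AuthRule { Verb = Verb.Deny, Users = new[] { "*" }, Source = "location Admin.aspx" });
        }
        // application web.config: <deny users="?"/> (no anonymous access anywhere)
        merged.Add(new AuthRule { Verb = Verb.Deny, Users = new[] { "?" }, Source = "application web.config" });
        // root web.config: <allow users="*"/>
        merged.Add(new AuthRule { Verb = Verb.Allow, Users = new[] { "*" }, Source = "root web.config" });
        return merged;
    }

    static void Check(string page, IPrincipal p)
    {
        string reason;
        bool ok = IsAllowed(RulesFor(page), p, out reason);
        string who = p.Identity.IsAuthenticated ? p.Identity.Name : "anonymous";
        Console.WriteLine("{0} -> {1}: {2} ({3})", who, page, ok ? "200 OK" : "401 Unauthorized", reason);
    }

    static void Main()
    {
        var clerk = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        var manager = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Manager" });
        var anon = new GenericPrincipal(new GenericIdentity(""), new string[0]); // empty name = unauthenticated

        Check("Default.aspx", clerk);  // 200: falls through to the root allow
        Check("Default.aspx", anon);   // 401: application-level deny users="?"
        Check("Admin.aspx", clerk);    // 401: page-level deny users="*" wins before the root allow
        Check("Admin.aspx", manager);  // 200: page-level allow roles="Manager" matches first
    }
}
```

The ordering is the security-relevant point: an allow rule placed after a broad deny never fires, and a page-level `<deny users="*"/>` with no preceding allow locks out every authenticated user, which is what the slide's page-level example does.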

Authorization Checks in Code

We can control access even at a button level using checks in the code.
If {user1, user2} are made into a single group called validgroup, then:

    using System.Threading;

    // Verbatim string: in an ordinary C# literal "\v" would be a vertical-tab escape
    if (Thread.CurrentPrincipal.IsInRole(@"localhost\validgroup"))
    {
        Response.Write("You have access");
    }
    else
    {
        Response.Redirect("AuthorizationError.aspx");
    }

Demanding Credentials

    using System.Security;
    using System.Security.Permissions;

    try
    {
        // Passes only if the current principal is user1 and is in validgroup
        PrincipalPermission pp = new PrincipalPermission("user1", "validgroup");
        pp.Demand();
        Response.Write("PrincipalPermission successful");
    }
    catch (SecurityException se)
    {
        Response.Write("PrincipalPermission Denied");
    }

Merging PrincipalPermission objects:

    try
    {
        PrincipalPermission pp1 = new PrincipalPermission("user1", "validgroup");
        PrincipalPermission pp2 = new PrincipalPermission("user2", "validgroup");
        // The union passes if either permission alone would pass (user1 or user2 in validgroup)
        PrincipalPermission pp3 = (PrincipalPermission)pp1.Union(pp2);
        pp3.Demand();
        Response.Write("PrincipalPermission successful");
    }
    catch (SecurityException se)
    {
        Response.Write("PrincipalPermission Denied");
    }

PrincipalPermissionAttribute: Another way to Authorize

Place the following code above the method declaration:

    [PrincipalPermissionAttribute(SecurityAction.Demand, Name = "user1", Role = "validusers")]

or

    [PrincipalPermissionAttribute(SecurityAction.Demand, Role = "validusers")]