ASP.NET Web API – Security Questions and Answers. Ivan Marković, Cloud Solutions Program Manager/Technology Evangelist, SPAN.

Presentation transcript:


ASP.NET Web API in Modern Architecture ASP.NET Web API

About me: Ivan Marković, SPAN, Cloud Solutions Program Manager/Technology Evangelist, Student

Agenda 1. ASP.NET Web API Pipeline 2. OAuth 2.0

ASP.NET Web API Pipeline

Request Lifecycle (Application Domain)
WebAPIApplication : HttpApplication
RouteTable.Routes
HttpWebRoute : Route
HttpControllerRouteHandler : IRouteHandler
HttpControllerHandler : IHttpAsyncHandler, IHttpHandler
HttpServer : DelegatingHandler
AllRoutesHandler : DelegatingHandler
HttpRoutingDispatcher : DelegatingHandler
PerRouteHandler : DelegatingHandler
HttpControllerDispatcher : DelegatingHandler
ApiController : IHttpController
AuthorizationFilters
ActionFilters
HttpContext, HttpRequest, HttpResponse

Pipeline in Web API 2.0
HttpModule: host/framework independent concerns
MessageHandler: Web API cross-cutting concerns, e.g. CORS
Authentication Filter: Web API specific authentication
Authorization Filter: authorization

HTTP Module: Allows security code to execute early, as part of the IIS pipeline. The principal established by an HTTP module is available to all downstream components. The biggest drawback of HTTP modules is the lack of granularity.

Message Handler: Runs before authentication and authorization filters. A message handler runs only for Web API requests. A message handler can be configured to run as a global handler for all requests or for a specific route. The downside of using a message handler is the lack of finer control.

Action Filter: Another extensibility option provided by ASP.NET Web API. It runs after the authorization filters in the ASP.NET Web API pipeline.

Authentication vs Authorization
Authentication is knowing the identity of the user. E.g.: Login()
Authorization is deciding whether a user is allowed to perform an action. E.g.: Read, Write, Delete

Authorization Filter: Another extensibility option provided by ASP.NET Web API. The order of execution of authorization filters isn't guaranteed by ASP.NET Web API.

Authentication Filter: Authentication filters run after message handlers but before all other filter types. Authentication filters run before authorization filters! Authentication filters offer a level of control, or granularity, that makes them particularly useful.

Authentication Filter + Authorization Filter
Request with no credential: the authentication filter takes no action; the authorization filter rejects the request for lack of an authenticated principal; the action method does not execute. Result: 401 Unauthorized response.

Authentication Filter + Authorization Filter
Request with invalid credential: the authentication filter sets context.ErrorResult to an unauthorized result; the authorization filter does not execute; the action method does not execute. Result: Unauthorized response.

Authentication Filter + Authorization Filter
Request with valid credential: the authentication filter sets context.Principal to an authenticated principal; the authorization filter successfully authorizes because the identity is authentic; the action method runs and produces a response. Result: response message returned, with no further action taken by the filters.
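As an added example (not code from the presentation), a minimal Web API 2 authentication filter that produces the three outcomes described above: no credential, invalid credential, valid credential. The Basic scheme, the attribute name and the hard-coded demo credential are assumptions made for illustration only.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Hypothetical filter written for this example; the Basic scheme and the demo credential are assumptions.
public class DemoBasicAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        // Case 1: no credential -> take no action. A downstream [Authorize] filter then
        // rejects the request for lack of an authenticated principal (401 Unauthorized).
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);

        ClaimsPrincipal principal = TryValidate(auth.Parameter);
        if (principal == null)
            // Case 2: credential present but invalid -> set ErrorResult. Web API short-circuits:
            // authorization filters and the action method do not execute.
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
        else
            // Case 3: valid credential -> set Principal; [Authorize] then succeeds and the action runs.
            context.Principal = principal;
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // A production filter wraps context.Result to add a WWW-Authenticate header to 401 responses.
        return Task.FromResult(0);
    }

    // Constructed credential check: decodes "user:password" and accepts one demo pair only.
    private static ClaimsPrincipal TryValidate(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); }
        catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');
        if (colon < 0 || decoded.Substring(0, colon) != "demo" || decoded.Substring(colon + 1) != "demo-secret")
            return null;
        return new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo") }, "Basic"));
    }
}
```

Apply it together with [Authorize] on a controller or action; the 401 for the no-credential case comes from [Authorize], the 401 for the invalid-credential case from the filter's ErrorResult.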

ASP.NET Web API Pipeline Demo

OAuth 2.0

Enterprise Security

Modern Applications: Users, Clients, Web APIs

OAuth 2.0 User Client Application Authentication Server Resource Server

OAuth 2.0 User Client Application Authentication Server Resource Server Access token

OAuth 2.0 User Client Application Authentication Server Resource Server Access token: { "iss": "myAuthzServer", "aud": "application", "exp": " ", "scope": ["search", "read"], "client_id": "client1" }
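As an added example that is not part of the presentation, an authorization filter for the resource server that enforces the "scope" values carried in the access token above. It assumes that token validation (signature, "iss", "aud", "exp") has already happened upstream and that the resulting claims are on the request principal; the attribute name is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter for this example. It assumes an earlier step (message handler or authentication
// filter) has validated the token's signature, "iss", "aud" and "exp" and put its claims on the principal.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequireScopeAttribute : AuthorizationFilterAttribute
{
    private readonly string[] _required;

    public RequireScopeAttribute(params string[] required) { _required = required; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // No authenticated principal: the authentication step took no action (no credential) -> 401.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated but missing a scope is an authorization failure -> 403, not 401.
        if (!HasScopes(principal, _required))
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "insufficient_scope: requires " + string.Join(" ", _required));
    }

    // Scopes may arrive as one space-delimited "scope" claim or as several "scope" claims
    // (the slide's token carries ["search","read"]); both shapes are normalised here.
    public static bool HasScopes(ClaimsPrincipal principal, IEnumerable<string> required)
    {
        var granted = new HashSet<string>(
            principal.FindAll("scope")
                     .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)),
            StringComparer.Ordinal);
        return required.All(granted.Contains);
    }
}

// Usage: [RequireScope("read")] on a GET action, [RequireScope("search")] on a search action.
```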

Conclusion
HttpModule: host/framework independent concerns
MessageHandler: Web API cross-cutting concerns, e.g. CORS
Authentication Filter: Web API specific authentication
Authorization Filter: authorization

Conclusion User Client Application Authentication Server Resource Server

Q & A