WEB-API & MVC5 - Identity & Security Mait Poska & Andres Käver, IT Kolledž 2014.

Presentation transcript:

WEB-API & MVC5 - Identity & Security Mait Poska & Andres Käver, IT Kolledž 2014

Transport security (slide 2)
- HTTPS == HTTP over TLS (RFC 1818)
- Tunnels unprotected HTTP and adds:
  - Server authentication: is it really amazon.com?
  - Integrity protection: nobody can change your book order in the middle of the communication
  - Replay protection: nobody can take your packet and resend it 500 times
  - Confidentiality (encryption): nobody knows what book you are buying

Security Architecture (slide 3)
- Overview
- Hosting
- Message handlers
- Authentication filter
- Authorization filter
- Accessing client identity

WEB-API Overview (slide 4)
- No dependencies on a specific host: IIS, self-host, OWIN & Katana
- No ASP.NET system.web

Security pipeline (slide 5)

OWIN system.web hosting (slide 6)

OWIN Middleware (slide 7)

Katana Authentication Middleware (slide 8)

MessageHandler (slide 9)
- Web API, global or per-route

Authentication Filter (slide 10)

Authorization Filter (slide 11)
- Determines if a resource needs authentication
- [AllowAnonymous] skips authorization for an action
- Emits the 401 code if unsuccessful

Accessing the Client Identity (slide 12)
- RequestContext: HttpRequestMessage plus the hosting environment
- ApiController.User is now a shortcut to the request context (it used to be Thread.CurrentPrincipal in Web API 1)
- Could be null

Demo - Pipeline (slide 13)

Summary (slide 14)
- Web API security extensibility is a pipeline: Katana, authentication filters, authorization filters
- Avoid host (IIS) specific dependencies
- HttpRequestMessage.GetRequestContext().Principal is the one-stop shop for client identity

JS/Browser-based clients (slide 15)
- Same origin policy
- Implicit browser authentication
- Cross Site Request Forgery (CSRF)
- Cross Origin Resource Sharing (CORS)

Same Origin Policy (slide 16)
- Sandboxes scripts, communication and implicit browser authentication

Using same-domain for Auth (slide 17)
- Web APIs inherit the security settings of the web host: cookies, Win/Basic auth, client certs ...

CSRF (slide 18)

CSRF – Web API 2 (slide 19)

Web API 2 – demo – Fiddler (slide 20)
- GET

Web API 2 – Register user (slide 21)
- POST
- Request headers: Content-Type: application/json
- Request body: { "Password": "parool", "ConfirmPassword": "parool", " ": }

Web API 2 – Authenticate (slide 22)
- POST
- Request headers: Content-Type: application/x-www-form-urlencoded
- Request body: password=parool

Web API 2 – Authenticate (slide 23)
- A bearer token is a particular type of access token. An access token is a credential string that authorizes a client to access a protected resource (RFC 6749).
- A bearer token is an access token that can be used by any client in possession of it (RFC 6750).
- Bearer tokens must be used with SSL.

Web API 2 – Authorized request (slide 24)
- GET
- Request headers: Authorization: Bearer mBKN9H_zaix….
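The filter pipeline from slides 10 to 14 applied to the "Authorization: Bearer" request on this slide, as an added example that is not code from the deck: an authentication filter that turns a valid bearer header into a principal (or a 401 error result for an invalid one), and a controller whose [Authorize] / [AllowAnonymous] actions read ApiController.User. The DemoBearerAuthenticationAttribute, OrdersController and the token table are hypothetical; a real application lets Katana's OAuth bearer middleware unprotect the token instead of a lookup table.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
// Authentication filter for "Authorization: Bearer <token>". Token validation is a hypothetical
// lookup table here; in a real app Katana's OAuth bearer middleware unprotects the token.
public class DemoBearerAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    // Constructed sample data: opaque token -> user name (never a plain table in production).
    private static readonly Dictionary<string, string> Tokens =
        new Dictionary<string, string>(StringComparer.Ordinal) { { "mBKN9H_demo-token", "kasutaja" } };
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        // No header or another scheme: stay anonymous and let the authorization filter decide.
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        string user;
        if (string.IsNullOrEmpty(auth.Parameter) || !Tokens.TryGetValue(auth.Parameter, out user))
        {
            // Credentials present but invalid: ErrorResult short-circuits the pipeline with a 401.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Bearer");
        context.Principal = new ClaimsPrincipal(identity); // what ApiController.User returns downstream
        return Task.FromResult(0);
    }
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0); // a production filter would add "WWW-Authenticate: Bearer" to 401 results here
    }
}
[DemoBearerAuthentication, Authorize] // authorization filter: 401 unless a principal was established
public class OrdersController : ApiController
{
    [AllowAnonymous]
    public IHttpActionResult GetCatalog() { return Ok("public catalog"); }
    // User is the Web API 2 shortcut to the request context principal (Thread.CurrentPrincipal in Web API 1)
    public IHttpActionResult GetMyOrders() { return Ok("orders of " + User.Identity.Name); }
}
```

With this in place a GET on GetMyOrders with "Authorization: Bearer mBKN9H_demo-token" succeeds, the same request with a wrong token gets 401 from the ErrorResult, and a request with no header at all gets 401 from [Authorize] while GetCatalog still answers anonymously.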

CORS (slide 25)


THE END (slide 27)
Mait Poska & Andres Käver

Classic/Basic authentication (slide 28)
- Anti-pattern:
  - The client must store the secret or obtain it from the user (on every request)
  - Storage in clear text (or reversible encryption)
  - The server has to validate the secret on every request
  - High computational cost: brute-force protection is paid on every request
  - High probability of accidental exposure of the secret

Basic authentication (slide 29)
- Base64-encoded credentials in the Authorization header
- GET /service/resource
- Authorization: Basic base64(username:password)
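The header format on this slide handled by a Web API message handler (slide 9), as an added example that is not code from the deck: it decodes the Basic parameter, hands the secret to a password verifier and either sets the request principal or answers 401 with a challenge. BasicAuthHandler and the verify delegate are hypothetical; the delegate is assumed to compare against a stored password hash, and the handler refuses the scheme over plain HTTP because the secret is resent on every request.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Global message handler (config.MessageHandlers.Add(new BasicAuthHandler(verify))) that parses the
// Basic scheme. The password check is a hypothetical delegate expected to compare against a stored hash.
public class BasicAuthHandler : DelegatingHandler
{
    private readonly Func<string, string, bool> _verify;
    public BasicAuthHandler(Func<string, string, bool> verify) { _verify = verify; }
    // "Basic dXNlcjpwYXNz" -> ("user", "pass"). Base64 is encoding, not encryption.
    public static bool TryParse(string parameter, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)); }
        catch (FormatException) { return false; } // not base64 at all
        int colon = decoded.IndexOf(':');        // the user-id cannot contain ':' (RFC 7617); the password may
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            // The secret travels on every request, so refuse to accept it over plain HTTP.
            if (!string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
                return request.CreateResponse(HttpStatusCode.Forbidden, "Basic authentication requires HTTPS");
            string user, password;
            if (!TryParse(auth.Parameter, out user, out password) || !_verify(user, password))
            {
                var reject = request.CreateResponse(HttpStatusCode.Unauthorized);
                reject.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"service\""));
                return reject;
            }
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Basic");
            request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
        }
        return await base.SendAsync(request, cancellationToken); // no Basic header: continue anonymously
    }
}
```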