1 Security

2 Agenda
- ASP.NET security basics: authentication, authorization, security principals, Forms authentication
- Membership service
- Login controls
- Role Management service

3 ASP.NET Security
- Authentication (Windows, Passport, Forms): who did the request come from?
- Authorization (ACL authorization, URL authorization): what is the caller allowed to do?
- Impersonation: use process identity or caller identity?

4 Windows Authn/File Authz
[Diagram: Bob -> IIS -> ASP.NET -> ASPX file protected by an ACL]
- Anonymous access disabled in IIS; authentication mode="Windows"
- IIS creates an access token identifying Bob and passes it to ASP.NET
- ASP.NET checks the ACL on the requested file and fails the request if Bob lacks read permission

5 Forms Authn/URL Authz
[Diagram: Bob -> ASP.NET -> Login Page, then Bob -> ASP.NET -> ASPX with authentication ticket]
- First access: unauthenticated request is redirected to the login page
- Next access: request carries the authentication ticket and gets authenticated access to the ASPX

6 Setting the Authentication Type

7 Security Principals
- Every call has an associated security principal object representing the current user
- Page.User and HttpContext.User properties expose IPrincipal for the current user
- IPrincipal implementations: GenericPrincipal, WindowsPrincipal
- IIdentity implementations: FormsIdentity, WindowsIdentity, PassportIdentity, GenericIdentity

8 Getting the User Name
If User.Identity.IsAuthenticated Then
    Dim name As String = User.Identity.Name
End If

9 Membership Service
- Service for managing users and credentials
- Declarative access via Web Site Admin Tool
- Programmatic access via Membership and MembershipUser classes
- Membership class provides base services
- MembershipUser class represents users and provides additional services
- Provider-based for flexible data storage

10 Membership Schema
[Diagram: Login controls (Login, LoginStatus, LoginView, other login controls) -> Membership API (Membership, MembershipUser) -> Membership providers (AccessMembershipProvider, SqlMembershipProvider, other membership providers) -> data stores (SQL Server, other data stores)]

11 The Membership Class
- Provides static methods for performing key membership tasks: creating and deleting users, retrieving information about users, generating random passwords, validating logins
- Also includes read-only static properties for acquiring data about provider settings

12 Key Membership Methods
Name: Description
- CreateUser: Adds a user to the membership data store
- DeleteUser: Removes a user from the membership data store
- GeneratePassword: Generates a random password of a specified length
- GetAllUsers: Retrieves a collection of MembershipUser objects representing all currently registered users
- GetUser: Retrieves a MembershipUser object representing a user
- UpdateUser: Updates information for a specified user
- ValidateUser: Validates logins based on user names and passwords

13 Creating New Users
Try
    Membership.CreateUser("Jeff", "imbatman", "jeff@microsoft.com")
Catch e As MembershipCreateUserException
    ' Find out why CreateUser failed
    Select Case e.StatusCode
        Case MembershipCreateStatus.DuplicateUserName
            ' ...
        Case MembershipCreateStatus.DuplicateEmail
            ' ...
        Case MembershipCreateStatus.InvalidPassword
            ' ...
        Case Else
            ' ...
    End Select
End Try
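The slide catches MembershipCreateUserException; the same API also has a CreateUser overload that reports a MembershipCreateStatus through a ByRef parameter instead of throwing. The following is an added example, not code from the deck, showing that overload in a registration page code-behind. The control names UserName, Password, Email and Message are assumed, and the failure messages are kept generic so the page does not confirm which user names or e-mail addresses already exist.

```vb
Imports System
Imports System.Web.Security

' Added example: registration page using the non-throwing CreateUser overload.
' Assumes TextBox controls UserName, Password, Email and a Label named Message.
Partial Class Register
    Inherits System.Web.UI.Page

    Protected Sub CreateButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim status As MembershipCreateStatus

        ' isApproved:=True lets the account log in immediately; pass False to
        ' hold new accounts until an administrator or e-mail step approves them.
        ' passwordQuestion/passwordAnswer are Nothing because this example assumes
        ' requiresQuestionAndAnswer="false" on the provider.
        Dim user As MembershipUser = Membership.CreateUser( _
            UserName.Text, Password.Text, Email.Text, _
            Nothing, Nothing, True, status)

        If status = MembershipCreateStatus.Success Then
            Message.Text = "Account created for " & user.UserName & "."
            Return
        End If

        ' Map provider status codes to messages shown to the visitor.
        Select Case status
            Case MembershipCreateStatus.InvalidPassword
                Message.Text = "Password does not meet the length or complexity policy."
            Case MembershipCreateStatus.InvalidEmail
                Message.Text = "E-mail address is not valid."
            Case MembershipCreateStatus.DuplicateUserName, _
                 MembershipCreateStatus.DuplicateEmail, _
                 MembershipCreateStatus.UserRejected
                ' One message for all three so the form does not reveal which
                ' user names or e-mail addresses are already registered.
                Message.Text = "That account could not be created. Try a different user name."
            Case Else
                ' ProviderError, InvalidQuestion, InvalidAnswer, ...: record the
                ' exact status server-side and show a neutral message.
                Message.Text = "Account creation failed. Please try again later."
        End Select
    End Sub
End Class
```

The ByRef status pattern avoids using exceptions for expected outcomes such as a duplicate user name, and keeps every provider status in one Select Case so no code path falls through silently.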

14 Validating Logins
If Membership.ValidateUser(UserName.Text, Password.Text) Then
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, _
        RememberMe.Checked)
End If

15 The MembershipUser Class
- Represents individual users registered in the membership data store
- Includes numerous properties for getting and setting user info
- Includes methods for retrieving, changing, and resetting passwords
- Returned by Membership methods such as GetUser and CreateUser

16 Key MembershipUser Properties
Name: Description
- Comment: Storage for user-defined data
- CreationDate: Date user was added to the membership data store
- Email: User's e-mail address
- LastLoginDate: Date user last logged in successfully
- LastPasswordChangedDate: Date user's password was last changed
- UserId: Unique user ID generated by membership provider
- UserName: User's registered user name

17 Key MembershipUser Methods
Name: Description
- ChangePassword: Changes user's password
- ChangePasswordQuestionAndAnswer: Changes question and answer used for password recovery
- GetPassword*: Retrieves a password
- ResetPassword: Resets a password by setting it to a new random password
* Works if Membership.EnablePasswordRetrieval is true

18 Suspending Login Privileges
If Membership.ValidateUser(UserName.Text, Password.Text) Then
    ' Successful login: reset the consecutive-failure counter kept in Comment
    Dim user As MembershipUser = Membership.GetUser(UserName.Text)
    user.Comment = "0"
    Membership.UpdateUser(user)
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked)
Else
    Dim user As MembershipUser = Membership.GetUser(UserName.Text)
    If Not (user Is Nothing) Then
        ' Get a count of consecutive failed login attempts (Comment is empty for new users)
        Dim count As Integer = 0
        Integer.TryParse(user.Comment, count)
        count += 1
        ' If the count equals or exceeds 5, suspend login privileges
        If count >= 5 Then
            user.IsApproved = False
        End If
        ' Update the count of consecutive failed login attempts; changes to a
        ' MembershipUser are not persisted until Membership.UpdateUser is called
        user.Comment = count.ToString()
        Membership.UpdateUser(user)
    End If
End If

19 Membership Providers
- Membership is provider-based
- Provider provides the interface between the membership service and the physical data store
- Beta 1 ships with two providers: AccessMembershipProvider (Access)*, SqlMembershipProvider (SQL Server)
- Use custom providers for other data stores
* Will be replaced by SQL Express provider in beta 2

20 Using the SQL Server Provider

21 Provider Configuration
- Membership providers support a number of configuration settings:
  - How should passwords be stored (cleartext, hashed, encrypted)?
  - Should password recovery be enabled?
  - Must each user have a unique e-mail address?
- Exposed as properties of the provider class
- Initialized from CONFIG files

22 Changing Provider Settings
<add name="AspNetSqlProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web,..."
     connectionStringName="RemoteSqlServer"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     applicationName="/"
     requiresUniqueEmail="false"
     passwordFormat="Hashed"
     description="Stores and retrieves membership data..." />

23 Login Controls
Control: Description
- Login: UI for entering and validating user names and passwords
- LoginName: Displays authenticated user names
- LoginStatus: UI for logging in and logging out
- LoginView: Displays different views based on login status and roles
- PasswordRecovery: UI for recovering forgotten passwords
- CreateUserWizard: UI for creating new user accounts
- ChangePassword: UI for changing passwords

24 Role Management Service
- Role-based security in a box
- Declarative access via Web Site Admin Tool
- Programmatic access via Roles class; Roles class contains static methods for creating roles, adding users to roles, etc.
- Maps users to roles on each request; replaces Application_AuthenticateRequest
- Provider-based for flexible data storage

25 Role Management Schema
[Diagram: Login controls (Login, LoginStatus, LoginView, other login controls) -> Roles API (Roles) -> Role providers (AccessRoleProvider, SqlRoleProvider, other role providers) -> data stores (SQL Server, other data stores)]

26 The Roles Class
- Gateway to the Role Management API
- Provides static methods for performing key role management tasks: creating and deleting roles, adding users to roles, removing users from roles, and more
- Also includes read-only static properties for acquiring data about provider settings

27 Key Roles Methods
Name: Description
- AddUserToRole: Adds a user to a role
- CreateRole: Creates a new role
- DeleteRole: Deletes an existing role
- GetRolesForUser: Gets a collection of roles to which a user belongs
- GetUsersInRole: Gets a collection of users belonging to a specified role
- IsUserInRole: Indicates whether a user belongs to a specified role
- RemoveUserFromRole: Removes a user from the specified role

28 Creating a New Role
If Not Roles.RoleExists("Developers") Then
    Roles.CreateRole("Developers")
End If

29 Adding a User to a Role
' GetUser() with no arguments returns the currently logged-in user
Dim name As String = Membership.GetUser().UserName
Roles.AddUserToRole(name, "Developers")
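Slides 26 through 29 show the individual Roles calls; the following added example (not code from the deck) puts them together: an idempotent helper that grants a role, and a page that enforces the role on every request through the IPrincipal that the role manager attaches to Page.User. The class names RoleHelper and DeveloperTools are assumed, and the role name "Developers" follows the slides.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Added example: idempotent role grant plus a page-level role check.
' Assumes the role manager is enabled in Web.config and Forms authentication is in use.
Public Class RoleHelper
    ' Create the role if it is missing and add the user only once, so the routine
    ' can be re-run safely (AddUserToRole throws if the user is already a member).
    Public Shared Sub EnsureUserInRole(ByVal userName As String, ByVal roleName As String)
        If Not Roles.RoleExists(roleName) Then
            Roles.CreateRole(roleName)
        End If
        If Not Roles.IsUserInRole(userName, roleName) Then
            Roles.AddUserToRole(userName, roleName)
        End If
    End Sub

    ' Remove a user from every role they hold; useful when deactivating an account
    ' so stale role memberships do not survive the user record.
    Public Shared Sub RevokeAllRoles(ByVal userName As String)
        Dim current As String() = Roles.GetRolesForUser(userName)
        If current.Length > 0 Then
            Roles.RemoveUserFromRoles(userName, current)
        End If
    End Sub
End Class

Partial Class DeveloperTools
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Page.User is the IPrincipal for this request. The role manager populates
        ' its roles on each request, so IsInRole reflects the role store (or the
        ' role cookie when caching is enabled) without any code in Global.asax.
        If Not User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        If Not User.IsInRole("Developers") Then
            ' Refuse with a plain 403 rather than describing what the page offers
            Response.StatusCode = 403
            Response.End()
            Return
        End If

        ' ... render developer-only content here
    End Sub
End Class
```

The programmatic check belongs alongside, not instead of, declarative URL authorization in Web.config: the config rule stops the request before the page runs, and the in-page check protects against the page being reachable through a path the config rule does not cover.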

30 Enabling the Role Manager
- Role management is disabled by default
- Enable it via Web.config:

31 Role Caching
- Role manager offers option for caching role data in cookies: fewer accesses to the data store, better performance
- Controlled via attributes and programmatically exposed thru Roles class:
  - Should roles be cached in cookies?
  - Should role cookies be encrypted?
  - How long are role cookies valid?

32 Enabling Role Caching
<!-- Other roleManager attributes (and their defaults) include:
     cookieName=".ASPXROLES"           Cookie name
     cookieTimeout="30"                Cookie lifetime
     cookiePath="/"                    Cookie path
     cookieRequireSSL="false"          Restrict cookie to SSL?
     cookieSlidingExpiration="true"    Renew expiring cookies?
     createPersistentCookie="false"    Issue persistent cookie?
     cookieProtection="All"            Cookie protection level
-->
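Slide 22 shows the membership provider entry, slide 30 says the role manager is enabled in Web.config, and slide 32 lists the role-cookie attributes. The following added Web.config (not a file from the deck) puts those pieces together with Forms authentication and URL authorization, using the attribute names of the released ASP.NET 2.0 SqlMembershipProvider and SqlRoleProvider; the connection string name "MembershipDb", the login page name and the "Developers" path are placeholders. The provider's minRequiredPasswordLength, maxInvalidPasswordAttempts and passwordAttemptWindow attributes give the built-in lockout that slide 18 implements by hand (a locked account has IsLockedOut set and is released with MembershipUser.UnlockUser).

```xml
<?xml version="1.0"?>
<!-- Added example Web.config; connection string, paths and role name are placeholders. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication ticket: encrypted and signed, only sent over SSL -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="false" />
    </authentication>

    <!-- Membership provider (slide 22). passwordFormat="Clear" would leave every
         password readable to anyone with database access; "Hashed" is one-way and
         is the setting to keep unless password retrieval is a hard requirement
         (retrieval needs "Encrypted", which in turn needs a machineKey). -->
    <membership defaultProvider="AspNetSqlProvider">
      <providers>
        <clear />
        <add name="AspNetSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Role manager (slides 30 and 32): enabled, roles cached in a cookie that is
         encrypted and signed (cookieProtection="All") and restricted to SSL. -->
    <roleManager enabled="true"
                 defaultProvider="AspNetSqlRoleProvider"
                 cacheRolesInCookie="true"
                 cookieName=".ASPXROLES"
                 cookieTimeout="30"
                 cookiePath="/"
                 cookieRequireSSL="true"
                 cookieSlidingExpiration="true"
                 createPersistentCookie="false"
                 cookieProtection="All">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- URL authorization (slides 3 and 5): "?" is the anonymous user, so every
         unauthenticated request is redirected to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The Developers folder additionally requires the Developers role;
       "*" denies everyone not matched by the allow rule above it. -->
  <location path="Developers">
    <system.web>
      <authorization>
        <allow roles="Developers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated top to bottom and the first match wins, so the allow for the role must precede the deny for "*"; reversing the two lines would lock everyone out of the folder.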

33 Role Management Providers
- Role management is provider-based
- Beta 1 ships with four providers: AccessRoleProvider (Access)*, AuthorizationStoreRoleProvider (AuthMan), SqlRoleProvider (SQL Server), WindowsTokenRoleProvider (Windows)
- Use custom providers for other data stores
* Will be replaced by SQL Express provider in beta 2

34 Using the SQL Server Provider

35 Forms Authentication

36 © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
