Presentation is loading. Please wait.

Presentation is loading. Please wait.

Benjamin Day Role-based Security Stinks: Better Authorization in ASP.NET.

Published byAshley Marilyn Farmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Benjamin Day Role-based Security Stinks: Better Authorization in ASP.NET."— Presentation transcript:

1 Benjamin Day www.benday.com @benday Role-based Security Stinks: Better Authorization in ASP.NET

2 Benjamin Day Brookline, MA Consultant, Coach, & Trainer Microsoft MVP for Visual Studio ALM Scrum, Team Foundation Server, Software Testing, Software Architecture Scrum.org Classes – Professional Scrum Master (PSM) – Professional Scrum Developer (PSD) – Professional Scrum Foundations (PSF) www.benday.com, benday@benday.com, @benday

3 Got ?

4 The Goal Design a flexible authorization framework Security constraints within the application should be configurable at runtime User permissions can vary between different instances of the same object Works with.NET Security Easy to administer

5 What is “Role-based” Security? Application authorization is based on membership in roles Based on IPrincipal – System.Security.Principal – IsInRole(string roleName) WindowsPrincipal – Role Name = Group Name – Uses user’s Windows group membership to do authorization

6 HR Application Hire Employee – –CreateEmployee.aspx Edit Compensation – –EditSalary.aspx, EditVacationTime.aspx Edit Employee Info – –ViewEmployee.aspx, EditContactInfo.aspx

7 What if you start adding new offices? New Requirement: –HR Managers & HR Associates have permissions only for their office  “context” How to implement this using IsInRole()? –You could add the additional groups (roles) but your app will have to know what office the employee is in

8 More Complexity What happens when even more offices are added? What if you need to start adding new roles? What if you want to create groups of employees for someone in HR to manage? – Arbitrary groupings of employees across locations – One person becomes the “HR Manager” for that group

9 Role-based Security Limitations Role-based works well until you need context – Granting permissions to a particular “employee” Broadness and lack of context  limited configurability – Security starts getting hard-coded – Not configurable at run-time

10 Claims-based Security Declarative security System.Security.Claims namespace Name / Value Pairs

11 “Rights-based” Security? Architecture for using Claims in the app Breaks “what you can do” into small pieces  Rights Rights have context – User is granted rights to perform an action on a particular item User’s permissions (principal) becomes the set of these small granted rights The Database Perspective  Establishes row-level permissions

12 Roles vs. Claims / Rights Roles are broad – Secure large sections of an app – Grant blanket permissions to all securable items No context Rights are granular – Uses a Claim – Permissions relate to one item Have context – Secure at the operation level – Reduce actions to the least common denominator – Store permissions as small pieces  flexibility

13 Claims-Based Security To Do’s During development, identify – Securable Items – Securable Actions (Rights) – Broad Rights (Roles) Keep these as actions as small (granular) as possible

14 Ease of Administration User Groups – Group similar users together – Assign rights / roles for the group – Eliminates the bother of administering users individually Item Groups – Group similar securable items – Like a “folder” – Minimizes the number of “right grants” you need Library has thousands of items (entries) Rights are granted at run-time

15 Hooking into.NET Security System.Security.Principal namespace Use IIdentity to establish “who you are” Use IPrincipal to establish “what you can do” IPrincipal can be set onto – Thread.CurrentPrincipal – HttpContext.User IPrincipal is available in all tiers

16 IPrincipal Through The Tiers ASP.MVC / Web API – Should check IPrincipal to avoid giving the user an opportunity to cause security exceptions Other Tier(s) – Makes certain that the users cannot access data or perform unauthorized operations – (Optional) Filter unauthorized records

17 ASP.NET MVC Security Schema AspNetUsers – User account info – Local accounts – Username, password, etc AspNetUserLogins – “Social” logins – Mappings between external logins & local info – Microsoft Account, Facebook, Twitter AspNetRoles – List of roles in application AspNetUserRoles – Roles per user AspNetUserClaims – Custom claims – ClaimType – ClaimValue

18 Adjusting Claims at Login ApplicationUser class – Extends System.Security.Claims.IdentityUser GenerateUserIdentityAsync() – Any claims adjustments go here

19 DEMOS! Demos in ASP.NET – Roles – Claims Demos in ASP.NET Core – Policies – Microsoft Account Provider

20 @benday Any last questions?

21 @benday Thank you. www.benday.com | benday@benday.com

Download ppt "Benjamin Day Role-based Security Stinks: Better Authorization in ASP.NET."

Similar presentations

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
Software Testing with Visual Studio 2013 & Team Foundation Server 2013 Benjamin Day.

Software Testing with Visual Studio 2013 & Team Foundation Server 2013 Benjamin Day.
Real World Scrum with TFS2013 Benjamin Day. Brookline, MA Consultant, Coach, & Trainer Microsoft MVP for Visual Studio ALM Team Foundation Server, Software.

Real World Scrum with TFS2013 Benjamin Day. Brookline, MA Consultant, Coach, & Trainer Microsoft MVP for Visual Studio ALM Team Foundation Server, Software.
How to be a C# ninja in 10 easy steps. Benjamin Day.

How to be a C# ninja in 10 easy steps. Benjamin Day.
Real World Scrum with Team Foundation Server 2013 Benjamin

Real World Scrum with Team Foundation Server 2013 Benjamin
Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day benday.com |

Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day benday.com |
Team Foundation Server 2010 Builds: Understand, Configure, and Customize Benjamin Day benday.com |

Team Foundation Server 2010 Builds: Understand, Configure, and Customize Benjamin Day benday.com |
Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.

Security in.NET Jørgen Thyme Microsoft Denmark. Topics & non-topics  Cryptography  App domains  Impersonation / delegation  Authentication  Authorization.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
Managing Identity and Permissions

Managing Identity and Permissions
Train The Trainer Employee Central Administration

Train The Trainer Employee Central Administration
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day.

Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day.
SharePoint External Login Access – Forms Authentication vs Azure ACS.

SharePoint External Login Access – Forms Authentication vs Azure ACS.
@benday #vslive Better Unit Tests through Design Patterns: Repository, Adapter, Mocks, and more… Benjamin

@benday #vslive Better Unit Tests through Design Patterns: Repository, Adapter, Mocks, and more… Benjamin
Doing Something Useful with Enterprise Library 3.0 Benjamin Day Level: Intermediate.

Doing Something Useful with Enterprise Library 3.0 Benjamin Day Level: Intermediate.
@benday #vslive Automated Build, Test & Deploy with TFS, ASP.NET, and SQL Server Benjamin

@benday #vslive Automated Build, Test & Deploy with TFS, ASP.NET, and SQL Server Benjamin
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
Goals One ASP.NET Membership story – Web APIs and Web Apps Profile. Extensibility allows for non SQL persistence model. Improve unit testability of.

Goals One ASP.NET Membership story – Web APIs and Web Apps Profile. Extensibility allows for non SQL persistence model. Improve unit testability of.
Team Foundation Server 2012 Builds: Understand, Configure, and Customize Benjamin Day.

Team Foundation Server 2012 Builds: Understand, Configure, and Customize Benjamin Day.

Similar presentations

Ads by Google