Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Security in ASP.NET Core: Claims, Patterns, and Policies

Published byAugustine Montgomery Modified over 5 years ago

Similar presentations

Presentation on theme: "Implementing Security in ASP.NET Core: Claims, Patterns, and Policies"— Presentation transcript:

1 Implementing Security in ASP.NET Core: Claims, Patterns, and Policies
Benjamin Day

2 Benjamin Day Brookline, MA Consultant & Trainer Rental Chief Technology Officer Therapist for Teams Scrum, DevOps, Azure, Team Foundation Server, Software Architecture & Testing Microsoft MVP Pluralsight Author Scrum.org

3 Architecting an ASP.NET Core MVC Application for Unit Testability Just released on 12/31!

4 On with the show.

5 Overview Security Overview Security in ASP.NET Core
Authentication vs. Authorization Role-based security Claims-based security Security in ASP.NET Core [Authorize] Role-based Policy-based Use the Strategy Pattern to make authorization decisions ASP.NET Core Middleware

6 Security Overview

7 Two Big Pieces Authentication Authorization

8 Two Big Pieces Authentication Authorization Who are you?
What can you do? Permissions Two Big Pieces

9 Authentication Username & passwords in your application Social logins
Google, Facebook, Twitter, Microsoft Accounts (MSA) Azure Active Directory (AAD) Windows Active Directory Lots of other options Bad news: Authentication is more complex Good news: It’s usually external to your app Authentication

10 Authorization Core part of your application logic
What is the user allowed to do? User permissions Where are permissions stored? How do you check user permissions in your application logic? Authorization

11 Claims-based Security
Permissions in ASP.NET Role-based Security Claims-based Security

12 Role-based Security Sample roles: User is a member of a role
Administrators Users Power Users Sales Marketing User is a member of a role Application allows roles to do things in the application Role-based Security

13 Beware: Role-based security has limitations

14 Role-based Security Concerns
Maintenance concerns (Not application security concerns) Fine for simple apps with simple security “Is User X a member of Role Y?” Broad permissions “Is User X a member of Role Y for Item Z?” Permissions in the context of an item Impossible with role-based security Role-based Security Concerns

15 Claims-based Security
Goes beyond role-based security Authorization based on a list of Claims What does the user claim to be? What does the user claim to be able to do? Claims aren’t just permissions Claims can be things like Age Name address Roles Claims have context Claims-based Security

16 Claims Have Context Role-based security is just a role
Is the user a member of a role Claims are key/value pairs Claim Type Claim Value “Is User X a member of Role Y for Item Z?” Role-based security can’t do this Claims-based security can Claims Have Context

17 ASP.NET Core security is primarily about Claims

18 How is security implemented in ASP.NET Core?

19 Security in ASP.NET Core
IIdentity IPrincipal ClaimsIdentity ClaimsPrincipal

20 Things to Think About Single Responsibility Principle
Code against interfaces Keep logic isolated Dependency Injection Code against IIdentity / IPrincipal ClaimsIdentity / ClaimsPrincipal Things to Think About

21 You’re focused on testing Authorization
Assumption

22 Two Types of Code Related to Authorization
Code that checks if a user is authorized Security decisions Code that you’re trying to authorize Actions you’re trying to protect Keep these separated!!! Single Responsibility Principle Two Types of Code Related to Authorization

23 It’s always going to be easier to unit test the code that makes the security decisions

24 If you’re trying to test the decision code and the protected code at the same time…

25 …it’s probably an integration test and not a unit test

26 Two Ways to Implement Authorization in ASP.NET Core
Using the [Authorize] attribute Part of ASP.NET Core Apply to Controllers or Controller methods Custom logic Checks against IPrincipal yourself Two Ways to Implement Authorization in ASP.NET Core

27 The [Authorize] Attribute
Apply it to a Controller class Controller method User must be authenticated [Authorize()] Role-based authorization [Authorize(Roles = "Administrator")] Policy-based authorization [Authorize(Policy = “AdminOnlyPolicy")] The [Authorize] Attribute

28 The Bad News About the [Authorize] Attribute
Nearly impossible to unit test It’s really hard to integration test My recommendation: Don’t try to test that it’s working Use reflection to check that the attribute is there with the right value(s) The Bad News About the [Authorize] Attribute

29 Checks Against IPrincipal
Get an instance of IPrincipal Write checks against IPrincipal Succeed or fail based on the checks Recommendation: Group the checks into methods that make the authorization decisions Unit test the logic that makes the decisions Checks Against IPrincipal

30 ASP.NET Core Security Policies
Encapsulates the authorization decision logic [Authorize(Policy = “AdminOnlyPolicy")] Define policies in Startup.cs Policy has two parts: Requirement Handler IAuthorizationRequirement AuthorizationHandler<T> ASP.NET Core Security Policies

31 IAuthorization Requirement
Configuration information related to a Policy Create a class Implement the interface (Optional) Provide properties for config values IAuthorization Requirement

32 Authorization Handler<T>
T = Class the implements IAuthorizationRequirement Implement HandleRequirementAsync( context, requirement) AuthorizationHandlerContext Current authorization check info Identity, Principal MVC Context Make the decision Succeed() Fail() Authorization Handler<T>

33 Testing the Policies Unit test the policy handler logic in isolation
Focus testing on AuthorizationHandler<T> Integration testing policy handlers with Controllers is HARD Testing the Policies

34 Next up: Demos

35 Unit testing the [Authorize()] attribute
“Didn’t you say that was impossible?” Testing the existence of [Authorize()] using Reflection Avoids integration tests Trusts that the decision implementation works Technique is by David Pine

36 Credit for This Idea David Pine Microsoft MVP Google Developer Expert
asp-net-core-security-unit-testing/ Credit for This Idea

37 Multi-part demo ASP.NET Core AuthorizationHandler and Policy-based Authorization Part 1: The overall code structure Part 2: Implement the unit tests Part 3: Implement AuthorizationHandler<T> Part 4: Create the policy Hook it in to ASP.NET Core

38 The President Database is going start selling subscriptions
Basic  Search Ultimate  Search + Images Decide if a user is authorized to do something Strategy Pattern Strategy encapsulates algorithms & business logic IUserAuthorizationStrategy DefaultUserAuthorizationStrategy

39 ASP.NET Core Middleware

40 What is middleware?

41 It’s stuff in the middle

42 Middleware lets you plug your code into the ASP
Middleware lets you plug your code into the ASP.NET Core execution pipeline

43 Middleware

44 “What does middleware have to do with security?”

45 Not necessarily anything…

46 …but it can be really helpful in security scenarios

47 Use Middleware to hook into the execution pipeline and populate claims

48 Implementing Middleware
Really easy Create a class that implements Microsoft.AspNetCore.Http.IMiddleware InvokeAsync(HttpContext context, RequestDelegate next) Configure Startup.cs Implementing Middleware

49 ASP.NET Core Middleware
Load information about user’s subscription status Populate claims Unit Tests

50 Any last questions?

51 Thank you. |

Download ppt "Implementing Security in ASP.NET Core: Claims, Patterns, and Policies"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Software Testing with Visual Studio 2013 & Team Foundation Server 2013 Benjamin Day.

Software Testing with Visual Studio 2013 & Team Foundation Server 2013 Benjamin Day.
Team Foundation Server 2010 Builds: Understand, Configure, and Customize Benjamin Day benday.com |

Team Foundation Server 2010 Builds: Understand, Configure, and Customize Benjamin Day benday.com |
ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.

ASP.NET Security MacDonald Ch. 18 MIS 424 MIS 424 Professor Sandvig Professor Sandvig.
Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.

Membership, Role Manager and Profile Membership, Role Manager and Profile Matt Gibbs ASP.NET Development Manager.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Understanding Active Directory

Understanding Active Directory
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day.

Design for Testability: Mocks, Stubs, Refactoring, and User Interfaces Benjamin Day.
SharePoint External Login Access – Forms Authentication vs Azure ACS.

SharePoint External Login Access – Forms Authentication vs Azure ACS.
@benday #vslive Better Unit Tests through Design Patterns: Repository, Adapter, Mocks, and more… Benjamin

@benday #vslive Better Unit Tests through Design Patterns: Repository, Adapter, Mocks, and more… Benjamin
Doing Something Useful with Enterprise Library 3.0 Benjamin Day Level: Intermediate.

Doing Something Useful with Enterprise Library 3.0 Benjamin Day Level: Intermediate.
@benday #vslive Automated Build, Test & Deploy with TFS, ASP.NET, and SQL Server Benjamin

@benday #vslive Automated Build, Test & Deploy with TFS, ASP.NET, and SQL Server Benjamin
Windows Azure Tour Benjamin Day Benjamin Day Consulting, Inc.

Windows Azure Tour Benjamin Day Benjamin Day Consulting, Inc.
IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.
Top 10 Ways to Go from Good to Great Scrum Master Benjamin Day.

Top 10 Ways to Go from Good to Great Scrum Master Benjamin Day.
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Goals One ASP.NET Membership story – Web APIs and Web Apps Profile. Extensibility allows for non SQL persistence model. Improve unit testability of.

Goals One ASP.NET Membership story – Web APIs and Web Apps Profile. Extensibility allows for non SQL persistence model. Improve unit testability of.
Team Foundation Server 2012 Builds: Understand, Configure, and Customize Benjamin Day.

Team Foundation Server 2012 Builds: Understand, Configure, and Customize Benjamin Day.
Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Similar presentations

Ads by Google