
ASP.NET Security. MacDonald Ch. 18. MIS 424, Professor Sandvig.

Presentation transcript:

1 ASP.NET Security. MacDonald Ch. 18. MIS 424, Professor Sandvig

2 Overview
Today:
- Security concepts and terminology
- Authentication and authorization
- Role-based security
- ASP.NET approaches: 1. do it yourself; 2. Windows authentication; 3. Forms authentication; 4. .NET Membership provider

3 Security Terminology: Authentication
- The process of identifying the user
- The user provides credentials: username/password; ID card, key, fingerprint, eye scan, ...
- Done once, at login; later requests carry proof of that login (a session or an authentication ticket) rather than the credentials themselves

4 Security Terminology: Authorization
- Permissions: which resources the user is allowed to access, and the type of access (read, write, modify, delete, change permissions, ...)
- Performed on every request, not just at login

5 Example: WWU Library
Authentication: who are you? (a WWU student; a lost Canadian)
Authorization: what are you allowed to do?
- WWU student: check out books, laptops, ILL services, ...
- Lost Canadian: look at books, use restrooms, stay warm

6 Security Terminology: Principle of Least Privilege
Every program and every user of the system should operate using the least set of privileges necessary to complete their job (Saltzer and Schroeder's formulation).
Benefits: protects data, protects the organization, protects individuals.

7 Role-based Security: permissions are assigned to a role or job function, and people are assigned to roles, rather than granting permissions to individuals one by one.

8 Role-based Security
- Create roles: Administrator, User, Student, Anonymous user, etc.
- Roles are assigned specific permissions (principle of least privilege)
- People are assigned to roles

9 Role-based Security: Benefit
Simplifies management of permissions.
Example: roles in the WWU Banner system: Students, Faculty, Administrators. Many types, each with specific permissions, enforced at both the application and the database level.

10 ASP.NET Security Approaches
- Do-it-yourself
- Forms authentication
- Windows authentication
- ASP.NET Membership provider

11 Do-it-yourself Authentication
Each .aspx page checks for authorization and redirects unauthorized users to the login page. A single line of code:
    if (Session["authenticated"] == null) Response.Redirect("Login.aspx");
Session["authenticated"] must be set only by the login page after it has validated the credentials, and cleared (Session.Abandon()) on logout. Response.Redirect ends the response, so nothing below the check runs for an anonymous user.

12 Do-it-yourself Authentication
Advantages: simple; flexible, page by page; can validate against your own database.
Disadvantages: the check has to be included in every .aspx page; only executable pages are protected, so .html pages, images and other static files are served without any check.
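One way to keep the do-it-yourself check out of every page, as an added example that is not from the slides or from MacDonald's text: a base page class runs the same Session check in OnInit, and every protected page inherits from it. The class names, the ReturnUrl convention and the SignOut helper are my own assumptions.

```csharp
// Added example, not from the slides: the "do-it-yourself" session check moved
// into a base page so that protected pages inherit it instead of repeating it.
using System;
using System.Web;
using System.Web.UI;

public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // The same test as the one-liner on the slide, run before any of the
        // derived page's own code (Page_Load, event handlers) executes.
        if (Session["authenticated"] == null)
        {
            // Pass only the app-relative path of the requested page so that
            // Login.aspx can send the user back after a successful login.
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);

            // endResponse = true ends the request here. With false, the rest of
            // the page lifecycle would still run and render for the anonymous user.
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
        }
    }

    // Logout (assumed helper): drop the server-side session and expire the
    // session cookie so the old session id cannot be presented again.
    public static void SignOut(HttpContext context)
    {
        context.Session.Abandon();
        context.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }
}

// A protected page (code-behind for Secret.aspx) now needs no check of its own.
public partial class Secret : ProtectedPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only when Session["authenticated"] was set by the login page.
    }
}
```

This removes the first disadvantage on slide 12 (code repeated in every page) but not the second: the check still runs only for requests that ASP.NET executes, so .html files and images remain unprotected.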

13 Windows Authentication
Authenticate against Windows user accounts; usernames and passwords are managed by Windows (Active Directory), not by the application, which only learns the authenticated identity and its group memberships.

14 Windows Authentication: Authorization
- Specified in web.config
- First-match algorithm: rules are evaluated top to bottom and the first matching allow or deny wins, so the order of the rules matters
- Can be set on each directory
- Sample page
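A web.config showing the first-match rules and a per-directory override, added here as an example and not taken from the slides; the group name CORP\WebAdmins and the Admin folder are made up.

```xml
<!-- Added example, not from the slides: Windows authentication with
     first-match URL authorization. CORP\WebAdmins and the Admin folder are
     invented names. -->
<configuration>
  <system.web>
    <!-- IIS performs the Windows (NTLM/Kerberos) login; ASP.NET only reads it. -->
    <authentication mode="Windows" />

    <!-- Rules are checked top to bottom and the first match wins.
         "?" means anonymous users, "*" means all users. -->
    <authorization>
      <deny users="?" />      <!-- unauthenticated requests get a 401 challenge -->
      <allow users="*" />     <!-- any authenticated Windows user -->
    </authorization>
  </system.web>

  <!-- Per-directory rules: only members of one Windows group reach /Admin. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\WebAdmins" />
        <deny users="*" />    <!-- everyone else, including other logged-in users -->
      </authorization>
    </system.web>
  </location>

  <!-- Wrong order, shown for contrast: the catch-all allow matches first, so the
       deny below it is never reached and anonymous users get in.
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
  -->
</configuration>
```

Rules in a location element are evaluated before the rules inherited from the parent, still first match wins. Note also that URL authorization applies to requests ASP.NET handles; under the IIS 7 integrated pipeline that is every request, but under the classic pipeline static files bypass it and are protected only by NTFS permissions on the server.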

15 Windows Authentication
Benefits: secures every file type; uses existing Windows accounts; fine-grained control of permissions.
Suited to an intranet, not the public web.
Limitation: every user needs a Windows account (domain or local) that the server can validate.

16 Forms Authentication
- Create a login page
- Authenticate against any data source: database, LDAP, web service, CAS, ...
- Flow: the requested .aspx file -> login page (.aspx) -> access the database or other data source -> an authentication ticket is issued as an encrypted and signed cookie -> redirect back to the requested page

17 Forms Authentication: How to Configure
- web.config in the root directory of the application: authentication mode="Forms"
- Create the login page
Example: Sample
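The login page described on slides 16 and 17, as an added example that is not code from the slides or from MacDonald's text. It assumes the web.config shown in the leading comment, and the in-memory user store, the user "alice" and her password are constructed sample data standing in for whatever database or directory the application actually validates against.

```csharp
// Added example, not from the slides: code-behind for Login.aspx under Forms
// authentication. The sample store below stands in for the real data source.
//
// Matching web.config (application root):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="30" requireSSL="true" />
//   </authentication>
//   <authorization>
//     <deny users="?" />    <!-- anonymous users are redirected to loginUrl -->
//   </authorization>
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Controls declared in Login.aspx (<asp:TextBox ID="UserName" ...> etc.).
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            // Same message whether the account or the password was wrong.
            Message.Text = "Invalid username or password.";
            return;
        }

        // Issues the encrypted and signed forms-authentication ticket as a cookie
        // and redirects to ReturnUrl. With the default enableCrossAppRedirects="false"
        // a ReturnUrl outside this application is replaced by defaultUrl, so the
        // login page cannot be used as an open redirector.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }

    private sealed class UserRecord
    {
        public byte[] Salt;
        public byte[] Hash;
    }

    private const int Iterations = 100000;
    private static readonly byte[] DummySalt = new byte[16];

    // Constructed sample store (not real data): one user whose password is
    // "correct horse battery staple", kept as salt + PBKDF2 hash, never plaintext.
    private static readonly Dictionary<string, UserRecord> Users = BuildSampleStore();

    private static Dictionary<string, UserRecord> BuildSampleStore()
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new UserRecord { Salt = salt, Hash = Pbkdf2("correct horse battery staple", salt) } }
        };
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    private static bool ValidateCredentials(string user, string password)
    {
        UserRecord record;
        bool known = Users.TryGetValue(user ?? "", out record);
        // Hash even for unknown users, so a missing account cannot be told apart
        // from a wrong password by response time.
        byte[] computed = Pbkdf2(password ?? "", known ? record.Salt : DummySalt);
        return known && FixedTimeEquals(computed, record.Hash);
    }

    // Compare every byte regardless of where the first difference is, so the
    // comparison time does not depend on how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The ticket cookie is protected with the machineKey of the server, so in a web farm every server must share the same machineKey or tickets issued by one server will be rejected by the others. Logging out is FormsAuthentication.SignOut(), which removes the cookie.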

18 ASP.NET Membership
- Drag and drop controls; implements Forms authentication; no code required
- Automatically creates the SQL Server database
- Can define users and roles
- Quite sophisticated

19 ASP.NET Membership Provider


22 No code
- "Magical"; many configuration options
- Password recovery; change-password control; sends email
- Create groups (programmatically); assign users to groups
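The programmatic side of the Membership controls, added here as an example and not code from the slides or from MacDonald's text: creating the roles from slide 8 through the Roles API, creating a user through the Membership API, and the per-request role check that authorization comes down to. It assumes the default SqlMembershipProvider and SqlRoleProvider with roleManager enabled="true" and requiresQuestionAndAnswer="false" in web.config; the role names, the user "alice" and her password are made up.

```csharp
// Added example, not from the slides: what the drag-and-drop controls do,
// written against the Membership and Roles APIs (System.Web.Security).
// Assumes the default SQL providers, <roleManager enabled="true"/> and
// requiresQuestionAndAnswer="false"; names and password are invented.
using System;
using System.Security.Principal;
using System.Web.Security;

public static class AccountSetup
{
    // Slide 8 in code: create the roles first, then place people in them.
    public static void CreateRolesAndUsers()
    {
        foreach (string role in new[] { "Administrator", "User", "Student" })
        {
            if (!Roles.RoleExists(role))
            {
                Roles.CreateRole(role);
            }
        }

        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            "alice", "Str0ng-Passw0rd!", "alice@example.com",
            null, null, true, null, out status);

        // The status says why creation failed (duplicate name, password too weak
        // for the provider's policy, invalid email, ...); never ignore it.
        if (status != MembershipCreateStatus.Success)
        {
            throw new InvalidOperationException("CreateUser failed: " + status);
        }

        // Least privilege: a new account starts in the narrowest role only.
        if (!Roles.IsUserInRole(user.UserName, "Student"))
        {
            Roles.AddUserToRole(user.UserName, "Student");
        }
    }

    // The check the Login control performs for you: validates against the
    // provider's stored (hashed) password and, on success, issues the forms ticket.
    public static bool TrySignIn(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            return false;
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    // Authorization happens on every request: a page passes its User (HttpContext
    // principal) and asks whether it holds the required role.
    public static bool MayEditGrades(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole("Administrator");
    }
}
```

With roleManager enabled, User.IsInRole on a page consults the role provider, and the same role names work declaratively in web.config, for example an authorization block under a location element for the Admin folder containing allow roles="Administrator" followed by deny users="*".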

23 Summary
Application security options: do-it-yourself; Windows authentication; Forms authentication; ASP.NET Membership provider.
Security is a complex topic; other aspects will be discussed later.

