Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 11: Securing a Microsoft ASP.NET Web Application.

Similar presentations


Presentation on theme: "Module 11: Securing a Microsoft ASP.NET Web Application."— Presentation transcript:

1 Module 11: Securing a Microsoft ASP.NET Web Application

2 Overview Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

3 Lesson: Web Application Security Overview Authentication vs. Authorization What Are ASP.NET Authentication Methods? Multimedia: ASP.NET Authentication Methods Comparing the ASP.NET Authentication Methods What Are the IIS Authentication Mechanisms?

4 Authentication vs. Authorization Authentication Accepts credentials from a user Validates the credentials ( a process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority such as database ). If the credentials are valid, the entity that submitted the credentials is considered as an authenticated identity. )

5 Authentication vs. Authorization Authorization Given the authentication credentials supplied, determines the right to access a resource Can be assigned by user name or by role ( After an identity has been authenticated, the authorization process determines whether that identity has access to specifies resource. The authorization process limits access rights by granting or denying specific permission to an authenticated identity )

6 What Are ASP.NET Authentication Providers? Windows-based authentication Relies on the Windows operating system and IIS User requests a secure Web page and the request goes through IIS After credentials are verified by IIS, the secure Web page is returned The users must have valid Windows account. Forms-based authentication Use a custom ASP.NET page to collect credentials from users. If users attempt to access page for which they are not authorized, they will be automatically directed to the login page. User credentials can be stored in a variety of locations. Eg: Ms Sql Server, Access Database

7 What Are ASP.NET Authentication Methods? Microsoft Passport authentication Centralized authentication service that offers a single logon option Microsoft Passport is an XML Web service Users can use their MSN Passport to access your application/site.

8 Multimedia: ASP.NET Authentication Methods

9 Comparing the ASP.NET Authentication Methods MethodAdvantagesDisadvantages Windows-based Authentication  Uses existing Windows infrastructure  Controls access to sensitive information  Not appropriate for most Internet applications Forms-based Authentication  Good for Internet applications  Supports all client types  Based on cookies Microsoft Passport Authentication  Single sign in for many Internet sites  No need to maintain a database to store user information  Allows developers to customize the appearance of the registration page  Based on cookies  Fees involved

10 What Are the IIS Authentication Mechanisms? Mechanisms Security Level Description AnonymousNone  No authentication occurs Basic Low (Medium with SSL)  Client sends username and password as clear text  Can be encrypted by using SSL  Part of the HTTP specification and supported by most browsers DigestMedium  Sends information as encoded hash  Requires Internet Explorer 5 or later  Requires Active Directory Integrated WindowsHigh  Uses NTLM  Generally good for intranets, not Internet  Does not work through most firewalls

11 Lesson: Working with Windows- Based Authentication How to Enable Windows-Based Authentication Reading User Information Demonstration: Using Windows-Based Authentication

12 How to Enable Windows-Based Authentication Configure IIS to use one or more of the following authentication mechanisms: Basic Digest Integrated Windows security Set Windows-based authentication in Web.config 11 22

13 How to Enable Windows-Based Authentication (continued) Set up authorization in Web.config When users access the Web Form, IIS requests logon information 44 33

14 Reading User Information After authentication, the Web server can user read the identity lblAuthUser.Text = User.Identity.Name lblAuthType.Text = User.Identity.AuthenticationType lblIsAuth.Text = User.Identity.IsAuthenticated lblAuthUser.Text = User.Identity.Name lblAuthType.Text = User.Identity.AuthenticationType lblIsAuth.Text = User.Identity.IsAuthenticated lblAuthUser.Text = User.Identity.Name; lblAuthType.Text = User.Identity.AuthenticationType; lblIsAuth.Text = User.Identity.IsAuthenticated; lblAuthUser.Text = User.Identity.Name; lblAuthType.Text = User.Identity.AuthenticationType; lblIsAuth.Text = User.Identity.IsAuthenticated;

15 Lesson: Working with Forms- Based Authentication Overview of Forms-Based Authentication Multimedia: Forms-Based Authentication How to Enable Forms-Based Authentication Creating a Logon Page Demonstration: Using Forms-Based Authentication

16 Overview of Forms-Based Authentication Client requests page Authorized ASP.NET Forms Authentication Not Authenticated Authenticated Logon Page (Users enter their credentials) Authenticated Authentication Cookie Authorized Not Authenticated Access Denied Requested Secure Page  IIS Username Password Someone *********** Submit 1122 33 44 66 55 77

17 Multimedia: Forms-Based Authentication

18 How to Enable Forms-Based Authentication Configure IIS to use Anonymous authentication Set Forms-based authentication in Web.config Set up authorization Build a Logon Web Form11 22 33 44 < forms name=".namesuffix" loginUrl="login.aspx" /> < forms name=".namesuffix" loginUrl="login.aspx" />

19 Lesson: Overview of Microsoft Passport Authentication How Microsoft Passport Works Other Microsoft Passport Resources

20 How Microsoft Passport Works Website.msft Client Passport.com The client requests a page from the host11 22 33 44 55 The site redirects the client to Passport.com The client is redirected and logs on to Passport.com Passport returns a cookie with the ticket information 66 The client accesses the host, this time with ticket information The host returns a Web Form and possibly a new cookie that it can read and write

21 Authorization for a Web Application File Authorization Available only if your application uses Ms Windows Authentication. Set permissions on files and directories by using Access Control Lists (ACLs) URL Authorization Available regardless of which authentication provider used. Use Web.config file in each directory of the application to assign permissions for the contents of the directory.

22 Review Web Application Security Overview Working with Windows-Based Authentication Working with Forms-Based Authentication Overview of Microsoft Passport Authentication

23 Exercise Study on : Membership How Membership works How to configure ASP.NET Application to use Membership

24 ~ End Slides ~


Download ppt "Module 11: Securing a Microsoft ASP.NET Web Application."

Similar presentations


Ads by Google