
ASP.NET SECURITY

Date post: 22-Feb-2016
Upload: shelley
Page 1: ASP.NET SECURITY

ASP.NET SECURITY

Presenter: Van Nguyen

Page 2: ASP.NET SECURITY

Introduction

Security is an integral part of any Web-based application. Understanding ASP.NET security will help in building secure Web applications. This document provides a brief overview of security in ASP.NET.

Page 3: ASP.NET SECURITY

Introduction

I. ASP.NET Web application security

II. FormsAuthentication

III. Managing Users Using Membership

IV. Managing Authorization using Roles

Page 4: ASP.NET SECURITY

I. ASP.NET Web application security

• ASP.NET architecture
• ASP.NET Data Flow
• ASP.NET Authentication
• ASP.NET Authorization
• ASP.NET impersonation

Page 5: ASP.NET SECURITY

I. ASP.NET Web application security

ASP.NET architecture

Page 6: ASP.NET SECURITY

I. ASP.NET Web application security

IIS Security:

• Anonymous
• Basic
• Digest
• Integrated Windows Authentication
• Certificate

Page 7: ASP.NET SECURITY

I. ASP.NET Web application security

ASP.NET Data Flow

The security data flow for two common scenarios:

1. Impersonation.
2. Forms authentication using cookies.

Page 8: ASP.NET SECURITY

I. ASP.NET Web application security

ASP.NET Authentication:

− Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority.

• Windows Authentication Provider (ASP.NET impersonation)
• Forms Authentication Provider (FormsAuthentication)

Page 9: ASP.NET SECURITY

I. ASP.NET Web application security

Authorization determines whether an identity should be granted access to a specific resource. In ASP.NET Authorization, there are two ways to authorize access to a given resource:

• File authorization
• URL authorization

Page 10: ASP.NET SECURITY

I. ASP.NET Web application security

ASP.NET impersonation:

Page 11: ASP.NET SECURITY

I. ASP.NET Web application security

ASP.NET impersonation:

− ASP.NET impersonation is disabled by default.
− If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET.
− The Web application relies on IIS to authenticate users.
− The server should provide a different Windows user for every application, so that one application cannot access the resources of another Web application.

    <configuration>
      <system.web>
        <authentication mode="Windows"/>
        <identity impersonate="true"/>
      </system.web>
    </configuration>

Page 12: ASP.NET SECURITY

II. FormsAuthentication

Page 13: ASP.NET SECURITY

II. FormsAuthentication

Forms authentication uses an authentication ticket that is created when a user logs on to a site, and then it tracks the user throughout the site. The forms authentication ticket is usually contained inside a cookie.

Configuring FormsAuthentication in web.config:

Page 14: ASP.NET SECURITY

II. FormsAuthentication

Credentials Store in web.config:

Forms authentication credentials that are used to validate users at logon can be stored in an external data source or in the application configuration file.
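A web.config sketch of the Forms authentication settings discussed on the two slides above, added here as an example and not taken from the original presentation. The cookie name, login URL and user name are assumed values; the weak variant appears only inside the comment, for contrast with the stricter configuration below it.

```xml
<?xml version="1.0"?>
<!--
  Added example, not from the original slides.
  Weak variant, shown for contrast only:

    <forms loginUrl="~/Account/Login" protection="None" requireSSL="false"
           cookieless="UseUri" timeout="43200">
      <credentials passwordFormat="Clear">
        <user name="testuser" password="(cleartext password)" />
      </credentials>
    </forms>

  Problems: the ticket is neither encrypted nor validated, it may travel
  over plain HTTP, it is carried in the URL, it stays valid for 30 days
  (timeout is in minutes), and every password is readable by anyone who
  can read web.config.
-->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name and loginUrl are assumed values for this sketch -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Account/Login"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="20"
             enableCrossAppRedirects="false" />
      <!-- No <credentials> element: users are validated against an
           external store (for example ASP.NET membership) instead -->
    </authentication>
    <authorization>
      <!-- "?" means anonymous users; the login page itself stays reachable -->
      <deny users="?" />
    </authorization>
    <!-- Keep cookies away from script and off unencrypted connections -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

FormsAuthentication.Authenticate, the method that reads the credentials element, is marked obsolete from .NET Framework 4.5 in favor of the membership APIs.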

Page 15: ASP.NET SECURITY

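II. FormsAuthentication

Logging In, Logging Out using FormsAuthentication.

Logging In:

    // Validate against the web.config credentials store or the membership provider
    if (FormsAuthentication.Authenticate(model.UserName, model.Password)
        || Membership.ValidateUser(model.UserName, model.Password))
    {
        // Issue the authentication ticket; RememberMe selects a persistent cookie
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        //FormsAuthentication.RedirectFromLoginPage(userName, isPersistentCookie);
    }

Logging Out:

    // Remove the authentication ticket, then send the user back to the login page
    FormsAuthentication.SignOut();
    FormsAuthentication.RedirectToLoginPage();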

Page 16: ASP.NET SECURITY

II. FormsAuthentication

Understanding persistent tickets:

The forms authentication ticket was always stored in a cookie. So, the decision between using a persistent versus a nonpersistent ticket is a choice between using a persistent or a session-based cookie.

The following code issues a persistent ticket:

    FormsAuthentication.RedirectFromLoginPage("testuser", true);

Page 17: ASP.NET SECURITY

III. Managing Users Using Membership

ASP.NET membership helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication and with the ASP.NET login controls to create a complete system for authenticating users.

Benefits of ASP.NET membership:

• Creating new users and passwords.
• Using the Login controls in ASP.NET.
• Storing membership information in a database.
• Authenticating users who visit your site.
• Managing passwords (creating, changing and resetting them).
• Specifying a custom membership provider.

Page 18: ASP.NET SECURITY

III. Managing Users Using Membership

Configuring Membership:

Page 19: ASP.NET SECURITY

III. Managing Users Using Membership

Install the database: run the file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

Page 20: ASP.NET SECURITY

III. Managing Users Using Membership

Finish:

Membership class.

Page 21: ASP.NET SECURITY

IV. Managing Authorization using Roles

Role management lets you treat groups of users as a unit by assigning users to roles.

Role management helps you manage authorization, which enables you to specify the resources that users in your application are allowed to access.

Use RoleProvider to implement custom role management.

Page 22: ASP.NET SECURITY

IV. Managing Authorization using Roles

Configuring RoleProvider:

Authorization using roles:
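A web.config sketch covering both the membership configuration from section III and the role provider and role-based authorization named on this slide, added here as an example and not taken from the original presentation. The connection string, provider names, application name, role name and the Admin path are assumed values; the built-in SQL providers are used in place of a custom RoleProvider.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. Names and paths are assumed. -->
<configuration>
  <connectionStrings>
    <!-- Database created by aspnet_regsql.exe; the catalog name is assumed -->
    <add name="MembershipDb" providerName="System.Data.SqlClient"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SqlMembership">
      <providers>
        <clear />
        <!-- Hashed passwords cannot be retrieved, only reset -->
        <add name="SqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/ExampleApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- The role cookie is encrypted, validated and sent over HTTPS only -->
    <roleManager enabled="true" defaultProvider="SqlRoles"
                 cacheRolesInCookie="true" cookieProtection="All"
                 cookieRequireSSL="true" cookieTimeout="20">
      <providers>
        <clear />
        <add name="SqlRoles" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" applicationName="/ExampleApp" />
      </providers>
    </roleManager>
  </system.web>
  <!-- URL authorization by role: rules are read top-down, first match wins -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the first matching rule wins, placing the deny rule before the allow rule would lock out administrators as well.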

Page 23: ASP.NET SECURITY

Thanks for listening

