Date post: | 16-Dec-2015 |
Category: |
Documents |
Upload: | valentine-joseph |
View: | 223 times |
Download: | 1 times |
ASP.Net Security
Chapter 10
Jeff Prosise’s Book
Authentication
• To ascertain the caller’s identity– Windows authentication– Forms authentication– Passport authentication
• Windows authentication: Here, IIS does the authentication and makes the caller’s identity available to ASP.Net (via a token)– Most suitable when everyone that uses the
application can login to the local machine– Uses the built-in security features of the OS
• Passport authentication: – Passport serves as a front-end to a large
group of users registered with Microsoft Passport
– Such users can be authenticated anywhere on the Internet by applications that present long credentials to Passport.
– If Passport validates them, it returns an authentication ticket to the application; that in turn stores it as an encoded cookie
• Forms authentication– Relies on login forms in web pages to authenticate
users– In an e-commerce application such as e-bay’s
bidding, windows authentication is not viable since it is impractical to create windows accounts for all millions
– In web.config, we set <authentication mode = “Forms” />
– Other modes are: None, Windows, and Passport
Authorization
• Determines what resources a user can access
• ASP.Net supports:– ACL authorization or file authorization---e.g.,
using NTFS file system’s ACL– URL authorization---relies on configuration
directives in web.config using the <authorization> element
– Authorization link
Windows Authentication• Maps incoming requests to accounts on the web server • Used to serve a well defined user group that may be controlled
through windows accounts– Basic authentication: transmits a user name and password in each
request; IIS maps them to an account on the web server and generates a token.
• Suppose a web page is placed in the virtual directory• Suppose IIS is configured to disallow anonymous access to that directory
and to require basic authentication• When a user attempts to access it for the first time (via HTTP request, a 401
is returned indicating that it requires basic authentication• The user’s browser then prompts the user for windows user name/password• Problem: User name/password sent in plain text between the browser and
the web server with each request; user needs a windows account– Digest authentication: User name/password are sent as an encrypted
token with each request integrated windows authentication
IIS Security
• Internet Information Services---a web server• IIS protects a server in four ways:
– Web applications are deployed in virtual directories that are URL-addressable on the server. Remote clients cannot automatically access files outside this directory.
– IIS assigns every request a token---a windows security principal; OS and .Net check this token prior to allowing access
– It can enable/disable requests based on IP addresses and domains
– Supports SSL and HTTPs– IIS supports four types of authentication:
• Basic authentication (user name/password)• Digest authentication (user name/password)• Integrated windows authentication• SSL client authentication
Forms Authenticatrion
• Authenticates a user by asking the user to type credentials (e.g., user name/password) into a web form.
• Entries in web.config can identify login page• When a user accesses for the 1st time, ASP.Net redirects
the user to the login page. • If the login is successful, ASP.Net issues a ticket in the
form of a cookie and redirects the user to the page originally requested.
• The cookie enables the user not to login everytime. Lifetime of a cookie is dictated by your application.
Example Application with Forms Authentication
• Application contains two pages: – PublicPage.aspx --- viewed by any one– ProtectedPage.aspx --- available only to
authenticated users (validated by login page)
• LoginPage.aspx---asks for a user name and a password
• Web.config---stores valid user names and passwords
PublicPage.aspx<html> <body> <h1>Public Page</h1> <hr> <form runat="server"> <asp:Button Text="View Secret Message" OnClick="OnViewSecret" RunAt="server" /> </form> </body></html>
<script language="C#" runat="server"> void OnViewSecret (Object sender, EventArgs e) { Response.Redirect ("Secret/ProtectedPage.aspx"); }</script>
LoginPage.aspx<html> <body> <h1>Please Log In</h1> <hr> <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" TextMode="password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" /> </td> <td> </td> </tr> </table> </form> <hr> <h3><asp:Label ID="Output" RunAt="server" /></h3> </body></html>
<script language="C#" runat="server"> void OnLogIn (Object sender, EventArgs e) { if (FormsAuthentication.Authenticate (UserName.Text, Password.Text)) FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); else Output.Text = "Invalid login"; }</script>
Web.config in the main directory<configuration> <system.web> <authentication mode="Forms"> <forms loginUrl="LoginPage.aspx"> <credentials passwordFormat="Clear"> <user name="Jeff" password="imbatman" /> <user name="John" password="redrover" /> <user name="Bob" password="mxyzptlk" /> <user name="Alice" password="nomalice" /> <user name="Mary" password="contrary" /> </credentials> </forms> </authentication> </system.web></configuration>
Web.config in the secret subdirectory (to deny unauthenticated users)
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Why is the earlier example not realistic?
• Unreasonable to store passwords in clear text
• Storing a large number of names/passwords in Web.config is unrealistic. Instead, store them in a database.
• Modified Login.aspx is in the next few slides
<%@ Import NameSpace="System.Data.SqlClient" %>
<html> <body> <h1>Please Log In</h1> <hr> <form runat="server"> <table cellpadding="8"> <tr> <td> User Name: </td> <td> <asp:TextBox ID="UserName" RunAt="server" /> </td> </tr> <tr> <td> Password: </td> <td> <asp:TextBox ID="Password" TextMode="password" RunAt="server" /> </td> </tr> <tr> <td> <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" /> </td>
<td> <asp:Button Text="Log In" OnClick="OnLogIn" RunAt="server" /> </td> <td> <asp:CheckBox Text="Keep me signed in" ID="Persistent" RunAt="server" /> </td> </tr> </table> </form> <hr> <h3><asp:Label ID="Output" RunAt="server" /></h3> </body></html>
• <script language="C#" runat="server">• void OnLogIn (Object sender, EventArgs e)• {• if (CustomAuthenticate (UserName.Text, Password.Text))• FormsAuthentication.RedirectFromLoginPage (UserName.Text,• Persistent.Checked);• else• Output.Text = "Invalid login";• }
• bool CustomAuthenticate (string username, string password)• {• SqlConnection connection = new SqlConnection• ("server=localhost;database=weblogin;uid=sa;pwd=");
• try {• connection.Open ();
• StringBuilder builder = new StringBuilder ();• builder.Append ("select count (*) from users " +• "where username = \'");• builder.Append (username);• builder.Append ("\' and cast (rtrim (password) as " +• "varbinary) = cast (\'");• builder.Append (password);• builder.Append ("\' as varbinary)");
• SqlCommand command = new SqlCommand (builder.ToString (),• connection);
• int count = (int) command.ExecuteScalar ();• return (count > 0);• }• catch (SqlException) {• return false;• }• finally {• connection.Close ();• }• }• </script>
New Web.config in main directory
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx" />
</authentication>
</system.web>
</configuration>
Authentication Cookie Lifetime
• Timeout value is controlled by:– In Machine.config file:
• <forms … timeout=“30”>
– In local Web.config file:configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="LoginPage.aspx" timeout = “30”/>
</authentication>
</system.web>
</configuration>
Forms Authentication and Role-based Security
• Previous example, all authenticated users have access; what if we want to restrict access to a few? (Here, * means all; ? means unauthenticated users)– In Web.config of the secret page:
<authorization>
<allow users = “John, Alice” />
<deny users=“*” />
</authorization>
• Alternately, deny access to Jeff, Bob, and Mary explicitly.
<authorization><deny users = “?” /><deny users = “Jeff, Bob, Mary” /><allow users=“*” /></authorization>
• Order sensitive statement execution• Still not practical when a large number of users
are involved• Solution: Role based control
Using role-based authorization: Step 1
In Web.config file of the secret directory:
<configuration>
<system.web>
<authorization>
<allow roles="Manager" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Step 2: Mapping users to rolesvoid Application_AuthenticateRequest (Object sender, EventArgs e) { HttpApplication app = (HttpApplication) sender;
if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity) { FormsIdentity identity = (FormsIdentity) app.User.Identity;
// Find out what role (if any) the user belongs to string role = GetUserRole (identity.Name); //From DB
// Create a GenericPrincipal containing the role name // and assign it to the current request if (role != null) app.Context.User = new GenericPrincipal (identity, new string[] { role }); } }
Multiple roles?
if (role != null) app.Context.User = new GenericPrincipal
(identity, new string[] { role });The 2nd parameter is a string and hence could be:new string[] { “Manager”, “Developer”});
In Web.config we can say:<allow roles = “Manager, developer”/><deny users = “*”/>