ASP.NET Security (MacDonald Ch. 18), MIS 424, Professor Sandvig


Overview

Today:
- Security concepts & terminology
- Authentication and authorization
- Role-based security
- ASP.NET approaches:
  1. Do it yourself
  2. Windows authentication
  3. Forms authentication
  4. .NET membership provider

Security Terminology

Authentication
- Process of identifying the user
- User provides credentials:
  - Username / password
  - ID card, key, fingerprint, eye scan...
- Authentication is done once, at login

Security Terminology

Authorization
- Permissions: which resources the user is allowed to access
- Type of access: read, write, modify, delete, change permissions...
- Performed with every request

Example - WWU Library

Authentication: Who are you?
- WWU student
- Lost Canadian

Authorization: What are you allowed to do?
- WWU student: check out books, laptops, ILL services...
- Lost Canadian: look at books, use restrooms, stay warm

Security Terminology

Principle of least privilege
- Every program and every user of the system should operate using the least set of privileges necessary to complete their job.
- Benefits:
  - Protects data
  - Protects the organization
  - Protects individuals

Role-based Security

- Permissions are assigned based upon the role or job function

Role-based Security

- Create roles:
  - Administrator
  - User
  - Student
  - Anonymous user
  - etc.
- Roles are assigned specific permissions (principle of least privilege)
- People are assigned to roles

Role-Based Security

- Benefit: simplifies management of permissions
- Example: roles in the WWU Banner system
  - Students
  - Faculty
  - Administrators
  - Many types, each with specific permissions
  - Enforced at both the application and DB level

ASP.NET Security

Approaches:
- Do-it-yourself
- Forms authentication
- Windows authentication
- ASP.NET Membership Provider

Do-it-yourself Authentication

- Each .aspx page checks for authorization
- Redirects unauthorized users to the login page
- Single line of code:

    if (Session["authenticated"] == null)
        Response.Redirect("Login.aspx");

Do-it-yourself Authentication

Advantages
- Simple
- Flexible: page by page
- Database access

Disadvantages
- Need to include the code in every .aspx page
- Pages need to be executable: excludes .html pages, images, etc.
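The following is an added example, not code from the slides or from MacDonald's book. It takes the one-line check above and moves it into a base Page class, so the check is written once and inherited by every protected page instead of being repeated in each .aspx file, and it shows the matching login page, which sets the session marker only after verifying the credentials against the application's own database. The table name Users, its Salt and PasswordHash columns, the AppDb connection string and the control names txtUserName, txtPassword and lblMessage (declared in Login.aspx) are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

// Base class for every page that requires a logged-in user.
public class ProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // The slides' one-line check, run before any of the page's own logic.
        if (Session["authenticated"] == null)
        {
            // Pass the requested page along so Login.aspx can send the user back.
            string returnUrl = HttpUtility.UrlEncode(Request.Url.PathAndQuery);
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
        }
    }

    // Accept only an application-relative path as the return target, so the
    // login page cannot be used to bounce a user to another site.
    public static string SafeReturnUrl(string candidate)
    {
        if (string.IsNullOrEmpty(candidate) || !candidate.StartsWith("/")
            || candidate.StartsWith("//") || candidate.StartsWith("/\\"))
            return "~/Default.aspx";
        return candidate;
    }
}

// A protected page now needs no check of its own:
//   public partial class Orders : ProtectedPage { ... }

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        if (!Credentials.Verify(userName, txtPassword.Text))
        {
            // Same message for unknown user and wrong password.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }
        Session["authenticated"] = userName;
        Response.Redirect(ProtectedPage.SafeReturnUrl(Request.QueryString["ReturnUrl"]), true);
    }
}

// Database check for the do-it-yourself approach (assumed schema: Users table
// with UserName, Salt and PasswordHash columns).
static class Credentials
{
    public static bool Verify(string userName, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Salt, PasswordHash FROM Users WHERE UserName = @u", con))
        {
            // Parameterised query: the user name never becomes part of the SQL text.
            cmd.Parameters.AddWithValue("@u", userName);
            con.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;
                byte[] salt = (byte[])r["Salt"];
                byte[] stored = (byte[])r["PasswordHash"];
                byte[] computed;
                // Recompute the PBKDF2 hash and compare; the clear-text password is never stored.
                using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
                    computed = kdf.GetBytes(stored.Length);
                return FixedTimeEquals(computed, stored);
            }
        }
    }

    // Compares every byte regardless of where the first difference is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The base class removes the first disadvantage listed on the slide (the check no longer has to be pasted into every page), but not the second: a static .html file or an image never runs this code, so those files remain readable by anyone who knows the URL.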

Windows Authentication

- Authenticates against Windows user accounts
- Username/password managed by Windows (Active Directory)

Windows Authentication

Authorization
- Specified in web.config
- First-match algorithm
- Set on each directory

Sample Page

Windows Authentication

Benefits:
- Secures every file type
- Uses existing Windows accounts
- Intranet, not the public web
- Fine-level control of permissions

Limitations
- Users need permissions on the server
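The slide says authorization for Windows authentication is set in web.config and decided by a first-match algorithm. The console program below is an added example (not ASP.NET's own implementation, and not from the slides) that models how ASP.NET URL authorization walks the allow/deny rules: rules are tested in order, the first one that matches the user or one of the user's roles decides, and if nothing matches the request is allowed because the machine-level configuration ends with allow users="*". The domain name CORP, the user names and the "reports" directory are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum Verdict { Allow, Deny }

// One <allow> or <deny> element from an <authorization> section.
public class AuthRule
{
    public Verdict Action;
    public string[] Users = new string[0];   // "*" = everyone, "?" = anonymous
    public string[] Roles = new string[0];

    public bool Matches(string user, string[] roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        foreach (string u in Users)
        {
            if (u == "*") return true;
            if (u == "?" && anonymous) return true;
            if (!anonymous && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return !anonymous && Roles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class UrlAuthorization
{
    // First matching rule wins; no match means allow (machine-level default).
    public static Verdict Check(IList<AuthRule> rules, string user, string[] roles)
    {
        foreach (AuthRule rule in rules)
            if (rule.Matches(user, roles)) return rule.Action;
        return Verdict.Allow;
    }

    public static void Main()
    {
        // Equivalent web.config placed in the intranet "reports" directory:
        //   <authorization>
        //     <allow roles="CORP\Managers" />
        //     <deny users="?" />
        //     <deny users="CORP\temp.user" />
        //     <allow users="*" />
        //   </authorization>
        var reports = new List<AuthRule>
        {
            new AuthRule { Action = Verdict.Allow, Roles = new[] { @"CORP\Managers" } },
            new AuthRule { Action = Verdict.Deny,  Users = new[] { "?" } },
            new AuthRule { Action = Verdict.Deny,  Users = new[] { @"CORP\temp.user" } },
            new AuthRule { Action = Verdict.Allow, Users = new[] { "*" } },
        };
        string[] managers = { @"CORP\Managers" };

        Console.WriteLine("alice (manager):     " + Check(reports, @"CORP\alice", managers));
        Console.WriteLine("anonymous:           " + Check(reports, null, new string[0]));
        // temp.user is a manager, so the role allow on line 1 matches before the
        // deny aimed at that account is ever reached.
        Console.WriteLine("temp.user (manager): " + Check(reports, @"CORP\temp.user", managers));

        // Same four rules, explicit deny moved to the top: the first match is
        // now the deny, so the order of the rules decides the outcome.
        var stricter = new List<AuthRule> { reports[2], reports[0], reports[1], reports[3] };
        Console.WriteLine("temp.user (stricter):" + Check(stricter, @"CORP\temp.user", managers));
    }
}
```

Two practical consequences follow from the first-match rule. Put the most specific deny entries before any broad allow, and end every list with an explicit deny users="*" if the directory is meant to be closed, because the implicit fallback is allow. When a subdirectory has its own web.config, its rules are evaluated before the parent's, so a permissive rule in a child folder overrides a deny higher up the tree.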

Forms Authentication

- Create a login page
- Authenticate against any data source: database, LDAP, web service, CAS...
- Login page is an .aspx file; it can access a database or other data sources
- Authentication ticket issued as an encrypted cookie
- Redirects back to the requested page

Forms Authentication

How to configure
- Web.config file in the root directory of the application: authentication mode="Forms"
- Create the login page

Example: Sample
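As an added example standing in for the slide's "Sample" page (it is not the slides' or the book's code), here is a Forms authentication login page that verifies credentials against an LDAP directory, one of the data sources the slide lists, and then lets ASP.NET issue the encrypted ticket cookie and redirect back to the requested page. The web.config fragment in the comment is the root-directory configuration the slide refers to. The domain corp.example, the control names txtUserName, txtPassword and lblMessage (declared in Login.aspx) and the Logout page are assumptions.

```csharp
// Web.config in the application root:
//   <system.web>
//     <authentication mode="Forms">
//       <!-- requests without a valid ticket are redirected to loginUrl -->
//       <forms loginUrl="Login.aspx" timeout="30" requireSSL="true" slidingExpiration="false" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- "?" = anonymous users; everyone else is allowed -->
//     </authorization>
//   </system.web>
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();

        // Any data source works here; this one asks the domain controller over LDAP.
        bool valid;
        using (var ctx = new PrincipalContext(ContextType.Domain, "corp.example"))
            valid = ctx.ValidateCredentials(userName, txtPassword.Text);

        if (!valid)
        {
            // One message for both unknown user and wrong password, so the
            // login form does not reveal which accounts exist.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // Builds the authentication ticket, encrypts and signs it, writes it as
        // the cookie named in <forms>, and redirects to the page in ReturnUrl
        // (or to defaultUrl when there is none). With the default
        // enableCrossAppRedirects="false" a ReturnUrl outside this application
        // is ignored, so the login page cannot be turned into an open redirect.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
    }
}

public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the ticket cookie
        Session.Abandon();               // and any session state tied to it
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The second argument of RedirectFromLoginPage is createPersistentCookie; false keeps the ticket as a session cookie that expires with the browser or after the configured timeout. requireSSL="true" marks the cookie Secure so the ticket is only ever sent over HTTPS, which matters because anyone holding the cookie is the user as far as ASP.NET is concerned.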

ASP.NET Membership

- Drag & drop controls
- Implements Forms authentication
- No code required
- Automatically creates a SQL Server database
- Can define users & roles
- Quite sophisticated

ASP.NET Membership Provider

- No code: "magical"
- Many configuration options:
  - Password recovery
  - Change-password control
  - Sends email
  - Create groups (programmatically)
  - Assign users to groups
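The slide notes that groups (roles) can be created and populated programmatically even though the controls themselves need no code. The following added example, which is not from the slides or the book, uses the Membership and Roles APIs that the drag-and-drop controls wrap to create the roles listed earlier in the deck, create a user in one of them, and enforce the role both in web.config and on the page. It assumes roleManager is enabled in web.config and that the provider database has been created (the slides say this happens automatically); the Admin folder, the user, email and role names are constructed sample values.

```csharp
// web.config additions assumed by this example:
//   <system.web>
//     <roleManager enabled="true" />
//   </system.web>
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Administrator" />
//         <deny users="*" />        <!-- first match wins, so this closes the folder -->
//       </authorization>
//     </system.web>
//   </location>
using System;
using System.Web.Security;

public static class RoleSetup
{
    // Creates the roles from the role-based security slide, skipping any that exist.
    public static void EnsureRoles()
    {
        foreach (string role in new[] { "Administrator", "Student", "User" })
        {
            if (!Roles.RoleExists(role))
                Roles.CreateRole(role);
        }
    }

    // Creates a membership user and assigns the role. The provider enforces
    // the password rules configured in web.config (minimum length, required
    // non-alphanumeric characters), so creation can fail; the status says why.
    // Passing null for question and answer assumes requiresQuestionAndAnswer="false".
    public static MembershipCreateStatus CreateUserInRole(string userName, string password, string email, string role)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        if (status == MembershipCreateStatus.Success && !Roles.IsUserInRole(userName, role))
            Roles.AddUserToRole(userName, role);
        return status;
    }
}

// Page-level check inside the Admin folder. The <location> rule already
// blocks the URL for non-administrators; checking again on the page also
// covers data the page exposes through postbacks or callbacks.
public partial class AdminHome : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.IsInRole("Administrator"))
            Response.Redirect("~/AccessDenied.aspx", true);
    }
}

// Example use during application start-up (sample values, not real accounts):
//   RoleSetup.EnsureRoles();
//   var status = RoleSetup.CreateUserInRole("jsmith", "<assigned-password>", "jsmith@example.edu", "Student");
//   if (status != MembershipCreateStatus.Success) { /* log status.ToString() */ }
```

Roles.IsUserInRole and User.IsInRole read from the same provider, so the permissions a role carries live in one place, which is the "simplifies management of permissions" benefit from the role-based security slides.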

Summary

Application security options:
- Do-it-yourself
- Windows authentication
- Forms authentication
- ASP.NET Membership provider

Security is a complex topic; other aspects will be discussed later.