ASP.NET Security
Security Issues:
Application-level security (users).
Deployment security (programmers).
Authentication modes
Forms (application-wide: a login page you write, plus an authentication cookie)
Windows (Windows accounts on the machine or domain, checked by IIS)
Passport (Internet-wide single sign-on run by Microsoft)
None
Web.config
<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
</configuration>
Note:
The authentication mode is an application-wide setting:
it can be set only in the application root's Web.config and can't be
overridden in subordinate Web.config files.
You can't use Windows authentication in one part of an
application and forms authentication in another.
Authorization
passport.com
December 1999: Microsoft forgot to pay the $35
annual registration fee to Network Solutions.
Michael Chaney paid it on Christmas Day
and the site was back up the next day.
Replaced by Windows Live ID. No more one-login-for-all.
Renamed Microsoft Account in 2012.
IIS Security
Forms Authentication
PublicPage.aspx has an event handler that sends the user into the protected folder:
void OnViewSecret (Object sender, EventArgs e)
{
    Response.Redirect ("Secret/ProtectedPage.aspx");
}
LoginPage.aspx: the page unauthenticated requests for Secret/ are redirected to.
Internal workings
Log on to winserv1.
Start->All Programs->MySQL->MySQL Query Browser.
Server Host: db1.cs.uakron.edu
Port: 3306
Username: yourLoginID
Password: your password for MySQL
Default Schema: your DB name
File->Open Script:
T:\Xiao\Windows Programming\Examples\C10\MySQLTable-Creation\Weblogin.sql
Execute!
Weblogin.sql creates the users table (username, password and role columns, declared NOT NULL) and seeds it:
INSERT INTO users (username, password, role) VALUES ('dev', 'dev', 'Developer');
INSERT INTO users (username, password, role) VALUES ('mgr', 'mgr', 'Manager');
AddUsers.sql
INSERT INTO users (username, password, role) VALUES ('wpd1', 'wp2009', 'Developer');
INSERT INTO users (username, password, role) VALUES ('wpd2', 'wp2009', 'Developer');
Note that these rows store passwords in clear text. That is acceptable for a classroom demo only; a real users table should hold a salted password hash.
Access:
http://winserv1.cs.uakron.edu/xiaotest/Forms2/PublicPage.aspx and
http://winserv1.cs.uakron.edu/Examples/C10/Forms2/PublicPage.aspx can be viewed by anyone.
http://winserv1.cs.uakron.edu/xiaotest/Forms2/Secret/ProtectedPage.aspx is available only to authenticated
users (dev/dev).
MySQL notes:
(1) count (*) works in SQL Server but not in MySQL: the space between COUNT and ( is a
syntax error there (unless the IGNORE_SPACE SQL mode is on), so write COUNT(*).
(2) PASSWORD is a keyword in MySQL (the PASSWORD() function; not a keyword in SQL Server). It is
not a reserved word, so the column name used in Weblogin.sql works, but quote it as `password` if a statement is rejected.
(3) ExecuteScalar returns an Int64 for a COUNT(*) query with MySQL (SQL Server returns Int32), so cast or Convert.ToInt64 accordingly.
FormsAuthentication.RedirectFromLoginPage (UserName.Text,
    Persistent.Checked);
Persistent authentication cookie: the user can come back without logging in
again, even after closing the browser. Anyone who obtains the cookie gets the same access
for as long as it lives, so offer it only where that risk is acceptable.
Programming cookies: override the lifetime of the cookie RedirectFromLoginPage just issued.
HttpCookie cookie =
    Response.Cookies[FormsAuthentication.FormsCookieName];
cookie.Expires = DateTime.Now
    + new TimeSpan (7, 0, 0, 0); // 7 days
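The login handler the slides allude to (the COUNT query against the users table, the Int64 result, RedirectFromLoginPage and the 7-day persistent cookie), written out as an added example. It is not the course's own LoginPage.aspx code. The MySql.Data (Connector/NET) provider, the connection string and the control names UserName, Password, Persistent and Status are assumptions. The string-concatenation form is included only for contrast, to show why the query is parameterized.

```csharp
// Added example: LoginPage.aspx code-behind (assumed names; not the course's code).
using System;
using System.Web;
using System.Web.Security;
using MySql.Data.MySqlClient;   // assumption: MySQL Connector/NET is referenced

public partial class LoginPage : System.Web.UI.Page
{
    // Assumed connection string; the slides use db1.cs.uakron.edu:3306 with your own login.
    const string ConnStr =
        "Server=db1.cs.uakron.edu;Port=3306;Database=yourDB;Uid=yourLoginID;Pwd=yourPassword;";

    // VULNERABLE form, shown only for contrast: the values are spliced into the SQL text,
    // so a user name of   x' OR '1'='1   makes the WHERE clause true for every row and
    // the count comes back non-zero without a valid password.
    static long CountMatchesUnsafe(MySqlConnection cn, string user, string pwd)
    {
        string sql = "SELECT COUNT(*) FROM users WHERE username='" + user +
                     "' AND password='" + pwd + "'";
        return Convert.ToInt64(new MySqlCommand(sql, cn).ExecuteScalar());
    }

    // Hardened form: the values travel as parameters and are never parsed as SQL.
    // COUNT(*) has no space before the parenthesis (slide note 1) and the result
    // is an Int64 with MySQL (slide note 3).
    static long CountMatches(MySqlConnection cn, string user, string pwd)
    {
        using (var cmd = new MySqlCommand(
            "SELECT COUNT(*) FROM users WHERE username=@u AND password=@p", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cmd.Parameters.AddWithValue("@p", pwd);
            return Convert.ToInt64(cmd.ExecuteScalar());
        }
    }

    protected void OnLogin(object sender, EventArgs e)
    {
        long matches;
        using (var cn = new MySqlConnection(ConnStr))
        {
            cn.Open();
            // The slides' table keeps passwords in clear text; with hashed passwords you would
            // fetch the stored hash for @u and verify it here instead of comparing in SQL.
            matches = CountMatches(cn, UserName.Text, Password.Text);
        }
        if (matches != 1)
        {
            Status.Text = "Invalid login";   // same text for unknown user and wrong password
            return;
        }

        if (!Persistent.Checked)
        {
            // Session cookie: issues the ticket and redirects to the page that sent the user here.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
            return;
        }

        // Persistent cookie with the slides' 7-day lifetime. Issue the cookie first, then
        // override its Expires before redirecting (the redirect is what sends the header).
        FormsAuthentication.SetAuthCookie(UserName.Text, true);
        HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
        cookie.Expires = DateTime.Now + new TimeSpan(7, 0, 0, 0);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, true));
    }
}
```

Note that cookie.Expires only controls how long the browser keeps the cookie. The encrypted ticket inside it still carries the expiration derived from the <forms> timeout attribute (renewed on activity only if slidingExpiration is on), so a 7-day cookie with a 30-minute timeout stops being accepted long before the 7 days are up.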
Role-Based Security
Without roles:
Deny all unauthenticated users:
<deny users="?" />
Deny all users (users="*") except John and Alice:
<allow users="John, Alice" />
<deny users="*" />
Allow all except Jeff, Bob, and Mary:
<deny users="Jeff, Bob, Mary" />
<allow users="*" />
<allow> and <deny> are order-sensitive: ASP.NET evaluates them top to bottom and
stops at the first rule that matches the caller. A rule with users="*" matches everyone,
so any rule placed after it is never reached.
With roles:
The users table has a field named role that stores each user's role
(group) membership.
Grant Developer access to Secret.
<allow roles="Developer" />
<deny users="*" />
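To make the ordering rule concrete, here is an added example (not ASP.NET's own code) that models how UrlAuthorizationModule walks a list of <allow>/<deny> elements: first match wins, "*" matches every caller, "?" matches only anonymous callers, and a request that matches no rule is allowed. Main runs the three rule sets from these slides, including the Developer rule for the Secret folder, in the right order and in the wrong order. The user names and roles passed in are constructed for the demo.

```csharp
// Added example: a model of UrlAuthorizationModule's first-match rule walk (not ASP.NET's code).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public sealed class Rule
{
    public bool Allow;
    public string[] Users = new string[0];   // users="..." (comma separated; "*" = everyone, "?" = anonymous)
    public string[] Roles = new string[0];   // roles="..."

    public static Rule Parse(string element)   // e.g. "<deny users=\"?\" />"
    {
        XElement x = XElement.Parse(element);
        return new Rule
        {
            Allow = x.Name.LocalName == "allow",
            Users = Split((string)x.Attribute("users")),
            Roles = Split((string)x.Attribute("roles")),
        };
    }

    static string[] Split(string list) =>
        list == null ? new string[0] : list.Split(',').Select(s => s.Trim()).ToArray();

    // user == null means an anonymous (unauthenticated) caller.
    public bool Matches(string user, IEnumerable<string> roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        foreach (string u in Users)
        {
            if (u == "*") return true;
            if (u == "?" && anonymous) return true;
            if (!anonymous && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return !anonymous && Roles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class UrlAuthz
{
    // Rules are evaluated in document order; the first one that matches decides.
    // With no matching rule the request is allowed, which is why a closing <deny users="*"/>
    // is needed whenever you mean to shut everyone else out.
    public static bool IsAllowed(IList<Rule> rules, string user, params string[] roles)
    {
        foreach (Rule rule in rules)
            if (rule.Matches(user, roles)) return rule.Allow;
        return true;
    }

    public static IList<Rule> Section(params string[] elements) =>
        elements.Select(Rule.Parse).ToList();

    public static void Main()
    {
        // "Deny all except John and Alice": the allow comes first, the * catch-all last.
        var right = Section("<allow users=\"John, Alice\" />", "<deny users=\"*\" />");
        // The same two rules reversed: users="*" matches everyone, so the allow is never reached.
        var wrong = Section("<deny users=\"*\" />", "<allow users=\"John, Alice\" />");
        // The Secret folder rule from the slides.
        var secret = Section("<allow roles=\"Developer\" />", "<deny users=\"*\" />");

        Console.WriteLine("Alice, right order: " + IsAllowed(right, "Alice"));
        Console.WriteLine("Bob, right order:   " + IsAllowed(right, "Bob"));
        Console.WriteLine("Alice, wrong order: " + IsAllowed(wrong, "Alice"));
        Console.WriteLine("dev (Developer):    " + IsAllowed(secret, "dev", "Developer"));
        Console.WriteLine("mgr (Manager):      " + IsAllowed(secret, "mgr", "Manager"));
        Console.WriteLine("anonymous:          " + IsAllowed(secret, null));
    }
}
```

With the rules in the right order Alice is admitted and Bob is refused; with the same two rules reversed Alice is refused as well, because the deny-everyone rule is reached first. For the Secret rule set only a caller carrying the Developer role passes.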
Map the roles to user accounts so that ASP.NET can determine
whether the requestor is a developer or not.
Place the mapping in the AuthenticateRequest event handler
(invoked at the beginning of every request).
Can be done in a custom HTTP module or in Global.asax.
http://winserv1.cs.uakron.edu/Examples/C10/Forms3/PublicPage.aspx
http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
dev/dev/Developer can view ProtectedPage.aspx.
mgr/mgr/Manager can't.
Properties in User.Identity
Property            Description
AuthenticationType  Name of the scheme that authenticated the caller (e.g. "Forms", "Basic", "NTLM")
IsAuthenticated     true if the caller has been authenticated, false for an anonymous request
Name                The authenticated user's name (empty for an anonymous request)
if (User.Identity.IsAuthenticated) {
    string name = User.Identity.Name;
}
Name is of the form domain-name\user-name for Windows authentication,
and the login the user typed for forms authentication.
Map roles only for callers that forms authentication has already verified:
if (app.Request.IsAuthenticated &&
    app.User.Identity is FormsIdentity) {
    // look up the user's role(s) and replace app.Context.User here
}
Multiple Roles
Coding:
app.Context.User = new GenericPrincipal (identity,
    new string[] { "Developer", "Manager" });
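The complete AuthenticateRequest handler for Global.asax, as an added example rather than the course's Forms3 code. It reads the role(s) for the ticket's user name from the users table with a parameterized query and installs a GenericPrincipal carrying them, which is what UrlAuthorizationModule consults for <allow roles="Developer"/>. The Connector/NET provider and the connection string are assumptions.

```csharp
// Added example: Global.asax code-behind that attaches roles to forms-authenticated callers.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using MySql.Data.MySqlClient;   // assumption: MySQL Connector/NET is referenced

public class Global : HttpApplication
{
    // Assumed connection string (same database as Weblogin.sql).
    const string ConnStr =
        "Server=db1.cs.uakron.edu;Port=3306;Database=yourDB;Uid=yourLoginID;Pwd=yourPassword;";

    // Every role row for the user. The slides' table has one role per user; a user with
    // several roles would simply have several rows (or a separate user_roles table).
    static string[] LookupRoles(string userName)
    {
        var roles = new List<string>();
        using (var cn = new MySqlConnection(ConnStr))
        using (var cmd = new MySqlCommand("SELECT role FROM users WHERE username=@u", cn))
        {
            cmd.Parameters.AddWithValue("@u", userName);   // parameterized: the name comes from the ticket
            cn.Open();
            using (MySqlDataReader rd = cmd.ExecuteReader())
                while (rd.Read()) roles.Add(rd.GetString(0));
        }
        return roles.ToArray();
    }

    // Runs at the start of every request, after FormsAuthenticationModule has decrypted and
    // validated the .ASPXAUTH ticket and set User to a FormsIdentity.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!app.Request.IsAuthenticated || !(app.User.Identity is FormsIdentity))
            return;   // anonymous or non-forms caller: leave the principal alone

        var identity = (FormsIdentity)app.User.Identity;
        string[] roles = LookupRoles(identity.Name);   // identity.Name is what RedirectFromLoginPage stored

        // Replace the principal; UrlAuthorizationModule and User.IsInRole consult this object
        // when they evaluate <allow roles="Developer"/> for the Secret folder.
        app.Context.User = new GenericPrincipal(identity, roles);
    }
}
```

The roles are derived only from the user name inside the validated ticket, never from anything the request supplies. The lookup costs one query per request; if that matters, cache the result briefly or store the roles in the ticket's UserData when the cookie is issued.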
Web.config
<allow roles="Manager, Developer" />
<deny users="*" />
Signing Out
<asp:Button Text="Log Out"
    OnClick="OnLogOut" RunAt="server" />
<script language="C#" runat="server">
void OnLogOut (Object sender, EventArgs e)
{
    FormsAuthentication.SignOut ();
}
</script>
FormsAuthentication.SignOut(): returns a Set-Cookie header that sets the cookie's value to an empty
string and its expiration date to a date in the past, so the browser discards it.
It does not invalidate the ticket on the server: a copy of the cookie taken before sign-out
stays usable until the ticket's timeout passes.
<forms> element attributes (Web.config)
Attribute   Default      Description
name        .ASPXAUTH    Name of the authentication cookie
loginUrl    login.aspx   Page that unauthenticated requests are redirected to
protection  All          How the cookie is protected (All, Encryption, Validation, None)
timeout     30           Minutes until the ticket expires
path        /            Path scope of the cookie
The protection attribute specifies the desired level of protection for the
authentication cookie. All instructs ASP.NET to both encrypt and validate (MAC)
authentication cookies; Validation alone leaves the ticket contents readable by the
client, and None leaves it forgeable.
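A complete Web.config for the Forms2 layout on the slides, as an added example (not the course's file): the root config turns on forms authentication with every <forms> attribute spelled out, and a <location> element applies the authorization rule only to the Secret folder so PublicPage.aspx stays open. The requireSSL and slidingExpiration settings are assumptions beyond what the slides show; a weak variant is left in a comment for contrast.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Weak variant, for contrast only: protection="None" sends the ticket in clear text,
         readable and forgeable by the browser.
         <forms name=".ASPXAUTH" loginUrl="LoginPage.aspx" protection="None" timeout="30" />
    -->
    <authentication mode="Forms">
      <!-- name: cookie name (default .ASPXAUTH)
           loginUrl: where unauthenticated callers are sent
           protection: All = encrypt and MAC the ticket (default)
           timeout: minutes the ticket stays valid
           path: cookie path (default /)
           slidingExpiration, requireSSL: assumed hardening, not on the slides -->
      <forms name=".ASPXAUTH"
             loginUrl="LoginPage.aspx"
             protection="All"
             timeout="30"
             path="/"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>
    <!-- No <authorization> here: PublicPage.aspx is open to everyone. -->
  </system.web>

  <!-- Rules for the Secret folder only. First matching rule wins, so the catch-all is last. -->
  <location path="Secret">
    <system.web>
      <authorization>
        <deny users="?" />     <!-- anonymous callers are redirected to loginUrl -->
        <allow users="*" />    <!-- any authenticated user (dev/dev) may read ProtectedPage.aspx -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the mode is application-wide, the <authentication> element may appear only in this root file; the <location> element is the supported way to vary authorization per folder without a second Web.config.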
Windows Authentication
Basic Authentication
An HTTP standard (documented in RFC 2617,
ftp://ftp.isi.edu/in-notes/rfc2617.txt; Basic has since been restated in RFC 7617).
How it works:
On the first access, the Web server returns a 401
status code indicating what type of authentication is
required:
HTTP/1.1 401 Access Denied
Server: Microsoft IIS-5.0 . . .
WWW-Authenticate: Basic realm="uakron.edu"
A realm is a logical security space that encompasses
all or part of a web site.
The browser pops up a dialog box (not part of your
ASP.NET-generated HTML) asking for a user name and
password, then resends the request with an Authorization header carrying
user:password in base64. That is encoding, not encryption, so Basic should only
be used over SSL.
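The Basic exchange described above, as an added example with both halves written as plain functions (this is not IIS's implementation, and the realm, user name and password are constructed for the demo): the server's challenge, the browser's Authorization header, and the server-side decoding that shows the password is recoverable by anyone who sees the header.

```csharp
// Added example: the Basic exchange as plain functions (not IIS's implementation).
using System;
using System.Text;

public static class BasicAuth
{
    // Server, first request: the 401 challenge that makes the browser show its login dialog.
    public static string Challenge(string realm) =>
        "HTTP/1.1 401 Unauthorized\r\n" +
        "WWW-Authenticate: Basic realm=\"" + realm + "\"\r\n\r\n";

    // Browser, every later request to the realm: "user:password" in base64.
    // Base64 is encoding, not encryption; without SSL the password is on the wire each time.
    public static string AuthorizationHeader(string user, string password) =>
        "Authorization: Basic " +
        Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));

    // Server: recover the pair to check it against the account store (Windows accounts for IIS).
    public static bool TryDecode(string headerValue, out string user, out string password)
    {
        user = password = null;
        const string scheme = "Basic ";
        if (headerValue == null ||
            !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try
        {
            byte[] raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim());
            decoded = Encoding.UTF8.GetString(raw);
        }
        catch (FormatException) { return false; }   // not valid base64: treat as no credentials
        int colon = decoded.IndexOf(':');            // user names may not contain ':'; passwords may
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed credentials for the demo.
        Console.Write(Challenge("uakron.edu"));
        string header = AuthorizationHeader("test2", "s3cret");
        Console.WriteLine(header);

        string u, p;
        string value = header.Substring("Authorization: ".Length);
        if (TryDecode(value, out u, out p))
            Console.WriteLine("server recovered " + u + " / " + p +
                              " (so would anyone watching the connection)");
    }
}
```

The browser caches the credentials and attaches the header to every subsequent request for the realm, so the exposure is not a one-time event; that is the reason Basic is paired with SSL or replaced by Digest or Integrated authentication.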
Digest Authentication
Documented in RFC 2617 (ftp://ftp.isi.edu/in-notes/rfc2617.txt; now RFC 7616).
Similar to basic authentication, but the client sends a hash of the password
combined with a server-supplied nonce instead of the password itself.
The
T:\Xiao\Windows Programming\Examples\C10\Basic
About CorpNet
It models a simple intranet-type application (e.g. an internal
application for a company).
It uses Windows (basic) authentication and ACL authorization
to restrict access to its pages.
Code:
General.aspx provides general information.
Salaries.aspx lists the salaries.
Bonuses.aspx lists the bonuses.
Anyone in the company can view General.aspx; only selected
individuals can view Salaries.aspx and Bonuses.aspx.
To
C:\inetpub\wwwroot\yourLoginID
Make the directory a web application.
Access the aspx pages (as an anonymous user):
http://localhost/yourLoginID/Basic/general.aspx
http://localhost/yourLoginID/Basic/salaries.aspx
(access accepted but no salary entry shown).
http://localhost/yourLoginID/Basic/bonuses.aspx
ACL Authorization
Security Inside
Note: ACL control is set manually, per user and per file.
User xiaotest: access denied for Basic/Bonuses.xml.
Impersonation
To execute a request using the access token
provided by IIS (the caller's token, or the anonymous account's for anonymous requests),
add the following in Web.config:
<identity impersonate="true" />
The identities assigned to the ASP.NET worker
process and to the requests it executes
play crucial roles in which ACL checks pass.
From IIS 6.0 on, the worker process is W3WP.exe, which
loads aspnet_isapi.dll.
Impersonation
Impersonation makes the web application run as the caller.
Any programmatic access to files or other securable objects is then subject
to an ACL check against the caller's identity.
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>
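An added example (not the course's CorpNet code) of what the ACL check looks like from inside Bonuses.aspx: the page reports the caller as seen by ASP.NET and the Windows account the file system actually sees, then reads Bonuses.xml. With impersonation the two names agree and the file's per-user ACL decides; without it the read runs as the worker-process account regardless of who the caller is. The Literal control named Result is an assumption.

```csharp
// Added example: Bonuses.aspx code-behind showing which account the file ACL is checked against.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class Bonuses : Page
{
    // True when the thread token is the caller's, i.e. <identity impersonate="true"/> is
    // in effect. Then WindowsIdentity.GetCurrent() names the caller; otherwise it names the
    // worker-process account (for example NETWORK SERVICE), whoever the caller is.
    public static bool IsImpersonatingCaller(string callerName, string threadAccount) =>
        !string.IsNullOrEmpty(callerName) &&
        string.Equals(callerName, threadAccount, StringComparison.OrdinalIgnoreCase);

    protected void Page_Load(object sender, EventArgs e)
    {
        string caller = User.Identity.IsAuthenticated ? User.Identity.Name : "(anonymous)";
        string threadAccount = WindowsIdentity.GetCurrent().Name;
        string report = "Caller: " + caller + "; file access runs as: " + threadAccount +
                        (IsImpersonatingCaller(caller, threadAccount)
                            ? " (impersonating)" : " (process account)");
        try
        {
            // The read itself is the ACL check. Bonuses.xml carries the per-user ACL set in
            // the file's properties, so a caller not granted Read gets UnauthorizedAccessException.
            string xml = File.ReadAllText(Server.MapPath("Bonuses.xml"));
            Result.Text = report + "<br/>" + Server.HtmlEncode(xml);   // assumed Literal control
        }
        catch (UnauthorizedAccessException)
        {
            Result.Text = report + "<br/>Access denied to Bonuses.xml for " + threadAccount;
        }
    }
}
```

This is also a quick way to diagnose the 500 error mentioned below: if the report names the process account while impersonation is configured, the setting has not taken effect for that application.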
Start a new browser and open
http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
500 - Internal error occurred.
The following does work on winserv1:
IIS Manager, double-click on the Basic application.
In the IIS pane, double-click on Authentication.
Enable ASP.NET Impersonation.
Role-based security restricts access based on the roles (groups) that users belong
to. For ACL authorization, control access by granting permissions to the selected
groups.
For URL authorization, use Web.config to restrict by group.
E.g. add the WP group and a test2 user in the group:
Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Groups
Action->New Group
Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Users
Action->New User
test2->Properties->Member Of->Add
Web.config
<authorization>
  <allow roles="ServerName\WP" />
  <deny users="*" />
</authorization>
Denies test (not in WP) but allows test2.
The <allow> must come first here and the users="*" rule last: ASP.NET stops at the
first matching rule.
Summary
Security
Authentication
Forms
Windows
Basic, Digest, Integrated, SSL Client Certificates
Passport
Authorization: ACL, URL
IIS/ASP.NET Server-Side Security Processing
Application Security Scenarios
Encryption and Validation
Database Based Authentication
Role Based Authorization
Anonymous Login
Impersonation
Realm