8/10/2019 Synapseindia Dot Net Development-Security
Chapter 10
ASP.NET Security
Introduction to Web Security
Categories
Issues
Components
Building a Secure Web Site

Three categories of Web security:
- Content freely available to everyone (public).
- Sites that serve the general population but require a login (application-level security, protected).
- Intranet sites for a controlled population of users, such as a company's employees (private).

Security issues:
- Application-level security (users).
- Deployment security (programmers).

Web security components:
- Authentication identifies the originator of requests (who).
- Authorization defines who can access which pages (what).
Authentication

ASP.NET supports three types of authentication, plus none:
- Forms (Page-wide)
- Windows (Machine-wide)
- Passport (Internet-wide)
- None

The mode is set in Web.config.

Note: the authentication mode is an application-wide setting that can be set only in the application root and cannot be overridden in subordinate Web.config files. You cannot use Windows authentication in one part of an application and forms authentication in another.
Setting the authentication mode in the root Web.config
Authorization

ASP.NET supports two forms of authorization:
- ACL (access control list) authorization, also known as file authorization: based on file-system permissions, typically used with Windows authentication.
- URL authorization: relies on configuration directives in Web.config files, most often used with forms authentication.
Three Typical Security Scenarios for Web Applications
- Pages can be freely browsed by anyone: no application-level security.
- Intranet application: use Windows authentication and ACL authorization.
- Internet application with secure page access: use forms authentication and URL authorization.
Where is the Passport?

passport.com
- December 1999: Microsoft forgot to pay the $35 annual registration fee to Network Solutions.
- Michael Chaney paid it on Christmas day and the site was back up the next day.
- Replaced by Windows Live ID; no more one-login-for-all. Changed to Microsoft Account in 2012.
The Internal Working of IIS and ASP.NET Security
IIS Security

IIS (Internet Information Services) Server:
- a Web server that runs in the process Inetinfo.exe as SYSTEM;
- accepts connections and responds to HTTP requests.

Web applications are deployed in application directories. Remote clients cannot arbitrarily grab files outside application directories.
IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
IIS supports IP address and domain name restrictions.
IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols.
IIS Security

Anonymous access (access by unauthenticated users):
- Requests from anonymous users are tagged with IUSR_machinename's access token.
- IUSR_machinename is an Internet guest account created when IIS is installed, where machinename is usually the Web server's machine name.
The relationship between IIS and ASP.NET.
ASP.NET Security

Server-side processing:
(1) The client requests an .ASPX file.
(2) Inetinfo.exe (IIS) generates an access token; Aspnet_isapi.dll sends the request and the token through a named pipe or local procedure calls (LPCs).
(3) Aspnet_wp.exe (ASP.NET) makes ACL checks on the requested resource and passes the access token to the targeted application.
(4) The targeted application uses an HTTP pipeline: HTTP modules, then HTTP handlers (mapped in Machine.config).
Two types of access tokens:
- Authenticated user: the authenticated security principal.
- Unauthenticated user: IUSR_machinename for anonymous login.

Start->Settings->Control Panel->Administrative Tools->Computer Management->Local Users and Groups->Users
Start->Settings->Control Panel->Administrative Tools->Computer Management->Event Viewer->Security
The ASPNET Account
- Created when ASP.NET is installed.
- A member of the Users group (hidden now).
- Aspnet_wp.exe runs as ASPNET by default.
- Requests executed by ASP.NET use Aspnet_wp.exe's identity.
- ASP.NET can impersonate to use the request's access token.
- To make Aspnet_wp.exe run as SYSTEM, change the processModel element in Machine.config to
Programming Forms Authentication
Forms Authentication

Forms authentication allows applications to set up web authentication independently of the operating system's authentication. It works well with URL authorization, which relies on configuration directives in Web.config files.
Forms/URL security is useful for protecting an e-commerce site (an external Internet application serving a company's customers).
Forms Authentication: Static Structure
- Security settings in an ASP.NET-based web application are configured in the Web.config files.
- The Web.config file in the root directory (which must be an application directory) specifies the authentication mode and the application-specific login page.
- The Web.config file in a subdirectory sets the authorization specifics for that directory.
- User credentials can be stored in a database (preferred) or in the root Web.config file.
Forms Authentication: Dynamic Behavior
- The first time a user accesses a protected resource, ASP.NET redirects the user to the login page.
- If the login is successful, ASP.NET issues the user an authentication ticket in the form of a cookie (cookies need to be enabled by the client) and redirects the user to the page originally requested.
- The ticket allows that user to revisit protected portions without having to log in again.
- The ticket's lifetime can be controlled to determine how long the login is good for.
A First Look at Forms Authentication

Forms1 Web Application
T:\Xiao\Windows Programming\Examples\C10\Forms1

At the application root:
- PublicPage.aspx can be viewed by anyone
- Web.config
- LoginPage.aspx

In the Secret subdirectory:
- ProtectedPage.aspx is available only to authenticated users (wp/wp)
- Web.config
Deploy Forms1 on Winserv1
- Create a web application (Forms1) at C:\inetpub\wwwroot\xiaotest\Forms1. You need to have admin privilege.
- On winserv1, use an existing web application directory already created for you.
- Copy everything from T:\Xiao\Windows Programming\Examples\C10\Forms1 to the above directory (C:\inetpub\wwwroot\xiaotest\Forms1).
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone (also http://winserv1.cs.uakron.edu/Examples/C10/Forms1/PublicPage.aspx).
Deploy Forms1 on Winserv1
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx is available only to authenticated users (wp/wp).
- Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
- Valid users are stored in Web.config.
- The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed. You are not prompted for the password again during a session.
Programming Forms Security
Authentication in the root Web.config
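As an added illustration that is not the slides' own file, this is what the two Web.config files of Forms1 look like when written out: the root file sets the application-wide Forms mode, names LoginPage.aspx as the login page and lists the wp/wp user the slides mention; Secret/Web.config denies anonymous users (the "?" wildcard). The element and attribute names are the ones ASP.NET defines; the 30-minute timeout is the ASP.NET default.

```xml
<!-- Root Web.config (Forms1): application-wide authentication mode and login page -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="LoginPage.aspx" timeout="30">
        <!-- User list from the slides (wp/wp). passwordFormat="Clear" stores the
             password as typed; "SHA1" or "MD5" stores a hash of it instead. -->
        <credentials passwordFormat="Clear">
          <user name="wp" password="wp" />
        </credentials>
      </forms>
    </authentication>
    <!-- PublicPage.aspx and LoginPage.aspx stay open to everyone -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Secret/Web.config: deny anonymous users ("?") so that ProtectedPage.aspx
     triggers the redirect to LoginPage.aspx until the caller has a ticket -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

FormsAuthentication.Authenticate in LoginPage.aspx checks the typed name and password against the credentials element above; keeping the list in Web.config is fine for a classroom example, but the slides themselves prefer a database store.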
Programming Forms Security: PublicPage.aspx

void OnViewSecret (Object sender, EventArgs e)
{
    Response.Redirect ("Secret/ProtectedPage.aspx");
}

LoginPage.aspx:

void OnLogIn (Object sender, EventArgs e)
{
    if (FormsAuthentication.Authenticate (UserName.Text, Password.Text))
        FormsAuthentication.RedirectFromLoginPage (UserName.Text, false); // true for persistent cookie
    else
        Output.Text = "Invalid login";
}

System.Web.Security.FormsAuthentication.Authenticate returns true if the user name and password are in the credentials section of Web.config.
Internal Works
- ASP.NET creates an authentication cookie, attaches it to the outgoing response, and redirects the user to the page that he or she originally requested. The lifetime of a persistent cookie is independent of the browser session.
- Authorization is applied on a directory-by-directory basis. Web.config files in each directory specify exactly how the files are to be protected.
- ASP.NET checks to see whether a valid authentication cookie is attached to the request. If the cookie exists, ASP.NET extracts the identity information. If the cookie does not exist, ASP.NET redirects the request to the login page.
Real-World Forms Authentication
Forms2 and Forms3
Real-World Forms Authentication (Forms2)
- Storing user names and passwords in a database (MySQL).
- Creating the database, creating the users table and adding users.
- Log on to winserv1.
- Start->All Programs->MySQL->MySQL Query Browser. Server Host: db1.cs.uakron.edu, Port: 3306, Username: yourLoginID, Password: yourPassword for MySQL, Default Schema: your DB name.
- File->Open Script: T:\Xiao\Windows Programming\Examples\C10\MySQL-Table-Creation\Weblogin.sql
- Execute!
Real-World Forms Authentication: Weblogin.sql

CREATE TABLE users (
    username varchar(32) NOT NULL,
    pwd      varchar(32) NOT NULL,   -- named pwd: the slides note that "password" cannot be used as a column name in MySQL
    role     varchar(32)
);
INSERT INTO users (username, pwd, role) VALUES ('dev', 'dev', 'Developer');
INSERT INTO users (username, pwd, role) VALUES ('mgr', 'mgr', 'Manager');

AddUsers.sql

INSERT INTO users (username, pwd, role) VALUES ('wpd1', 'wp2009', 'Developer');
INSERT INTO users (username, pwd, role) VALUES ('wpd2', 'wp2009', 'Developer');
Deploy Forms2 on Winserv1
- Create a web application directory: C:\inetpub\wwwroot\xiaotest\Forms2. You need to have admin privilege.
- On winserv1, use an existing web application directory already created for you.
- Copy everything from T:\Xiao\Windows Programming\Examples\C10\Forms2 to the above directory (C:\inetpub\wwwroot\xiaotest\Forms2).
Deploy Forms2 on Winserv1
- http://winserv1.cs.uakron.edu/xiaotest/Forms2/PublicPage.aspx and http://winserv1.cs.uakron.edu/Examples/C10/Forms2/PublicPage.aspx can be viewed by anyone.
- http://winserv1.cs.uakron.edu/xiaotest/Forms2/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).
Deploy Forms2 on Winserv1
- Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
- Valid users are stored in the database.
- The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed.
- You are not prompted for the password again during a session.
Real-World Forms Authentication: LoginPage.aspx

Credential matching:

SQL: select count(*) from users where username = 'dev' and pwd = 'dev';

It returns 0 if no matching credentials are found.

MySQL notes:
(1) count (*) works for SQL Server but not MySQL, due to the extra space after count.
(2) password is a keyword in MySQL (not SQL Server), therefore it cannot be used as a database column name.
(3) ExecuteScalar returns Int64 for a count query.

FormsAuthentication.RedirectFromLoginPage (UserName.Text, Persistent.Checked);

Persistent authentication cookie: the user can get back without logging in again, even after shutting down the browser.
Authentication Cookie Lifetime

Session authentication cookie: the default lifetime comes from Machine.config (30 minutes) and can be overridden in Web.config (e.g. 7 days).

Programming cookies:

HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); // 7 days

Removing cookies as a user:
- IE->Tools->Internet Options->General->Delete Cookies.
- Netscape->Tools->Cookie Manager->Manage stored cookies->Remove all.
- Firefox->Tools->Clear Recent History: check Cookies.
Forms Authentication: Role-Based Security
Forms Authentication and Role-Based Security (Forms3)

Use role membership to allow only some authenticated users to view Secret/ProtectedPage.aspx.

Without roles:
- Deny all unauthenticated users.
- Deny all users (users=*) except John and Alice.
- Allow all except Jeff, Bob, and Mary.

The allow and deny directives are order-sensitive: ASP.NET stops at the first directive that matches the caller (for example deny users=*) and ignores any statements that appear after it.
Forms Authentication and Role-Based Security (Forms3)

With roles:
- The users table has a field named role that stores each user's role (group) membership.
- Grant Developer access to Secret.
- Map the roles to user accounts so that ASP.NET can determine whether the requestor is a developer or not.
- Place the mapping in the AuthenticateRequest event handler (invoked at the beginning of every request).
- This can be done in a custom HTTP module or in Global.asax.

http://winserv1.cs.uakron.edu/Examples/C10/Forms3/PublicPage.aspx
http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
- dev/dev/Developer can view ProtectedPage.aspx.
- mgr/mgr/Manager cannot.
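The authorization rules from the two Forms3 slides, written out as an added example (not the slides' own Web.config). The first three sections are the "without roles" cases; the last one is the role-based rule for Secret, placed in the root Web.config with a location element rather than in a separate Secret/Web.config. The user and role names are the ones on the slides; the element names are ASP.NET's.

```xml
<!-- Each <authorization> section is evaluated top to bottom and evaluation
     stops at the first <allow> or <deny> that matches the caller. -->

<!-- 1. Deny all unauthenticated users ("?" = anonymous) -->
<authorization>
  <deny users="?" />
</authorization>

<!-- 2. Deny everyone except John and Alice: the <allow> must come first,
        because ASP.NET stops at <deny users="*"/> and never reads past it -->
<authorization>
  <allow users="John,Alice" />
  <deny users="*" />
</authorization>

<!-- 3. Allow everyone except Jeff, Bob and Mary: the named <deny> comes first -->
<authorization>
  <deny users="Jeff,Bob,Mary" />
  <allow users="*" />
</authorization>

<!-- With roles (Forms3): only callers whose principal carries the Developer
     role may enter Secret. The role is attached to the request by the
     AuthenticateRequest handler; dev (Developer) passes, mgr (Manager) does not. -->
<configuration>
  <location path="Secret">
    <system.web>
      <authorization>
        <allow roles="Developer" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A rule set that ends without any matching directive falls through to the parent configuration, which in the default Machine.config allows everyone, so a restrictive section should always finish with an explicit deny users="*".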
Programming Role-based Authentication

Getting information about authenticated users in your code:
- ASP.NET stores user information in the HttpContext.User property.
- Access User through Page.Context.User, or simply Page.User, or HttpApplication.User.
- The User property is of the type IPrincipal (an interface defined in System.Security.Principal).
- It is implemented by the WindowsPrincipal class for Windows authentication and by the GenericPrincipal class for other forms of authentication (and usable with Windows authentication as well).
- GenericPrincipal is a device for representing user identities independent of the authentication protocol being used. ASP.NET compares the role names in the GenericPrincipal to the roles granted access through Web.config.
- User.Identity contains some useful properties:
Properties in User.Identity

Property            Description
AuthenticationType  Reveals which form of authentication was used
IsAuthenticated     Reveals whether the user is authenticated
Name                Reveals an authenticated user's name

if (User.Identity.IsAuthenticated) {
    string name = User.Identity.Name;
}

Name is of the form domain-name\user-name for Windows authentication, and the user-typed login for forms authentication.
Programming Authentication - Roles

Retrieve a user's role and create a Principal for the user:

void Application_AuthenticateRequest (Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;
    if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity) {
        FormsIdentity identity = (FormsIdentity) app.User.Identity;
        // Find out what role (if any) the user belongs to
        string role = GetUserRole (identity.Name);
        // Create a GenericPrincipal containing the role name
        // and assign it to the current request
        if (role != null)
            app.Context.User = new GenericPrincipal (identity, new string[] { role });
    }
}
Programming Authentication - Roles

string GetUserRole (string name)
{
    MySqlConnection connection = new MySqlConnection (
        "server=db1.cs.uakron.edu;database=xiaotest;uid=xiaotest;pwd=wp2009;allow zero datetime=yes");
    try {
        connection.Open ();
        // Builds the query text by concatenating the user name into the SQL string
        StringBuilder builder = new StringBuilder ();
        builder.Append ("select role from users where username = \'");
        builder.Append (name);
        builder.Append ("\'");
        MySqlCommand command = new MySqlCommand (builder.ToString (), connection);
        object role = command.ExecuteScalar ();
        if (role is DBNull) return null;
        return (string) role;
    }
    catch (MySqlException) { return null; }
    finally { connection.Close (); }
}
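Both database queries on the preceding slides (the count(*) credential match in LoginPage.aspx and the role lookup in GetUserRole) splice the name typed by the user straight into the SQL text. The following is an added example, not the slides' code, of the same two queries written with MySqlCommand parameters so that the typed values travel as data rather than as part of the statement. It assumes the MySql.Data connector used on the slides and the users table with columns username, pwd and role; the connection string is a placeholder.

```csharp
// Added example (not from the slides): parameterized credential check and role lookup.
using System;
using MySql.Data.MySqlClient;

public static class UserStore
{
    // Placeholder connection string: fill in server/database/uid/pwd for your deployment.
    // Real credentials belong in a protected configuration file, not in source.
    const string ConnectionString =
        "server=DB_HOST;database=DB_NAME;uid=DB_USER;pwd=DB_PASSWORD;allow zero datetime=yes";

    // Returns true when exactly one row matches the supplied user name and password.
    // ExecuteScalar returns an Int64 for COUNT(*) on MySQL (slide note 3), hence Convert.ToInt64.
    public static bool ValidateUser(string userName, string password)
    {
        using (MySqlConnection connection = new MySqlConnection(ConnectionString))
        using (MySqlCommand command = new MySqlCommand(
            "select count(*) from users where username = @user and pwd = @pwd", connection))
        {
            // The values are bound as parameters; quotes or SQL keywords inside
            // them are sent as literal characters, never parsed as SQL.
            command.Parameters.AddWithValue("@user", userName);
            command.Parameters.AddWithValue("@pwd", password);
            connection.Open();
            long matches = Convert.ToInt64(command.ExecuteScalar());
            return matches == 1;
        }
    }

    // Returns the role stored for the user, or null when the user does not
    // exist (ExecuteScalar returns null) or the role column is NULL (DBNull).
    public static string GetUserRole(string userName)
    {
        using (MySqlConnection connection = new MySqlConnection(ConnectionString))
        using (MySqlCommand command = new MySqlCommand(
            "select role from users where username = @user", connection))
        {
            command.Parameters.AddWithValue("@user", userName);
            connection.Open();
            object role = command.ExecuteScalar();
            if (role == null || role is DBNull)
                return null;
            return (string)role;
        }
    }
}
```

The using blocks close the connection on every path, which replaces the try/finally of the original; unlike the original, a MySqlException is left to propagate so that a database outage is logged rather than silently treated as "no role". The slides store passwords as clear text in the pwd column; the parameterized query works unchanged if that column holds a hash instead.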
More on Forms Authentication

Multiple roles, in code:

app.Context.User = new GenericPrincipal (identity, new string[] { "Developer", "Manager" });

Web.config: configure subdirectories in the root Web.config.
More on Forms Authentication

Signing out:

void OnLogOut (Object sender, EventArgs e)
{
    FormsAuthentication.SignOut ();
}

FormsAuthentication.SignOut () returns a Set-Cookie header that sets the cookie's value to a null string and sets the cookie's expiration date to a date in the past.
More on Forms Authentication

Attributes of the forms element in Web.config:

Attribute    Description                                                   Default
name         Name assigned to authentication cookies                       .ASPXAUTH
loginUrl     URL of the login page                                         login.aspx
protection   Level of protection (validation and encryption) applied to    All
             authentication cookies
timeout      Lifetime of session authentication tickets in minutes         30
path         Scope of authentication cookies                               /

The protection attribute specifies the desired level of protection for the authentication cookies. All instructs ASP.NET to both encrypt and validate authentication cookies.
Encrypt and Validate Authentication Cookies

Validation works by appending the machineKey element's validationKey to the cookie; the resulting value is hashed, and the hash is appended to the cookie. When the cookie is returned in a request, ASP.NET verifies that it was not tampered with by rehashing the cookie and comparing the new hash to the one accompanying the cookie.
Encryption works by encrypting the cookie, hash value and all, with the machineKey's decryptionKey attribute.
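A simplified model of the validation step just described, added here as an example (it is not the slides' code and not ASP.NET's internal ticket format). The ticket text is signed with a keyed hash derived from a secret validation key, and the server recomputes the hash when the cookie comes back, rejecting any cookie whose payload or hash has changed. The key bytes and ticket text are constructed sample values; a real validationKey is the long random value held in machineKey. Assumes .NET Core 2.1 / .NET 5 or later for CryptographicOperations.FixedTimeEquals.

```csharp
// Added example (not from the slides): keyed-hash validation of a cookie value.
using System;
using System.Security.Cryptography;
using System.Text;

public static class TicketValidation
{
    // Constructed sample key; in ASP.NET this is the machineKey validationKey.
    static readonly byte[] ValidationKey =
        Encoding.ASCII.GetBytes("sample-validation-key-do-not-use");

    // Produce the cookie value "payload|hexmac". HMAC is the keyed-hash form of
    // "append the key and hash" that the slide describes.
    public static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            return payload + "|" + BitConverter.ToString(mac).Replace("-", "");
        }
    }

    // Split the cookie at the last '|', recompute the MAC over the payload and
    // compare in constant time. Returns the payload if intact, null if tampered.
    public static string Verify(string cookieValue)
    {
        int split = cookieValue.LastIndexOf('|');
        if (split < 0) return null;
        string payload = cookieValue.Substring(0, split);
        string presentedHex = cookieValue.Substring(split + 1);

        byte[] presented;
        try { presented = HexToBytes(presentedHex); }
        catch (FormatException) { return null; }

        using (var hmac = new HMACSHA256(ValidationKey))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
            // Fixed-time comparison so the check does not leak how many bytes matched
            return CryptographicOperations.FixedTimeEquals(expected, presented) ? payload : null;
        }
    }

    static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException();
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }

    public static void Main()
    {
        // Constructed sample ticket: user name, role, expiry
        string cookie = Sign("wp|Developer|expires=2019-08-10T12:00");
        Console.WriteLine(Verify(cookie) != null);   // True: intact

        // Changing the role without the key invalidates the hash
        string forged = cookie.Replace("Developer", "Manager");
        Console.WriteLine(Verify(forged) != null);   // False: tampered
    }
}
```

Validation alone leaves the payload readable by anyone who can see the cookie, which is the point the next slide makes; encryption adds confidentiality on top. The same validation key must be configured on every server that issues or checks the cookie, which is why machineKey must be set explicitly on a web farm.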
Encrypt and Validate Authentication Cookies

Validation consumes less CPU time than encryption and prevents tampering. It does not prevent someone from intercepting an authentication cookie and reading its contents.
To validate but not encrypt authentication cookies:

Encryption provides insurance against tampering and prevents the cookie's contents from being read.
To encrypt but not validate cookies:
Encrypt and Validate Authentication Cookies

To disable both:

Encrypted cookies cannot be read or altered, but they can be stolen and used illicitly. Time-outs are the only protection.
The most reliable way to prevent someone from spoofing your site with a stolen authentication cookie is to use an encrypted communications link (HTTPS).
This assumes the server supports HTTPS and Login.aspx is stored in a directory configured to use HTTPS.
Caveat emptor: ASP.NET does not protect HTML pages, because IIS serves .html files itself without passing the request to ASP.NET. Rename .html to .aspx to protect a page.
http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx
http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.html
http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.aspx
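An added example (not from the slides) filling in the forms element for each of the settings discussed on the last three slides. The four protection values are the ones ASP.NET defines; requireSSL is an attribute of the forms element from ASP.NET 1.1 on, and the 10080-minute timeout is the 7-day lifetime from the cookie-lifetime slide. Each authentication element below is a separate alternative for the root Web.config; a given file holds only one.

```xml
<!-- Default: encrypt and validate (protection="All"), 30-minute session ticket -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="LoginPage.aspx" protection="All" timeout="30" path="/" />
</authentication>

<!-- Validate but do not encrypt: tampering is detected, contents remain readable -->
<authentication mode="Forms">
  <forms loginUrl="LoginPage.aspx" protection="Validation" />
</authentication>

<!-- Encrypt but do not validate -->
<authentication mode="Forms">
  <forms loginUrl="LoginPage.aspx" protection="Encryption" />
</authentication>

<!-- Disable both: the ticket travels as plain text and only the time-out limits its use -->
<authentication mode="Forms">
  <forms loginUrl="LoginPage.aspx" protection="None" />
</authentication>

<!-- Against a stolen ticket: a long (7-day) lifetime widens the window in which a
     copied cookie works, so pair it with requireSSL="true", which marks the cookie
     Secure so the browser sends it only over HTTPS, the remedy the slide recommends -->
<authentication mode="Forms">
  <forms loginUrl="LoginPage.aspx" protection="All" timeout="10080" requireSSL="true" />
</authentication>
```

With requireSSL="true", ASP.NET also refuses to issue the ticket on a request that did not arrive over HTTPS, so LoginPage.aspx itself must be reachable over HTTPS, as the slide assumes.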
Windows Authentication
Windows Authentication
- It maps incoming requests to accounts on the Web server or in the Web server's domain.
- Serves content to a well-defined populace (intranet).
- Requires no programming. Authentication is done by the system.
Windows Authentication
- Do not use it to generically expose content to all comers over the Internet.
- Windows authentication on the front end is typically paired with ACL authorization (administrator controlled) on the back end.
- It can also be used with URL authorization (programmer controlled).
Windows Authentication

Categories of Windows authentication:
- Basic authentication: login, piggybacks on HTTP.
- Digest authentication: login, piggybacks on HTTP.
- Integrated Windows authentication: Windows login.
- SSL client certificates: limited primarily to intranets.
Basic Authentication

An HTTP standard (documented in RFC 2617, ftp://ftp.isi.edu/in-notes/rfc2617.txt).

How it works:
- On first access, the Web server returns a 401 status code indicating what type of authentication is required:

HTTP/1.1 401 Access Denied
Server: Microsoft IIS-5.0
. . .
WWW-Authenticate: Basic realm="uakron.edu"

- A realm is a logical security space that encompasses all or part of a web site.
- The browser pops up a dialog box (not part of your ASP-generated HTML) asking for a user name and password.
Basic Authentication
- The browser concatenates the user name and password into an encoded string in the Authorization header of an HTTP request:

Authorization: Basic SmVmZjppbWJhdG1hbg==

- The browser includes the same Authorization header in each future request to the same realm.
- IIS maps the user name and password to an account on the web server, producing an access token.
- The access token is used to perform ACL-based security checks.
Basic Authentication

Pros of basic authentication:
- It works with virtually all browsers. Easy to use.
- It works well with firewalls.

Cons of basic authentication:
- Nothing prevents HTTP requests carrying the Authorization header from being intercepted and used to gain access to your server.
- Some users consider pop-up dialogs intrusive.
- Better used with HTTPS, not HTTP.
Digest Authentication
- Documented in RFC 2617 (ftp://ftp.isi.edu/in-notes/rfc2617.txt).
- Similar to basic authentication.
- The browser solicits a user name and password by popping up a dialog box. The server uses the credentials to assign an identity to the request.
- The big difference between basic and digest authentication is that digest does not transmit clear-text passwords. Instead, it passes an authentication token that is cryptographically secure. As a result, you can use it over unencrypted channels without fear of compromising your Web server.
Digest Authentication (cont.)
- When the client first requests a resource guarded by digest authentication, the server returns a 401 error and includes a nonce (a string of 1s and 0s) in a WWW-Authenticate header.
- The browser responds by prompting for a user name and password. It then transmits the user name back to the server, along with a hash (or digest) computed from the combined user name, password, and nonce.
- The server authenticates the request by performing its own hash on the user name, password, and nonce. The password the server uses does not come from the client; it comes from the server itself.
- If the hashes match, the user is authenticated.
- It is also compatible with proxy servers.
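What the server side of the two schemes on the preceding slides actually does, as an added example that is not the slides' code. DecodeBasic unpacks the Authorization header quoted on the Basic slide, which shows why Basic needs HTTPS: base64 is an encoding, not encryption. DigestResponse and VerifyDigest compute and check the RFC 2617 response value in its simplest form (no qop extension; MD5 because that is the algorithm the RFC specifies), with the server recomputing the digest from the password it holds itself. The realm comes from the 401 response on the Basic slide; the nonce, method and URI are constructed sample values.

```csharp
// Added example (not from the slides): Basic header decoding and Digest response verification.
using System;
using System.Security.Cryptography;
using System.Text;

public static class HttpAuthSchemes
{
    // "Authorization: Basic <base64(user:password)>" -> (user, password)
    public static (string User, string Password) DecodeBasic(string headerValue)
    {
        const string prefix = "Basic ";
        if (!headerValue.StartsWith(prefix, StringComparison.Ordinal))
            throw new ArgumentException("not a Basic credential");
        string decoded = Encoding.UTF8.GetString(
            Convert.FromBase64String(headerValue.Substring(prefix.Length)));
        int colon = decoded.IndexOf(':');
        if (colon < 0) throw new ArgumentException("missing ':' separator");
        return (decoded.Substring(0, colon), decoded.Substring(colon + 1));
    }

    static string Md5Hex(string text)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(text)))
                               .Replace("-", "").ToLowerInvariant();
    }

    // RFC 2617 without qop: response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
    // The password never leaves the client; only this digest does.
    public static string DigestResponse(string user, string realm, string password,
                                        string nonce, string method, string uri)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Server side: recompute with the stored password and the nonce the server issued,
    // then compare with the value the client sent
    public static bool VerifyDigest(string user, string realm, string storedPassword,
                                    string nonce, string method, string uri, string clientResponse)
    {
        string expected = DigestResponse(user, realm, storedPassword, nonce, method, uri);
        return string.Equals(expected, clientResponse, StringComparison.Ordinal);
    }

    public static void Main()
    {
        // Header quoted on the Basic slide
        var cred = DecodeBasic("Basic SmVmZjppbWJhdG1hbg==");
        Console.WriteLine(cred.User + " / " + cred.Password);   // Jeff / imbatman

        // Constructed digest exchange: the server issued this nonce in its 401
        string realm = "uakron.edu", nonce = "1a2b3c4d5e6f7a8b9c0d", uri = "/Secret/ProtectedPage.aspx";
        string response = DigestResponse("Jeff", realm, "imbatman", nonce, "GET", uri);
        Console.WriteLine(VerifyDigest("Jeff", realm, "imbatman", nonce, "GET", uri, response)); // True
        Console.WriteLine(VerifyDigest("Jeff", realm, "wrong", nonce, "GET", uri, response));    // False
    }
}
```

Because the nonce is chosen by the server per challenge, a captured digest response is only good for that nonce, which is the property that lets the slide call digest usable over unencrypted links; a captured Basic header, by contrast, is the credential itself. Note that verifying a digest requires the server to hold either the clear password or the precomputed MD5(user:realm:password) value, so that stored value must be protected as carefully as a password.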
Digest Authentication (cont.)

Pros of digest authentication:
- Easy to understand. Works with firewalls.
- Far more secure over ordinary HTTP than basic authentication.

Cons of digest authentication:
- Uses pop-up dialog boxes for user names and passwords.
- Does not support delegation (the ability to make a call from one machine to another and have the call execute as the caller on the remote machine) on Windows 2000 servers.
- Digest authentication is not widely used.
Integrated Windows Authentication
- Uses Windows login credentials to authenticate users.
- Identifies the user (on the server) by using that person's login identity on the client.
- The browser asks for a user name and password only if the user does not have a valid account on the server.
- The client and server negotiate a trust in a series of exchanges that involve user names, domain names, nonces, and hashes.
- All of this is done automatically by the OS on the server and the browser on the client.
Integrated Windows Authentication

Pros of Windows authentication:
- Does not force users who have already logged in to Windows to provide a user name and password again.
- Secure, even over unencrypted channels, because plain-text passwords are never transmitted.
- Good for in-house use and behind firewalls.

Cons of Windows authentication:
- Cannot work through firewalls.
- Proprietary to Windows and Internet Explorer.
- Not for general Internet use.
Windows Authentication / ACL Authorization in Action: CorpNet
T:\Xiao\Windows Programming\Examples\C10\Basic

About CorpNet:
- It models a simple intranet-type application (e.g. an internal application for a company).
- It uses Windows (basic) authentication and ACL authorization to restrict access to its pages.

Code:
- General.aspx provides general information.
- Salaries.aspx lists the salaries. Bonuses.aspx lists the bonuses.
- Anyone in the company can view General.aspx; only selected individuals can view Salaries.aspx and Bonuses.aspx.
Windows Authentication / ACL Authorization in Action

Deployment on your home computer:
- Create your own directory: C:\inetpub\wwwroot\yourLoginID
- Copy T:\Xiao\Windows Programming\Examples\C10\Basic to C:\inetpub\wwwroot\yourLoginID
- Make the directory a web application.
- Access the aspx pages (as an anonymous user):
  http://localhost/yourLoginID/Basic/general.aspx
  http://localhost/yourLoginID/Basic/salaries.aspx (access accepted but no salary entry)
  http://localhost/yourLoginID/Basic/bonuses.aspx
Windows Authentication and Anonymous Access (No Authorization Control)

Use Web.config in the root directory to set the authentication mode.

Access CorpNet as an anonymous user on winserv1:
http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx
http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx

Access CorpNet as an anonymous user on your own computer:
http://localhost/xiaotest/basic/general.aspx
http://localhost/xiaotest/basic/salaries.aspx
http://localhost/xiaotest/basic/bonuses.aspx
Basic Authentication, No Authorization Control (on your own computer)
- Use Control Panel -> Administrative Tools -> IIS Manager to configure the application to require authentication and to disallow anonymous access.
- In IIS Manager, find and click on the Basic application (WINSERV1\Sites\Default Web Site\xiaotest\Basic).
- In the IIS pane, double-click on Authentication.
- Disable Anonymous Authentication.
- Enable Basic Authentication.
- http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
- Login prompt provided by the browser. User Name: cs\xiaotest, Password: ???
- No salary information is available for xiaotest.
- Modify salaries.aspx to enter a salary for xiaotest.
ACL Authorization
- Change the permissions on Salaries.aspx and Bonuses.xml to deny CS\xiaotest read privilege.
- Right-click on the file -> Properties -> Security -> Edit -> Add; location: CS; object name: xiaotest; OK; Deny: Read; OK; OK (Advanced for inheritance).
- If you do not see the Security tab in the Properties window: right-click on Start, Open, Tools, Folder Options, View, Advanced settings, Files and folders, uncheck "Use simple file sharing".

Tests:
http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx (ok)
http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx (denied)
http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx (ok)
Security Inside

Note: ACL control is set per user and per file, manually. User xiaotest is denied access to Basic/Bonuses.xml.
Why can you still read Bonuses.xml through Bonuses.aspx?
- IIS checks the login and passes the access token to ASP.NET if the login is correct.
- ASP.NET makes ACL checks using the caller's identity against the ASPX files to be accessed and passes the access token to the application (ASPX files).
- Web applications run inside ASP.NET, which runs as the user ASPNET, and can programmatically access anything that ASPNET is allowed to access.
Impersonation
- To execute a request using the access token provided by IIS, add the following in Web.config:
- The identities assigned to the ASP.NET worker process and to the requests that it executes play crucial roles.
- After IIS 6.0, W3WP.exe connects to aspnet_isapi.dll.
Impersonation

Impersonation makes web applications run as the caller. Any programmatic access is then subject to ACL checks using the caller's identity.
- Start a new browser: http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
- 500 - Internal error occurred.
- The following does work on winserv1: in IIS Manager, double-click on the Basic application.
- In the IIS pane, double-click on Authentication.
- Enable ASP.NET Impersonation.
CorpNet demonstrates several important principles for using Windows authentication:
- Windows authentication is enabled in ASP.NET by including an authentication statement in Web.config. It has the scope of the Web.config at application level (not page level).
- ASP.NET applications that use Windows authentication can prevent users from viewing files by using ACLs to deny access to selected security principals.
- ASP.NET applications that use Windows authentication must enable impersonation if they want resources protected by ACLs to be protected from programmatic accesses by code executed within a request.
- ASP.NET applications that use Windows authentication can personalize content for individual users by reading user names from Page.User.Identity.Name.
- ACL authorization requires system administrators of the web server to manually set the security control for each application (even each page/file).
Windows Authentication and URL Authorization
- Change web.config to use URL authorization so the programmer can set the security control (per directory, not per file).
- CS\YourUnixID is not allowed to access any ASPX pages in Basic. Note only one \ after CS.
- Based on string names, not Windows security IDs (SIDs).
- The deny statement needs to be before the allow statement in the above case.
- URL authorization is usually not used with Windows authentication.
Windows Authentication and Role-Based Security
- Role-based security restricts access based on roles (groups) that the users belong to.
- For ACL authorization, control the access by giving permission to the selected groups.
- For URL authorization, use Web.config to restrict groups.
- e.g. add the WP group and a test2 user in the group:
  Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Groups; Action->New Group
  Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Users; Action->New User; test2->Properties->Member Of->Add
- Web.config
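An added example, not the slides' own file, of a Basic/Web.config that combines the three Windows-authentication settings from the CorpNet slides: the Windows mode, the impersonation switch from the Impersonation slide, and URL authorization by user name and by group. CS\xiaotest and the WP group are the names used on the slides; that local groups are written as MACHINE\Group (here WINSERV1\WP) is an assumption about the server name.

```xml
<configuration>
  <system.web>
    <!-- Windows authentication: IIS establishes the caller's Windows identity
         (basic, digest or integrated, as configured in IIS Manager) -->
    <authentication mode="Windows" />

    <!-- Impersonation: run the request, including its programmatic file access,
         under the caller's access token instead of the ASPNET account. Without it
         Bonuses.aspx could still read Bonuses.xml on the caller's behalf. -->
    <identity impersonate="true" />

    <authorization>
      <!-- URL authorization matches on the string name, not the SID; write the
           domain with a single backslash. This deny must precede the allows. -->
      <deny users="CS\xiaotest" />
      <!-- Role-based rule: members of the local WP group (e.g. test2) may enter -->
      <allow roles="WINSERV1\WP" />
      <!-- Everyone else, authenticated or not, is refused -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Unlike ACL authorization, which an administrator sets on each file, this rule set is applied by ASP.NET to every .aspx request under Basic; static files that IIS serves itself (such as Bonuses.xml) are still governed only by their ACLs.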
Summary
- Security
- Authentication: Forms; Windows (Basic, Digest, Integrated, SSL Client Certificates); Passport
- Authorization: ACL, URL
- IIS/ASP.NET server-side security processing
- Application security scenarios
- Encryption and validation
- Database-based authentication
- Role-based authorization
- Anonymous login
- Impersonation
- Realm