Net Security
Presented by Paul Turner
pturner@eds.com
Overview
Web Security
Authentication Modes
Web.config
Authentication
Authorization
Securing Directories
Putting it together
After Authentication
Demo
Authentication Modes
Windows
Best used in internal applications and intranets
Can use no prompts
Must be a Windows domain user
Can use either
Basic Authentication (clear text passwords)
The password is only Base64 encoded, which is an encoding and not encryption, so this may not be secure enough
Sidebar Cookieless
By default, the authentication process will create a client side cookie.
This speeds up page access, i.e. a full check is not needed for each page. Some browsers will reject cookies, so make it cookieless (note that the session ID is then carried in the URL instead of a cookie):
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" cookieless="true" timeout="20" />
Web.config
Controls all security for a site
Only one per site (not really true)
Can have more in sub directories but they are structured differently.
Web.Config Authorization
Anonymous users (?)
Everyone (*)
Role based
Applies to Windows Authentication. Everything else is custom i.e. via the Web.config or in code.
Verb based
GET, POST or HEAD (based on HTTP protocol)
Web.Config Authorization
Two types of access (allow and deny) and two identities.
<authorization>
  <!-- rules are evaluated top to bottom; the first match wins -->
  <allow users="?" />
  <allow roles="Builtin\Administrators" />
  <deny users="*" />
  <deny verb="HEAD" users="?" />
</authorization>
? = Anonymous users
* = Everyone
<configuration>
  <location path="somepage.aspx">
    <system.web>
      <authorization>
      </authorization>
    </system.web>
  </location>
</configuration>
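Added example, not part of the presentation: a small Python model of how ASP.NET evaluates an <authorization> block, run over the slide's own rule set. It assumes ASP.NET's documented semantics (rules checked top to bottom, first match wins, no match falls through to the machine-level allow for everyone); the reordered block is a constructed variant for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <authorization> block shown on the slide.
SLIDE_RULES = r"""
<authorization>
  <allow users="?" />
  <allow roles="Builtin\Administrators" />
  <deny users="*" />
  <deny verb="HEAD" users="?" />
</authorization>
"""

# Constructed reordering: the verb-specific deny is placed before the blanket allow.
REORDERED_RULES = r"""
<authorization>
  <deny verb="HEAD" users="?" />
  <allow users="?" />
  <allow roles="Builtin\Administrators" />
  <deny users="*" />
</authorization>
"""

def _names(value):
    """Comma-separated attribute value -> list of trimmed entries ("" -> [])."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]

def rule_matches(rule, user, roles, verb):
    """True if one <allow>/<deny> element applies to the request.
    user=None models an anonymous request; '?' = anonymous, '*' = everyone."""
    verbs = [v.upper() for v in _names(rule.get("verb"))]
    if verbs and verb.upper() not in verbs:   # no verb attribute means all verbs
        return False
    for u in _names(rule.get("users")):
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u.lower() == user.lower():
            return True
    held = {r.lower() for r in roles}
    return any(r.lower() in held for r in _names(rule.get("roles")))

def is_allowed(xml_text, user=None, roles=(), verb="GET"):
    """Walk the rules top to bottom; the first matching rule decides.
    With no match, ASP.NET falls through to machine.config's <allow users="*"/>."""
    for rule in ET.fromstring(xml_text):
        if rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True
```

With the slide's ordering, is_allowed(SLIDE_RULES, verb="HEAD") returns True because <allow users="?"/> matches an anonymous request before the HEAD deny is ever reached; with REORDERED_RULES the same call returns False.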
Putting it together
Decide on the Mode (Windows, Forms, Passport, None)
Decide on who will have access (Authorization and Web.config file)
Windows Mode
Create/edit your Web.config. Set up your Windows accounts/groups. Start using it!
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
    </authorization>
  </system.web>
</configuration>
Forms Mode
Create/edit your Web.config. Create your login form. Choose your user credentials repository:
Web.config (Why is it not recommended?), a text/XML file (Why is it not recommended?), a database server, a web service, or others such as NDS, Lotus Notes, WebSphere
After authentication
Get the user Identity
Get authorization details
IsInRole (Windows only), Personalization, and storing stuff in the Session object.
Authenticated Users
System.Web.Security namespace
User property can be either:
GenericPrincipal
  GenericIdentity
  FormsIdentity
  PassportIdentity (separate topic)
WindowsPrincipal
  WindowsIdentity
GenericPrincipal
GenericIdentity
AuthenticationType property, Name property, and IsAuthenticated property.
GenericPrincipal
FormsIdentity
Same as GenericIdentity plus the Ticket property (the authentication ticket carried in the cookie).
GenericPrincipal
PassportIdentity
Same as GenericIdentity plus many other things. Separate topic.
WindowsPrincipal
WindowsIdentity
Same as GenericIdentity plus the IsAnonymous property, IsGuest property, IsSystem property, Token property (the user's Windows account identifier, can be used to access ADSI), and the Impersonate method.
Common Methods/Properties
using System.Web.Security;
string User.Identity.Name
bool User.Identity.IsAuthenticated
bool User.IsInRole(string role)   // Windows mode; can be coded for other modes
FormsAuthentication.SignOut();
Demo
Windows Authentication
Forms Authentication
  Via Credentials
  Via Database
Summary
Remember security is not just a username and password
Authentication and Authorization, learn the difference
Decide on your mode
Learn about the Web.config file
Have a look at MSDN
Part of Developing Web Applications with VB.Net (Exam 70-305) and C#.Net (Exam 70-315)