
ASP.Net Security
Presented by Paul Turner
pturner@eds.com

Overview
Web Security
Authentication Modes
Web.config
Authentication
Authorization
Securing Directories
Putting it together
After Authentication
Demo

Web application security
Physical security
Firewalls and DoS (port security)
SSL and HTTPS (protocol security)
IIS security
ASP.Net security
SQL Server security
Windows security
COM and others

Authentication and Authorization


Authentication identifies a user (Who are you?)
Windows, Forms, Passport, and None (Custom).

Authorization controls what they can see and do.

Authentication Modes
Windows
Best used in internal applications and intranets. Can use no prompts. Must be a Windows domain user. Can use any of:
Basic Authentication (clear text passwords)
A simple Base64 encoded password may not be secure enough.
Digest Authentication (encrypted passwords)
Internet Explorer only.
Integrated Authentication (Kerberos)
Generally won't work through a firewall or over the internet.
Cannot be persistent. Can be cookieless.

Authentication Modes cont
Forms
Familiar to commercial web sites. Can present a nice looking login screen. Can use no prompts (if persistent). Can be any type of user. Can be persistent (via cookies). Can be cookieless.

Sidebar Cookieless
By default, the authentication process will create a client side cookie. This speeds up page access, i.e. a full check does not need to be done for each page. Some browsers will reject cookies, so make it cookieless:

    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  cookieless="true"
                  timeout="20" />

Beware of the URLs it creates, i.e.

http://localhost/MagMan/(r3q03p454vvgx345tf5k4455)/General/Default.aspx

Authentication Modes cont
Passport
Some commercial web sites but mainly Microsoft's sites. Strict guidelines for branding and use. Child protection features. Licensed, and hosted by Microsoft.

Authentication Modes cont
None
This is really just Anonymous access. Don't need to do anything. Runs under IUSR_machinename by default (via impersonation).
Roll your own authentication via ISAPI.

Web.config
Controls all security for a site. Only one per site (not really true): can have more in sub directories, but they are structured differently.

The important parts:

    <authentication mode="Mode" />
    <authorization>
      <allow users="?, *, user or group" />
      <deny users="?, *, user or group" />
      <allow roles="role" />
      <deny roles="role" />
      <allow verb="GET, POST, HEAD" users="?, *, user or group" />
      <deny verb="GET, POST, HEAD" users="?, *, user or group" />
    </authorization>

Web.Config Windows Authentication
Just need to specify the mode:

    <authentication mode="Windows" />

Web.Config Forms Authentication
Need to specify the mode and the login form's location. Can include credentials if you are going to authenticate against the Web.config. There are many reasons why you may not want to do this.

    <authentication mode="Forms">
      <forms loginUrl="loginform.aspx">  <!-- other options can go here -->
        <credentials passwordFormat="Clear">  <!-- SHA1, MD5 or Clear -->
          <user name="Joe" password="joespassword" />
        </credentials>
      </forms>
    </authentication>

Web.Config Passport Authentication
Download the Passport SDK. The development licence is free, the production licence is NOT. Specify the mode:

    <authentication mode="Passport" />

Web.Config None Authentication
Mainly for anonymous sites. Lets you handle authentication and authorization completely via ISAPI. Just need to specify the mode:

    <authentication mode="None" />

Web.Config Authorization
Anonymous users (? users)
Authenticated users (* users)
Role based: applies to Windows Authentication. Everything else is custom, i.e. via the Web.config or in code.
Verb based: GET, POST or HEAD (based on the HTTP protocol)

Web.Config Authorization
Two types of access and two identities.

    <authorization>
      <allow users="?" />
      <allow roles="Builtin\Administrators" />
      <deny users="*" />
      <deny verb="HEAD" users="?" />
    </authorization>

? = Anonymous users
* = Everyone

Web.Config Securing Directories and Pages
Add a location element to your Web.config:

    <configuration>
      <location path="somepage.aspx">
        <system.web>
          <authorization>
          </authorization>
        </system.web>
      </location>
    </configuration>

Web.Config Securing Directories and Pages cont
Create a Web.config file and put it in the directory. It just needs to contain:

    <configuration>
      <system.web>
        <authorization>
        </authorization>
      </system.web>
    </configuration>

Putting it together
Decide on the Mode (Windows, Forms, Passport, None).
Decide on who will have access (Authorization and Web.config file).

Windows Mode
Create/edit your Web.config. Set up your Windows accounts/groups. Start using it!

    <configuration>
      <system.web>
        <authentication mode="Windows" />
        <authorization>
        </authorization>
      </system.web>
    </configuration>

Forms Mode
Create/edit your Web.config. Create your login form. Choose your user credentials repository:
Web.config (Why is it not recommended?), a text/xml file (Why is it not recommended?), a database server, a web service, others: NDS, Lotus Notes, WebSphere.

Forms Mode cont

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="login.aspx" />
        </authentication>
        <authorization>
        </authorization>
      </system.web>
    </configuration>

Creating a login form


Create a new aspx file. Add username and password text boxes. Add a Remember Me check box (optional). Add a button.

Behind the button
If you are using <credentials>:

    FormsAuthentication.Authenticate(string username, string password);

Reads the Web.config credentials, then returns either true or false. Then, if the user is authentic, call:

    FormsAuthentication.RedirectFromLoginPage(string AuthName, bool Persistent);

Behind the button cont
If you are using your own authentication method, you must decide whether the username and password are OK. Then, if the user is authentic, call:

    FormsAuthentication.RedirectFromLoginPage(string AuthName, bool Persistent);

If the user is not authentic:

    Response.Redirect(string Url);
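The two "Behind the button" slides above, combined into one code-behind for the login form. This is an added example, not code from the slides: the control names txtUser, txtPassword and chkRemember, the handler btnLogin_Click, the page loginfailed.aspx and the in-memory HashedPasswords table are all assumptions standing in for whatever the real login form and credential repository look like.

```csharp
// Added example, not from the slides: code-behind for a Forms-mode login page.
// Assumptions (none of these names come from the slides): the .aspx page has
// TextBox controls txtUser and txtPassword, a CheckBox chkRemember ("Remember Me")
// and a Button whose Click event is wired to btnLogin_Click; failed logins are
// redirected to loginfailed.aspx.
using System;
using System.Collections;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected CheckBox chkRemember;

    // Constructed sample of an application-owned credential store, standing in for
    // the database or directory the slides list as repositories. Passwords are held
    // as SHA1 hashes in the same format <credentials passwordFormat="SHA1"> expects,
    // so the clear text password is never stored.
    private static readonly Hashtable HashedPasswords = new Hashtable();

    static LoginPage()
    {
        // Constructed sample user; a real application loads these from its store.
        HashedPasswords["joe"] =
            FormsAuthentication.HashPasswordForStoringInConfigFile("joespassword", "SHA1");
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // Path 1 (slide "Behind the button"): check the <credentials> in Web.config.
        // Path 2 (slide "Behind the button cont"): your own authentication method.
        bool authentic = FormsAuthentication.Authenticate(userName, password)
                      || CheckOwnStore(userName, password);

        if (authentic)
        {
            // Issues the forms ticket cookie (persistent only if "Remember Me" was
            // ticked) and sends the user back to the page that required the login.
            FormsAuthentication.RedirectFromLoginPage(userName, chkRemember.Checked);
        }
        else
        {
            // Same outcome whether the name or the password was wrong, so the login
            // form does not reveal which accounts exist.
            Response.Redirect("loginfailed.aspx");
        }
    }

    // Compares the hash of the presented password with the stored hash for the user.
    private static bool CheckOwnStore(string userName, string password)
    {
        string stored = HashedPasswords[userName.ToLower()] as string;
        if (stored == null)
            return false;

        string presented =
            FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

        // The helper returns upper-case hex; compare case-insensitively anyway.
        return string.Compare(stored, presented, true) == 0;
    }
}
```

The persistent flag is driven only by the user's "Remember Me" choice, and the failure path gives the same response for an unknown name and a wrong password, which is the behaviour you want from any login form regardless of where the credentials live.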

After authentication
Get the user Identity. Get authorization details:
IsInRole (Windows only), Personalization, and storing stuff in the Session object.

Authenticated Users
System.Web.Security namespace
The User property can be either:
GenericPrincipal
  GenericIdentity, FormsIdentity, PassportIdentity (separate topic).
WindowsPrincipal
  WindowsIdentity

WindowsPrincipal contains extra functionality for Windows based authentication

GenericPrincipal
GenericIdentity
AuthenticationType property, Name property, and IsAuthenticated property.

GenericPrincipal
FormsIdentity
Same as GenericIdentity plus Ticket property (this is the cookie).

GenericPrincipal
PassportIdentity
Same as GenericIdentity plus many other things Separate topic.

WindowsPrincipal
WindowsIdentity
Same as GenericIdentity plus IsAnonymous property, IsGuest property, IsSystem property, Token property (the user's Windows account identifier, can be used to access ADSI), and Impersonate method.

Common Methods/Properties

    using System.Web.Security;
    string User.Identity.Name;
    bool User.Identity.IsAuthenticated;
    bool User.IsInRole(string role);   (Windows Mode, can be coded for other modes)
    FormsAuthentication.SignOut();
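The "After authentication" and "Common Methods/Properties" slides say IsInRole is Windows-only unless you code it for other modes. This added example (not code from the slides) shows that coding: a Global.asax handler that attaches roles to the FormsIdentity on every request, and a page that reads the identity, ticket and role afterwards. The RolesByUser table is a constructed sample standing in for the database the slides mention; Global, AccountPage, lblWho, btnLogout_Click, the "Editors" role and the login.aspx URL are assumed names.

```csharp
// Added example, not from the slides: giving a Forms-mode user roles so that
// User.IsInRole and <allow roles="..."> work, then reading the identity from a page.
// Assumptions: RolesByUser is a constructed sample standing in for the database the
// slides mention; AccountPage, lblWho, the Button wired to btnLogout_Click and the
// "Editors" role are assumed names; the login form is login.aspx.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Global.asax code-behind.
public class Global : HttpApplication
{
    // Constructed sample: user name -> roles. Load from your repository in practice.
    private static readonly Hashtable RolesByUser = new Hashtable();

    static Global()
    {
        RolesByUser["joe"] = new string[] { "Editors" };
        RolesByUser["ann"] = new string[] { "Editors", "Administrators" };
    }

    // Runs once the forms ticket cookie has been validated and Context.User holds a
    // GenericPrincipal with a FormsIdentity and no roles.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;                       // anonymous: the "?" authorization rules apply

        FormsIdentity formsId = Context.User.Identity as FormsIdentity;
        if (formsId == null)
            return;                       // Windows mode: WindowsPrincipal already has groups

        string[] roles = RolesByUser[formsId.Name.ToLower()] as string[];
        if (roles == null)
            roles = new string[0];        // authenticated but in no role

        // Replace the principal; <allow roles="..."> and IsInRole now see these roles.
        Context.User = new GenericPrincipal(formsId, roles);
    }
}

// A page that uses the identity after authentication.
public class AccountPage : Page
{
    protected Label lblWho;

    protected void Page_Load(object sender, EventArgs e)
    {
        lblWho.Text = Describe(User);
    }

    // Builds a description from the common properties listed on the slide.
    public static string Describe(IPrincipal user)
    {
        if (!user.Identity.IsAuthenticated)
            return "anonymous";

        string text = user.Identity.Name + " via " + user.Identity.AuthenticationType;

        FormsIdentity formsId = user.Identity as FormsIdentity;
        if (formsId != null)              // Ticket is the decrypted forms cookie
            text += ", ticket expires " + formsId.Ticket.Expiration;

        WindowsIdentity winId = user.Identity as WindowsIdentity;
        if (winId != null && winId.IsGuest)
            text += " (guest account)";

        // In Windows mode the role is a domain-qualified group such as
        // Builtin\Administrators, as on the authorization slide.
        if (user.IsInRole("Editors"))
            text += ", editor";

        return text;
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();    // removes the ticket cookie
        Response.Redirect("login.aspx");
    }
}
```

Because the roles are attached during AuthenticateRequest, the declarative <allow roles="..."> and <deny roles="..."> rules in Web.config are enforced for Forms users by the same authorization module that enforces them for Windows users; nothing in the pages themselves has to change.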

Demo
Windows Authentication
Forms Authentication
  Via Credentials
  Via Database
Subdirectory security
Cookieless

Summary
Remember security is not just a username and password.
Authentication and Authorization: learn the difference.
Decide on your mode.
Learn about the Web.config file.
Have a look at MSDN.
Part of Developing Web Applications with VB.Net (Exam 70-305) and C#.Net (Exam 70-315).
