ASP.NET Security, MIS 424, Professor Sandvig
- Slides: 29
Overview
- Today: security concepts and terminology; authentication and authorization; role-based security; HTTPS
- ASP.NET approaches: do-it-yourself; ASP.NET Identity; Windows authentication
Security Terminology: Authentication
- The process of identifying the user
- The user provides credentials: username/password; ID card, key, fingerprint, eye scan...
- Authentication is done once, at login

Security Terminology: Authorization
- Which resources the user is allowed to access (permissions)
- Type of access: read, write, modify, delete, change permissions...
- Performed with every request
Example - WWU Library
- Authentication: who are you? A WWU student, or a lost Canadian
- Authorization: what are you allowed to do?
  - WWU student: check out books, laptops, ILL services...
  - Lost Canadian: look at books, use restrooms, stay warm
Security Terminology: Principle of Least Privilege
- "Every program and every user of the system should operate using the least set of privileges necessary to complete their job."
- Benefits: protects data, protects the organization, protects individuals
Role-based Security
- Permissions are assigned based upon organizational role
- Create roles: Financial Aid counselor, Academic counselor, Network Administrator, Database Administrator, Payroll
- Roles are assigned specific permissions (principle of least privilege)

Role-based Security: Groups
- Collections of individuals
- Examples: students, faculty, Help Desk technicians, department administrators

Role-based Security: Assign users and groups to roles
- Source: https://docs.oracle.com/cd/E19226-01/820-7627/bnbxj/index.html

Role Permissions (figure; source: ITGlue content management system)

WWU Roles (figure)

Role Permissions: WWU P drive (figure)
ASP.NET Security Approaches
- Do-it-yourself
- ASP.NET Identity
- Windows authentication
Do-it-yourself Authentication
- Each action method checks for authorization itself
- Unauthorized users are redirected to the login page
- A single line of code at the top of each action:

    if (Session["authenticated"] == null) return RedirectToAction("Login");

Do-it-yourself Authentication
- Advantages: simple; flexible; you write your own authentication code
- Disadvantages: more work; it is entirely your responsibility (every action you forget to check is an open page)
ASP.NET Identity
- Individual user accounts
- Visual Studio creates the models and database
- Username, password, and roles are stored in the DB

ASP.NET Identity Features
- Contains views for: creating an account, modifying an account, password recovery, changing a password
- Can use social providers for authentication: Facebook, Google, Twitter
- Create roles; assign users to roles

ASP.NET Identity
- Decorate action methods with authorization rules: individuals, roles
- Authenticates against a database, Active Directory, cloud-based authentication, ...
- Example: Secured Admin Pages
Windows Authentication
- Authenticate against Windows users and roles (Active Directory)
- Take advantage of organizational roles: group email, file permissions, chat...

Windows Authentication: MVC Implementation
- Specify in web.config:

    <authentication mode="Windows" />

- Enable Windows Authentication in IIS
Windows Authentication: Benefits
- Use existing Active Directory users and groups
- Intranet, not the public web
- Single sign-in within the organization
- Fine-level control of permissions
- Example 1: WindowsAuthentication; Example 2: LabInspection
Web Security: Always use HTTPS
- Secure Sockets Layer (SSL, now TLS) encrypts all data in transit
- Session hijacking: all of these security methods pass a cookie identifying the user as authenticated; if an attacker obtains the cookie data, they can impersonate the authenticated user. HTTPS keeps the cookie from travelling in the clear.
Adding HTTPS
- Individual controllers:

    namespace mis424Assignments.Controllers
    {
        [RequireHttps]
        [Authorize]
        public class RetailController : Controller
        {
            // ...
        }
    }

- Entire site, in Global.asax:

    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new RequireHttpsAttribute());
    }
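The three pieces above (the do-it-yourself session check, the attribute-based rules from ASP.NET Identity, and the site-wide HTTPS filter) side by side in one ASP.NET MVC 5 project. This is an added example, not code from the slides; the namespace mis424Assignments.Controllers, the Account/Login action and the Admin role are assumed.

```csharp
using System.Web;
using System.Web.Mvc;

namespace mis424Assignments.Controllers   // assumed namespace
{
    // Do-it-yourself: every action must repeat the check, and any action
    // that forgets it is an unprotected page.
    public class DiyRetailController : Controller
    {
        public ActionResult Index()
        {
            if (Session["authenticated"] == null)
                return RedirectToAction("Login", "Account"); // assumed login action
            return View();
        }
    }

    // Attribute-based: the framework enforces the rule before the action runs.
    // Unauthenticated users are sent to the configured login page; signed-in
    // users who are not in the Admin role are refused instead of served.
    [RequireHttps]                 // GET over HTTP is redirected to HTTPS; other verbs are rejected
    [Authorize(Roles = "Admin")]   // assumed role name
    public class RetailController : Controller
    {
        public ActionResult Index() => View();

        [AllowAnonymous]           // opt one action out of the class-level rule
        public ActionResult Catalog() => View();
    }
}

// Global.asax.cs: register the filters site-wide so a single forgotten
// attribute cannot leave one page serving the authentication cookie over
// plain HTTP (the session-hijacking scenario from the previous slide).
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new RequireHttpsAttribute());
        // Deny by default: every controller requires a signed-in user unless
        // it is explicitly marked [AllowAnonymous].
        GlobalFilters.Filters.Add(new AuthorizeAttribute());
    }
}
```

Pair this with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under system.web in web.config so the authentication cookie is never sent over HTTP and is not readable from page script.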
Summary
- Application security options: do-it-yourself; Identity user accounts; Windows authentication
- Security is a complex topic; other aspects will be discussed later