asp.net 13 - security
Chapter 13: Security, Membership, and Role Management
If thou be’st not immortal, look about you: security gives way to conspiracy. The mighty gods defend thee!
William Shakespeare, Julius Caesar, Act II, Scene 3
Slide 2: Overview
This chapter is about security in ASP.NET. It covers:
- how security is built into ASP.NET
- the concepts of authentication, authorization, and trust
- the different levels of security in an ASP.NET Web application
- the two principal forms of authentication available to ASP.NET developers: Windows authentication and forms authentication
- the provider model
- the Membership and Role Management systems
- the login controls introduced with ASP.NET 2.0
Slide 3: Intro to ASP.NET Security
By default, a Web application is available to anyone who can access its Web server.
However, almost every Web site has some resources within the site that are not meant to be publicly available, e.g., configuration files, subscription-only content, and administration pages.
The principal focus of Web application security is to restrict access to site resources to the appropriate users.
Slide 4: Intro to ASP.NET Security
ASP.NET provides a multilayered approach to security. The layers are: ASP.NET, the .NET Framework, IIS, and Windows.
Slide 5: Security Concepts
Authentication: the process of verifying the identity of the user. This is typically achieved by having the user enter credentials, such as a user name and password.
If the credentials are valid (usually by checking them against a database or a list of operating system user accounts), the entity that submitted the credentials is considered an authenticated identity.
Slide 6: Security Concepts
Authorization: the process of determining whether the authenticated identity (i.e., the user) has permission to access certain resources.
The most common approach for authorization is role-based authorization: authorization based not on the user but on the role or group to which the user belongs.
Thus, permissions are assigned to different roles, and then users are assigned to different roles.
Slide 7: IIS Security
The first level of security checks is that imposed by IIS. Recall that all HTTP requests for ASP.NET Web application resources are initially handled by IIS.
The request is first checked by IIS to see if the IP address of the request is allowed access to the domain of the requested resource.
The next check is to authenticate the user if necessary. If successful, the request is passed on to ASP.NET. If either of these two checks fails, the user receives an access denied response.
Slide 8: IIS Security
By default, IIS allows anonymous access to a Web application. This means the user of the request does not actually have to be authenticated.
However, a Web application can be configured to require IIS authentication.
Slide 9: IIS Authentication
IIS supports several types of authentication:
Basic: The user name and password are encoded (not encrypted) and transmitted in an HTTP header. The user name and password are checked to see if they match a Windows account on the server. Should only be used with HTTPS.
Digest: The password is subjected to a special calculation (a hash), the result of which is sent to the server; the server performs the same calculation and compares it to the received value. Hashing algorithms are not encryption.
Slide 10: IIS Authentication
IIS supports several types of authentication:
Certificate: uses certificates as a means of verifying the identity of a given site. In public-key cryptography, a certificate uses a digital signature to bind together a public key with an identity. The certificate is then used to verify that a public key belongs to an individual.
Certificates must be purchased (generally for about $100 to $500 a year) from a known certificate authority.
Slide 11: IIS Authentication
IIS supports several types of authentication:
Integrated Windows Authentication: IIS authenticates the user against a Windows user account. When used within a corporate intranet, Windows authentication allows IIS to determine the requester’s identity based on her Windows login.
Slide 12: ASP.NET Security
ASP.NET can also be configured to perform its own security checks.
Slide 13: Impersonation
Impersonation refers to the process by which a Web application “pretends” to be a different account than the actual account that is running the application.
Slide 14: Impersonation
When impersonation is enabled for a Web application (in the web.config file), the application runs under an identity specified by a security token that is passed by IIS.
This might be used in Web applications that rely on IIS to authenticate the user, or for server environments that host applications from different customers. Impersonation is often used in such a situation, because each Web application can be given a separate Windows account to absolutely prevent one application from accessing another application’s resources.
Slide 15: Impersonation
By default, impersonation is disabled. When disabled, all ASP.NET requests run under the default process identity for ASP.NET applications: typically either ASPNET (for IIS 5) or NETWORK SERVICE (for IIS 6).
The ASPNET user account is a local account created when the .NET Framework is installed; the NETWORK SERVICE account is predefined in Windows Server 2003 and has the same set of somewhat limited permissions as the ASPNET account.
Slide 16: Code Access Security
One of the principal security features in .NET is the support in the CLR for code access security: code in an assembly is given a security zone classification that constrains what the code can do when executing.
Because ASP.NET assemblies are dynamically generated, security policies can be specified declaratively as a trust level.
Thus, a trust level is a declarative set of rules that define what .NET Framework classes your ASP.NET application can use.
Trust levels can be set using the trust element in the application’s Web.config file or globally via the machine.config file.
Slide 17: Trust Levels
Trust name: Description
Full: The application is fully trusted. All .NET code is allowed to run and thus any .NET classes can be used (however, still subject to operating system and Windows ACL limitations). This is the default.
High: Code can use most of the .NET Framework. The limitations are no unmanaged code, no enterprise services, and limited use of reflection.
Medium: Permissions are limited to what the application can access in its own folder structure. Thus, although a medium trust application can access a SQL Server database, it cannot access files or folders outside its own virtual directory hierarchy. As well, it has no reflection permissions, so those applications that require reflection (such as the typical object/relational mapper) may not work. Intended to be used for hosting environments that contain multiple customers’ sites.
Low: Models a read-only application because no network access to other servers is allowed.
Minimal: No capability to interact with resources. Intended for sites with little dynamic content.
Slide 18: ASP.NET Authentication
Like IIS, ASP.NET has its own authentication methods.
When IIS receives a request for an ASP.NET resource such as an .aspx file, it performs its own authentication and then passes on the request and a security token to the ASP.NET runtime.
The ASP.NET authentication mode is set in the web.config file:
<system.web>
  …
  <authentication mode="Windows" />
</system.web>
Slide 19: ASP.NET Authentication
ASP.NET supports the following authentication modes:
None: ASP.NET does not perform any authentication.
Windows: Uses the result of the configured IIS authentication mechanism. Generally only makes sense for intranet applications with a known set of users existing in the operating system’s user list.
Forms: Allows you to authenticate the user via a login Web form that you create. Unauthenticated requests are redirected to this login page, where the user can provide credentials and submit the form. With this mode, the Web application, not the underlying operating system, must authenticate the request. Because the Web application will perform the authentication, you generally configure IIS to enable anonymous access for this application.
Slide 20: Forms Authentication
<system.web>
  …
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
Slide 21: Forms Authentication
You can customize the authentication approach used in your Web application on a folder-by-folder basis by using a separate Web.config file in each folder of your application.
Slide 22: Where to store user credentials?
- Application-defined source (database, etc.)
- Within the web.config file (only makes sense for sites with a few users)
- Use the built-in Membership Provider (uses either SQL Server or Windows ACL)
Slide 23: Forms Authentication
After the user has been authenticated, any subsequent requests for allowable ASP.NET resources are processed without requiring authentication again.
When the server receives the request for pageB.aspx, how does the server “know” that the user has already been authenticated? HTTP is a stateless protocol, so some type of state mechanism must be working behind the scenes.
Slide 24: How does it work?
By default, forms authentication in ASP.NET makes use of a browser cookie to maintain the state of the user’s authentication across requests. The cookie contains an encrypted and hashed instance of something called a forms authentication ticket.
This ticket contains information that is used by the forms authentication module to identify a previously authenticated user.
Slide 25: How does it work?
Slide 26: Cookieless Tickets
In ASP.NET 2.0, applications can be configured to use cookieless authentication tickets. In this case, the ticket information is embedded within the URL.
A cookie-based ticket can be persistent, that is, it can last far beyond the individual user session. This can be a great usability improvement for sites whose users visit infrequently.
Cookieless authentication tickets are especially vulnerable to replay attacks. E.g., a user bookmarks a page on a public computer; then someone else can log in.
You need to make cookieless authentication timeout values very low (say 60 minutes).
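Putting slides 20, 21 and 26 together, here is a complete web.config for forms authentication (an added example, not from the slides): it denies anonymous users site-wide, restricts an assumed Admin folder to an assumed Administrators role with a location element (the equivalent of a separate Web.config in that folder), keeps the login page reachable, and pins the ticket settings the replay discussion calls for. Login.aspx, the Admin folder, the Administrators role and the cookie name are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the slides. Login.aspx, the Admin folder,
     the Administrators role and the cookie name .MYSITEAUTH are assumed. -->
<configuration>
  <system.web>
    <!-- Unauthenticated requests are redirected to Login.aspx.
         protection="All": the ticket is both encrypted and hashed (signed).
         requireSSL="true": the ticket cookie is only sent over HTTPS.
         cookieless="UseCookies": never embed the ticket in the URL, which is
         what makes bookmarked cookieless tickets replayable.
         timeout (minutes) with slidingExpiration="false" gives the ticket an
         absolute lifetime instead of extending it on every request. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".MYSITEAUTH"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Application-wide default: deny anonymous users ("?"). -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Required so that allow/deny rules can refer to roles. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Per-folder rule for /Admin. Rules are evaluated top to bottom, so the
       closing deny users="*" shuts out everyone who is not an Administrator. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must remain reachable by anonymous users,
       otherwise the redirect from the rule above loops. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```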
Slide 27: Provider Model
The provider model is one of the chief architectural features of ASP.NET 2.0.
A provider is a software class (or classes) that provides a uniform programming interface between a service and a data source. Thus, a provider is a contract between the service and its implementation, in that it implements a guaranteed interface.
Instead of programming directly against data sources, key ASP.NET services now use providers to read and write data.
Slide 28: Providers
Providers are an abstraction of the physical storage medium. As such, the use of providers makes a given service very extensible, because you can create your own providers or purchase them from third-party sources.
Slide 29: Provider Model
Slide 30: Benefits of the Provider Model
- It enforces a separation between the code for accessing a service and the code that implements the service.
- It makes it easier to implement a division of labor amongst the developers on a project. Back-end developers can work on custom providers, whereas page developers need only worry about working with the API of the provider.
- You can change the specific provider used by a Web application for a service declaratively in the Web.config file without any programming changes.
Slide 31: Provider-based Services
Service: Description
Encryption: Handles encryption and decryption of sections of the ASP.NET configuration files.
Membership: Manages user accounts.
Profile: Manages user preferences and user information across visits.
Role management: Handles role-based security.
Session state: Maintains user state between requests.
Site map: Provides a description of a site’s structure.
Web events: Used by the ASP.NET health monitoring subsystem that allows the monitoring of a Web application.
Web Parts: Manages the special set of controls for creating Web sites that enable end users to modify the content, appearance, and behavior of Web pages directly within the browser.
Slide 32: Provider Classes
Slide 33: Membership Provider
The Membership Provider is a set of classes built on top of the forms authentication system that allows the developer to more easily implement the typical functionality a site needs for managing and authenticating users.
It can be used to:
- Create new users
- Store membership information in Microsoft SQL Server, Active Directory, or some other data source
- Authenticate users
- Use role-based security
- Manage passwords, which includes creating, changing, and resetting them
Slide 34: SqlMembershipProvider
The default membership provider is the SqlMembershipProvider. It requires some configuration steps before you can use it in your site.
The easiest way to do this is via the Website Administration Tool (WAT). This is a browser-based application that can be launched from Visual Studio and that allows you to view and modify security, application, and provider configuration settings in the application’s Web.config file.
The WAT creates a SQL Server 2005 Express database file in the Web application’s App_Data folder.
Slide 35: WAT
Slide 36: Membership API
The Membership API works quite seamlessly with the ASP.NET login controls. As a result, it is possible to implement many of the most common security-related user display tasks (such as logging in and out, displaying the current user, and creating a user) without any programming.
For special tasks, such as user management (deleting, renaming, listing), the Membership API can be used.
Slide 37: Membership Class
Name: Description
CreateUser: Adds a new user to the membership data store.
DeleteUser: Deletes an existing user from the membership data store.
FindUsersByEmail: Returns a MembershipUserCollection of users whose email matches the passed email.
FindUsersByName: Returns a MembershipUserCollection of users whose user name matches the passed user name.
GeneratePassword: Generates a random password of the specified length.
GetAllUsers: Returns a MembershipUserCollection of all users.
GetNumberOfUsersOnline: Gets the number of users that are currently accessing the application.
GetUser: Returns a MembershipUser object for the currently logged-on user.
GetUserNameByEmail: Returns the user name for the specified email.
UpdateUser: Updates the data source with the information contained in the specified MembershipUser object.
ValidateUser: Returns true if the specified user name and password are valid (i.e., exist in the data store).
Slide 38: Role Management Provider
The Role Management Provider and API allow developers to associate users with roles and perform role checks declaratively and programmatically.
Role management lets you treat groups of users as a unit by assigning users to roles that you create, such as administrator, editor, or member.
The default role provider is the SqlRoleProvider, and it can be configured via the WAT.
You can also programmatically manipulate roles via the Role Management API.
Slide 39: Login Controls
The new ASP.NET login controls work in conjunction with the membership system and provide a quick solution to the typical user interface features needed for authenticating users.
These new controls encapsulate virtually all of the logic required to prompt users for credentials and validate the credentials in the membership system.
Slide 40: Login Controls
Name: Description
ChangePassword: Lets users change their password.
CreateUserWizard: Based on the Wizard control covered in Chapter 4. A multistep process for gathering the user name, password, email address, and password question and answer.
Login: Displays a customizable user interface for gathering user credentials.
LoginName: Displays the name of the authenticated user.
LoginStatus: Displays a login link for nonauthenticated users and a logout link for authenticated users.
LoginView: Displays one of two possible interfaces: one for authenticated users and one for anonymous users.
PasswordRecovery: Allows user passwords to be retrieved and sent to the email for that account.
Slide 41: Login Control
<asp:Login ID="logSignin2" runat="server" TextLayout="TextOnTop" CssClass="loginStyle">
  <TitleTextStyle CssClass="loginTitle" />
  <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
  <TextBoxStyle Font-Size="0.8em" />
  <LoginButtonStyle CssClass="buttonStyle" />
</asp:Login>
Slide 42: Other Controls
LoginName: Displays the name of the authenticated user.
LoginStatus: Displays a login link for nonauthenticated users and a logout link for authenticated users.
Slide 43: LoginName and LoginStatus Controls
<asp:LoginName ID="logName" runat="server" FormatString="Welcome {0}" />
<asp:LoginStatus ID="logStat" runat="server" LoginImageUrl="images/btn_login.gif" LogoutImageUrl="images/btn_logout.gif" LogoutAction="Refresh" />
Slide 44: LoginView Control
The LoginView control allows you to specify a user interface for authenticated users and a different user interface for anonymous users. It also allows you to customize the user interface based on the authenticated user’s role.
For instance, this control could allow you to define content for administrators, content for members, and content for unauthenticated visitors.
Slide 45: LoginView Control
<asp:LoginView ID="logView" runat="server">
  <AnonymousTemplate>
    <strong>For more features</strong><br />
    <asp:LoginStatus ID="logStat" runat="server" LoginImageUrl="images/btn_login.gif" LogoutImageUrl="images/btn_logout.gif" LogoutAction="Refresh" />
  </AnonymousTemplate>
  <LoggedInTemplate>
    <strong>Rate this book</strong><br />
    <asp:RadioButtonList ID="radList" runat="server">
      <asp:ListItem Selected="true">No Rating</asp:ListItem>
      <asp:ListItem><img src='images/stars1.gif'/></asp:ListItem>
      <asp:ListItem><img src='images/stars2.gif'/></asp:ListItem>
      <asp:ListItem><img src='images/stars3.gif'/></asp:ListItem>
      <asp:ListItem><img src='images/stars4.gif'/></asp:ListItem>
      <asp:ListItem><img src='images/stars5.gif'/></asp:ListItem>
    </asp:RadioButtonList>
    <asp:Button ID="btnRate" runat="server" Text="Rate Book" />
  </LoggedInTemplate>
</asp:LoginView>
Slide 46: ChangePassword Control
The ChangePassword control allows users to change their password.
The control works regardless of whether the user is or is not already authenticated: the control can ask the user for the user name as well as the old and new passwords.
Slide 47: ChangePassword
<asp:ChangePassword ID="chngPass" runat="server" CssClass="passChangeStyle">
  <CancelButtonStyle CssClass="buttonStyle" />
  <ChangePasswordButtonStyle CssClass="buttonStyle" />
  <ContinueButtonStyle CssClass="buttonStyle" />
  <TitleTextStyle CssClass="titleStyle" />
  <TextBoxStyle CssClass="textboxStyle" />
</asp:ChangePassword>
Slide 48: PasswordRecovery Control
The PasswordRecovery control allows a member’s password to be retrieved and sent to the email address for that account.
However, users can only recover passwords when the membership provider stores clear text or encrypted passwords; hashed passwords can only be reset.
Slide 49: PasswordRecovery
<asp:PasswordRecovery ID="passRec" runat="server" CssClass="passRecovStyle">
  <InstructionTextStyle CssClass="instructionStyle" />
  <SuccessTextStyle CssClass="instructionStyle" />
  <TextBoxStyle CssClass="textboxStyle" />
  <TitleTextStyle CssClass="titleStyle" />
  <SubmitButtonStyle CssClass="buttonStyle" />
  <MailDefinition From="[email protected]" Subject="Password Recovery" />
</asp:PasswordRecovery>
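Slide 34 leaves the SqlMembershipProvider setup to the WAT; this added example (not from the slides) spells the provider configuration out explicitly in web.config, together with the SqlRoleProvider of slide 38, and stores passwords hashed so that, as slide 48 notes, they can be reset but never retrieved by the PasswordRecovery control. The connection string name MembershipDb, the provider names and the database file name are assumptions.

```xml
<!-- Added example, not from the slides. MembershipDb, the provider names
     and the ASPNETDB.MDF file name are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Assumed to point at the SQL Server Express database file the WAT
         creates in the application's App_Data folder. -->
    <add name="MembershipDb"
         connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|ASPNETDB.MDF;Integrated Security=True;User Instance=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="HashedSqlMembership">
      <providers>
        <!-- Drop the machine.config default so only this provider applies. -->
        <clear />
        <!-- passwordFormat="Hashed" means the store never holds recoverable
             passwords, so enablePasswordRetrieval must be false and the
             PasswordRecovery control can only reset, not retrieve.
             The attempt limits lock the account after 5 failures within
             a 10-minute window. -->
        <add name="HashedSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- Role store in the same database; applicationName must match the
         membership provider's so users and roles line up. -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```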
Slide 50: CreateUserWizard Control
The CreateUserWizard control provides a multistep process for creating a new user.
It is a subclass of the Wizard control.
Slide 51: CreateUserWizard Control
<asp:CreateUserWizard ID="createUser" runat="server" … >
  <WizardSteps>
    <asp:WizardStep> … </asp:WizardStep>
    <asp:WizardStep> … </asp:WizardStep>
  </WizardSteps>
</asp:CreateUserWizard>