ASP.

NET Security

By

SRIRAM. B
ASP.NET Security Overview
 Authentication &  Authentication & Authorization
Authorization  Login Controls

 Authentication Modes  Membership & Role

Management
 Windows
Authentication
 Forms Authentication
 Passport Authentication
 User Class
 Authorization
 Impersonation
 Authentication &
Authorization
Authentication & Authorization
 Authentication is the process of obtaining some credential
from users and using those credentials to verify the users
identity.

 Authorization is the process of allowing an authenticated

user access to resources.

 Authentication always procedded to Authorization.

 Authentication
Modes
Authentication Modes
 Windows

ASP.NET authentication services attach a WindowsPrincipal

(System.Security.Principal.WindowsPrincipal) to the current request
to enable authorization against NT users or groups.

 Forms

ASP.NET authentication services manage cookies and redirect

unauthenticated users to a logon page. This is often used in
conjunction with the IIS option to allow anonymous access to an
application.
 Passport

ASP.NET authentication services provide a convenient wrapper

around the services provided by the Passport SDK, which must be
installed on the machine.
Windows
Authentication
Windows Authentication
 It can be enabled by default. Users can be identified by the
windows account names, the roles corresponds to windows
groups.

 It delegates the responsibility of identifying users to IIS. IIS can be

configured to use the following authentications:- <authentication
mode = “Windows”/>
 Anonymous

If any one is allowed to access the ASP.NET application , IIS does

not perform any authentication
 Basic

User must provide a windows username and password to

connect. However the information is sent over the network in clear
text, It become in-secure for internet based applications.
Windows Authentication
 Digest

The user can provide the windows username and password to

connect. However the password is in hashed format before it is sent
across the network. The windows accounts to be stored in the active
directory.
 Windows Integrated

In windows integrated authentication, passwords never cross the

network. Users must still have a username and password, but the
application uses either Kebros / Challenge response protocols
authenticate the user. It will be used for intranet based applications.
 Forms
Authentication
Forms Authentication
 ASP.NET authenticates users, redirects unauthenticated users to
the logon page, and performs all the necessary cookie
management. This sort of authentication is a popular technique
used by many Web sites and handle your own custom logic.

In web.config <authentication mode = “Forms”/>

 Using Form based authentication to denying access to

anonymous users
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization> <deny users="?" /> </authorization>
</system.web>
</configuration>
Forms Authentication..
 Administrators use forms-based authentication to configure the
name of the cookie to use, the protection type, the URL to use for
the logon page, length of time the cookie is in effect, and the path
to use for the issued cookie.
<authentication mode="Forms">
<forms name=".ASPXCOOKIEDEMO" loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All" timeout="30" path="/" requireSSL="false"
slidingExpiration="true" enableCrossAppRedirects="false"
cookieless="UseDeviceProfile" domain="">
<!-- protection="[All|None|Encryption|Validation]" -->
<!-- cookieless="[UseUri | UseCookies | AutoDetect |
UseDeviceProfile]" -->
</forms>
</authentication>
Forms Authentication..
 After the application has been configured, you need to provide a
logon page. When it is run, it requests the Default.aspx page.
Unauthenticated requests are redirected to the logon page
(Login.aspx), which presents a simple form that prompts for an
e-mail address and a password. (Use
Username="someone@www.contoso.com" and
Password="password" as credentials.)
 Default.aspx

Page Load -> Label1.Text = "Hello, " + User.Identity.Name;

Signout -> FormsAuthentication.SignOut(); Response.Redirect("login.aspx");

 Login.aspx
if ((UserEmail.Value == "someone@www.contoso.com") && (UserPass.Value ==
"password")) {
FormsAuthentication.RedirectFromLoginPage(UserEmail.Value,
PersistCookie.Checked); }

else { Msg.Text = "Invalid Credentials: Please try again"; }

Forms Authentication
 Attributes :-
 Cookieless (UseDeviceProfile(default), Autodetect)
 DefaultUrl
 Domain
 EnableCrossAppRedirects
 LoginUrl
 Name
 Path
 Protection
 RequireSSL
 SlidingExpiration
 timeout
Forms Authentication..
 Authentication Against Values in web.config file
<System.web><authentication mode = “Forms”>

<credentials passwordFormat="clear" > <user name="Bill" password="secret"/>

</credentials> </authentication>

<authorization> <deny users=”?”/> </System.web>

You can change the Login.aspx to work with web.config file

if (formsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text)) {
FormsAuthentication.RedirectFromLoginPage((TextBox1.Text, True); }

else { Respose. Write( "Invalid Credentials: Please try again"); }

The following values of the passwordFormat attribute:

Hash Type Description
Clear Passwords are stored in cleartext

SHA1 Passwords are stored as SHA1 digests

MD5 Passwords are stored as MD5 digests

Forms Authentication..
 Using Encrypted Passwords
<authentication>

<credentials passwordFormat="SHA1" >

<user name="Mary" password="94F85995C7492EEC546C321821AA4BECA9A3E2B1"/>

<user name="John" password="5753A498F025464D72E088A9D5D6E872592D5F91"/>

</credentials>

</authentication>

You can generate the hashed representation of the password by

using

FormsAuthentication.HashPasswordForStoringInConfigFile((TextBox1.Text,”S
HA1”);
 Passport
Authentication
Passport Authentication
 Passport uses encrypted cookie mechanism to indicate
authenticated users.

 When your application is enabled for passport

authentication, the request is redirected to the Microsoft
Passport Site where the user can enter his credentials

 If the authentication is successful the user is authorized to

proceed and the request is redirected back to your
application.
User Class
User Class
 Page.User Class or HtttpContext.User property to retrieve the information about
the current user.

 The principal object also includes an Identity Property that enables you to get the
information about the current users identity. It supports the following properties:-

 AuthenticationType string authType = User.Identity.AuthenticationType;

 IsAuthenticated bool authUser = User.Identity.IsAuthenticated();
 Name string UserName = User.Identity.Name;

 The principal object supports the following Method: -

IsInRole()-> Enables you to check whether the user is a member of a particular

role.
If (User.IsInRole(“BUILTIN\Administrators”) ){ // Private Information }
else { // Public Information }
Authorization
Authorization
 Process of identifying the resources that you are allowed to
access. You can control authorization by adding an authorization
element to a web.config file. You can use authorization in the
same way for Windows, Forms & Passport

 To block the unauthenticated user

<authorization> <deny users=”?”/> </authorization>

 Authorization allows only for Bill and denies for others

<authorization> <allow users=”Bill”/> <deny users=”?”/>

<authorization>

 Authorizing by Role for Administrator

<authorization> <allow roles=”Administrator”/> <deny

users=”*”/> <authorization>

 Authorizing Files by Location

<location path = “Secret.aspx”>

Impersonation
Impersonation
 ASP.NET can execute the request using the identity of the
client, who is making the request is called impersonation.
<IDENTITY impersonate="true" />

 Identity is a webconfig declaration under System.web, which

helps to control the application Identity of the web
applicaton.

 It can be at any
level(Machine,Site,application,subdirectory,or page),
attribute impersonate with "true" as value specifies that
client impersonation is used.
Demo
Session Ends
Exercise
Relax