Title: Chapter 10 ASP.NET Security
Slide 1: Chapter 10 ASP.NET Security

Slide 2: First Look at a Secured Web Site
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone.
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx can only be viewed by authorized users (wp/wp).
Slide 3: Introduction to Web Security: Categories, Issues, Components

Slide 4: Building a Secure Web Site
- Three categories of web security
  - Content freely available to everyone (public).
  - Sites that serve the general population but require a login (application-level security, protected).
  - Intranet sites for a controlled population of users, such as a company's employees (private).
- Security issues
  - Application-level security (users).
  - Deployment security (programmers).
- Web security components
  - Authentication identifies the originator of requests (who).
  - Authorization defines who can access which pages (what).
Slide 5: Authentication
- ASP.NET supports a few types of authentication: Forms, Windows, Passport, and None.
- Web.config
    <configuration>
      <system.web>
        <authentication mode="Forms"/>
      </system.web>
    </configuration>
- Note
  - The authentication mode is an application-wide setting that can be set only in the application root and can't be overridden in subordinate Web.config files.
  - You can't use Windows authentication in one part of an application and forms authentication in another.

Slide 6: Setting the authentication mode in the root Web.config
Slide 7: Authorization
- ASP.NET supports two forms of authorization
  - ACL (access control list) authorization, also known as file authorization: based on file system permissions, typically used with Windows authentication.
  - URL authorization: relies on configuration directives in Web.config files, most often used with forms authentication.

Slide 8: Three Typical Security Scenarios for Web Applications
- Pages can be freely browsed by anyone: no application-level security.
- Intranet application: use Windows authentication and ACL authorization.
- Internet application with secure page access: use forms authentication and URL authorization.

Slide 9: The Internal Working of IIS and ASP.NET Security
Slide 10: IIS Security
- IIS (Internet Information Services) Server
  - a web server
  - in IIS 5.x, runs in the process Inetinfo.exe as SYSTEM
  - accepts connections
  - responds to HTTP requests
- Web applications are deployed in application directories. Remote clients can't arbitrarily grab files outside application directories.
- IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
- IIS supports IP address and domain name restrictions.
- IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols (today, TLS).

Slide 11: IIS Security
- Anonymous access (access by unauthenticated users)
  - Requests from anonymous users are tagged with the access token of IUSR_<machinename>, an Internet guest account created when IIS is installed.

Slide 12: The relationship between IIS and ASP.NET.

Slide 13: IIS 6.0
- IIS 6.0 has a kernel-mode driver named http.sys that listens for all HTTP requests.
- When an ASP.NET-related request comes in, http.sys hands it to w3wp.exe, the IIS 6.0 worker process (starting one if necessary).
- w3wp.exe loads aspnet_isapi.dll, which hosts the CLR.
- The rest is the same as before.
Slide 14: ASP.NET Security
- Server-side processing (IIS 5.x)
  - (1) The client requests an .ASPX file ->
  - (2) Inetinfo.exe (IIS) generates an access token -> Aspnet_isapi.dll sends the request and the token through a named pipe or local procedure calls (LPCs) ->
  - (3) Aspnet_wp.exe (ASP.NET) makes ACL checks on the requested resource and passes the access token to the targeted application ->
  - (4) The targeted application runs the request through the HTTP pipeline -> HTTP modules -> HTTP handlers (mapped in Machine.config).

Slide 15:
- Two types of access tokens
  - Authenticated user: the authenticated security principal.
  - Unauthenticated user: IUSR_machinename, for anonymous login.
- Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users
- Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management -> Event Viewer -> Security
Slide 16: The ASPNET Account
- Created when ASP.NET is installed.
- A member of the Users group (hidden now).
- Aspnet_wp.exe runs as ASPNET by default.
- Requests executed by ASP.NET use Aspnet_wp.exe's identity.
- ASP.NET can impersonate, that is, use the request's access token instead.
- To make Aspnet_wp.exe run as SYSTEM, change processModel in Machine.config to
    <processModel userName="SYSTEM" ... />
  This is shown only to illustrate the mechanism: a worker process running as SYSTEM has full control of the machine, so any bug in a web application becomes a full compromise. Keep the worker process on a low-privilege account.

Slide 17: The ASPNET Account
- You can also run the ASP.NET worker process (aspnet_wp.exe or w3wp.exe) under a user account:
  https://msdn.microsoft.com/en-us/library/bakfs900.aspx
Slide 18: Programming Forms Authentication

Slide 19: Forms Authentication
- Forms authentication lets an application set up its own web authentication, independent of the operating system's accounts. It works well with URL authorization, which relies on configuration directives in Web.config files.
- Forms/URL security is useful for protecting an e-commerce site (an external Internet application serving a company's customers).

Slide 20: Forms Authentication: Static Structure
- Security settings in an ASP.NET web application are configured in the Web.config files.
- The Web.config file in the root directory (which must be an application directory) specifies the authentication mode and the application-specific login page.
- The Web.config file in a subdirectory sets the authorization specifics for that directory.
- User credentials can be stored in a database (preferred) or in the root Web.config file.

Slide 21: Forms Authentication: Dynamic Behavior
- The first time a user accesses a protected resource, ASP.NET redirects the user to the login page.
- If the login is successful, ASP.NET issues the user an authentication ticket in the form of a cookie (cookies need to be enabled by the client) and redirects the user to the page originally requested.
- The ticket allows that user to revisit protected portions without having to log in again.
- The ticket's lifetime can be controlled to determine how long the login is good for.
Slide 22: A First Look at Forms Authentication
- Forms1 web application: Examples\C10\Forms1
- At the application root
  - PublicPage.aspx can be viewed by anyone
  - Web.config
  - LoginPage.aspx
- In the Secret subdirectory
  - ProtectedPage.aspx is available only to authenticated users (wp/wp).
  - Web.config

Slide 23: Deploy Forms1 on Winserv1
- Create a web application (Forms1) at C:\inetpub\wwwroot\xiaotest\Forms1. You need admin privilege.
- On winserv1, use an existing web application directory already created for you. Save the current web.config file.
- Copy everything from Examples\C10\Forms1 to the above directory.
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone.
  (http://winserv1.cs.uakron.edu/Examples/C10/Forms1/PublicPage.aspx)

Slide 24: Deploy Forms1 on Winserv1
- http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx is available only to authenticated users (wp/wp).
- Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
- Valid users are stored in Web.config.
- The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed.
- You are not prompted for the password again during a session.
Slide 25: Programming Forms Security
- Authentication in the root Web.config
    <authentication mode="Forms">
      <forms loginUrl="LoginPage.aspx">
        <credentials passwordFormat="Clear">
          <user name="wp" password="wp" />
          <user name="John" password="redrover" />
        </credentials>
      </forms>
    </authentication>
  passwordFormat="Clear" stores the passwords in clear text in Web.config; "SHA1" or "MD5" stores hashes instead, which is preferable whenever credentials must live in the config file at all.
- Authorization (per directory) in Secret/Web.config
    <authorization>
      <deny users="?" />
    </authorization>
- URL authorization denies "?" (anonymous) users.

Slide 26: Programming Forms Security
- PublicPage.aspx
    void OnViewSecret(Object sender, EventArgs e)
    {
        Response.Redirect("Secret/ProtectedPage.aspx");
    }
- LoginPage.aspx
    void OnLogIn(Object sender, EventArgs e)
    {
        if (FormsAuthentication.Authenticate(UserName.Text, Password.Text))
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false); // true for a persistent cookie
        else
            Output.Text = "Invalid login";
    }
- System.Web.Security.FormsAuthentication.Authenticate returns true if the user name and password are in the <credentials> section of Web.config.
Slide 27: Internal Workings
- ASP.NET creates an authentication cookie, attaches it to the outgoing response, and redirects the user to the page that he or she originally requested. The lifetime of a persistent cookie is independent of the browser session.
- Authorization is applied on a directory-by-directory basis. The Web.config file in each directory specifies exactly how that directory's files are protected.
- On each request, ASP.NET checks whether a valid authentication cookie is attached. If the cookie exists, ASP.NET extracts the identity information from it. If the cookie doesn't exist, ASP.NET redirects the request to the login page.
Slide 28: Real-World Forms Authentication: Forms2, Forms3

Slide 29: Real-World Forms Authentication (Forms2)
- Storing user names and passwords in a database (MySQL).
- Creating the database, creating the users table and adding users.
- Log on to winserv1.
- Start -> All Programs -> MySQL -> MySQL Query Browser.
  - Server Host: db1.cs.uakron.edu
  - Port: 3306
  - Username: yourLoginID
  - Password: your password for MySQL
  - Default Schema: your DB name
- File -> Open Script: Examples\C10\MySQL-Table-Creation\Weblogin.sql
- Execute!
Slide 30: Real-World Forms Authentication
- Weblogin.sql
    CREATE TABLE users
    (
      username varchar(32) NOT NULL,
      password varchar(32) NOT NULL,
      role varchar(32)
    );
    INSERT INTO users (username, password, role) VALUES ('dev', 'dev', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('mgr', 'mgr', 'Manager');
- AddUsers.sql
    INSERT INTO users (username, password, role) VALUES ('wpd1', 'wp2009', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('wpd2', 'wp2009', 'Developer');
- The course table stores passwords in clear text to keep the example short; a production table stores a salted hash of each password and compares hashes at login.
Slide 31: Deploy Forms2 on Winserv1
- On winserv1, use an existing web application directory already created for you: C:\inetpub\wwwroot\WP_s2016\yourID
- Copy everything from Examples\C10\Forms2 to the above directory.

Slide 32: Deploy Forms2 on Winserv1
- Move web.config, login.aspx and Global.asax from C:\inetpub\wwwroot\WP_s2016\yourID\Forms2 to C:\inetpub\wwwroot\WP_s2016\yourID. Save the old files you already have there.
- Move the dll from C:\inetpub\wwwroot\WP_s2016\yourID\Forms2\bin to C:\inetpub\wwwroot\WP_s2016\yourID\bin
- Start a browser on the server.
- Use the following URL to access Forms2: http://winserv1.cs.uakron.edu/yourID/Forms2/PublicPage.aspx

Slide 33: Deploy Forms2 on Winserv1

Slide 34: Deploy Forms2 on Winserv1
- http://winserv1.cs.uakron.edu/xiaotest/Forms2/PublicPage.aspx can be viewed by anyone.
- http://winserv1.cs.uakron.edu/xiaotest/Forms2/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).

Slide 35: Deploy Forms2 on Winserv1
- Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
- Valid users are stored in the database.
- The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed.
- You are not prompted for the password again during a session.
Slide 36: Real-World Forms Authentication
- LoginPage.aspx: credential matching
  - SQL
      select count(*) from users where username = 'dev' and pwd = 'dev'
    It returns 0 if no matching credentials are found.
  - The user name and password must reach the query as command parameters. Building this string by concatenating what the user typed lets a crafted login name rewrite the query.
  - MySQL notes
    - (1) count () with a space before the parenthesis works in SQL Server but not in MySQL, which does not recognize a built-in function name followed by whitespace (unless the IGNORE_SPACE SQL mode is set).
    - (2) PASSWORD is a built-in MySQL function name. It is not reserved, but the course avoids it as a column name and uses pwd in the query; match the column name to the table you actually created.
    - (3) ExecuteScalar returns Int64 for a count query in MySQL.
- FormsAuthentication.RedirectFromLoginPage(UserName.Text, Persistent.Checked)
  - A persistent authentication cookie lets the user get back in without logging in again, even after shutting the browser down. ASP.NET 1.x issued it with no practical expiration; later versions apply the configured timeout to persistent cookies as well.
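The credential-matching query above is the point where most login code goes wrong, so here is the slide's query built two ways. This is an added example, not the course's LoginPage.aspx: SQLite stands in for MySQL so it runs offline, the users table and its rows are constructed to match Weblogin.sql (with the password column named pwd as in the slide's query), and the hashed-storage variant goes beyond the slide to show what the pwd column should hold instead of a clear-text password.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def make_db() -> sqlite3.Connection:
    """Constructed sample table in the shape of Weblogin.sql (username, pwd, role),
    passwords in clear text exactly as the course stores them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT NOT NULL, pwd TEXT NOT NULL, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("dev", "dev", "Developer"), ("mgr", "mgr", "Manager")])
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's query assembled from what the user typed. Vulnerable on purpose:
    a login name such as  dev' --  turns the password check into a comment."""
    sql = ("select count(*) from users where username = '" + username
           + "' and pwd = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query, values bound as parameters: the driver never lets them become SQL."""
    sql = "select count(*) from users where username = ? and pwd = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def hash_password(password: str, salt: bytes = None) -> str:
    """salt$digest (both hex) from PBKDF2-HMAC-SHA256: what the pwd column should hold."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_hashed_db() -> sqlite3.Connection:
    """Same users, but the pwd column holds hash_password(...) output."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT NOT NULL, pwd TEXT NOT NULL, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("dev", hash_password("dev"), "Developer"),
                    ("mgr", hash_password("mgr"), "Manager")])
    return db


def login_hashed(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up by parameter, then compare hashes in code rather than in SQL."""
    row = db.execute("select pwd from users where username = ?", (username,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db = make_db()
    print("concat, real creds:   ", login_concat(db, "dev", "dev"))        # True
    print("concat, injected name:", login_concat(db, "dev' --", "wrong"))  # True: check bypassed
    print("param,  injected name:", login_param(db, "dev' --", "wrong"))   # False
    print("hashed, real creds:   ", login_hashed(make_hashed_db(), "dev", "dev"))  # True
```

The same two injections work against the MySQL form of the query (MySQL also treats "-- " as a comment), and the fix is the same: MySqlCommand.Parameters instead of string building, as in the corrected GetUserRole later in this chapter.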
Slide 37: Authentication Cookie Lifetime
- Session authentication cookie
  - Machine.config
      <forms ... timeout="30">             (30 minutes)
  - Web.config
      <forms loginUrl="LoginPage.aspx" timeout="10080" />   (7 days)
- Programming cookies
      HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
      cookie.Expires = DateTime.Now + new TimeSpan(7, 0, 0, 0);   // 7 days
- Removing cookies as a user
  - IE -> Tools -> Internet Options -> General -> Browsing history -> Delete -> Cookies and website data -> Delete.
  - Firefox -> Open Menu -> History -> Clear All History, check Cookies.
  - Netscape -> Tools -> Cookie Manager -> Manage stored cookies -> Remove all.
  - Google Chrome -> Customize -> More Tools -> Clear Browsing Data -> Cookies.
  - Safari -> Preferences -> Privacy -> Remove All Website Data.
Slide 38: Forms Authentication: Role-Based Security
- http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
- http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx

Slide 39: Real-World Forms Authentication (Forms3)
- Storing user names and passwords in a database (MySQL).
- Creating the database, creating the users table and adding users.
- Log on to winserv1.
- Start -> All Programs -> MySQL -> MySQL Query Browser.
  - Server Host: db1.cs.uakron.edu
  - Port: 3306
  - Username: yourLoginID
  - Password: your password for MySQL
  - Default Schema: your DB name
- File -> Open Script: Examples\C10\MySQL-Table-Creation\Weblogin.sql
- Execute!
Slide 40: Real-World Forms Authentication
- Weblogin.sql
    CREATE TABLE users
    (
      username varchar(32) NOT NULL,
      password varchar(32) NOT NULL,
      role varchar(32)
    );
    INSERT INTO users (username, password, role) VALUES ('dev', 'dev', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('mgr', 'mgr', 'Manager');
- AddUsers.sql
    INSERT INTO users (username, password, role) VALUES ('wpd1', 'wp2020', 'Developer');
    INSERT INTO users (username, password, role) VALUES ('wpd2', 'wp2020', 'Developer');
Slide 41: Deploy Forms3 on Winserv1
- On winserv1, use an existing web application directory already created for you: C:\inetpub\wwwroot\WP_s2016\yourID
- Copy everything from Examples\C10\Forms3 to the above directory.

Slide 42: Deploy Forms3 on Winserv1
- Move web.config, login.aspx and Global.asax from C:\inetpub\wwwroot\WP_s2016\yourID\Forms3 to C:\inetpub\wwwroot\WP_s2016\yourID. Save the old files you already have there.
- Move the dll from C:\inetpub\wwwroot\WP_s2016\yourID\Forms3\bin to C:\inetpub\wwwroot\WP_s2016\yourID\bin
- Start a browser on the server.
- Use the following URL to access Forms3: http://winserv1.cs.uakron.edu/yourID/Forms3/PublicPage.aspx

Slide 43: Deploy Forms3 on Winserv1

Slide 44: Deploy Forms3 on Winserv1
- http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx can be viewed by anyone.
- http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).
Slide 45: Forms Authentication and Role-Based Security (Forms3)
- Use role membership to allow only some authenticated users to view Secret/ProtectedPage.aspx.
- Without roles
  - Deny all unauthenticated users:
      <deny users="?" />
  - Deny all users except John and Alice:
      <allow users="John, Alice" />
      <deny users="*" />
  - Allow all except Jeff, Bob, and Mary:
      <deny users="Jeff, Bob, Mary" />
      <allow users="*" />
- <allow> and <deny> are order-sensitive: ASP.NET applies the first rule that matches the requesting user and ignores every rule after it. A <deny users="*" /> placed first therefore locks everyone out, whatever follows it.

Slide 46: Forms Authentication and Role-Based Security (Forms3)
- With roles
  - The users table has a field named role that stores each user's role (group) membership.
  - Grant Developer access to Secret:
      <allow roles="Developer" />
      <deny users="*" />
  - Map the roles to user accounts so that ASP.NET can determine whether the requestor is a developer or not.
  - Place the mapping in the AuthenticateRequest event handler (invoked at the beginning of every request).
  - It can be done in a custom HTTP module or in Global.asax.
- http://winserv1.cs.uakron.edu/Examples/C10/Forms3/PublicPage.aspx
- http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
- dev/dev (Developer) can view ProtectedPage.aspx; mgr/mgr (Manager) can't.
Slide 47: Programming Role-Based Authentication
- Getting information about authenticated users in your code
  - ASP.NET stores user information in the HttpContext.User property.
  - Access User through Page.Context.User or simply Page.User, or through HttpApplication.User.
  - The User property is of type IPrincipal (an interface defined in System.Security.Principal).
  - It is implemented by the WindowsPrincipal class for Windows authentication and by the GenericPrincipal class for other forms of authentication (GenericPrincipal can be used with Windows authentication too).
  - GenericPrincipal is a device for representing user identities independent of the authentication protocol being used. ASP.NET compares the role names in the GenericPrincipal to the roles granted access in Web.config.
  - User.Identity contains some useful properties.

Slide 48: Properties in User.Identity
  Property             Description
  AuthenticationType   Reveals which form of authentication was used
  IsAuthenticated      Reveals whether the user is authenticated
  Name                 Reveals an authenticated user's name

    if (User.Identity.IsAuthenticated)
        string name = User.Identity.Name;

  Name is of the form domain-name\user-name for Windows authentication and the user-typed login for forms authentication.
Slide 49: Programming Authentication: Roles
- Retrieve a user's role and create a Principal for the user (Global.asax).
    <%@ Import Namespace="System.Security.Principal" %>
    <script language="C#" runat="server">
    void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication) sender;
        if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
        {
            FormsIdentity identity = (FormsIdentity) app.User.Identity;
            // Find out what role (if any) the user belongs to
            string role = GetUserRole(identity.Name);
            // Create a GenericPrincipal containing the role name
            // and assign it to the current request
            if (role != null)
                app.Context.User = new GenericPrincipal(identity, new string[] { role });
        }
    }

Slide 50: Programming Authentication: Roles
    string GetUserRole(string name)
    {
        // Connection string as used by the course; in practice the password
        // belongs in protected configuration, not in page code.
        MySqlConnection connection = new MySqlConnection(
            "server=db1.cs.uakron.edu;database=xiaotest;uid=xiaotest;pwd=wp2009;allow zero datetime=yes");
        try
        {
            connection.Open();
            // The user name travels as a parameter. Concatenating it into the SQL text
            // (the first version of this slide) lets a crafted login name rewrite the query.
            MySqlCommand command = new MySqlCommand(
                "select role from users where username = @name", connection);
            command.Parameters.AddWithValue("@name", name);
            object role = command.ExecuteScalar();   // null when no row matches
            if (role == null || role is DBNull) return null;
            return (string) role;
        }
        catch (MySqlException) { return null; }
        finally { connection.Close(); }
    }
    </script>
Slide 51: More on Forms Authentication
- Multiple roles
  - Coding
      app.Context.User = new GenericPrincipal(identity, new string[] { "Developer", "Manager" });
  - Web.config
      <allow roles="Manager, Developer" />
      <deny users="*" />
- Configure subdirectories in the root Web.config
    <location path="Secret">
      <system.web>
        <authorization>
          <allow roles="Developer" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>
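The ordering rule on slide 45 (first matching rule wins) is the part of URL authorization that causes lockouts and accidental exposure, so here is a small model of it covering the rule sets from slides 45, 46 and 51. This is an added example, not ASP.NET's UrlAuthorizationModule or any code from the course; the principals (John, Bob, dev, mgr) are constructed to match the slides' accounts, and it assumes, as this model does, that user and role names are compared case-insensitively.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Principal:
    """Who is making the request. name=None models an anonymous request."""
    name: Optional[str] = None
    roles: FrozenSet[str] = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


@dataclass(frozen=True)
class Rule:
    """One <allow .../> or <deny .../> element; users/roles are the attribute lists."""
    action: str                       # "allow" or "deny"
    users: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()

    @staticmethod
    def _split(attr: str) -> FrozenSet[str]:
        return frozenset(x.strip().lower() for x in attr.split(",") if x.strip())

    @classmethod
    def allow(cls, users: str = "", roles: str = "") -> "Rule":
        return cls("allow", cls._split(users), cls._split(roles))

    @classmethod
    def deny(cls, users: str = "", roles: str = "") -> "Rule":
        return cls("deny", cls._split(users), cls._split(roles))

    def matches(self, p: Principal) -> bool:
        for u in self.users:
            if u == "*":                                   # everyone
                return True
            if u == "?" and not p.is_authenticated:        # anonymous only
                return True
            if p.is_authenticated and u == p.name.lower():
                return True
        return any(r.lower() in self.roles for r in p.roles)


def authorize(rules: List[Rule], p: Principal) -> bool:
    """First matching rule decides. ASP.NET evaluates the requested directory's
    rules before its parents'; pass them already concatenated in that order.
    No match means allowed, mirroring the machine-level default <allow users="*"/>."""
    for rule in rules:
        if rule.matches(p):
            return rule.action == "allow"
    return True


# Constructed principals matching the slides' sample accounts.
ANON = Principal()
JOHN = Principal("John")
BOB = Principal("Bob")
DEV = Principal("dev", frozenset({"Developer"}))
MGR = Principal("mgr", frozenset({"Manager"}))

DENY_ANON = [Rule.deny(users="?")]                                   # Secret/Web.config, slide 25
ONLY_JOHN_ALICE = [Rule.allow(users="John, Alice"), Rule.deny(users="*")]   # slide 45, correct order
LOCKED_OUT = [Rule.deny(users="*"), Rule.allow(users="John, Alice")]        # same rules reversed
DEVELOPERS_ONLY = [Rule.allow(roles="Developer"), Rule.deny(users="*")]     # slide 46
DEV_OR_MGR = [Rule.allow(roles="Manager, Developer"), Rule.deny(users="*")] # slide 51

if __name__ == "__main__":
    for label, rules in [("deny ?", DENY_ANON),
                         ("allow John,Alice; deny *", ONLY_JOHN_ALICE),
                         ("deny *; allow John,Alice", LOCKED_OUT),
                         ("allow roles=Developer; deny *", DEVELOPERS_ONLY)]:
        print(label, {p.name or "?": authorize(rules, p) for p in (ANON, JOHN, BOB, DEV, MGR)})
```

The LOCKED_OUT set shows the failure mode the slide warns about: with <deny users="*"/> first, John is refused even though the next line allows him. The <location path="Secret"> form of slide 51 simply prepends the Secret rules to the root's rules, so the same evaluator applies.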
Slide 53: More on Forms Authentication
- Attributes of the <forms> element in Web.config
  Attribute    Description                                                                 Default
  name         Name assigned to authentication cookies                                     .ASPXAUTH
  loginUrl     URL of the login page                                                       login.aspx
  protection   Level of protection (validation and encryption) applied to auth cookies    All
  timeout      Lifetime of session authentication tickets in minutes                       30
  path         Scope of authentication cookies                                             /
- The protection attribute specifies the desired level of protection for the authentication cookies. All instructs ASP.NET to both encrypt and validate authentication cookies.

Slide 54: Encrypt and Validate Authentication Cookies
- Validation works by appending the machineKey element's validationKey to the cookie, hashing the resulting value, and appending the hash to the cookie. When the cookie is returned in a request, ASP.NET verifies that it wasn't tampered with by rehashing the cookie and comparing the new hash to the one accompanying the cookie.
- Encryption works by encrypting the cookie and hash value, all of it, with the machineKey element's decryptionKey.
Slide 55: Encrypt and Validate Authentication Cookies
- Validation consumes less CPU time than encryption and prevents tampering. It does not prevent someone from intercepting an authentication cookie and reading its contents.
- To validate but not encrypt authentication cookies:
    <forms ... protection="Validation" />
- Encryption prevents the cookie's contents from being read and makes targeted alteration much harder; only validation detects tampering reliably, which is why the default, All, does both.
- To encrypt but not validate cookies:
    <forms ... protection="Encryption" />

Slide 56: Encrypt and Validate Authentication Cookies
- To disable both:
    <forms ... protection="None" />
- Encrypted cookies can't be read or altered, but they can be stolen and used illicitly. Time-outs are the only protection.
- The most reliable way to prevent someone from spoofing your site with a stolen authentication cookie is to use an encrypted communications link (HTTPS).
    <forms ... loginUrl="https://www.wintellect.com/login.aspx" />
  This assumes the server supports HTTPS and Login.aspx is stored in a directory configured to use HTTPS. An HTTPS login page alone only protects the password: the cookie it issues is still sent with later plain-HTTP requests unless the whole site is HTTPS (ASP.NET 2.0 and later can additionally set requireSSL="true" on <forms> so the cookie is marked secure and never sent over HTTP).
- Caveat emptor: ASP.NET does not protect HTML pages. In the classic IIS pipeline only extensions mapped to ASP.NET (such as .aspx) pass through URL authorization; static files are served by IIS directly. Renaming .html to .aspx is enough to bring a page under ASP.NET's protection. (IIS 7 and later in integrated pipeline mode run the ASP.NET authorization module for static files as well.)
  - http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
  - http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx
  - http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.html
  - http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.aspx
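Slides 54 to 56 describe the ticket's validation step, what an unencrypted ticket leaks, and why a stolen ticket is only bounded by its time-out. The following is an added example of exactly that, not ASP.NET's FormsAuthentication code: it models a protection="Validation" ticket as an HMAC-SHA256 over the ticket bytes keyed with a stand-in validationKey, checks expiry the way ASP.NET's time-out does, and leaves the payload readable so the difference from protection="All" is visible. The key, user names and timestamps are constructed for the example; adding the encryption step would need a cipher library and is left out to keep the block dependency-free.

```python
import base64
import hashlib
import hmac
import time

# Stand-in for <machineKey validationKey="..."/>. Constructed for the example;
# a real key is generated randomly and kept out of source control.
VALIDATION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, timeout_minutes: int, now: float = None,
                 key: bytes = VALIDATION_KEY) -> str:
    """Cookie value = base64(payload) '.' base64(HMAC-SHA256(key, payload)).
    The payload (name, issue time, expiry) is only encoded, not encrypted."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now)}|{int(now + 60 * timeout_minutes)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def read_ticket(cookie: str, now: float = None, key: bytes = VALIDATION_KEY):
    """Return the user name if the MAC verifies and the ticket has not expired,
    otherwise None (ASP.NET would then redirect to the login page)."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        user, _issued, expires = payload.decode().split("|")
        expires_at = int(expires)
    except ValueError:                              # malformed cookie
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):      # tampered, or signed under another key
        return None
    if now >= expires_at:                           # the time-out: the only defence against a copied cookie
        return None
    return user


def peek(cookie: str) -> str:
    """What an eavesdropper learns from a validated-but-unencrypted cookie."""
    return _unb64(cookie.split(".")[0]).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_ticket("wp", 30, now=t0)
    print("cookie:", cookie)
    print("readable payload:", peek(cookie))                       # wp|1700000000|1700001800
    print("valid now:", read_ticket(cookie, now=t0 + 60))           # wp
    print("after 31 min:", read_ticket(cookie, now=t0 + 31 * 60))   # None
    forged = _b64(f"John|{t0}|{t0 + 1800}".encode()) + "." + cookie.split(".")[1]
    print("forged name:", read_ticket(forged, now=t0 + 60))        # None
```

Two things to take from running it: changing the name or pushing the expiry out is caught because the MAC no longer matches, but the same cookie presented from another machine inside its 30 minutes is accepted without complaint, which is the slide's argument for HTTPS.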
Slide 57: Windows Authentication

Slide 58: Windows Authentication
- It maps incoming requests to accounts on the web server or in the web server's domain.
- Serves content to a well-defined populace (intranet).
- Requires no programming. Authentication is done by the system.

Slide 59: Windows Authentication
- Don't use it to generically expose content to all comers over the Internet.
- Windows authentication on the front end is typically paired with ACL authorization (administrator controlled) on the back end.
- It can also be used with URL authorization (programmer controlled).

Slide 60: Windows Authentication
- Categories of Windows authentication
  - Basic authentication: login, piggybacks on HTTP.
  - Digest authentication: login, piggybacks on HTTP.
  - Integrated Windows authentication: Windows login.
  - SSL client certificates: limited primarily to intranets.
Slide 61: Basic Authentication
- An HTTP standard (documented in RFC 2617, ftp://ftp.isi.edu/in-notes/rfc2617.txt).
- How it works
  - On the first access, the web server returns a 401 status code indicating what type of authentication is required:
      HTTP/1.1 401 Access Denied
      Server: Microsoft-IIS/5.0
      . . .
      WWW-Authenticate: Basic realm="uakron.edu"
  - A realm is a logical security space that encompasses all or part of a web site.
  - The browser pops up a dialog box (not part of your ASP.NET-generated HTML) asking for a user name and password.

Slide 62: Basic Authentication
- The browser joins the user name and password as user:password, base64-encodes the result (encoding, not encryption) and sends it in the Authorization header of the HTTP request:
      Authorization: Basic SmVmZjppbWJhdG1hbg
- The browser includes the same Authorization header in each future request to the same realm.
- IIS maps the user name and password to an account on the web server, producing an access token.
- The access token is used to perform ACL-based security checks.
Slide 63: Basic Authentication
- Pros of Basic authentication
  - It works with virtually all browsers.
  - Easy to use.
  - It works well with firewalls.
- Cons of Basic authentication
  - Nothing prevents an HTTP request carrying the Authorization header from being intercepted, decoded and used to gain access to your server.
  - Some users consider pop-up dialogs intrusive.
  - Better used with HTTPS, not HTTP.
Slide 64: Digest Authentication
- Documented in RFC 2617 (ftp://ftp.isi.edu/in-notes/rfc2617.txt).
- Similar to Basic authentication.
- The browser solicits a user name and password by popping up a dialog box. The server uses the credentials to assign an identity to the request.
- The big difference between Basic and Digest authentication is that Digest doesn't transmit clear-text passwords. Instead, it passes an MD5 digest bound to a server-supplied nonce. As a result it can be used over unencrypted channels without handing the password itself to an eavesdropper, although a captured exchange still allows offline guessing of a weak password, and the page content is not protected at all.

Slide 65: Digest Authentication (cont.)
- When the client first requests a resource guarded by Digest authentication, the server returns a 401 error and includes a nonce, an opaque server-generated string, in the WWW-Authenticate header.
- The browser responds by prompting for a user name and password. It then transmits the user name back to the server, along with a hash (digest) computed from the user name, realm, password, nonce and requested URI.
- The server authenticates the request by computing its own hash over the same values. The password the server uses doesn't come from the client; it comes from the server's own copy of the credentials.
- If the hashes match, the user is authenticated.
- It is also compatible with proxy servers.
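To make the difference between slides 61 to 63 and 64 to 65 concrete, here are both exchanges as the actual header values, as an added example rather than anything from the slides or from IIS. The Basic part decodes the slide's own Authorization header; the Digest part computes the RFC 2617 request-digest for qop="auth" and runs a minimal server side that stores only HA1 and tracks the nonces it issued. The realm comes from the slide; users, passwords, nonces and URIs are constructed.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "uakron.edu"   # the realm from the slide's WWW-Authenticate example


def basic_authorization(user: str, password: str) -> str:
    """Authorization header the browser sends after the user fills in the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str):
    """Recover (user, password) from a Basic header: base64 is encoding, not protection."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode()
    user, _, password = text.partition(":")
    return user, password


def parse_auth_params(header: str) -> dict:
    """'Digest realm="x", nonce="y"' -> {'realm': 'x', 'nonce': 'y'} (no commas inside values)."""
    _, _, params = header.partition(" ")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 request-digest with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: stores HA1 per user (never the clear password), issues nonces, checks responses."""

    def __init__(self, users: dict):
        self.ha1 = {u: _md5(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_auth_params(authorization)
        if p.get("username") not in self.ha1 or p.get("nonce") not in self.live_nonces:
            return False                          # unknown user, or a nonce we never issued
        ha2 = _md5(f"{method}:{p['uri']}")
        expected = _md5(f"{self.ha1[p['username']]}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        return hmac.compare_digest(expected, p.get("response", ""))


def digest_authorization(user, password, challenge, method, uri, nc="00000001", cnonce=None) -> str:
    """Client side: answer a challenge. cnonce is random unless supplied for testing."""
    c = parse_auth_params(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, password, c["realm"], method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


if __name__ == "__main__":
    print(basic_decode("Basic SmVmZjppbWJhdG1hbg"))      # ('Jeff', 'imbatman'): the slide's header
    srv = DigestServer({"Jeff": "imbatman"})
    chal = srv.challenge()
    auth = digest_authorization("Jeff", "imbatman", chal, "GET", "/secret/")
    print(srv.verify("GET", auth))                        # True
```

The test below also checks digest_response against the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com), which is the quickest way to confirm a Digest implementation is concatenating the right fields in the right order.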
Slide 66: Digest Authentication (cont.)
- Pros of Digest authentication
  - Easy to understand.
  - Works with firewalls.
  - Far more secure over ordinary HTTP than Basic authentication.
- Cons of Digest authentication
  - Uses pop-up dialog boxes for user names and passwords.
  - Doesn't support delegation (the ability to make a call from one machine to another and have the call execute as the caller on the remote machine) on Windows 2000 servers.
  - Digest authentication is not widely used.

Slide 67: Integrated Windows Authentication
- Uses Windows login credentials to authenticate users.
- Identifies the user (on the server) by using that person's login identity on the client.
- The browser asks for a user name and password only if the user does not have a valid account on the server.
- The client and server negotiate trust in a series of exchanges that involve user names, domain names, nonces, and hashes.
- All of it is done automatically by the OS on the server and the browser on the client.

Slide 68: Integrated Windows Authentication
- Pros of Windows authentication
  - Doesn't force users who have already logged in to Windows to provide a user name and password again.
  - Secure, even over unencrypted channels, because plain-text passwords are never transmitted.
  - Good for in-house use and behind firewalls.
- Cons of Windows authentication
  - Can't work through firewalls.
  - Proprietary to Windows and, at the time of these slides, Internet Explorer (other browsers now support the Negotiate scheme too).
  - Not for general Internet use.
Slide 69: Windows Authentication / ACL Authorization in Action
- CorpNet: Examples\C10\Basic
- About CorpNet
  - It models a simple intranet-type application (e.g. an internal application for a company).
  - It uses Windows (Basic) authentication and ACL authorization to restrict access to its pages.
- Code
  - General.aspx provides general information.
  - Salaries.aspx lists the salaries.
  - Bonuses.aspx lists the bonuses.
  - Anyone in the company can view General.aspx; only selected individuals can view Salaries.aspx and Bonuses.aspx.

Slide 70: Windows Authentication / ACL Authorization in Action
- Deployment on your home computer
  - Create your own directory: C:\inetpub\wwwroot\yourLoginID
  - Copy Examples\C10\Basic to C:\inetpub\wwwroot\yourLoginID
  - Make the directory a web application.
- Access the aspx pages (as an anonymous user)
  - http://localhost/yourLoginID/Basic/general.aspx
  - http://localhost/yourLoginID/Basic/salaries.aspx (access accepted but no salary entry)
  - http://localhost/yourLoginID/Basic/bonuses.aspx
Slide 71: Windows Authentication and Anonymous Access (No Authorization Control)
- Use Web.config in the root directory to set the authentication mode.
    <configuration>
      <system.web>
        <authentication mode="Windows"/>
      </system.web>
    </configuration>
- Access CorpNet as an anonymous user on winserv1
  - http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx
  - http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
  - http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
- Access CorpNet as an anonymous user on your own computer
  - http://localhost/xiaotest/basic/general.aspx
  - http://localhost/xiaotest/basic/salaries.aspx
  - http://localhost/xiaotest/basic/bonuses.aspx

Slide 72: Basic Authentication, No Authorization Control (on your own computer)
- Use Control Panel -> Administrative Tools -> IIS Manager to configure the application to require authentication and to disallow anonymous access.
  - In IIS Manager, find and click on the Basic application (WINSERV1\Sites\Default Web Site\xiaotest\Basic).
  - In the IIS pane, double-click on Authentication.
  - Disable Anonymous Authentication.
  - Enable Basic Authentication.
- http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
  - Login prompt provided by the browser.
  - User Name: CS\xiao, Password: ???
  - No salary information is available for xiaotest.
  - Modify salaries.aspx to enter a salary for xiaotest.
Slide 73: ACL Authorization
- Change the permissions on Salaries.aspx and Bonuses.xml to deny CS\xiaotest read privilege.
  - Right-click on the file -> Properties -> Security -> Edit -> Add
  - Location: CS
  - Object name: xiaotest
  - OK
  - Deny Read
  - OK, OK
  - (Advanced for inheritance)
- If you don't see the Security tab in the Properties window: right-click on Start, Open, Tools, Folder Options, View, Advanced settings, Files and folders, uncheck "Use simple file sharing".
- Tests
  - http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx (ok)
  - http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx (denied)
  - http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx (ok)

Slide 74: Security Inside
- Note: ACL control is set per user and per file, manually.
- User xiaotest is denied access to Basic/Bonuses.xml. Why can you still read Bonuses.xml through Bonuses.aspx?
  - IIS checks the login and passes the access token to ASP.NET if the login is correct.
  - ASP.NET makes ACL checks using the caller's identity against the ASPX files to be accessed, and passes the access token to the application (the ASPX files).
  - Web applications run inside ASP.NET, which runs as the user ASPNET, so code in the page opens Bonuses.xml as ASPNET and can programmatically access anything that ASPNET is allowed to access. The caller's ACL on the .xml file is never consulted.
Slide 75: Impersonation
- To execute a request using the access token provided by IIS, add the following in Web.config:
    <identity impersonate="true" />
- The identities assigned to the ASP.NET worker process and to the requests that it executes play crucial roles in ASP.NET security.
- From IIS 6.0 on, W3WP.exe is the worker process that loads aspnet_isapi.dll.

Slide 76: Impersonation
- Impersonation makes web applications run as the caller. Any programmatic access is then subject to an ACL check using the caller's identity.
    <configuration>
      <system.web>
        <authentication mode="Windows" />
        <identity impersonate="true" />
      </system.web>
    </configuration>
- Start a new browser: http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx
  - Observed on winserv1: 500 - Internal error occurred.
- The following does work on winserv1
  - In IIS Manager, double-click on the Basic application.
  - In the IIS pane, double-click on Authentication.
  - Enable ASP.NET Impersonation.
Slide 77: CorpNet demonstrates several important principles for using Windows authentication
- Windows authentication is enabled in ASP.NET by including an <authentication mode="Windows" /> statement in Web.config. It has the scope of the application-level Web.config (not page level).
- ASP.NET applications that use Windows authentication can prevent users from viewing files by using ACLs to deny access to selected security principals.
- ASP.NET applications that use Windows authentication must enable impersonation if they want resources protected by ACLs to be protected from programmatic access by code executed within a request.
- ASP.NET applications that use Windows authentication can personalize content for individual users by reading user names from Page.User.Identity.Name.
- ACL authorization requires the system administrators of the web server to set the security control for each application manually (even for each page/file).
Slide 78: Windows Authentication and URL Authorization
- In the Basic/Secret directory, edit web.config to use URL authorization so the system administrator can set security control per directory rather than per file.
    <configuration>
      <system.web>
        <authorization>
          <deny users="CS\xiaotest" />
          <allow users="*" />
        </authorization>
      </system.web>
    </configuration>
- CS\xiaotest is not allowed to access any ASPX pages in Secret. (Note: only one \ after CS.)
- Matching is based on string names, not Windows security IDs (SIDs), so renaming the account silently defeats the rule.
- The deny statement needs to come before the allow statement in the above case; with <allow users="*" /> first, everyone matches it and the deny is never reached.
- URL authorization is usually not used with Windows authentication.
Slide 79: Windows Authentication and Role-Based Security
- Role-based security restricts access based on the roles (groups) that the users belong to. For ACL authorization, control the access by giving permission to the selected groups. For URL authorization, use Web.config to restrict groups.
- E.g. add the WP group and a test2 user in the group.
  - Start -> Settings -> Control Panel -> User Accounts -> Advanced -> Advanced -> Groups; Action -> New Group
  - Start -> Settings -> Control Panel -> User Accounts -> Advanced -> Advanced -> Users; test2 -> Properties -> Member Of -> Add
  - Action -> New User
- Web.config
    <authorization>
      <allow roles="ServerName\WP" />
      <deny users="*" />
    </authorization>
- Denies test but allows test2.
- The allow should be first here (the deny of "*" belongs at the end).
Slide 80: Summary
- Security
  - Authentication
    - Forms
    - Windows: Basic, Digest, Integrated, SSL client certificates
    - Passport
  - Authorization: ACL, URL
- IIS/ASP.NET server-side security processing
- Application security scenarios
- Encryption and validation
- Database-based authentication
- Role-based authorization
- Anonymous login
- Impersonation
- Realm

Slide 81: Good References
- Microsoft Security Tutorials
- ASP.NET authentication and authorization, by Shivprasad Koirala
  http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization#Authentication%20and%20Authorization