synapseindia dot net development-security

Upload: synapseindiaappsdevelopment

Post on 02-Jun-2018


TRANSCRIPT

  • 8/10/2019 Synapseindia Dot Net Development-Security

    1/70

    Chapter 10

    ASP.NET Security


    2/70

    Introduction to Web Security

    Categories

    Issues

    Components

    3/70

    Building a Secure Web Site

    Three categories of web security:

    Content freely available to everyone (public).
    Sites that serve the general population but require a login (application-level security, protected).
    Intranet sites for a controlled population of users, e.g. a company's employees (private).

    Security issues: application-level security (users) and deployment security (programmers).

    Web security components: authentication identifies the originator of requests (who); authorization defines who can access which pages (what).

    4/70

    Authentication

    ASP.NET supports three types of authentication, plus none:
    Forms (application-level, handled by the application's own login page)
    Windows (machine-wide, handled by IIS and the operating system)
    Passport (Internet-wide)
    None

    The mode is selected with the mode attribute of the authentication element in Web.config.

    Note:
    The authentication mode is an application-wide setting that can be set only in the application root and can't be overridden in subordinate Web.config files.
    You can't use Windows authentication in one part of an application and forms authentication in another.

    5/70

    Setting authentication mode in the root Web.config

    6/70

    Authorization

    ASP.NET supports two forms of authorization:

    ACL (access control list) authorization, also known as file authorization, is based on file-system permissions and is typically used with Windows authentication.
    URL authorization relies on configuration directives in Web.config files and is most often used with forms authentication.

    7/70

    Three Typical Security Scenarios for Web Applications

    Pages can be freely browsed by anyone: no application-level security.
    Intranet application: use Windows authentication and ACL authorization.
    Internet application with secure page access: use forms authentication and URL authorization.

    8/70

    Where is the Passport?

    passport.com

    December 1999: Microsoft forgot to pay the $35 annual registration fee to Network Solutions.
    Michael Chaney paid it on Christmas Day and the site was back up the next day.
    Passport was replaced by Windows Live ID (no more one login for all), which became Microsoft Account in 2012.

    9/70

    The Internal Workings of IIS and ASP.NET Security

    10/70

    IIS Security

    IIS (Internet Information Services) is a web server that runs in the process Inetinfo.exe as SYSTEM; it accepts connections and responds to HTTP requests.
    Web applications are deployed in application directories. Remote clients can't arbitrarily grab files outside application directories.
    IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
    IIS supports IP address and domain name restrictions.
    IIS supports encrypted HTTP connections (HTTPS) using the Secure Sockets Layer (SSL) family of protocols, today TLS.

    11/70

    IIS Security

    Anonymous access (access by unauthenticated users):
    Requests from anonymous users are tagged with IUSR_machinename's access token.
    IUSR_machinename is an Internet guest account created when IIS is installed, where machinename is usually the web server's machine name.


    12/70

    The relationship between IIS and ASP.NET.

    13/70

    ASP.NET Security

    Server-side processing:
    (1) The client requests an .aspx file.
    (2) Inetinfo.exe (IIS) generates an access token; Aspnet_isapi.dll sends the request and the token to the ASP.NET worker process through a named pipe or local procedure calls (LPCs).
    (3) Aspnet_wp.exe (ASP.NET) makes ACL checks on the requested resource and passes the access token to the targeted application.
    (4) The targeted application runs the request through the HTTP pipeline: HTTP modules, then the HTTP handler mapped for the file extension in Machine.config.

    14/70

    Two types of access tokens:
    Authenticated user: the authenticated security principal.
    Unauthenticated user: IUSR_machinename, for anonymous logins.

    To see the accounts: Start->Settings->Control Panel->Administrative Tools->Computer Management->Local Users and Groups->Users
    To see logon events: Start->Settings->Control Panel->Administrative Tools->Computer Management->Event Viewer->Security

    15/70

    The ASPNET Account

    Created when ASP.NET is installed.
    A member of the Users group (hidden now).
    Aspnet_wp.exe runs as ASPNET by default.
    Requests executed by ASP.NET use Aspnet_wp.exe's identity.
    ASP.NET can impersonate to use the request's access token instead.
    To make Aspnet_wp.exe run as SYSTEM, set the userName attribute of the processModel element in Machine.config to SYSTEM. Doing so gives every web application on the machine full control of the operating system; leave the worker process as ASPNET unless there is a specific reason not to.


    16/70

    Programming Forms Authentication

    17/70

    Forms Authentication

    Forms authentication allows applications to set up web authentication independently of the operating system's authentication. It works well with URL authorization, which relies on configuration directives in Web.config files.
    Forms/URL security is useful for protecting an e-commerce site (an external Internet application serving a company's customers).

    18/70

    Forms Authentication: Static Structure

    Security settings in an ASP.NET-based web application are configured in the Web.config files.
    The Web.config file in the root directory (which must be an application directory) specifies the authentication mode and the application-specific login page.
    The Web.config file in a subdirectory sets the authorization specifics for that directory.
    User credentials can be stored in a database (preferred) or in the root Web.config file.

    19/70

    Forms Authentication: Dynamic Behavior

    The first time a user accesses a protected resource, ASP.NET redirects the user to the login page.
    If the login is successful, ASP.NET issues the user an authentication ticket in the form of a cookie (cookies need to be enabled by the client) and redirects the user to the page originally requested.
    The ticket allows that user to revisit protected portions without having to log in again.
    The ticket's lifetime can be controlled to determine how long the login is good for.

    20/70

    A First Look at Forms Authentication

    Forms1 web application: T:\Xiao\Windows Programming\Examples\C10\Forms1

    At the application root:
    PublicPage.aspx can be viewed by anyone.
    Web.config, LoginPage.aspx

    In the Secret subdirectory:
    ProtectedPage.aspx is available only to authenticated users (wp/wp).
    Web.config

    21/70

    Deploy Forms1 on Winserv1

    Create a web application (Forms1): C:\inetpub\wwwroot\xiaotest\Forms1. You need to have admin privilege.
    On winserv1, use an existing web application directory already created for you.
    Copy everything from T:\Xiao\Windows Programming\Examples\C10\Forms1 to the above directory (C:\inetpub\wwwroot\xiaotest\Forms1).
    http://winserv1.cs.uakron.edu/xiaotest/Forms1/PublicPage.aspx can be viewed by everyone (also http://winserv1.cs.uakron.edu/Examples/C10/Forms1/PublicPage.aspx).

    22/70

    Deploy Forms1 on Winserv1

    http://winserv1.cs.uakron.edu/xiaotest/Forms1/Secret/ProtectedPage.aspx is available only to authenticated users (wp/wp).
    Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
    Valid users are stored in Web.config.
    The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed. You are not prompted for a password again during a session.


    23/70

    Programming Forms Security

    Authentication in the root Web.config

    24/70

    Programming Forms Security

    PublicPage.aspx

        void OnViewSecret (Object sender, EventArgs e)
        {
            Response.Redirect ("Secret/ProtectedPage.aspx");
        }

    LoginPage.aspx

        void OnLogIn (Object sender, EventArgs e)
        {
            // Authenticate compares the name and password with the
            // credentials section of the root Web.config.
            if (FormsAuthentication.Authenticate (UserName.Text, Password.Text))
                // second argument: false = session cookie, true = persistent cookie
                FormsAuthentication.RedirectFromLoginPage (UserName.Text, false);
            else
                Output.Text = "Invalid login";
        }

    The System.Web.Security.FormsAuthentication.Authenticate method returns true if the user name and password appear in the credentials section of Web.config.

    25/70

    Internal Workings

    ASP.NET creates an authentication cookie, attaches it to the outgoing response, and redirects the user to the page originally requested. The lifetime of a persistent cookie is independent of the browser session.
    Authorization is applied on a directory-by-directory basis. The Web.config file in each directory specifies exactly how that directory's files are to be protected.
    On each request for a protected resource, ASP.NET checks whether a valid authentication cookie is attached. If the cookie exists, ASP.NET extracts the identity information from it. If it doesn't, ASP.NET redirects the request to the login page.

    26/70

    Real-World Forms Authentication

    Forms2, Forms3

    27/70

    Real-World Forms Authentication (Forms2)

    Storing user names and passwords in a database (MySQL).
    Creating the database, creating the users table and adding users:
    Log on to winserv1.
    Start->All Programs->MySQL->MySQL Query Browser. Server Host: db1.cs.uakron.edu, Port: 3306, Username: yourLoginID, Password: your password for MySQL, Default Schema: your DB name.
    File->Open Script: T:\Xiao\Windows Programming\Examples\C10\MySQL-Table-Creation\Weblogin.sql
    Execute!

    28/70

    Real-World Forms Authentication: Weblogin.sql

        CREATE TABLE users (
            username varchar(32) NOT NULL,
            pwd      varchar(32) NOT NULL,   -- named pwd rather than password to match LoginPage.aspx (slide 32);
                                             -- stored in the clear for the lab; production code stores a salted hash
            role     varchar(32)
        );

        INSERT INTO users (username, pwd, role) VALUES ('dev', 'dev', 'Developer');
        INSERT INTO users (username, pwd, role) VALUES ('mgr', 'mgr', 'Manager');

    AddUsers.sql

        INSERT INTO users (username, pwd, role) VALUES ('wpd1', 'wp2009', 'Developer');
        INSERT INTO users (username, pwd, role) VALUES ('wpd2', 'wp2009', 'Developer');

    29/70

    Deploy Forms2 on Winserv1

    Create a web application directory: C:\inetpub\wwwroot\xiaotest\Forms2. You need to have admin privilege.
    On winserv1, use an existing web application directory already created for you.
    Copy everything from T:\Xiao\Windows Programming\Examples\C10\Forms2 to the above directory (C:\inetpub\wwwroot\xiaotest\Forms2).

    30/70

    Deploy Forms2 on Winserv1

    http://winserv1.cs.uakron.edu/xiaotest/Forms2/PublicPage.aspx and http://winserv1.cs.uakron.edu/Examples/C10/Forms2/PublicPage.aspx can be viewed by anyone.
    http://winserv1.cs.uakron.edu/xiaotest/Forms2/Secret/ProtectedPage.aspx is available only to authenticated users (dev/dev).

    31/70

    Deploy Forms2 on Winserv1

    Authenticated users means anyone who has successfully logged in through LoginPage.aspx.
    Valid users are stored in the database.
    The cookie containing the authentication ticket is a session cookie, destroyed when the browser is closed. You are not prompted for a password again during a session.

    32/70

    Real-World Forms Authentication: LoginPage.aspx Credential Matching

    SQL: select count(*) from users where username = 'dev' and pwd = 'dev';
    It returns 0 if no matching credentials are found.

    Building this statement by pasting the typed user name and password into the SQL text is the classic SQL injection mistake: a password of ' or '1'='1 makes the WHERE clause true for every row. Pass the values as command parameters instead, and store a salted password hash rather than the clear-text password the lab table holds.

    MySQL notes:
    (1) count (*) works in SQL Server but not in MySQL, because of the extra space after count.
    (2) password is a keyword in MySQL (not in SQL Server), so the course doesn't use it as a column name.
    (3) ExecuteScalar returns Int64 for a count query.

        FormsAuthentication.RedirectFromLoginPage (UserName.Text, Persistent.Checked);

    Persistent authentication cookie: the user can get back in without logging in again, even after shutting down the browser.
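The credential check above written two ways, as an added example (not the course's LoginPage.aspx). It assumes the Forms2 table (columns username, pwd, role) and the MySQL connector (MySql.Data) used in the lab; the open connection and the showError callback are supplied by the caller.

```csharp
using System;
using System.Web.Security;
using MySql.Data.MySqlClient;

public static class LoginCheck
{
    // The slide's query with the typed values pasted into the SQL text. A password of
    //   ' or '1'='1
    // turns the WHERE clause into  (username = '...' and pwd = '') or '1'='1',  which is
    // true for every row, so count(*) is non-zero and the login succeeds.
    public static string BuildConcatenatedQuery(string user, string pwd)
    {
        return "select count(*) from users where username = '" + user +
               "' and pwd = '" + pwd + "'";
    }

    // The same check with parameters: the typed values travel as data and are never
    // parsed as SQL, so the payload above is just a password that matches no row.
    public static bool ValidateUser(MySqlConnection connection, string user, string pwd)
    {
        const string sql = "select count(*) from users where username = @user and pwd = @pwd";
        using (MySqlCommand command = new MySqlCommand(sql, connection))
        {
            command.Parameters.AddWithValue("@user", user);
            command.Parameters.AddWithValue("@pwd", pwd);
            // ExecuteScalar returns Int64 for a count in MySQL (slide 32, note 3).
            long matches = Convert.ToInt64(command.ExecuteScalar());
            return matches > 0;
        }
    }

    // What the LoginPage.aspx click handler reduces to once the query is parameterized.
    public static void OnLogIn(MySqlConnection connection, string user, string pwd,
                               bool persistent, Action<string> showError)
    {
        if (ValidateUser(connection, user, pwd))
            FormsAuthentication.RedirectFromLoginPage(user, persistent);
        else
            showError("Invalid login");
    }

    // Offline demonstration of the injected statement; no database needed.
    public static void Main()
    {
        Console.WriteLine(BuildConcatenatedQuery("dev", "dev"));
        Console.WriteLine(BuildConcatenatedQuery("anyone", "' or '1'='1"));
    }
}
```

The second line Main prints is `select count(*) from users where username = 'anyone' and pwd = '' or '1'='1'`; because AND binds tighter than OR, the statement counts every row in the table and the concatenating version of the login accepts it. ValidateUser returns false for the same input.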

    33/70

    Authentication Cookie Lifetime

    Session authentication cookie: the timeout attribute of the forms element in Machine.config is 30 minutes by default; an application's Web.config can override it, for example with 7 days (10080 minutes).

    Programming cookies:

        // Adjust the lifetime of the cookie that has just been issued (for example
        // by FormsAuthentication.SetAuthCookie) before redirecting. RedirectFromLoginPage
        // ends the response, so this must run before it, not after.
        HttpCookie cookie = Response.Cookies[FormsAuthentication.FormsCookieName];
        cookie.Expires = DateTime.Now + new TimeSpan (7, 0, 0, 0); // 7 days

    Removing cookies as a user:
    IE -> Tools -> Internet Options -> General -> Delete Cookies.
    Netscape -> Tools -> Cookie Manager -> Manage stored cookies -> Remove all.
    Firefox -> Tools -> Clear Recent History: check Cookies.

    34/70

    Forms Authentication: Role-Based Security

    35/70

    Forms Authentication and Role-Based Security (Forms3)

    Use role membership to allow only some authenticated users to view Secret/ProtectedPage.aspx.

    Without roles, the authorization section of Secret/Web.config can express:
    Deny all unauthenticated users (users="?").
    Deny all users (users="*") except John and Alice.
    Allow all except Jeff, Bob, and Mary.

    The allow and deny elements are order-sensitive: ASP.NET applies the first rule that matches the requester and ignores every rule after it, so a deny for users="*" placed first blocks everyone, including the users an allow further down was meant to admit.
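The rule sets described above, written out as a root Web.config, as an added example reconstructed from the slides (not the course's own files). It assumes the Forms1 layout (PublicPage.aspx and LoginPage.aspx at the root, ProtectedPage.aspx under Secret) and the credentials and role names the slides use; the forms element's attributes are the defaults from slide 43 spelled out.

```xml
<?xml version="1.0"?>
<!-- Root Web.config for Forms1/Forms3 (added example, reconstructed from the slides). -->
<configuration>
  <system.web>
    <!-- Application-wide; valid only in the root Web.config. -->
    <authentication mode="Forms">
      <!-- The forms element's defaults (slide 43), spelled out. -->
      <forms name=".ASPXAUTH" loginUrl="LoginPage.aspx"
             protection="All" timeout="30" path="/">
        <!-- Forms1 keeps its users here; Forms2/Forms3 use the MySQL table instead.
             FormsAuthentication.Authenticate checks against this list. -->
        <credentials passwordFormat="Clear">
          <user name="wp" password="wp" />
        </credentials>
      </forms>
    </authentication>

    <!-- Root directory: PublicPage.aspx and LoginPage.aspx are open to everyone. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Rules for the Secret subdirectory. These could equally go in Secret/Web.config;
       a location element in the root file keeps all the rules in one place. -->
  <location path="Secret">
    <system.web>
      <authorization>
        <!-- ASP.NET walks the rules top to bottom and applies the FIRST one that
             matches the requester; everything after it is ignored. "?" is the
             anonymous user, "*" is everyone. -->

        <!-- Forms3: only the Developer role. mgr/mgr (Manager) falls through to the
             final deny; an anonymous visitor is denied and sent to LoginPage.aspx. -->
        <allow roles="Developer" />
        <deny users="*" />

        <!-- Forms1/Forms2 instead: any logged-in user.
        <deny users="?" />
        -->

        <!-- Deny everyone except John and Alice (the allow must precede the deny).
        <allow users="John,Alice" />
        <deny users="*" />
        -->

        <!-- Allow everyone except Jeff, Bob and Mary (the deny must precede the allow).
        <deny users="Jeff,Bob,Mary" />
        <allow users="*" />
        -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

Only one of the commented variants should be active at a time; with the Forms3 pair in place, swapping the two lines (deny first) would lock out developers as well, which is the order-sensitivity the slide warns about.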

    36/70

    Forms Authentication and Role-Based Security (Forms3)

    With roles:
    The users table has a field named role that stores each user's role (group) membership.
    Grant the Developer role access to Secret.
    Map the roles to user accounts so that ASP.NET can determine whether the requester is a developer or not.
    Place the mapping in the AuthenticateRequest event handler (invoked at the beginning of every request).
    This can be done in a custom HTTP module or in Global.asax.

    http://winserv1.cs.uakron.edu/Examples/C10/Forms3/PublicPage.aspx
    http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
    dev/dev (Developer) can view ProtectedPage.aspx; mgr/mgr (Manager) can't.

    37/70

    Programming Role-Based Authentication

    Getting information about authenticated users in your code:
    ASP.NET stores user information in the HttpContext.User property.
    Access User through Page.Context.User, or simply Page.User, or HttpApplication.User.
    The User property is of type IPrincipal (an interface defined in System.Security.Principal).
    It is implemented by the WindowsPrincipal class for Windows authentication and by the GenericPrincipal class for forms and other kinds of authentication (GenericPrincipal can be used with Windows authentication too).
    GenericPrincipal is a device for representing user identities independently of the authentication protocol being used. ASP.NET compares the role names in the GenericPrincipal to the roles granted access in Web.config.
    User.Identity contains some useful properties:

    38/70

    Properties in User.Identity

    Property            Description
    AuthenticationType  Reveals which form of authentication was used
    IsAuthenticated     Reveals whether the user is authenticated
    Name                Reveals an authenticated user's name

        if (User.Identity.IsAuthenticated) {
            string name = User.Identity.Name;
        }

    Name is of the form domain-name\user-name for Windows authentication and the user-typed login name for forms authentication.

    39/70

    Programming Authentication - Roles

    Retrieve a user's role and create a Principal for the user (in Global.asax; the System.Security.Principal and System.Web.Security namespaces must be imported):

        void Application_AuthenticateRequest (Object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication) sender;

            if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity) {
                FormsIdentity identity = (FormsIdentity) app.User.Identity;

                // Find out what role (if any) the user belongs to
                string role = GetUserRole (identity.Name);

                // Create a GenericPrincipal containing the role name
                // and assign it to the current request
                if (role != null)
                    app.Context.User = new GenericPrincipal (identity, new string[] { role });
            }
        }

    40/70

    Programming Authentication - Roles

        string GetUserRole (string name)
        {
            MySqlConnection connection = new MySqlConnection
                ("server=db1.cs.uakron.edu;database=xiaotest;uid=xiaotest;pwd=wp2009;allow zero datetime=yes");
            try {
                connection.Open ();
                // The login name is passed as a parameter rather than concatenated into
                // the SQL text ("where username = '" + name + "'"), which would let a
                // crafted login name alter the query (SQL injection).
                MySqlCommand command = new MySqlCommand
                    ("select role from users where username = @name", connection);
                command.Parameters.AddWithValue ("@name", name);
                object role = command.ExecuteScalar ();
                if (role == null || role is DBNull) return null;   // no such user, or no role
                return (string) role;
            }
            catch (MySqlException) { return null; }
            finally { connection.Close (); }
        }

    41/70

    More on Forms Authentication

    Multiple Roles

    Coding:

        app.Context.User = new GenericPrincipal (identity, new string[] { "Developer", "Manager" });

    Web.config: list every role that may enter in the roles attribute of the allow element.

    Configure subdirectories in the root Web.config with location elements instead of a Web.config per subdirectory.

    42/70

    More on Forms Authentication

    Signing Out

        void OnLogOut (Object sender, EventArgs e)
        {
            FormsAuthentication.SignOut ();
        }

    FormsAuthentication.SignOut () returns a Set-Cookie header that sets the cookie's value to an empty string and its expiration date to a date in the past. The ticket itself is not invalidated on the server: a copy of the cookie captured earlier still verifies until it times out.

    43/70

    More on Forms Authentication

    Attributes of the forms element in Web.config:

    Attribute   Description                                                    Default
    name        Name assigned to authentication cookies                        .ASPXAUTH
    loginUrl    URL of the login page                                          login.aspx
    protection  Level of protection (validation and encryption) applied to     All
                authentication cookies
    timeout     Lifetime of session authentication tickets, in minutes         30
    path        Scope of authentication cookies                                /

    The protection attribute specifies the desired level of protection for the authentication cookies. All instructs ASP.NET to both encrypt and validate authentication cookies.

    44/70

    Encrypt and Validate Authentication Cookies

    Validation works by computing a keyed hash over the cookie: the machineKey element's validationKey is combined with the cookie contents, the result is hashed, and the hash is appended to the cookie. When the cookie is returned in a request, ASP.NET verifies that it wasn't tampered with by recomputing the hash and comparing the new hash to the one accompanying the cookie.
    Encryption works by encrypting the whole cookie, hash included, with the key in machineKey's decryptionKey attribute.

    45/70

    Encrypt and Validate Authentication Cookies

    Validation consumes less CPU time than encryption and prevents tampering. It does not prevent someone from intercepting an authentication cookie and reading its contents.
    To validate but not encrypt authentication cookies, set the forms element's protection attribute to Validation.
    Encryption prevents the cookie's contents from being read. On its own it is a weaker guard against tampering than validation, so in practice leave protection at All.
    To encrypt but not validate cookies, set protection to Encryption.

    46/70

    Encrypt and Validate Authentication Cookies

    To disable both, set protection to None.

    Encrypted cookies can't be read or altered, but they can be stolen and replayed. Time-outs are the only protection.
    The most reliable way to prevent someone from impersonating a user with a stolen authentication cookie is to use an encrypted communications link (HTTPS), so the cookie is never exposed in transit.
    This assumes the server supports HTTPS and Login.aspx is stored in a directory configured to use HTTPS.

    Caveat emptor: ASP.NET protects only the requests that IIS hands to the ASP.NET ISAPI extension, so a static .html file in the Secret directory is served by IIS without any forms-authentication check. Renaming .html to .aspx routes the file through ASP.NET and protects it (alternatively, map the extension to ASP.NET).

    http://winserv1.cs.uakron.edu/xiaotest/Forms3/PublicPage.aspx
    http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/ProtectedPage.aspx
    http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.html
    http://winserv1.cs.uakron.edu/xiaotest/Forms3/Secret/Calc.aspx
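The validate-then-encrypt scheme of slides 44 to 46, reduced to its two operations, as an added example (not ASP.NET's own implementation). The two keys stand in for machineKey's validationKey and decryptionKey, a plain string stands in for FormsAuthenticationTicket, and HMAC-SHA256 and AES-CBC stand in for whichever algorithms the machineKey element selects; the order (hash appended first, then everything encrypted) follows the slides. Main shows the three cases the slides discuss: a genuine cookie, a tampered one, and a stolen one replayed unchanged.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class TicketProtector
{
    private const int TagLength = 32;   // HMAC-SHA256 output
    private const int IvLength = 16;    // AES block size
    private readonly byte[] validationKey;   // stands in for machineKey validationKey
    private readonly byte[] decryptionKey;   // stands in for machineKey decryptionKey

    public TicketProtector(byte[] validationKey, byte[] decryptionKey)
    {
        this.validationKey = validationKey;
        this.decryptionKey = decryptionKey;
    }

    // Validation: keyed hash over the ticket, appended to it.
    private byte[] AppendMac(byte[] ticket)
    {
        using (HMACSHA256 mac = new HMACSHA256(validationKey))
        {
            byte[] tag = mac.ComputeHash(ticket);
            byte[] result = new byte[ticket.Length + TagLength];
            Buffer.BlockCopy(ticket, 0, result, 0, ticket.Length);
            Buffer.BlockCopy(tag, 0, result, ticket.Length, TagLength);
            return result;
        }
    }

    // Encryption: AES-CBC over ticket+hash, with a fresh random IV prefixed.
    private byte[] Encrypt(byte[] data)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = decryptionKey;
            aes.GenerateIV();
            byte[] body = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length);
            byte[] result = new byte[IvLength + body.Length];
            Buffer.BlockCopy(aes.IV, 0, result, 0, IvLength);
            Buffer.BlockCopy(body, 0, result, IvLength, body.Length);
            return result;
        }
    }

    // Cookie value = Base64(Encrypt(ticket || HMAC(ticket))), i.e. protection="All".
    public string Protect(string ticket)
    {
        return Convert.ToBase64String(Encrypt(AppendMac(Encoding.UTF8.GetBytes(ticket))));
    }

    // Decrypt, recompute the hash, compare. Null for anything that does not verify.
    public string Unprotect(string cookieValue)
    {
        byte[] plain;
        try
        {
            byte[] blob = Convert.FromBase64String(cookieValue);
            if (blob.Length < IvLength + 16 || (blob.Length - IvLength) % 16 != 0) return null;
            using (Aes aes = Aes.Create())
            {
                aes.Key = decryptionKey;
                byte[] iv = new byte[IvLength];
                Buffer.BlockCopy(blob, 0, iv, 0, IvLength);
                aes.IV = iv;
                plain = aes.CreateDecryptor().TransformFinalBlock(blob, IvLength, blob.Length - IvLength);
            }
        }
        catch (FormatException) { return null; }        // not base64
        catch (CryptographicException) { return null; } // bad padding: altered, or wrong key
        if (plain.Length < TagLength) return null;

        int ticketLength = plain.Length - TagLength;
        byte[] ticket = new byte[ticketLength];
        Buffer.BlockCopy(plain, 0, ticket, 0, ticketLength);
        byte[] expected;
        using (HMACSHA256 mac = new HMACSHA256(validationKey)) expected = mac.ComputeHash(ticket);

        // Constant-time comparison so a mismatch doesn't reveal where it occurred.
        int diff = 0;
        for (int i = 0; i < TagLength; i++) diff |= expected[i] ^ plain[ticketLength + i];
        return diff == 0 ? Encoding.UTF8.GetString(ticket) : null;
    }

    public static void Main()
    {
        byte[] vkey = new byte[32], dkey = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) { rng.GetBytes(vkey); rng.GetBytes(dkey); }
        TicketProtector p = new TicketProtector(vkey, dkey);

        string cookie = p.Protect("name=mgr;role=Manager;expires=" + DateTime.UtcNow.AddMinutes(30).ToString("o"));
        Console.WriteLine("genuine cookie verifies : " + (p.Unprotect(cookie) != null));

        // Tampering: flip one bit of the ciphertext. Decryption yields garbage or a
        // padding error; either way the hash check fails and the ticket is rejected.
        byte[] raw = Convert.FromBase64String(cookie);
        raw[raw.Length - 1] ^= 0x01;
        Console.WriteLine("tampered cookie verifies: " + (p.Unprotect(Convert.ToBase64String(raw)) != null));

        // Theft: the unmodified cookie replayed from another client still verifies.
        // Neither step stops this; only the expiry inside the ticket, or HTTPS, does.
        Console.WriteLine("stolen cookie verifies  : " + (p.Unprotect(cookie) != null));
    }
}
```

The replay case is the point of slide 46: encryption and validation bind the cookie to the server's keys, not to the client, so a ticket lifted from an unencrypted connection is accepted until its timeout. Newer ASP.NET versions sign after encrypting rather than before; the slides describe the older order, and the example keeps it.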

    47/70

    Windows Authentication

    48/70

    Windows Authentication

    It maps incoming requests to accounts on the web server or in the web server's domain.
    Serves content to a well-defined populace (intranet).
    Requires no programming: authentication is done by the system.

    49/70

    Windows Authentication

    Don't use it to generically expose content to all comers over the Internet.
    Windows authentication on the front end is typically paired with ACL authorization (administrator controlled) on the back end.
    It can also be used with URL authorization (programmer controlled).

    50/70

    Windows Authentication

    Categories of Windows authentication:
    Basic authentication: login dialog, piggybacks on HTTP.
    Digest authentication: login dialog, piggybacks on HTTP.
    Integrated Windows authentication: Windows login.
    SSL client certificates: limited primarily to intranets.

    51/70

    Basic Authentication

    An HTTP standard (documented in RFC 2617, ftp://ftp.isi.edu/in-notes/rfc2617.txt).

    How it works:
    On the first access, the web server returns a 401 status code indicating what type of authentication is required:

        HTTP/1.1 401 Access Denied
        Server: Microsoft-IIS/5.0
        ...
        WWW-Authenticate: Basic realm="uakron.edu"

    A realm is a logical security space that encompasses all or part of a web site.
    The browser pops up a dialog box (not part of your ASP.NET-generated HTML) asking for a user name and password.

    52/70

    Basic Authentication

    The browser concatenates the user name and password (user:password), base64-encodes the result and sends it in the Authorization header of an HTTP request:

        Authorization: Basic SmVmZjppbWJhdG1hbg==

    Base64 is an encoding, not encryption: anyone who sees the header can decode it back to the user name and password.
    The browser includes the same Authorization header in each future request to the same realm.
    IIS maps the user name and password to an account on the web server, producing an access token.
    The access token is used to perform ACL-based security checks.

    53/70

    Basic Authentication

    Pros of basic authentication:
    It works with virtually all browsers. Easy to use.
    It works well with firewalls.

    Cons of basic authentication:
    Nothing prevents HTTP requests carrying the Authorization header from being intercepted and used to gain access to your server.
    Some users consider pop-up dialogs intrusive.
    Use it over HTTPS, not plain HTTP.

    54/70

    Digest Authentication

    Documented in RFC 2617 (ftp://ftp.isi.edu/in-notes/rfc2617.txt).
    Similar to basic authentication: the browser solicits a user name and password by popping up a dialog box, and the server uses the credentials to assign an identity to the request.
    The big difference between basic and digest authentication is that digest doesn't transmit clear-text passwords. Instead, it passes a hash computed from the password and a server-supplied nonce, so it can be used over unencrypted channels without exposing the password itself. (The hash is MD5-based and can still be attacked offline by guessing passwords, and it does nothing to protect the rest of the traffic.)

    55/70

    Digest Authentication (cont.)

    When the client first requests a resource guarded by digest authentication, the server returns a 401 error and includes a nonce (a server-generated, single-use string) in the WWW-Authenticate header.
    The browser responds by prompting for a user name and password. It then transmits the user name back to the server, along with a hash, or digest, computed from the combined user name, password, and nonce.
    The server authenticates the request by performing its own hash on the user name, password, and nonce. The password the server uses doesn't come from the client; it comes from the server's own store.
    If the hashes match, the user is authenticated.
    It's also compatible with proxy servers.
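The two schemes of slides 51 to 55 side by side, as an added example (not from the course): decoding the Basic header shown on slide 52, and the RFC 2617 digest computation in its simplest form (no qop), run once on the client side to build the response and once on the server side to verify it. The realm, nonce, URI and credentials in Main are constructed for the example; the server is assumed to hold the clear-text password, which RFC 2617 also allows to be replaced by the stored HA1 value.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HttpAuthDemo
{
    // Basic: "Authorization: Basic <base64(user:password)>"
    public static string BuildBasic(string user, string password)
    {
        return "Basic " + Convert.ToBase64String(Encoding.ASCII.GetBytes(user + ":" + password));
    }

    // Decode a Basic header; returns {user, password} or null if malformed.
    // Splits on the first ':' only, since RFC 2617 allows ':' inside the password.
    public static string[] DecodeBasic(string header)
    {
        const string prefix = "Basic ";
        if (!header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
        string userPass = Encoding.ASCII.GetString(Convert.FromBase64String(header.Substring(prefix.Length)));
        int colon = userPass.IndexOf(':');
        if (colon < 0) return null;
        return new[] { userPass.Substring(0, colon), userPass.Substring(colon + 1) };
    }

    private static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.ASCII.GetBytes(s));
            StringBuilder sb = new StringBuilder(32);
            foreach (byte b in hash) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // RFC 2617 Digest without qop:
    //   HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)
    // The password never leaves the client; only the response travels.
    public static string DigestResponse(string user, string realm, string password,
                                        string nonce, string method, string uri)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    // Server side: recompute with the password from the server's own store and compare.
    public static bool VerifyDigest(string user, string realm, string storedPassword,
                                    string nonce, string method, string uri, string response)
    {
        return string.Equals(DigestResponse(user, realm, storedPassword, nonce, method, uri),
                             response, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Basic: the header from slide 52 decodes straight back to user name and password.
        string[] creds = DecodeBasic("Basic SmVmZjppbWJhdG1hbg==");
        Console.WriteLine("Basic decodes to user=" + creds[0] + " password=" + creds[1]);

        // Digest exchange (constructed values): 401 challenge, client response, server check.
        string realm = "uakron.edu", nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        string uri = "/xiaotest/basic/salaries.aspx";
        Console.WriteLine("WWW-Authenticate: Digest realm=\"" + realm + "\", nonce=\"" + nonce + "\"");
        string resp = DigestResponse("Jeff", realm, "imbatman", nonce, "GET", uri);
        Console.WriteLine("Authorization: Digest username=\"Jeff\", realm=\"" + realm + "\", nonce=\"" + nonce +
                          "\", uri=\"" + uri + "\", response=\"" + resp + "\"");
        Console.WriteLine("server accepts correct password: " + VerifyDigest("Jeff", realm, "imbatman", nonce, "GET", uri, resp));
        Console.WriteLine("server accepts wrong password:   " + VerifyDigest("Jeff", realm, "batman", nonce, "GET", uri, resp));
    }
}
```

The Basic header on slide 52 decodes to the user name Jeff and the password imbatman, which is the whole of slide 53's first con. In the digest exchange the attacker sees only the response value; guessing the password means recomputing MD5 per guess against the captured nonce, which is what the caveat on slide 54 refers to.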

    56/70

    Digest Authentication (cont.)

    Pros of digest authentication:
    Easy to understand. Works with firewalls.
    Far more secure over ordinary HTTP than basic authentication.

    Cons of digest authentication:
    Uses pop-up dialog boxes for user names and passwords.
    Doesn't support delegation (the ability to make a call from one machine to another and have the call execute as the caller on the remote machine) on Windows 2000 servers.
    Digest authentication is not widely used.

    57/70

    Integrated Windows Authentication

    Uses Windows login credentials to authenticate users.
    Identifies the user (on the server) by using that person's login identity on the client.
    The browser asks for a user name and password only if the user does not have a valid account on the server.
    The client and server negotiate trust in a series of exchanges that involve user names, domain names, nonces, and hashes.
    All done automatically by the OS on the server and the browser on the client.

    58/70

    Integrated Windows Authentication

    Pros of Windows authentication:
    Doesn't force users who have already logged in to Windows to provide a user name and password again.
    Secure, even over unencrypted channels, because plain-text passwords are never transmitted. (The challenge-response exchange itself can still be captured, so what is protected is the password, not the connection; use HTTPS where the traffic is exposed.)
    Good for in-house use and behind firewalls.

    Cons of Windows authentication:
    Can't work through firewalls.
    Proprietary to Windows and, at the time, Internet Explorer.
    Not for general Internet use.

    59/70

    Windows Authentication / ACL Authorization in Action: CorpNet

    T:\Xiao\Windows Programming\Examples\C10\Basic

    About CorpNet:
    It models a simple intranet-type application (e.g. an internal application for a company).
    It uses Windows (basic) authentication and ACL authorization to restrict access to its pages.

    Code:
    General.aspx provides general information.
    Salaries.aspx lists the salaries. Bonuses.aspx lists the bonuses.
    Anyone in the company can view General.aspx; only selected individuals can view Salaries.aspx and Bonuses.aspx.

    60/70

    Windows Authentication / ACL Authorization in Action

    Deployment on your home computer:
    Create your own directory: C:\inetpub\wwwroot\yourLoginID
    Copy T:\Xiao\Windows Programming\Examples\C10\Basic to C:\inetpub\wwwroot\yourLoginID
    Make the directory a web application.
    Access the aspx pages (as an anonymous user):
    http://localhost/yourLoginID/Basic/general.aspx
    http://localhost/yourLoginID/Basic/salaries.aspx (access accepted but no salary entry)
    http://localhost/yourLoginID/Basic/bonuses.aspx

    61/70

    Windows Authentication and Anonymous Access (No Authorization Control)

    Use Web.config in the root directory to set the authentication mode to Windows.

    Access CorpNet as an anonymous user on winserv1:
    http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx
    http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
    http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx

    Access CorpNet as an anonymous user on your own computer:
    http://localhost/xiaotest/basic/general.aspx
    http://localhost/xiaotest/basic/salaries.aspx
    http://localhost/xiaotest/basic/bonuses.aspx

    62/70

    Basic Authentication, No Authorization Control (on your own computer)

    Use Control Panel -> Administrative Tools -> IIS Manager to configure the application to require authentication and to disallow anonymous access.
    In IIS Manager, find and click on the Basic application (WINSERV1\Sites\Default Web Site\xiaotest\Basic).
    In the IIS pane, double-click Authentication.
    Disable Anonymous Authentication.
    Enable Basic Authentication.
    http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx
    Login prompt provided by the browser. User name: cs\xiaotest, password: ???
    No salary information is available for xiaotest.
    Modify salaries.aspx to enter a salary for xiaotest.

    63/70

    ACL Authorization

    Change the permissions on Salaries.aspx and Bonuses.xml to deny CS\xiaotest read privilege:
    Right-click the file -> Properties -> Security -> Edit -> Add; location: CS; object name: xiaotest; OK; Deny: Read; OK; OK (Advanced for inheritance).
    If you don't see the Security tab in the Properties window: right-click Start, Open, Tools, Folder Options, View, Advanced settings, Files and Folders, uncheck "Use simple file sharing".

    Tests:
    http://winserv1.cs.uakron.edu/xiaotest/basic/general.aspx (ok)
    http://winserv1.cs.uakron.edu/xiaotest/basic/salaries.aspx (denied)
    http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx (ok)

  • 8/10/2019 Synapseindia Dot Net Development-Security

    64/70

    Security Inside Note: ACL Control is set per user and per file

    manually. User: xiaotest access denied for Basic/Bonuses.xml

    Why can you still read Bonuses.xml through Bonuses.aspx?

    IIS checks the login and, if the login is correct, passes the access token to ASP.NET.

    ASP.NET makes ACL checks using the caller's identity against the ASPX files to be accessed and passes the access token to the application (ASPX files).

    Web applications run inside ASP.NET, which is run by the user ASPNET, and can programmatically access anything that ASPNET is allowed to access.


    65/70

    Impersonation

    To execute a request using the access token provided by IIS.

    Add the following in Web.config

    The identities assigned to the ASP.NET worker process and to the requests that it executes play crucial roles.

    After IIS 6.0, W3WP.exe connects to aspnet_isapi.dll.



    66/70

    Impersonation

    Impersonation makes web applications run as the caller.

    Any programmatic access is then subject to an ACL check using the caller's identity.

    Start a new browser: http://winserv1.cs.uakron.edu/xiaotest/basic/bonuses.aspx

    500 - Internal error occurred.

    The following does work on winserv1: in IIS Manager, double-click on the Basic application.

    In the IIS pane, double-click on Authentication

    Enable ASP.NET Impersonation



    67/70

    CorpNet demonstrates several important principles for using Windows authentication:

    Windows authentication is enabled in ASP.NET by including an authentication statement in Web.config. It has the scope of the Web.config at application level (not page level).

    ASP.NET applications that use Windows authentication can prevent users from viewing files by using ACLs to deny access to selected security principals.

    ASP.NET applications that use Windows authentication must enable impersonation if they want resources protected by ACLs to be protected from programmatic accesses by code executed within a request.

    ASP.NET applications that use Windows authentication can personalize content for individual users by reading user names from Page.User.Identity.Name.

    ACL authorization requires system administrators of the web server to manually set the security control for each application (even each page/file).



    68/70

    Windows Authentication and URL Authorizations

    Change Web.config to use URL authorization so the programmer can set the security control (per directory, not per file).

    "CS\YourUnixID" is not allowed to access any ASPX pages in Basic. Note: only one \ after CS.

    URL authorization is based on string names, not Windows security IDs (SIDs). The deny statement needs to be before the allow statement in the above case. URL authorization is usually not used with Windows authentication.



    69/70

    Windows Authentication and Role Based Security

    Role-based security restricts access based on roles (groups) that the users belong to. For ACL authorization, control the access by giving permission to the selected groups.

    For URL authorizations, use Web.config to restrict groups.

    e.g. add the WP group and a test2 user to the group.

    Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Groups

    Action->New Group

    Start->Settings->Control Panel->User Accounts->Advanced->Advanced->Users

    Action->New User

    test2->Properties->Member Of->Add

    Web.config
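    The slides' own Web.config fragments did not survive the transcript. The following is an added example, not the slides' file, that puts the settings from the Impersonation, URL Authorization and Role-Based Security slides into one root Web.config: Windows authentication at application scope, impersonation so that programmatic file access is ACL-checked as the caller, and URL authorization rules scoped to the Basic directory with deny placed before allow. The user name CS\YourUnixID and the group name WINSERV1\WP are assumed placeholders for the page's own values.

```xml
<?xml version="1.0"?>
<!-- Added example, not the slides' own Web.config. Place at the application root. -->
<configuration>
  <system.web>
    <!-- Application-wide setting: allowed only in the root Web.config,
         cannot be overridden by Web.config files in subdirectories. -->
    <authentication mode="Windows" />

    <!-- Run each request under the access token passed in by IIS, so code in
         Bonuses.aspx that reads Bonuses.xml is ACL-checked as the caller
         rather than as the ASP.NET worker-process account. -->
    <identity impersonate="true" />
  </system.web>

  <!-- URL authorization is set per directory (here: Basic), not per file. -->
  <location path="Basic">
    <system.web>
      <!-- Rules are evaluated top to bottom and the first match wins, so the
           deny for the single user must come before the broader allow.
           Names are plain strings, not SIDs; note the single backslash. -->
      <authorization>
        <deny users="CS\YourUnixID" />  <!-- assumed placeholder: your own DOMAIN\user -->
        <deny users="?" />              <!-- anonymous callers -->
        <allow roles="WINSERV1\WP" />   <!-- assumed: local group WP on winserv1 -->
        <deny users="*" />              <!-- everyone not matched above -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

    Swapping the first two rules so that `allow roles="WINSERV1\WP"` precedes `deny users="CS\YourUnixID"` would let a WP member with that user name through, which is the ordering point the URL Authorization slide makes.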


    70/70

    Summary

    Security

    Authentication

    Forms

    Windows: Basic, Digest, Integrated, SSL Client Certificates

    Passport

    Authorization: ACL, URL

    IIS/ASP.NET Server-Side Security Processing

    Application Security Scenarios

    Encryption and Validation

    Database Based Authentication

    Role Based Authorization

    Anonymous Login

    Impersonation

    Realm