1 / 10

ASP.NET Security

ASP.NET Security. Securing your ASP.NET web site. General security terms. Identity: Who are you? Examples: user name, CPR, email address, etc. Authentication: How can you prove who you are? Examples: Password Authorization: What are you allowed to do? Permission rules for the user

anana
Télécharger la présentation

ASP.NET Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ASP.NET Security Securing your ASP.NET web site ASP.NET Security

  2. General security terms • Identity: Who are you? • Examples: user name, CPR, email address, etc. • Authentication: How can you prove who you are? • Examples: Password • Authorization: What are you allowed to do? • Permission rules for the user • Authorization rules for the resources • Roles (security groups) • A user is assigned to a number of roles • Members of a role has access to certain resources ASP.NET Security

  3. ASP.NET Application Services • Membership • Manage and use ”user accounts” • Roles • Manage and use ”roles” • Profile • Store user-specific data in database • Figure from • http://imar.spaanjaars.com/404/using-the-microsoft-access-providers-to-replace-the-built-in-sql-server-providers ASP.NET Security

  4. Login Controls • Login • Form used for login (username + password) • LoginView • Display different data to different users • AnonymousTemplate • LoggedInTemplate • RoleGroups • LoginStatus • Show whether the current user is logged in or not • LoginName • Show the name of the current user • Example • Aspnet/security/logincontrol ASP.NET Security

  5. Login controls, continued • CreateUserWizard • Form to create a new user • PasswordRecovery • Form to recover a lost password • Send by email • ChangePassword • Form to change password ASP.NET Security

  6. Role management • Users are assigned to one or more roles • Each role has access to a number of resources • Like files and folders ASP.NET Security

  7. WSATWeb Site Administration Tool • WSAT is used for • Managing users • Managing roles • Managing access rules • Etc. • Information is stored in a database • ASPNETDB.MDF in the project’s App_Data folder • Visual Studio • ”Website” menu -> ASP.NET Configuration ASP.NET Security

  8. Access rules • Access rules are set in web.config • Enable the roles manager • <roleManager enabled="true" /> • Protect the files in a specific folder <location path="secrets"> <system.web> <authorization> <allow roles="teacher"/> <deny users="*"/> </authorization> </system.web> </location> • If no rule is satisfied, access is granted! • That’s why <deny users="*"/> is necessary • Dis-allowing anonymous users • <deny users=”?” /> ASP.NET Security

  9. Programmatically checking roles • Checking roles in the code behind (C#) • If (User.IsInRole(someRole)) … • Roles manager not needed • If (Roles.IsUserInRole(someRole)… • Roles manager needed • Example: logincontrol/default.aspx.cs ASP.NET Security

  10. Further readings, etc. • Imar SpaanjaarsBeginning ASP.NET 4 in C# and VB, Wrox 2010 • Chapter 16 Security in your ASP.NET 4 web site, page 579-618 • Bill EvjenProfessional ASP.NET 4 in C# and VB, Wrox 2010 • Chapter 20 Security, page 805-833 • George ShepherdMicrosoft ASP.NET 4 Step-by-step, Microsoft Press 2010 • Chapter 9 Logging In, page 181-206 • Joe StagnerLogin Controls (video) • http://www.asp.net/general/videos/login-controls • Joe Stagner Security Videos • http://www.asp.net/security/videos ASP.NET Security

More Related