Authorization, Authentication, And Security

Published on June 2016

Summary of research on AAS



ASP.NET Authentication, Authorization, and Security

Lifespan Biotechnologies


General process of authentication and authorization for any user who wishes to access secure information. Internet Information Server (IIS) is a tool for Windows servers, used in Visual Basic, that processes browser requests. The Web Application Programming Interface (Web API) includes the interfaces that house the libraries used to authenticate and authorize users.

What is it and why do we need it?
• Knowing the identity of the user
• Used to maintain privacy (as opposed to public viewing)
• To “authenticate” is to cross-reference credentials supplied by a user with existing credentials

General Overview
• Web API assumes that authentication occurs in the host server and utilizes HTTP modules
• ASP.NET has several built-in authentication modules and also allows for custom-defined authorization (more on these later)

• When the host authenticates a user, it creates a principal (IPrincipal) object
  • Contains the security information/context under which the program is running
  • The host attaches the principal to the current thread by setting Thread.CurrentPrincipal
  • The principal contains an Identity object that holds information about the user
  • The state of user authentication can be accessed via Identity.IsAuthenticated

• Self-hosting is available as well, but is limited in functionality and impractical for this project

Types of Authentication
• Basic Authentication
• Forms Authentication
• Passport Authentication
• Integrated Windows Authentication
• Custom Authentication

Basic Authentication
1) If a request requires authentication, the server returns 401 (Unauthorized) and indicates that it supports basic authentication with a WWW-Authenticate header
2) Another request is sent with the credentials in the Authorization header, formatted as “name:password” in base64 encoding
   a. Credentials are not encrypted
   b. Base64 is an encoding and NOT an encryption, so it is quite easy to decipher

Basic Authentication (cont.)
• Credentials are valid only in the realm defined by the server
• Vulnerable to CSRF attacks – an attack where a user’s credentials are sent to an external party (i.e. via a URI that is the “same” as the original website but is owned by that external party), which then uses the user’s credentials to authenticate and authorize itself to all the information that the user is allowed to access

• Add [Authorize] to any controller/action that needs authentication (i.e. changing user information)
• Browser clients set basic authentication automatically, but it can also be set using HttpClient and HttpClientHandler

Forms Authentication
1) A request for an authorized resource comes in
2) If the user is not authenticated, the server returns HTTP 302 (Found) and redirects to the login page (while storing the original request)
3) The user enters credentials and submits the form
4) The server returns another HTTP 302 and redirects to the original URI
   • The response includes an authentication cookie

5) The client requests the resource again. The request includes the cookie, so access is granted

Forms Authentication (cont.)
• Similar to Basic Authentication except that the response includes a cookie which is evaluated for authentication and authorization
• Still does not encrypt user credentials, so is still prone to CSRF attacks
• More effective than Basic Authentication, but must use Secure Sockets Layer (SSL) for security (more later)

Passport Authentication
• Allows a single sign-in that uses information from a member site in order to log in

• Must register the site with the Passport service; requires minor additional modifications in code
• Leaves authentication to the Passport website
• Impractical for early stages of development (if we are storing information), but may be useful later when used in conjunction with other sites similar to this

Integrated Windows Authentication

1) The client sends credentials to the authentication service to check for authentication and is given a ticket in return
2) The client sends the ticket to the ticket-granting service and receives a service ticket in return
3) The user is now authenticated

Integrated Windows Authentication (cont.)
• Utilizes either Kerberos v5 or Windows NT LAN Manager (NTLM) authentication
• Effective in terms of security
• However, limited to Windows accounts and not supported by some browsers; therefore impractical

Custom Authentication
• We are allowed to create our own custom authentication modules within an ASP.NET project

• Remember back to the principal objects – with custom authentication, we must set two properties within the project
  • Thread.CurrentPrincipal must be set to the given IPrincipal object
  • HttpContext.Current.User should also be set to the IPrincipal object, given that HttpContext.Current exists (it does not exist in self-hosting)

• BUT… ASP.NET already provides us with everything that we need (and MUCH more)!
• Therefore, we do not have to worry about creating a custom authentication (but it is always nice to learn!)
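As an added example (not from the slides or from the Lifespan project), the Basic flow from the earlier slide and the two principal properties named above can be combined in one Web API message handler. The credential-check delegate, the realm string and the handler name are placeholders; the base64 decoding shows why the header is readable by anyone who can see the request.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Hypothetical handler: register with config.MessageHandlers.Add(new BasicAuthHandler(check)).
public class BasicAuthHandler : DelegatingHandler
{
    private readonly Func<string, string, bool> _validate; // placeholder credential check
    public BasicAuthHandler(Func<string, string, bool> validate) { _validate = validate; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Parameter != null
            && auth.Scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
        {
            // Base64 is an encoding, not encryption: "name:password" is recovered directly.
            string decoded;
            try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); }
            catch (FormatException) { decoded = null; }

            int colon = decoded == null ? -1 : decoded.IndexOf(':');
            if (colon > 0 && _validate(decoded.Substring(0, colon), decoded.Substring(colon + 1)))
            {
                string user = decoded.Substring(0, colon);
                IPrincipal principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
                // The two properties the slides require for custom authentication.
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null) HttpContext.Current.User = principal;
            }
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        // Step 1 of the Basic flow: a 401 carries the WWW-Authenticate challenge for the realm.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"example\""));
        return response;
    }
}
```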

Cross-Site Request Forgery Attacks
• As mentioned briefly, cross-site request forgery attacks are attacks in which an external party is able to send requests to an authorized site where a user is currently logged in
• Does this when the user (unknowingly) requests a URI similar to the authorized site and sends credentials along with the request
• The malicious site now has the user’s information and can see and access everything that the user can see and access!

Preventative Measures Against CSRF Attacks
• Use anti-forgery tokens (require that the server request verification tokens)
1) The client requests a page that requires authentication and contains a form
2) The server includes tokens in the response. One is a cookie and one is placed in a hidden form field. Both are randomly generated so third parties cannot guess the value
3) When the client submits the form, the client must send both tokens back. The form token in the form field is automatically sent with the cookie
4) If the request does not include both items, the server rejects the request


• Effective because malicious pages can only send requests but cannot see the user’s tokens due to same-origin policies
• This method should be used with any authorization protocol that silently sends credentials after the user logs in
• Should be used with requests that access non-safe methods (actions that change data) such as POST, PUT, and DELETE, and the coder should confirm that safe methods are indeed safe
• To include in the project, use the HtmlHelper.AntiForgeryToken helper method, or tokens can be randomly generated using AntiForgery.GetTokens if the request is not HTML form data (tokens must then be separately extracted and validated)
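The last bullet's non-form case, as an added example that is not part of the slides or the project: a Web API action filter that extracts the cookie token and the form token from a JSON/AJAX request and validates them together with AntiForgery.Validate. The header name X-XSRF-Token and the filter name are assumptions; the client is expected to copy the form token from AntiForgery.GetTokens into that header.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: apply as [ValidateAntiForgeryHeader] on non-safe actions (POST, PUT, DELETE).
public class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Safe methods carry no tokens; the slides note the coder must ensure they really are safe.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head
            || request.Method == HttpMethod.Options) return;

        // Token 1: the anti-forgery cookie ASP.NET issued (name from AntiForgeryConfig).
        string cookieToken = request.Headers.GetCookies()
            .SelectMany(header => header.Cookies)
            .Where(cookie => cookie.Name == AntiForgeryConfig.CookieName)
            .Select(cookie => cookie.Value)
            .FirstOrDefault();

        // Token 2: the "form" token, sent in a custom header because there is no HTML form.
        IEnumerable<string> headerValues;
        string formToken = request.Headers.TryGetValues("X-XSRF-Token", out headerValues)
            ? headerValues.FirstOrDefault() : null;

        // Step 4 of the flow above: reject when either token is missing.
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken))
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Missing anti-forgery tokens.");
            return;
        }

        try
        {
            // Confirms both tokens were generated together for the current user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException ex)
        {
            actionContext.Response = request.CreateErrorResponse(HttpStatusCode.Forbidden, ex.Message);
        }
    }
}
```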

Secure Sockets Layer (SSL)
• SSL can be implemented for the aforementioned security practices
1) Create or get a certificate for SSL in IIS
2) Add an HTTPS binding (the appended “S” stands for Secure)

• May allow some requests to be available as HTTP while others require SSL
• Use the action filter [RequireHttps] for those particular requests that require additional security

• SSL provides authentication by Public Key Infrastructure (PKI) certificates
• More secure than user/password and provides a complete, secure channel with authentication, message integrity and message encryption
• However, must obtain and manage a PKI certificate, and the client must support SSL client certificates
• Must configure IIS to accept client certificates

• Obtain the client certificate using GetClientCertificate, which returns an X509Certificate2 object that can then be used for authentication and authorization

Summary of Authentication
• Authentication is a means of determining whether the user exists on the server, via credentials provided by the user
• ASP.NET supports several forms of authentication, including built-in authentication (Basic, Forms, and Passport), Integrated Windows Authentication, and Custom (Coder-Defined) Authentication
• A common attack on servers is the cross-site request forgery attack. These can be prevented by using anti-forgery tokens and Secure Sockets Layer

What is it and why do we need it?
• Decides whether a user is permitted to perform a particular action, such as changing a password or editing personal account information
• Happens later in the process pipeline, closer to the controller, as opposed to authentication
• Is a user “authorized” to perform this action (does the user have the appropriate credentials)?

• Authorization filters run before a controller action
• If a request is not authorized, the filter returns an error response and the action is not invoked

• Within a controller action, the authorization information of the user/principal can be accessed through the ApiController.User property
• ASP.NET uses a built-in authorization filter, AuthorizeAttribute, that is applied as [Authorize] (this should look familiar)

[Authorize] and [AllowAnonymous] filters
• When the filter is evaluated against credentials, it returns HTTP status code 401 (Unauthorized; this should again seem familiar) when the credentials do not satisfy it, and does not invoke the action
• Located in System.Web.Http for Web API and in System.Web.Mvc for MVC controllers
• This filter can be applied at the global level (applies to the Web API and thus every controller class), at the controller level (applies to every action defined within that controller), or at the action level (applies to everything within that particular action)
• An [AllowAnonymous] filter can also be applied if the server wishes to allow public access. If this filter is found inside of an [Authorize] filter, public access has precedence
• Filters can also be applied to specific users or roles by defining these variables within the filter declaration
  • [Authorize(Users = “praymond,jcary”)] would allow users praymond and jcary to access this info
  • [Authorize(Roles = “Administrator,Technician”)] would allow users with the roles Administrator or Technician to access this info

Custom Authorization Filters
• Custom authorization filters can be defined instead and are derived from one of the following types:
  • AuthorizeAttribute – performs authorization logic based on user and role
  • AuthorizationFilterAttribute – performs synchronous authorization logic that is not necessarily based on user or role
  • IAuthorizationFilter – performs asynchronous authorization logic

Role-Based Authorization
• Allows authorization based on role or user (as shown previously in the filter arguments)
• Roles are not predefined in the program, so they must be added to the database
• Available role checks:
  • Manual Role Check – utilizes the IPrincipal.IsInRole method to check the role
  • Declarative Role Check – utilizes the PrincipalPermissionAttribute class to demand role membership (only supports logical OR, not logical AND)
  • Imperative Role Check – utilizes PrincipalPermission.Demand within methods to perform the authorization check

• Match the data against the current Web requestor (HttpContext.User)
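Added example (not from the slides or the project) tying the custom-filter slide to the role checks above: a filter derived from AuthorizationFilterAttribute that uses the manual IPrincipal.IsInRole check to require ALL listed roles, which the declarative check cannot express. The filter name, the controller and the 403-versus-401 split are my choices; the role names come from the earlier slide.

```csharp
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter: every role listed must be held, unlike [Authorize(Roles = "A,B")] which is OR.
public class RequireAllRolesAttribute : AuthorizationFilterAttribute
{
    private readonly string[] _roles;
    public RequireAllRolesAttribute(params string[] roles) { _roles = roles; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // The principal the host attached to the request (falls back to the current thread).
        IPrincipal principal = actionContext.RequestContext.Principal ?? Thread.CurrentPrincipal;

        // Not authenticated: 401, matching the built-in [Authorize] behaviour on the slides.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated but missing a role: 403, so clients do not re-prompt for credentials.
        foreach (string role in _roles)
        {
            if (!principal.IsInRole(role)) // manual role check
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
                return;
            }
        }
        // No response set: the action is invoked.
    }
}

// Usage on a placeholder controller: only a caller who is both Administrator and Technician may delete.
public class PatientRecordsController : ApiController
{
    [RequireAllRoles("Administrator", "Technician")]
    public IHttpActionResult Delete(int id)
    {
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```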

Summary of Authorization
• Determines if a user is permitted to perform a particular action and is checked closer to the controller action
• Utilizes the [Authorize] and [AllowAnonymous] filters applied at the global, controller, and/or action level
• Filters are defined by ASP.NET, or can be custom-defined using AuthorizeAttribute, AuthorizationFilterAttribute, and IAuthorizationFilter
• The most practical form of authorization for this project, which allows users to define roles at registration, will be role-based authorization

Additional Comments
• Security will be particularly important and should be as strong as possible if we store sensitive information such as personal patient information, customer credit card information, etc.
• Mashups – a webpage or web application that uses and combines data, presentation, or functionality from two or more sources to create new services. Main characteristics are combination, visualization and aggregation.
  • Useful if we wish to combine a large amount of information from various sources
  • Allows us to reuse existing data, rather than rewriting from scratch
  • i.e. integrating Google Maps to find help clinics local to a particular address

• OAuth 2.0, another authorization/authentication method that utilizes accounts from other servers but limits resources, was omitted due to the current scale of the project but can be considered for later versions

