
ASP.NET Authentication, Authorization, and Security

Lifespan Biotechnologies

Overview

Figure: the Web API authentication and authorization pipeline (http://i2.asp.net/media/3994461/webapi_auth01.png?cdn_id=2013-05-10-001)

General process of authentication and authorization for any user who wishes to access secured information. Internet Information Services (IIS) is the Microsoft web server for Windows; it hosts the ASP.NET application and processes the browser's requests. ASP.NET Web API is the framework whose classes and filters (described below) are used to authenticate and authorize users.

Authentication
What is it and why do we need it?
- Knowing the identity of the user
- Used to keep private information private (as opposed to public viewing)
- To authenticate is to check the credentials presented by a user against the credentials the server already holds for that identity

Authentication
General Overview
Web API assumes that authentication happens in the host; under IIS this is done by HTTP modules. ASP.NET ships several built-in authentication modules and also allows custom authentication modules (more on these later).

When the host authenticates a user, it creates a principal (an IPrincipal object):

- The principal carries the security context under which the request's code runs
- The host attaches it to the current thread by setting Thread.CurrentPrincipal
- The principal contains an Identity object with information about the user
- Whether the user was authenticated can be read from Identity.IsAuthenticated

Self-hosting (running Web API outside IIS) is available as well, but it lacks the IIS facilities used here (HTTP modules, HttpContext.Current) and is impractical for this project

Authentication
Type of Authentication
- Basic Authentication
- Forms Authentication
- Passport Authentication
- Integrated Windows Authentication
- Custom Authentication

Authentication
Basic Authentication
1) If a request requires authentication, the server returns 401 (Unauthorized) and indicates that it supports basic authentication with a WWW-Authenticate header
2) The client sends another request with the credentials in the Authorization header, formatted as name:password and base64-encoded
  a. The credentials are not encrypted
  b. Base64 is an encoding and NOT an encryption, so the password is trivially recovered by anyone who sees the request

Authentication
Basic Authentication (cont.)
- Credentials are valid only within the realm named by the server
- Vulnerable to CSRF attacks: once the browser holds Basic credentials for a site, it attaches them to every request to that site, including requests triggered by a page on an attacker's site (a hidden form or image pointing at the real site's URI), so the attacker can make the server perform actions with the user's authority
- Because the password crosses the wire on every request, Basic authentication must only be used over HTTPS

- Add [Authorize] to any controller/action that needs authentication (e.g. changing user information)
- Browsers prompt for credentials on the 401 and then set the Authorization header automatically; in code, clients set it using HttpClient and HttpClientHandler (e.g. HttpClientHandler.Credentials)

Authentication
Forms Authentication
1) A request for an authorized resource comes in
2) If the user is not authenticated, the server returns HTTP 302 (Found) and redirects to the login page (while storing the original request URI)
3) The user enters credentials and submits the form
4) The server returns another HTTP 302 and redirects to the original URI; the response includes an authentication cookie
5) The client requests the resource again; the request includes the cookie, so access is granted

Authentication
Forms Authentication (Cont.)
- Similar to Basic Authentication except that after login the client presents a cookie, which is evaluated for authentication and authorization, instead of resending the password
- The credentials in the login form are still sent in clear text unless the connection uses SSL, and because the browser sends the cookie automatically the site remains prone to CSRF attacks
- More effective than Basic Authentication, but must use Secure Sockets Layer (SSL) for security (more later), and the cookie should be marked Secure and HttpOnly
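The login step of the flow above (steps 2 to 4), written as an added example for this deck rather than code from the project; it uses an ASP.NET MVC controller because Forms Authentication is performed by the host, not by Web API. The controller and action names, the LoginModel type and the use of the configured Membership provider for the credential check are assumptions. The [ValidateAntiForgeryToken] attribute is the anti-forgery check described on the CSRF slides later in the deck.

```csharp
using System.Web.Mvc;
using System.Web.Security;

namespace Lifespan.Controllers
{
    // Fields posted by the login form (assumed model for this example).
    public class LoginModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
    }

    public class AccountController : Controller
    {
        // Step 2: the Forms module redirects unauthenticated requests here with a 302 and
        // keeps the original URI in the ReturnUrl query parameter.
        [HttpGet, AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // Steps 3 and 4: check the submitted credentials, issue the authentication cookie,
        // then send the browser back to the original URI with a second 302.
        [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            // Membership.ValidateUser checks against the membership provider configured in Web.config;
            // one generic error message avoids revealing whether the user name exists.
            if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
            {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View(model);
            }

            // Sets the forms-authentication cookie; false = session cookie, not persistent.
            FormsAuthentication.SetAuthCookie(model.UserName, false);

            // Only follow the stored URI if it is local to this site; blindly redirecting to
            // an attacker-supplied ReturnUrl would turn the login page into an open redirect.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        // Logout is state-changing, so it is POST-only and anti-forgery protected as well.
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Logout()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Login");
        }
    }
}
```

The matching Web.config entry (also an assumption for this example) is `<authentication mode="Forms"><forms loginUrl="~/Account/Login" requireSSL="true" cookieless="UseCookies" /></authentication>`; requireSSL makes the cookie Secure, and forms-authentication cookies are HttpOnly by default.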

Authentication
Passport Authentication
- Allows a single sign-in that uses the user's account at the Passport service to log in to a member site
- The site must be registered with the Passport service, and minor additional modifications in code are required
- Authentication itself is left to the Passport service
- Impractical for the early stages of development (if we are storing the information ourselves), but may be useful later when used in conjunction with other sites similar to this one

Authentication
Integrated Windows Authentication

1) The client sends its credentials to the authentication service, which checks them and returns a ticket-granting ticket
2) The client presents that ticket to the ticket-granting service and receives a service ticket for the web server
3) The client presents the service ticket to the server; the user is now authenticated

Figure: Kerberos ticket exchange (http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication/21.jpg)

Authentication
Integrated Windows Authentication (Cont.)
- Uses either Kerberos v5 or Windows NT LAN Manager (NTLM) authentication
- Effective in terms of security: the password itself never crosses the wire
- However, it is limited to Windows domain accounts and is not supported by all browsers or non-Windows clients; therefore impractical for this project

Authentication
Custom Authentication
We are allowed to create our own custom authentication modules within an ASP.NET project

Remember the principal objects: with custom authentication, we must set two properties ourselves once the user is authenticated
- Thread.CurrentPrincipal must be set to the IPrincipal object
- HttpContext.Current.User should also be set to the same IPrincipal object, provided HttpContext.Current exists (it does not exist in self-hosting)

BUT ASP.NET already provides us with everything that we need (and MUCH more)! Therefore, we do not have to worry about creating a custom authentication (but it is always nice to learn!)
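The Basic Authentication flow and the two-way principal wiring described on the Custom Authentication slide, combined in one added example (not code from the deck or the project). It is an IIS HTTP module, which is where the deck says host authentication happens. The namespace, the realm name, the in-memory credential store and its two sample accounts (user names taken from the [Authorize] slide, passwords constructed) are assumptions; a real deployment reads the salted password hashes and roles from the database.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;

namespace Lifespan.Security
{
    // IIS-hosted HTTP module: authenticates Basic credentials and publishes the resulting
    // principal both ways (Thread.CurrentPrincipal and HttpContext.Current.User).
    public class BasicAuthHttpModule : IHttpModule
    {
        private const string Realm = "Lifespan"; // assumption: realm name shown to clients

        public void Init(HttpApplication context)
        {
            context.AuthenticateRequest += OnAuthenticateRequest;
            context.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        private static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpRequest request = HttpContext.Current.Request;

            // Basic credentials cross the wire in clear text: ignore them unless TLS is in use,
            // so a downgraded connection can never produce an authenticated request.
            if (!request.IsSecureConnection)
                return;

            AuthenticationHeaderValue auth;
            string header = request.Headers["Authorization"];
            if (string.IsNullOrEmpty(header) || !AuthenticationHeaderValue.TryParse(header, out auth))
                return;
            if (!"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase) || auth.Parameter == null)
                return;

            string[] roles;
            string user = CredentialStore.Verify(auth.Parameter, out roles);
            if (user == null)
                return; // request stays anonymous; [Authorize] turns that into a 401

            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), roles);
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
                HttpContext.Current.User = principal;
        }

        // Step 1 of the Basic flow: every 401 carries the WWW-Authenticate challenge.
        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpResponse response = HttpContext.Current.Response;
            if (response.StatusCode == 401)
                response.Headers.Add("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        }
    }

    // Constructed in-memory credential store for the example. Passwords are kept only as
    // salted PBKDF2 hashes, never in clear text.
    public static class CredentialStore
    {
        private const int Iterations = 100000;
        private sealed class Record { public byte[] Salt; public byte[] Hash; public string[] Roles; }
        private static readonly Dictionary<string, Record> Users = new Dictionary<string, Record>();
        private static readonly Record Dummy = Create("not-a-real-password", new string[0]);

        static CredentialStore()
        {
            Users["praymond"] = Create("correct horse battery staple", new[] { "Administrator" });
            Users["jcary"] = Create("another long passphrase", new[] { "Technician" });
        }

        private static Record Create(string password, string[] roles)
        {
            var salt = new byte[16];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
            return new Record { Salt = salt, Hash = Derive(password, salt), Roles = roles };
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return kdf.GetBytes(32);
        }

        // Decodes "name:password" from the Authorization parameter; returns the user name on success.
        public static string Verify(string base64Parameter, out string[] roles)
        {
            roles = null;
            string decoded;
            try { decoded = Encoding.GetEncoding("iso-8859-1").GetString(Convert.FromBase64String(base64Parameter)); }
            catch (FormatException) { return null; }

            int colon = decoded.IndexOf(':'); // split at the FIRST colon: passwords may contain colons
            if (colon < 1) return null;
            string name = decoded.Substring(0, colon);
            string password = decoded.Substring(colon + 1);

            Record record;
            bool known = Users.TryGetValue(name, out record);
            if (!known) record = Dummy; // still run the KDF so unknown names take as long as bad passwords

            if (!FixedTimeEquals(Derive(password, record.Salt), record.Hash) || !known) return null;
            roles = record.Roles;
            return name;
        }

        // Constant-time comparison: no early exit that would leak how many bytes matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Register the module in Web.config under `<system.webServer><modules>` with an `<add name="BasicAuthHttpModule" type="Lifespan.Security.BasicAuthHttpModule, YourAssembly" />` entry (assembly name assumed). Because the module only sets a principal and never rejects on its own, a wrong password simply leaves the request anonymous and the [Authorize] filter produces the 401 that triggers the challenge.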

Authentication
Cross-Site Request Forgery Attacks
As mentioned briefly, cross-site request forgery attacks are attacks in which an external site causes a user's browser to send requests to a site where the user is currently logged in. The attacker's page (or a link the user is tricked into following) targets the real site's URI, and the browser attaches the stored credentials (Basic credentials or the authentication cookie) to that request without the user knowing. The server cannot distinguish the forged request from a genuine one, so the attacker can make it perform any action the user is permitted to perform (the attacker generally cannot read the responses, but can change data).

Authentication
Preventative Measures Against CSRF Attacks
Use anti-forgery tokens (require that the server verify request tokens)
1) The client requests a page that requires authentication and contains a form
2) The server includes two tokens in the response: one in a cookie and one in a hidden form field. Both are randomly generated so a third party cannot guess their values
3) When the client submits the form, it must send both tokens back. The form token travels in the form field; the cookie token is sent automatically with the cookie
4) If the request does not include both tokens, or they do not match, the server rejects the request

- Effective because a malicious page can send requests but cannot read the user's tokens, due to the same-origin policy
- Should be used with any authentication scheme in which the browser silently attaches credentials after the user logs in (cookies, Basic credentials)
- Should be applied to requests that use non-safe methods (actions that change data) such as POST, PUT, and DELETE, and the coder should confirm that safe methods (GET) really are safe, i.e. change nothing
- To include in the project, use the HtmlHelper.AntiForgeryToken helper method in Razor forms, or generate the tokens with AntiForgery.GetTokens when the request is not HTML form data (the tokens must then be sent and validated separately, e.g. in a request header)
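The AntiForgery.GetTokens route for non-form requests, as an added example (not code from the deck or the project): one action hands out a token pair to the page's script, and one Web API authorization filter performs the double-submit check on state-changing methods. The namespace, the controller name and the X-RequestVerificationToken header name are assumptions; AntiForgery, AntiForgeryConfig and HttpAntiForgeryException are the real types from System.Web.WebPages.dll.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Mvc; // HttpAntiForgeryException is declared in this namespace (System.Web.WebPages.dll)

namespace Lifespan.Security
{
    // Double-submit check for Web API: the cookie token arrives automatically with the request,
    // the form token must be placed by the page's script in the X-RequestVerificationToken header
    // (header name is an assumption for this example).
    public class ValidateAntiForgeryTokenAttribute : AuthorizationFilterAttribute
    {
        public const string HeaderName = "X-RequestVerificationToken";

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            HttpRequestMessage request = actionContext.Request;

            // Safe methods must not change state, so only the non-safe ones are checked.
            if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head || request.Method == HttpMethod.Options)
                return;

            string cookieToken = null;
            CookieHeaderValue cookie = request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
            if (cookie != null)
                cookieToken = cookie[AntiForgeryConfig.CookieName].Value;

            string formToken = null;
            IEnumerable<string> values;
            if (request.Headers.TryGetValues(HeaderName, out values))
                formToken = values.FirstOrDefault();

            try
            {
                // Throws if either token is missing, is not one the server issued, or the pair does not match.
                AntiForgery.Validate(cookieToken, formToken);
            }
            catch (HttpAntiForgeryException)
            {
                actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid.");
            }
        }
    }

    // Issues the token pair: the cookie half goes back as a Secure, HttpOnly cookie the script
    // cannot read; the form half is returned in the body for the script to hold and resend.
    public class AntiForgeryController : ApiController
    {
        [HttpGet]
        public HttpResponseMessage Get()
        {
            string oldCookieToken = null;
            CookieHeaderValue existing = Request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
            if (existing != null)
                oldCookieToken = existing[AntiForgeryConfig.CookieName].Value;

            // If the existing cookie token is still valid, newCookieToken comes back null and the
            // cookie is left alone; only the form token is regenerated.
            string newCookieToken, formToken;
            AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

            HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.OK, new { formToken });
            if (newCookieToken != null)
            {
                var cookie = new CookieHeaderValue(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true, // the page script never needs the cookie half
                    Secure = true,   // never sent over plain HTTP
                    Path = "/"
                };
                response.Headers.AddCookies(new[] { cookie });
            }
            return response;
        }
    }
}
```

Apply the filter with `[ValidateAntiForgeryToken]` on the Web API controllers that change data, or add it to `config.Filters` for the whole API; the page script fetches the form token once and sends it in the header on every POST, PUT and DELETE.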

Authentication
Secure Sockets Layer (SSL)
SSL can be added to any of the aforementioned practices:
1) Create or obtain a certificate for SSL in IIS
2) Add an HTTPS binding (the appended S stands for Secure)

- Some requests may be served over HTTP while others require SSL
- Web API does not ship a [RequireHttps] filter (MVC's RequireHttpsAttribute in System.Web.Mvc applies only to MVC controllers); write a small authorization filter that rejects non-HTTPS requests and apply it to the particular requests that need the additional security

SSL can also authenticate the client by Public Key Infrastructure (PKI) certificates

- More secure than user/password and provides a complete secure channel with authentication, message integrity and message encryption
- However, a client certificate must be obtained and managed for every client, and the client must support SSL client certificates
- IIS must be configured to accept client certificates

In Web API, obtain the client certificate with Request.GetClientCertificate(), which returns an X509Certificate2 object (null if none was presented); validate its chain and map it to a known user before using it for authentication and authorization
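Both points above as one added example (not code from the deck or the project): a Web API authorization filter that refuses plain-HTTP requests, and a second filter that authenticates a client certificate obtained through GetClientCertificate() and publishes the principal. The namespace, the filter names, the thumbprint in the allow list and the account it maps to are constructed assumptions; a real deployment keeps that mapping in the user database.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace Lifespan.Security
{
    // Web API ships no [RequireHttps]; this filter refuses any request that did not arrive over TLS.
    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                // 403 rather than a redirect: a redirected POST would already have leaked its body over HTTP.
                actionContext.Response = actionContext.Request.CreateResponse(
                    HttpStatusCode.Forbidden, "HTTPS is required for this resource.");
            }
        }
    }

    // Client-certificate authentication. IIS must be configured to accept (or require) client
    // certificates; otherwise GetClientCertificate() is always null.
    public class RequireClientCertificateAttribute : AuthorizationFilterAttribute
    {
        // Constructed allow list: SHA-1 thumbprint of each enrolled client certificate -> (account, roles).
        private static readonly Dictionary<string, KeyValuePair<string, string[]>> Enrolled =
            new Dictionary<string, KeyValuePair<string, string[]>>(StringComparer.OrdinalIgnoreCase)
            {
                // assumption: placeholder thumbprint for a clinic kiosk certificate
                { "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
                  new KeyValuePair<string, string[]>("kiosk-01", new[] { "Technician" }) }
            };

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            HttpRequestMessage request = actionContext.Request;
            X509Certificate2 cert = request.GetClientCertificate();

            KeyValuePair<string, string[]> account;
            if (cert == null || !IsValid(cert) || !Enrolled.TryGetValue(cert.Thumbprint, out account))
            {
                actionContext.Response = request.CreateResponse(
                    HttpStatusCode.Forbidden, "A valid client certificate is required.");
                return;
            }

            // Same two-way publication of the principal as for any custom authentication.
            var principal = new GenericPrincipal(new GenericIdentity(account.Key, "ClientCertificate"), account.Value);
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
                HttpContext.Current.User = principal;
        }

        // Checks validity period, chain to a trusted root and revocation; a thumbprint match
        // alone would still accept an expired or revoked certificate.
        private static bool IsValid(X509Certificate2 cert)
        {
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            return chain.Build(cert);
        }
    }
}
```

Apply `[RequireHttps]` to the actions that must not be reachable over HTTP and `[RequireClientCertificate]` to those reserved for enrolled devices; IIS itself must have the HTTPS binding and the "Accept" or "Require" client certificate setting enabled for GetClientCertificate() to return anything.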

Summary of Authentication
- Authentication is the means of verifying that a user is who they claim to be, using credentials provided by the user and checked against those the server holds
- ASP.NET supports several forms of authentication, including built-in authentication (Basic, Forms, and Passport), Integrated Windows Authentication, and Custom (coder-defined) Authentication
- A common attack on web applications is the cross-site request forgery attack; it is prevented with anti-forgery tokens. Secure Sockets Layer does not stop CSRF but protects the credentials and cookies in transit

Authorization
What is it and why do we need it?
- Decides whether a user is permitted to perform a particular action, such as changing a password or editing personal account information
- Happens later in the processing pipeline, closer to the controller, than authentication
- The question is: is this (already authenticated) user allowed to perform this action?

Authorization
- Authorization filters run before a controller action
- If a request is not authorized, the filter returns an error response and the action is not invoked

- Within a controller action, the current user/principal is available through the ApiController.User property
- ASP.NET provides a built-in authorization filter, AuthorizeAttribute, applied as [Authorize] (this should look familiar)

Authorization
[Authorize] and [AllowAnonymous] filter
- When the filter is evaluated against the current principal and the requirements are not met, it returns HTTP status code 401 (Unauthorized; this should again seem familiar) and does not invoke the action
- Located in System.Web.Http for Web API and in System.Web.Mvc for MVC controllers; the two attributes are not interchangeable, so use the one matching the controller type
- This filter can be applied at the global level (applies to every controller in the Web API), at the controller level (applies to every action defined in that controller), or at the action level (applies only to that action)
- An [AllowAnonymous] filter can be applied where the server wishes to allow public access. If it is found on an action inside an [Authorize] controller, public access takes precedence
- Filters can also be restricted to specific users or roles by setting these properties in the filter declaration:
[Authorize(Users = "praymond,jcary")] would allow only the users praymond and jcary to access this information
[Authorize(Roles = "Administrator,Technician")] would allow users with the role Administrator or Technician to access this information

Authorization
Custom Authorization Filters
Custom authorization filters can be defined instead and are derived from one of the following types:
- AuthorizeAttribute: performs authorization logic based on user and role
- AuthorizationFilterAttribute: performs synchronous authorization logic that is not necessarily based on user or role
- IAuthorizationFilter: performs asynchronous authorization logic

Authorization
Role-Based Authorization
- Allows authorization based on role or user (as shown previously in the filter arguments)
- Roles are not predefined by the framework; they must be stored with the user records in the database and loaded into the principal when the user is authenticated
- Available role checks:
  - Manual role check: call IPrincipal.IsInRole on the current principal
  - Declarative role check: the PrincipalPermissionAttribute class demands role membership on a method (multiple attributes are combined with logical OR; logical AND is not supported)
  - Imperative role check: call PrincipalPermission.Demand within the method to perform the authorization check

All three match the role data against the current web requestor (HttpContext.User / Thread.CurrentPrincipal)
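The [Authorize] / [AllowAnonymous] slide and the three role checks above in one added example (not code from the deck or the project). The controller, action names and the rule about record 0 are constructed; the user names and role names are the ones used on the slides. The declarative and imperative checks read Thread.CurrentPrincipal, which is why the authentication step must set that property.

```csharp
using System.Net;
using System.Net.Http;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.Http;

namespace Lifespan.Controllers
{
    // Controller-level [Authorize]: every action needs an authenticated principal
    // unless the action opts out with [AllowAnonymous].
    [Authorize]
    public class PatientRecordsController : ApiController
    {
        // Public: [AllowAnonymous] on the action takes precedence over the class-level filter.
        [AllowAnonymous]
        [HttpGet]
        public HttpResponseMessage Status()
        {
            return Request.CreateResponse(HttpStatusCode.OK, "up");
        }

        // Any authenticated user (filter inherited from the class); User is ApiController.User.
        [HttpGet]
        public HttpResponseMessage GetMine()
        {
            return Request.CreateResponse(HttpStatusCode.OK, "records for " + User.Identity.Name);
        }

        // Role list is ORed: Administrator OR Technician. AuthorizeAttribute answers a failed
        // role check with 401, the same status it uses for an unauthenticated request.
        [Authorize(Roles = "Administrator,Technician")]
        [HttpPut]
        public HttpResponseMessage UpdateRecord(int id)
        {
            // Manual role check (IPrincipal.IsInRole) for a rule the attribute cannot express:
            // constructed rule that only administrators may edit record 0.
            if (id == 0 && !User.IsInRole("Administrator"))
                return Request.CreateResponse(HttpStatusCode.Forbidden, "administrator role required");
            return Request.CreateResponse(HttpStatusCode.OK);
        }

        // Restricted to named users, exactly as on the [Authorize] slide.
        [Authorize(Users = "praymond,jcary")]
        [HttpDelete]
        public HttpResponseMessage DeleteRecord(int id)
        {
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }

        // Declarative role check: the runtime throws SecurityException before the body runs
        // if Thread.CurrentPrincipal is not in the role. Unhandled, that surfaces as a 500
        // rather than a 401/403, so in Web API the filter forms above are usually preferable.
        [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
        [HttpPost]
        public HttpResponseMessage PurgeAuditLog()
        {
            return Request.CreateResponse(HttpStatusCode.OK);
        }

        // Imperative role check in the method body: same semantics as the attribute, but two
        // consecutive demands give the logical AND that the declarative form cannot express.
        [HttpPost]
        public HttpResponseMessage ExportRecords()
        {
            try
            {
                new PrincipalPermission(null, "Administrator").Demand();
                new PrincipalPermission(null, "Technician").Demand();
            }
            catch (SecurityException)
            {
                return Request.CreateResponse(HttpStatusCode.Forbidden, "Administrator and Technician roles required");
            }
            return Request.CreateResponse(HttpStatusCode.OK);
        }
    }
}
```

The roles these checks consult are whatever the authentication step placed in the principal (for example the string array passed to GenericPrincipal), which is the database-backed role list the slide refers to.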

Summary of Authorization
- Determines whether a user is permitted to perform a particular action and is checked close to the controller action
- Uses the [Authorize] and [AllowAnonymous] filters applied at the global, controller, and/or action level
- Filters are provided by ASP.NET, or can be custom-defined by deriving from AuthorizeAttribute, AuthorizationFilterAttribute, or IAuthorizationFilter
- The most practical form of authorization for this project, which allows users to be given roles at registration, will be role-based authorization

Additional Comments
Security will be particularly important, and should be as strong as possible, if we store sensitive information such as personal patient information, customer credit card information, etc.

Mashups: a web page or web application that uses and combines data, presentation, or functionality from two or more sources to create a new service. The main characteristics are combination, visualization and aggregation.
- Useful if we wish to combine a large amount of information from various sources
- Allows us to reuse existing data rather than building from scratch, e.g. integrating Google Maps to find help clinics near a particular address

OAuth 2.0, an authorization framework that lets a user grant our application limited access to resources held at another service (and that is commonly built upon for login with accounts from other sites), was omitted due to the current scale of the project but can be considered for later versions

Questions?