L23 - 6. Forms Security(3)-2 - Chapter 6 Security and Reliability of Distributed Software and Systems Lecture 23 Forms-Based Security Text Chapter 6.2


Chapter 6 Security and Reliability of Distributed Software and Systems
Lecture 23 Forms-Based Security
Text Chapter 6.2
Yinong Chen

Roadmap of Chapter 6
• General Security & Reliability Concepts (Text Section 6.1)
• IIS Roles and Windows-Based Security Mechanism
• Forms-Based Security: Creating an independent security system for Web access control and resource authorization (Text Section 6.2)
• Data Encryption and Decryption
• Reliability and Security in Windows Communication Foundation
• Error Control and Secure Socket Layer for Secure HTTP Connection

Security Check Overview
[Flowchart. Components: Client Browser, Windows Server, IIS, ASP.NET. Node labels: IP address and domain permitted?; Check Web.config authentication attribute ("Windows", "Forms", "None"); Windows authentication successful?; Forms authentication successful?; Impersonation enabled? (True/False); Use impersonated account; Use configuration account; Other resource allowed?; Access Allowed; Access Denied.]

Entry Point Control in Web.config File

    <configuration>
      <system.web>
        <authentication mode="Forms" />
        <identity impersonate="false"/>
      </system.web>
    </configuration>

• The authentication mode can be Forms, Windows, or None.
• Make sure that the same credential coming from the IIS is applied.
• The identity element's impersonate attribute is used to control access to the resources (files) on the server's hard drive.

Impersonation enabled with true or false value

    <identity impersonate="true" userName="domain\user" password="password" />

ASP.NET impersonates the token generated from the identity specified in the identity element of the Web.config file. This feature is useful for developers who want to test the program using a different account.

    <identity impersonate="false" />

ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account. This is the common use.

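An added example, not part of the lecture: a small Python audit of the two Web.config elements covered above, reporting the authentication mode and the impersonation setting. The sample configurations are constructed, the name audit_web_config is hypothetical, and the clear-text password finding is this example's own check rather than a point made on the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config files (not from the lecture).
SAMPLE_FORMS = """<configuration><system.web>
  <authentication mode="Forms" />
  <identity impersonate="false" />
</system.web></configuration>"""

SAMPLE_FIXED_ACCOUNT = """<configuration><system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" userName="domain\\user" password="password" />
</system.web></configuration>"""

VALID_MODES = {"Forms", "Windows", "None"}  # the three values named on the slide


def audit_web_config(xml_text):
    """Return (mode, impersonate, findings) for one Web.config document."""
    web = ET.fromstring(xml_text).find("system.web")
    auth = web.find("authentication") if web is not None else None
    ident = web.find("identity") if web is not None else None
    findings = []

    mode = auth.get("mode") if auth is not None else None
    if mode is None:
        findings.append("no authentication mode set; the inherited default applies")
    elif mode not in VALID_MODES:
        findings.append(f"mode {mode} is not one of Forms, Windows, None")
    elif mode == "None":
        findings.append("mode is None: ASP.NET performs no authentication")

    # impersonate is false unless the attribute explicitly says true
    impersonate = (ident is not None
                   and ident.get("impersonate", "false").strip().lower() == "true")
    if impersonate and ident.get("userName"):
        findings.append(f"requests run as fixed account {ident.get('userName')}")
        if ident.get("password") is not None:
            findings.append("identity password is stored in clear text in Web.config")
    return mode, impersonate, findings


if __name__ == "__main__":
    for name, text in [("forms", SAMPLE_FORMS), ("fixed", SAMPLE_FIXED_ACCOUNT)]:
        print(name, audit_web_config(text))
```
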
Forms Security
• Forms security is a common way of implementing access control in Web applications.
• Simply ask a user to type credentials (typically a user name and a password) into a Web form.
• The credentials can be issued by the administrator, e.g., using a password generator, or through self-registration.
• The credentials can be saved in different places and in different
