PDN-C10-PPT - Chapter 10 ASP.NET Security Yingcai Xiao...
Chapter 10 ASP.NET Security Yingcai Xiao
Introduction to Web Security
- Categories
- Issues
- Components
Building a Secure Web Site
Three Categories of Web Security:
- Content freely available to everyone (public).
- Sites that serve the general population but require a login (application-level security, protected).
- Intranet sites for a controlled population of users, such as a company's employees (private).
Security Issues:
- Application-level security (users).
- Deployment security (programmers).
Web Security Components:
- Authentication identifies the originator of requests (who).
- Authorization defines who can access which pages (what).
Authentication
ASP.NET supports three types of authentication:
- Forms (Page-wide)
- Windows (Machine-wide)
- Passport (Internet-wide)
- None

Web.config:

    <configuration>
      <system.web>
        <authentication mode="Forms"/>
      </system.web>
    </configuration>

Note: The authentication mode is an application-wide setting that can be set only in the application root and can't be overridden in subordinate Web.config files. You can't use Windows authentication in one part of an application and forms authentication in another.
Setting authentication mode in the root Web.config
Authorization
ASP.NET supports two forms of authorization:
- ACL (access control list) authorization, also known as file authorization, is based on file system permissions and is typically used with Windows authentication.
- URL authorization relies on configuration directives in Web.config files and is most often used with forms authentication.
Three Typical Security Scenarios for Web Applications
- Pages can be freely browsed by anyone: no application-level security.
- Intranet application: use Windows authentication and ACL authorization.
- Internet application with secure page access: use forms authentication and URL authorization.
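The third scenario, written out as an added example root Web.config (this is not from the slides): forms authentication is switched on for the whole application, the public pages stay open to everyone, and a subordinate folder is protected with URL authorization. The folder name Secure, the login page Login.aspx, the cookie name and the role name Members are assumptions chosen for the example.

```xml
<?xml version="1.0"?>
<!-- Added example root Web.config (not the slides' own configuration):
     Internet application using forms authentication and URL authorization.
     Folder, page, cookie and role names below are assumptions. -->
<configuration>
  <system.web>
    <!-- The mode is application-wide and must be set here, in the root Web.config. -->
    <authentication mode="Forms">
      <!-- Unauthenticated requests for a protected page are redirected to loginUrl.
           protection="All" encrypts and signs the ticket, requireSSL keeps the
           ticket cookie off plain HTTP, timeout is in minutes. -->
      <forms loginUrl="Login.aspx"
             name=".EXAMPLEAUTH"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20" />
    </authentication>

    <!-- Public part of the site: anonymous users may browse freely. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- URL authorization for one folder. Rules are evaluated top to bottom and the
       first matching rule wins, so the deny rules must precede the general allow. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />          <!-- "?" = anonymous users: they must log in first -->
        <allow roles="Members" />   <!-- authenticated users in the Members role get through -->
        <deny users="*" />          <!-- everyone else, even if logged in, is refused -->
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth doing against such a file: confirm that no subordinate Web.config tries to change the authentication mode (ASP.NET rejects that with a configuration error, as the note above says), and remember that in the IIS versions these slides describe, URL authorization is applied only to requests that IIS hands to ASP.NET, such as .aspx pages; a static file placed in the Secure folder is served by IIS itself and needs ACL or IIS-level protection as well.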
The Internal Working of IIS and ASP.NET Security
IIS Security
IIS (Internet Information Services) Server:
- a Web server
- runs in the process Inetinfo.exe as SYSTEM
- accepts connections
- responds to HTTP requests
Web applications are deployed in application directories. Remote clients can't arbitrarily grab files outside virtual directories.
IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
IIS supports IP address and domain name restrictions.
IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols.
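The access token IIS attaches to a request is only used for ACL checks if the ASP.NET worker thread actually runs under it. As an added example (not from the slides), this root Web.config wires up the intranet scenario from the scenarios slide: Windows authentication, impersonation of the caller so that file ACL checks are made against the user's token rather than the worker process account, and a deny rule that turns anonymous requests away.

```xml
<?xml version="1.0"?>
<!-- Added example root Web.config (not the slides' own configuration):
     intranet application using Windows authentication and ACL authorization. -->
<configuration>
  <system.web>
    <!-- Callers are identified by their Windows accounts (IIS negotiates this). -->
    <authentication mode="Windows" />

    <!-- Run the request thread under the caller's access token, so the operating
         system's ACL checks on .aspx files and other resources apply to the user,
         not to the ASP.NET worker process identity. -->
    <identity impersonate="true" />

    <!-- Refuse anonymous requests ("?") so that every caller must present
         Windows credentials before any page is served. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

For the challenge to happen, the IIS virtual directory must have Integrated Windows authentication enabled in its Directory Security settings; with impersonation on, the file system ACLs on the application directory then become the authorization policy, so they should be reviewed as carefully as a Web.config would be.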
Anonymous access (access by unauthenticated users)
Requests from anonymous users are tagged with IUSR_machinename's access token. IUSR_machinename is an Internet guest