PDN-C10-PPT - Chapter 10 ASP.NET Security Yingcai Xiao...
Chapter 10 ASP.NET Security Yingcai Xiao
Introduction to Web Security
  Categories
  Issues
  Components
Building a Secure Web Site
Three Categories of Web Security:
  Content freely available to everyone (public).
  Sites that serve the general population but require a login (application-level security, protected).
  Intranet sites for a controlled population of users, such as a company's employees (private).
Security Issues:
  Application-level security (users).
  Deployment security (programmers).
Web Security Components:
  Authentication identifies the originator of requests (who).
  Authorization defines who can access which pages (what).
Authentication
ASP.NET supports three types of authentication:
  Forms (Page-wide)
  Windows (Machine-wide)
  Passport (Internet-wide)
  None
Web.config:
  <configuration>
    <system.web>
      <authentication mode="Forms"/>
    </system.web>
  </configuration>
Note: The authentication mode is an application-wide setting that can be set only in the application root and can't be overridden in subordinate Web.config files. You can't use Windows authentication in one part of an application and forms authentication in another.
Setting authentication mode in the root Web.config
Authorization
ASP.NET supports two forms of authorization:
  ACL (access control list) authorization, also known as file authorization: based on file system permissions, typically used with Windows authentication.
  URL authorization: relies on configuration directives in Web.config files, most often used with forms authentication.
Three Typical Security Scenarios for Web Applications
  Pages can be freely browsed by anyone: no application-level security.
  Intranet application: use Windows authentication and ACL authorization.
  Internet application with secure page access: use forms authentication and URL authorization.
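An added example, not from the slides, of the Internet scenario described above: forms authentication set once in the root Web.config (the only place the mode may be set) and URL authorization denying anonymous users for a protected area. The login page name (Login.aspx) and the folder name (Members) are assumed.

```xml
<!-- Root Web.config (constructed example, not from the slides).
     The authentication mode must be set here; subordinate Web.config
     files cannot override it. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Unauthenticated requests to protected pages are redirected
           to this page; the ticket is encrypted and signed and the
           cookie is only sent over SSL. -->
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false" />
    </authentication>
    <!-- Public pages: everyone, including anonymous users, may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- URL authorization for the protected area, scoped with <location>
       so it can stay in the root file (a Members/Web.config holding
       only the <authorization> element has the same effect).
       "?" means anonymous users, "*" means all users. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rule order matters: ASP.NET applies the first matching rule, so reversing the deny and allow lines would admit anonymous users to the Members folder.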
The Internal Working of IIS and ASP.NET Security
IIS Security
IIS (Internet Information Services) Server is a Web server that:
  runs in the process Inetinfo.exe as SYSTEM;
  accepts connections;
  responds to HTTP requests.
Web applications are deployed in application directories. Remote clients can't arbitrarily grab files outside virtual directories.
IIS assigns every request an access token representing a Windows security principal. The access token enables the operating system to perform ACL checks on the resources targeted.
IIS supports IP address and domain name restrictions.
IIS supports encrypted HTTP connections using the Secure Sockets Layer (SSL) family of protocols.
IIS Security
Anonymous access (access by unauthenticated users): requests from anonymous users are tagged with IUSR_machinename's access token. IUSR_machinename is an Internet guest account created when IIS is installed, where machinename is usually the Web server's machine name.
ASP.NET Security
Server Side Processing: (1) Client accesses .ASPX files => (2) Inetinfo.exe (IIS) generates an access token => Aspnet_isapi.dll sends the request and the