12. ASP.NET Authentication and Authorization (slide transcript)
8/10/2019 12. ASP.net Authentication and Authorization
1/46
Authentication & Authorization in ASP.NET
Forms Authentication, Users, Roles, Membership
Svetlin Nakov
Telerik Corporation
www.telerik.com
-
Table of Contents
1. Basic principles
2. Authentication Types
Windows Authentication
Forms Authentication
3. Users & Roles
4. Membership and Providers
5. Login / Logout Controls
-
Basics
Authentication
The process of verifying the identity
of a user or computer
Questions: Who are you? How do you prove it?
Credentials can be password, smart card, etc.
Authorization
The process of determining what a user is
permitted to do on a computer or network
Question: What are you allowed to do?
-
Windows and Forms Authentication in ASP.NET
-
Authentication Types in ASP.NET
Windows Authentication
Uses the security features integrated into the
Windows operating systems
Uses Active Directory / Windows accounts
Forms Authentication
Uses traditional login / logout pages
Code associated with a Web form handles user
authentication by username / password
Users are usually stored in a database
-
Windows Authentication
In Windows Authentication mode the Web
application uses the same security scheme
that applies to your Windows network
Network resources and Web applications use the same:
User names
Passwords
Permissions
It is the default authentication when a new
Web site is created
-
Windows Authentication (2)
The user is authenticated against his username
and password in Windows
Known as the NTLM authentication protocol
When a user is authorized, ASP.NET issues an authentication ticket
(which is an HTTP header)
The application executes using the permissions associated with the Windows account
The user's session ends when the browser is
closed or when the session times out
-
Windows Authentication (3)
Users who are logged on to the network
Are automatically authenticated
Can access the Web application
To set the authentication to Windows add to the Web.config:
To deny anonymous users add:
-
Windows Authentication (4)
The Web server should have NTLM enabled. Example exchange (HTTP requests sent by the client, HTTP responses sent by the server):
Request:
    GET /Default.aspx HTTP/1.1
Response:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
Request:
    GET /Default.aspx HTTP/1.1
    Authorization: NTLM tESsB/yNY3lb6a0L6vVQEZNqwQn0sqZ
Response:
    HTTP/1.1 200 OK
-
Windows Authentication: Live Demo
-
Forms Authentication
Forms Authentication uses a Web form to collect login credentials (username / password)
Users are authenticated by the C# code behind the Web form
User accounts can be stored in:
Web.config file
Separate user database
Users are local to the Web application
Not part of Windows or Active Directory
-
Forms Authentication (2)
Enabling forms authentication:
Set authentication mode in the Web.config
to "Forms"
Create a login ASPX page
Create a file or database to store the user
credentials (username, password, etc.)
Write code to authenticate the users against
the users file or database
-
Configuring Authorization in Web.config
To deny someone's access add a deny rule inside the authorization tag
To allow someone's access add an allow rule inside the authorization tag
A deny rule for anonymous users denies anonymous access
A deny rule for all users denies access to all users
-
Configuring Authorization in Web.config (2)
Specifying authorization rules in Web.config:
The deny/allow rules stop the authorization process at the first match
Example: if a user is authorized as Pesho by the rule that matches first, the rules
that follow it are not processed
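Added example, not from the slides: a Web.config that enables forms authentication and spells out the deny/allow rules described above, including per-page rules for an admin page (the page names, the "Admins" role and the timeout are assumptions). For Windows authentication the mode attribute becomes "Windows" and the same authorization rules apply.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the slides). Page names, the Admins role and
     the timeout are assumed values. -->
<configuration>
  <system.web>
    <!-- Forms mode: unauthenticated requests to protected pages are
         redirected to loginUrl. For Windows authentication use mode="Windows". -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" />
    </authentication>

    <!-- Rules are evaluated top to bottom and the first match wins.
         users="?" means anonymous users, users="*" means all users.
         Putting <allow users="*" /> first would match every request and
         the deny below it would never be reached. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-page rules are merged in front of the site-wide rules.
       Admin.aspx: only members of the Admins role get through; the allow
       must precede the deny for everyone else, otherwise the deny matches
       first and locks the admins out too. -->
  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Login.aspx stays reachable by anonymous users so they can sign in. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```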
-
Implementing Login / Logout
Logging-in using credentials from Web.config:
    if (FormsAuthentication.Authenticate(username, passwd))
    {
        // false: issue a session cookie, not a persistent one
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
    else
    {
        lblError.Text = "Invalid login!";
    }
RedirectFromLoginPage creates a cookie (or hidden field) holding the authentication ticket.
Logging-out the currently logged user:
    FormsAuthentication.SignOut();
Displaying the currently logged user:
    lblInfo.Text = "User: " + Page.User.Identity.Name;
-
Forms Authentication: Live Demo
-
ASP.NET Users and Roles
Membership Provider and Roles Provider
-
Users, Roles and Authentication
A user is a client with a Web browser running a
session with the Web application
Users can authenticate (log in) to the Web application
Once a user is logged in, a set of roles and permissions is assigned to that user
Authorization in ASP.NET is based on users and roles
Authorization rules specify what permissions each user / role has
-
ASP.NET Membership Providers
Membership providers in ASP.NET
Simplify common authentication and user
management tasks
CreateUser()
DeleteUser()
GeneratePassword()
ValidateUser()
Can store user credentials in database / file / etc.
-
Roles in ASP.NET
Roles in ASP.NET allow assigning permissions
to a group of users
E.g. an "Admins" role could have more privileges than a "Guests" role
A user account can be assigned to multiple roles at the same time
E.g. user "Peter" can be a member of the "Admins" and "TrustedUsers" roles
Permissions can be granted to multiple users sharing the same role
-
ASP.NET Role Providers
Role providers in ASP.NET
Simplify common authorization tasks and role
management tasks
CreateRole()
IsUserInRole()
GetAllRoles()
GetRolesForUser()
Can store roles and role memberships in a database / file / etc.
-
Registering a Membership Provider
Adding a membership provider to the Web.config:
-
Registering a Role Provider
To register role provider in ASP.NET 4.0 add the
following to the Web.config:
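Added example, not from the slides: registering a SqlMembershipProvider and a SqlRoleProvider in Web.config against the standard membership tables that aspnet_regsql.exe creates (the connection string, the database name School and the provider names are assumptions).

```xml
<?xml version="1.0"?>
<!-- Added example (not from the slides). Connection string, database name
     and provider names are assumed values. -->
<configuration>
  <connectionStrings>
    <add name="SchoolDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=School;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="SchoolMembership">
      <providers>
        <clear />
        <!-- passwordFormat="Hashed" stores a salted hash instead of the
             password ("Clear") or a reversible form ("Encrypted"). With a
             hash, enablePasswordRetrieval must stay false and the
             PasswordRecovery control resets the password rather than
             mailing the old one. maxInvalidPasswordAttempts within
             passwordAttemptWindow (minutes) locks the account out. -->
        <add name="SchoolMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SchoolDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- applicationName must match the membership provider so that users
         and their roles are read from the same application scope. -->
    <roleManager enabled="true" defaultProvider="SchoolRoles" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SchoolRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="SchoolDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```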
-
The SQL Registration Tool: aspnet_regsql
The built-in classes System.Web.Security.SqlMembershipProvider and System.Web.Security.SqlRoleProvider use a set of standard tables in SQL Server
These can be created by the ASP.NET SQL Server
Registration tool (aspnet_regsql.exe)
The aspnet_regsql.exe utility is installed as part
of ASP.NET 4.0:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
-
The Standard ASP.NET Applications Database Schema
-
aspnet_regsql.exe: Live Demo
-
ASP.NET Membership API
Implementing login:
    if (Membership.ValidateUser(username, password))
    {
        // false: issue a session cookie, not a persistent one
        FormsAuthentication.RedirectFromLoginPage(username, false);
    }
Implementing logout:
    FormsAuthentication.SignOut();
Creating new user:
    Membership.CreateUser(username, password);
-
ASP.NET Membership API (2)
Getting the currently logged user:
    MembershipUser currentUser = Membership.GetUser();
Creating new role:
    Roles.CreateRole("Admins");
Adding user to existing role:
    Roles.AddUserToRole("admin", "Admins");
Deleting user / role:
    // true: also delete the user's related data (roles, profile)
    Membership.DeleteUser("admin", true);
    Roles.DeleteRole("Admins");
-
Membership Provider: Live Demo
-
Visual Studio Web Site Administration Tool: Live Demo
-
Built-in Login Control
-
The Login Control
The Login control provides the necessary interface through which a user can enter their username and password
The control uses the membership provider specified in the Web.config file
Adding the login control to the page:
-
The Login Control (2)
-
The LoginName and LoginStatus Controls
Once a user has logged in we can display his username just by adding the LoginName control to the page
The LoginStatus control allows the user to log in or log out of the application
-
The CreateUserWizard Control
It is used to create new accounts
It works with the membership provider class
Offers many customizable features
Can quickly be added to a page using:
-
The CreateUserWizard Control (2)
-
The PasswordRecovery Control
It is used to retrieve passwords
The user is first prompted to enter a username
Once users enter valid user names, they must
answer their secret questions
The password is sent via e-mail
To add this control use:
-
The ChangePassword Control
Allows users to change their passwords
It uses the membership provider specified in
the Web.config
Can be added to any page with the following tag:
-
Authentication & Authorization
Questions?
-
Exercises
1. Create a database School in SQL Server. Using
aspnet_regsql.exe add the SQL Server membership tables to support users / roles.
2. Using the ASP.NET Web Site Configuration Tool
create a new role "Student" and two users that have the new role. Create a login page and try to
enter the site with one of these two accounts.
3. Create a Web site and restrict access to it for
unregistered users. Implement a login page, a user registration page and a logout link in the master
page. The site should have the following pages:
-
Exercises (2)
Login.aspx: accessible to everyone
Register.aspx: accessible to everyone; allows visitors to register
Main.aspx: accessible to logged-in users only
Admin.aspx: accessible to the Administrators role only; allows users to be listed and deleted
4. Implement a site map and navigation menu that
defines the pages in the Web site and specifies which roles each page requires. Hide the
inaccessible pages from the navigation.
-
Exercises (3)
5. Create your own membership provider that uses a
database of your choice. Define the tables:
Users(ID, username, PasswordSHA1)
Roles(ID, Name)
6. Create the following ASP.NET pages:
Login.aspx: accessible to everyone
Register.aspx: accessible to Administrators only
Main.aspx: accessible to logged-in users only