2009 - nrw conf: (asp).net membership

(ASP).NET Membership Built in security Daniel Fisher [email protected]

Upload: daniel-fisher

Post on 13-Aug-2015


TRANSCRIPT


ASP.NET Membership
In the .NET Framework since the beginning
Part of ASP.NET
• But who cares?

Membership

// Check a user name and password against the configured provider
Membership.ValidateUser(userName, password);

// Load a user by its provider key, change the e-mail address and save it
var user = Membership.GetUser(1);
user.Email = "[email protected]";
Membership.UpdateUser(user);

Roles

const string adminRole = "Administrator";

// Create the role once if it does not exist yet
if (!Roles.RoleExists(adminRole))
{
    Roles.CreateRole(adminRole);
}

// The principal of the current request answers role questions
IPrincipal user = HttpContext.Current.User;
user.IsInRole(adminRole);

Based on IPrincipal
An essential part of the .NET Framework
• System.Threading
• System.Environment
• ...

What about my data?
It is not always a green field. The Membership API is provider based.

Membership API
Configuration
[Diagram: the Membership API reads its configuration and dispatches to one of several Membership Providers]

Membership Configuration

<configuration>
  <system.web>
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" ... />
      </providers>
    </membership>
  </system.web>
</configuration>

Membership Provider Methods

protected MembershipProvider();
public abstract bool ChangePassword();
public abstract bool ChangePasswordQuestionAndAnswer();
public abstract MembershipUser CreateUser();
protected virtual byte[] DecryptPassword();
public abstract bool DeleteUser();
internal string EncodePassword();
protected virtual byte[] EncryptPassword();
public abstract MembershipUserCollection FindUsersByEmail();
public abstract MembershipUserCollection FindUsersByName();
internal string GenerateSalt();
public abstract MembershipUserCollection GetAllUsers();
public abstract int GetNumberOfUsersOnline();
public abstract string GetPassword(string username, string answer);
public abstract MembershipUser GetUser();
public abstract MembershipUser GetUser();
internal MembershipUser GetUser();
public abstract string GetUserNameByEmail();
protected virtual void OnValidatingPassword();
public abstract string ResetPassword();
internal string UnEncodePassword();
public abstract bool UnlockUser();
public abstract void UpdateUser();
public abstract bool ValidateUser();

Membership Provider Properties

public abstract string ApplicationName { get; set; }
public abstract bool EnablePasswordReset { get; }
public abstract bool EnablePasswordRetrieval { get; }
public abstract int MaxInvalidPasswordAttempts { get; }
public abstract int MinRequiredNonAlphanumericCharacters { get; }
public abstract int MinRequiredPasswordLength { get; }
public abstract int PasswordAttemptWindow { get; }
public abstract MembershipPasswordFormat PasswordFormat { get; }
public abstract string PasswordStrengthRegularExpression { get; }
public abstract bool RequiresQuestionAndAnswer { get; }
public abstract bool RequiresUniqueEmail { get; }

Custom Membership Providers

demo!
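The demo itself is not in the transcript. As an added example (not code from the talk or from ASP.NET), here is a custom provider that implements every abstract member listed on the previous slides over an in-memory dictionary. The class name InMemoryMembershipProvider, the hard-coded settings and the store are assumptions; it needs C# 7 or later and the System.Web assembly. The points worth seeing are the ones a custom provider must get right: a random per-user salt with PBKDF2, a constant-time hash comparison, lockout after MaxInvalidPasswordAttempts failures, and password retrieval switched off.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Security;

// Added example, not from the talk: a custom MembershipProvider over an in-memory
// dictionary (not thread-safe; a real one uses a database and locking). It shows what
// a custom provider must get right: a random per-user salt with PBKDF2, lockout after
// repeated failures, and no password retrieval.
public class InMemoryMembershipProvider : MembershipProvider
{
    private class Record { public byte[] Salt, Hash; public string Email; public int Failures; public bool Locked; public DateTime Created; }
    private readonly Dictionary<string, Record> users = new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);

    // Provider settings (hard-coded here; a real provider reads them in Initialize)
    public override string ApplicationName { get; set; } = "/";
    public override bool EnablePasswordRetrieval => false;  // hashes cannot be reversed
    public override bool EnablePasswordReset => false;
    public override bool RequiresQuestionAndAnswer => false;
    public override bool RequiresUniqueEmail => false;
    public override int MaxInvalidPasswordAttempts => 5;
    public override int PasswordAttemptWindow => 10;
    public override int MinRequiredPasswordLength => 8;
    public override int MinRequiredNonAlphanumericCharacters => 0;
    public override string PasswordStrengthRegularExpression => string.Empty;
    public override MembershipPasswordFormat PasswordFormat => MembershipPasswordFormat.Hashed;

    private static byte[] NewSalt() { var s = new byte[16]; using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(s); return s; }
    private static byte[] Derive(string pw, byte[] salt) { using (var k = new Rfc2898DeriveBytes(pw, salt, 10000)) return k.GetBytes(32); }
    // Constant-time compare: response time must not reveal the first differing byte
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i]; return diff == 0;
    }
    // Name is the provider name from web.config; MembershipUser needs a registered provider
    private MembershipUser ToUser(string name, Record r) => new MembershipUser(Name, name, name, r.Email,
        null, null, true, r.Locked, r.Created, DateTime.MinValue, DateTime.MinValue, r.Created, DateTime.MinValue);

    public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion,
        string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
    {
        if (string.IsNullOrEmpty(username)) { status = MembershipCreateStatus.InvalidUserName; return null; }
        if (users.ContainsKey(username)) { status = MembershipCreateStatus.DuplicateUserName; return null; }
        if (password == null || password.Length < MinRequiredPasswordLength) { status = MembershipCreateStatus.InvalidPassword; return null; }
        var salt = NewSalt();
        users[username] = new Record { Salt = salt, Hash = Derive(password, salt), Email = email, Created = DateTime.UtcNow };
        status = MembershipCreateStatus.Success;
        return ToUser(username, users[username]);
    }

    public override bool ValidateUser(string username, string password)
    {
        Record r;
        if (username == null || password == null || !users.TryGetValue(username, out r) || r.Locked) return false;
        if (FixedTimeEquals(r.Hash, Derive(password, r.Salt))) { r.Failures = 0; return true; }
        if (++r.Failures >= MaxInvalidPasswordAttempts) r.Locked = true;  // lock the account against guessing
        return false;
    }

    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (!ValidateUser(username, oldPassword) || newPassword == null || newPassword.Length < MinRequiredPasswordLength) return false;
        var r = users[username]; r.Salt = NewSalt(); r.Hash = Derive(newPassword, r.Salt);  // fresh salt on every change
        return true;
    }
    public override bool UnlockUser(string userName)
    {
        Record r; if (!users.TryGetValue(userName, out r)) return false;
        r.Locked = false; r.Failures = 0; return true;
    }
    public override MembershipUser GetUser(string username, bool userIsOnline)
    { Record r; return users.TryGetValue(username ?? "", out r) ? ToUser(username, r) : null; }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) => GetUser(providerUserKey as string, userIsOnline);
    public override string GetUserNameByEmail(string email) =>
        users.FirstOrDefault(kv => string.Equals(kv.Value.Email, email, StringComparison.OrdinalIgnoreCase)).Key;
    public override bool DeleteUser(string username, bool deleteAllRelatedData) => users.Remove(username);
    public override void UpdateUser(MembershipUser user) { users[user.UserName].Email = user.Email; }
    public override int GetNumberOfUsersOnline() => 0;  // this store records no activity

    private MembershipUserCollection Page(IEnumerable<KeyValuePair<string, Record>> q, int pageIndex, int pageSize, out int total)
    {
        var list = q.ToList(); total = list.Count;
        var c = new MembershipUserCollection();
        foreach (var kv in list.Skip(pageIndex * pageSize).Take(pageSize)) c.Add(ToUser(kv.Key, kv.Value));
        return c;
    }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords) =>
        Page(users, pageIndex, pageSize, out totalRecords);
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords) =>
        Page(users.Where(kv => kv.Key.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0), pageIndex, pageSize, out totalRecords);
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords) =>
        Page(users.Where(kv => (kv.Value.Email ?? "").IndexOf(emailToMatch, StringComparison.OrdinalIgnoreCase) >= 0), pageIndex, pageSize, out totalRecords);

    // Retrieval, reset and question/answer are switched off above, so these stay unsupported
    public override string GetPassword(string username, string answer) => throw new NotSupportedException();
    public override string ResetPassword(string username, string answer) => throw new NotSupportedException();
    public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newQuestion, string newAnswer) => false;
}
```

To use it, register the class in the membership section shown earlier (an assumed name: add name="InMemoryProvider" type="InMemoryMembershipProvider" under providers and set defaultProvider to the same name). The MembershipUser constructor checks that the provider name it is given is registered, so the class only works once that entry exists; the static Membership and Roles calls from the earlier slides then run against it unchanged.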

Beyond the web...

What about the rest?
There are not only ASP.NET Web Applications
• AJAX
• Desktop
• Web Services
• Rich Internet Applications

Sys.Web.Services
ASP.NET AJAX supports Membership authentication out of the box. Just enable it in the config.

Sys.Services Configuration

<configuration>
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled="true" />
      </webServices>
    </scripting>
  </system.web.extensions>
</configuration>

Membership for AJAX Apps

demo!

Membership Services
Visual Studio 2008 offers desktop applications to enable Membership features with "one click".

Membership for Desktop Apps

demo!

Limitations
Microsoft ships a provider for
• ASP.NET Database schema
• Windows Accounts
• Active Directory

The API offers full administration of your authorization store
• BUT...
• The providers running against SAM/AD do not support a few things...
• Like editing other user accounts

WCF Security
Windows Communication Foundation is one of the most pluggable and configurable things the world has seen.
Of course this is also true for its security features.

WCF Authentication
Derive from the base class UserNamePasswordValidator. Override the method Validate.
Configure the class in the service behavior section as the service credentials to use.

Authentication Configuration

<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyBehavior">
          <serviceCredentials>
            <userNameAuthentication
              customUserNamePasswordValidatorType="..."
              userNamePasswordValidationMode="Custom" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

WCF Authorization
Implement the interface IAuthorizationPolicy.
Configure the extension in the service behavior section as the service authorization to use.

Authorization Configuration

<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyBehavior">
          <serviceAuthorization principalPermissionMode="Custom">
            <authorizationPolicies>
              <add policyType="..." />
            </authorizationPolicies>
          </serviceAuthorization>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
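The two WCF extension points described on the authentication and authorization slides, filled in as an added example (not code from the talk): a UserNamePasswordValidator that delegates to Membership.ValidateUser, and an IAuthorizationPolicy that turns the authenticated identity into a GenericPrincipal carrying the user's ASP.NET roles, so that PrincipalPermission demands on operations work with principalPermissionMode="Custom". The class names, the IAdminService contract and the "Administrator" role are assumptions; the service is assumed to have the Membership and Roles providers configured in its config file.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Security;

// Added example, not from the talk. Authentication: WCF calls Validate for every
// message that carries a UserName token. Throwing a FaultException rejects the call;
// the same message is used for unknown users and wrong passwords so callers
// cannot tell which of the two happened.
public class MembershipUserNamePasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)
            || !Membership.ValidateUser(userName, password))
        {
            throw new FaultException("Unknown user name or incorrect password.");
        }
    }
}

// Authorization: builds the principal that PrincipalPermission demands are checked
// against (principalPermissionMode="Custom") from the ASP.NET Roles API.
public class MembershipRolesAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object value;
        // "Identities" is filled in by WCF after the validator above accepted the token
        if (!evaluationContext.Properties.TryGetValue("Identities", out value)) return false;
        var identities = value as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;

        IIdentity identity = identities[0];
        string[] roles = Roles.GetRolesForUser(identity.Name);
        evaluationContext.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

// An assumed service whose operation is restricted to one role. The demand is
// evaluated against the principal the policy stored above.
[ServiceContract]
public interface IAdminService
{
    [OperationContract]
    bool DeleteUser(string userName);
}

public class AdminService : IAdminService
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public bool DeleteUser(string userName)
    {
        return Membership.DeleteUser(userName, true);
    }
}
```

In the configuration from the slides, customUserNamePasswordValidatorType and policyType take the assembly-qualified names of these two classes. Two things to keep in mind when wiring this up: WCF can also use the configured Membership provider without a custom class (userNamePasswordValidationMode="MembershipProvider" with membershipProviderName), so the custom validator is only needed when you want extra checks; and a UserName credential must travel over a binding that protects it, for example TransportWithMessageCredential over HTTPS, or the password crosses the network in clear text.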

Membership for Web Services

demo!

Rich Internet Applications
There is no Membership in Silverlight
• But we can use the AJAX API...
So the limiting factor is the network connectivity...

Membership for Rich Internet Applications

demo!

Q&A

Thank you!

devcoach® SOFTWARE://DEVELOPMENT+ARCHITECTURE+CONSULTING