ASP.NET Authentication,

Authorization, and Security

Lifespan Biotechnologies

Overview

General process of authentication and authorization for any user who wishes to access secure information.

Internet Information Server (IIS) is a tool for Windows servers used in Visual Basic that processes browser requests.

Web Application Programming Interface (Web API) includes the interfaces which houses the libraries which will be utilized to successfully authenticate and authorize users.

http://i2.asp.net/media/3994461/webapi_auth01.png?cdn_id=2013-05-10-001

Authentication

Knowing the identity of the user

Used to maintain privacy (as opposed to public viewing)

To authenticate is to cross-reference credentials by a user with existing credentials

What is it and why do we need it?

Authentication

Web API assumes that authentication occurs in the host server and utilizes HTTPModule

ASP.NET has several built-in authentication modules and also allows for custom-defined authorization (more on these later)

When host authenticates a user, it creates a principal IPrincipal object

Contains security information/context by which the program is running under

Host attaches principal to current thread by setting Thread.CurrentPrincipal

The principal contains an Identity object that contains information about the user

State of user authentication can be accessed by Identity.IsAuthenticated

Self-hosting is available as well, but is limited in functionality and impractical for this project

General Overview

Authentication

Basic Authentication

Forms Authentication

Passport Authentication

Integrated Windows Authentication

Custom Authentication

Type of Authentication

Authentication

1) If a request requires authentication, the server returns 401 (unauthorized) and indicates that the server supports basic authentication with a WWW-Authenticate header

2) Another request is sent with credentials in the Authorization header and is formatted in name:password in base64-encoding

a. Credentials are not encrypted

b. Base64 is an encoding and NOT en encryption, so quite easy to decipher

Basic Authentication

Authentication

Credentials are valid only in the realm defined by the server

Vulnerable to CSRF attacks an attack where a users credentials are sent to an external party (i.e. via a URI that is the same as the original website but is owned by that external party) which then uses that users credentials to authenticate and authorize itself to all the information that the user is allowed to access

Add [Authorize] to any controller/action that needs authenticating (i.e. changing user information)

Browser clients automatically set basic authentication but can be set using HttpClient and HttpClientHandler

Basic Authentication (cont.)

Authentication

1) A request for an authorized resource comes in

2) If user is not authenticated, the server returns HTTP 302 (Found) and redirects to the login page (while storing original request)

3) User enters credentials and submits the form

4) Server returns another HTTP 302 and redirects to original URI

The response includes an authentication cookie

5) Client requests resource again. Request includes cookie so access is granted

Forms Authentication

Authentication

Similar to Basic Authentication except that response includes a cookie which is evaluated for authentication and authorization

Still does not encrypt user credentials, so is still prone to CSRF attacks

More effective than Basic Authentication but must use Secure Socket Layers (SSL) for security (more later)

Forms Authentication (Cont.)

Authentication

Allows a single sign-in that uses information from a member site in order to login

Must register site with the Passport service and requires minor additional modifications in code

Leaves authentication for the passport website

Impractical for early stages of development (if we are storing information), but may be useful later when used in conjunction with other sites similar to this

Passport Authentication

Authentication

Integrated Windows Authentication

1) Client sends credentials to authentication service to check for authentication and is given a ticket in return

2) Client sends ticket to ticket granting service and receives a service ticket in return

3) The user is now authenticated

http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication/21.jpg

Authentication

Integrated Windows Authentication (Cont.)

Utilizes either Kerberos v5 or Windows NT LAN Manager (NTLM) authentication

Effective in terms of security

However, only limited to Windows accounts and is not supported by some browsers; therefore impractical

Authentication

We are allowed to create our own custom authentication modules within an ASP.NET project

Remember back to the principal objects with custom authentication, we must set two properties within project

Thread.CurrentPrincipal must be set to the given IPrincipal object

HttpContext.Current.User should also be set to the IPrincipal object, given that Httpcontext.Current exists (does not exist in self-hosting)

BUT ASP.NET already provides us with everything that we need (and MUCH more)!

Therefore, we do not have to worry about creating a custom authentication (but it is always nice to learn!)

Custom Authentication

Authentication

As mentioned briefly, cross-site reference forgery attacks are attacks in which an external party is able to send requests to and authorized site where a user is currently logged in to

Does this when user (unknowingly) requests a URI similar to the authorized site and sends credentials along with the request

The malicious site now has the users information and can see and access everything that the user can see and access!

Cross-Site Request Forgery Attacks

Authentication

Use anti-forgery tokens (require that the server request verification tokens) 1) Client requests a page that requires authentication and contains a form 2) Server includes tokens in response. One is a cookie and one is placed in a hidden form field. Both are

randomly generated so third-parties cannot guess value 3) When client submits form, the client must send both tokens back. The form token in the form field is

automatically sent with cookie 4) If request foes not include both items, server rejects request

Effective because malicious pages can only send requests but cannot see users tokens due to

same-origin policies

This method should be used with any authorization protocol that silently sends credentials after user logs in

Should be used with requests that access nonsafe methods (actions that change data) such as POST, PUT, and DELETE, and the coder should confirm that safe methods are indeed safe

To include in project, use HtmlHelper.AntiForgeryToken helper method or can be randomly generated using AntiForgery.GetTokens if request is not HTML form data (tokens must then be separately extracted and validated)

Preventative Measures Against CSRF Attacks

Authentication

SSLs can be implemented for these aforementioned security practices

1) Create or get a certificate for SSL in IIS

2) Add an HTTPS binding (the appended S stands for Secure)

May allow some requests to be available as HTTP while others require SSL

Use action filter [RequireHttps] for these particular requests that require additional security

SSL provides authentication by Public Key Infrastructure (PKI) certificates

More secure than user/password and provides a complete, secure channel with authentication, message integrity and message encryption

However, must obtain and manage a PKI certificate and client must support SSL client certificate

Must configure IIS to accept client certificates

Obtain client certificate using GetClientCertificate, which returns X509Certificate2 typed object, which can then be used for authentication and authorization

Secure Sockets Layer (SSL)

Summary of Authentication

Authentication is a means of determining whether the user exists on the server, via credentials provided by the user

ASP.NET supports several forms of authentication, including built-in authentications (Basic, Forms, and Passport), Integrated Windows Authentication, and Custom (Coder-Defined) Authentication

A common attack on servers is a cross-site request forgery attack. These can be prevented by using anti-forgery tokens and Secure Sockets Layer

Authorization

Decides whether a user is permitted to perform a particular action, changing a password or editing personal account information

Happens later in the process pipeline, closer to the controller, as opposed to authorization

Is a user authorized to perform this action (does the user have the appropriate credentials)?

What is it and why do we need it?

Authorization

Authorization filters run before a controller action

If a request is not authorized, the filter will return an error response and the action is not invoked

Within a controller action, the authorization information of the user/principal can be accessed by the ApiController.User property

ASP.NET uses a built-in authorization filter, AuthorizeAttribute, that utilizes [Authorize] (this should look familiar)

Authorization

When filter is evaluated against credentials, it returns HTTP status code 401 (Unauthorized; this should again seem familiar) when credentials do not satisfy and does not invoke the action

Located in System.Web.Http for Web API and System.Web.Mvc for non-compatible controllers

This filter can be applied at the global level (applies to the Web API and thusly every controller class), at the controller level (applies to every defined within that controller), or at the action level (applies to everything within that particular action)

An [AllowAnonymous] filter can also be applied if the server wishes to allow public access. If this filter is found inside of an [Authorize] filter, public access has precedence

Filters can also be applied to specific users or roles by defining these variables within the filter declaration *Authorize (Users = praymond,jcary)+ would allow users praymond and jcary access this info

*Authorize (Roles = Administrator,Technician)+ would allow users with the roles Administrator or Technician to access this info

[Authorize] and [AllowAnonymous] filter

Authorization

Custom authorization filters can be defined instead and are derived from one of the following types:

AuthorizeAttribute performs authorization logic based on user and role

AuthorizationFilterAttribute performs synchronous authorization logic that is not necessarily based on user or role

IAuthorizationFilter performs asynchronous authorization logic

Custom Authorization Filters

Authorization

Allows authorization based on role or user (as shown previously in filter arguments)

Roles are not predefined in program, so it must be added additionally into database properties

Available roles checks that are available:

Manual Role Check utilizes the IPrincipal.IsInRole method to check role

Declarative Role Check utilizes PrincipalPermissionAttribute class to demand role membership (only supports logical OR and not logical AND)

Imperative Role Check utilizes PrincipalPermission.Demand within methods to perform authorization check

Match the data against the current Web requestor (HttpContext.User)

Role-Based Authorization

Summary of Authorization

Determines if a user is permitted to perform a particular action and is checked closer to the controller action

Utilizes [Authorize] and [AllowAnonymous] filters applied at the global, controller, and/or action level

Filters are defined by ASP.NET, or can be custom-defined using AuthorizeAttribute, AuthorizationFilterAttribute, and IAuthorizeFilter

Most practical form of authorization for this project, which allows users to define roles at registration, will be a role-based authorization

Additional Comments

Security will be particularly important and should be as secure as possible if we store sensitive information such as personal patient information, customer credit card information, etc.

Mashups a webpage or web application that uses and combines data, presentation,

or functionality from two or more sources to create new services. Main characteristics are combination, visualization and aggregation.

Useful if we wish to combine a large amount of information from various sources

Allows us to reuse existing data, rather than rewriting from scratch

i.e. integrating Google Map to find help clinics local to particular address

OAuth 2.0, another authorization/authentication method that utilizes accounts from other servers but limits resources, was omitted due to the current scale of the project but can be considered for later versions

Questions?