Scribd
Upload
144 views

MVC Authorisation

ASP.NET Web Forms Security Authorize Attribute Secure Application With ASP.NET Webforms Authorize Attribute AuthorizeAttribute with Forms Authentication Windows Authentication Forms Authentication Authorize Attribute - Role Membership OAuth & OpenID Security Vectors in a Web Application Threat: Cross-Site Scripting (XSS) Passive Injection Active Injection Preventing XSS Using AntiXSS References: Professional ASP.NET MVC4 Developing Windows Azure and Web Services

Uploaded by

Amareswara Rao
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
144 views

MVC Authorisation

ASP.NET Web Forms Security Authorize Attribute Secure Application With ASP.NET Webforms Authorize Attribute AuthorizeAttribute with Forms Authentication Windows Authentication Forms Authentication Authorize Attribute - Role Membership OAuth & OpenID Security Vectors in a Web Application Threat: Cross-Site Scripting (XSS) Passive Injection Active Injection Preventing XSS Using AntiXSS References: Professional ASP.NET MVC4 Developing Windows Azure and Web Services

Uploaded by

Amareswara Rao
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Never , ever trust any data your users give you . Ever .

Membership,
Authorization, and Security
By
Amareswar Rao

Hackers, crackers, spammers, viruses, malware


1
ASP.NET Web Forms
Security
ASP.NET MVC doesn't have as many automatic protections
as ASP.NET Web Forms

Web forms security

Event Validation helps prevent injection attack

View State is encrypted

Request Validation (<% @page validaterequest=true %> )

Server Components HTML-encode displayed values and


attributes to help prevent XSS attacks.

2
Authorize Attribute

authentication is verifying that users are


who they say they are, using some form
of login mechanism

Authorization is verifying that they can


do what they want to do with respect to
your site. This is usually achieved using
some type of role-based system.

3
Secure Application With
ASP.NET Webforms
A common means of securing an application with Web
Forms is to use URL authorization.

For example, if you have an admin section and you want to


restrict it to users who are in the Admins role, you might
place all your admin pages in an admin folder and deny
access to everyone except those in the Admins role to that
subfolder.

<location path=Admin allowOverride=false>


<system.web> <authorization> <allow roles=Administrator
/> <deny users=? /> </authorization> </system.web> </
location>

4
AuthorizeAttribute
If you don't specify any roles or users, the current user must
simply be authenticated

If a user attempts to access an action method with this


attribute applied and fails the authorization check, the filter
causes the server to return a 401 Unauthorized HTTP status
code.

In the case that forms authentication is enabled and a login


URL is specified in the web.config , ASP.NET will handle this
response code and redirect the user to the login page. This is
an existing behavior of ASP.NET and is not new to ASP.NET
MVC.

Install-Package Wrox.ProMvc4.Security.Authorize
5
AuthorizeAttribute with
Forms Authentication
IPrincipal user = httpContext.User; if (!
user.Identity.IsAuthenticated) { return false; }

HTTP 401 - HttpUnauthorizedResult

<authentication mode="Forms"> <forms


loginUrl="/Account/LogOn" timeout="2880"
/> </authentication>

[Authorize] public ActionResult Buy(int id)

6
Windows Authentication

<authentication mode="Windows" /> In


Web.config

IIS 7

IIS 8

IIS Express

7
Forms Authentication
[Authorize] public ActionResult Buy(int id)

[Authorize] public class CheckoutController :


Controller

RegisterGlobalFilters(GlobalFilterCollection filters)
{ filters.Add(new
System.Web.Mvc.AuthorizeAttribute());
filters.Add(new HandleErrorAttribute()); }

[AllowAnonymous] public ActionResult Login()

8
Web Forms and static resources map to file
paths and can be secured using the
authorization element in your web.config

ASP.NET handler security is more complex;


like an MVC action, a handler can map to
multiple URLs.

Securing handlers is normally handled via


custom code in the ProcessRequest method.
For example, you may check
User.Identity.IsAuthenticated and redirect or
return an error if the authentication check fails.

9
Authorize Attribute - Role
Membership
[Authorize(Roles="Administrator")] public class
StoreManagerController : Controller

[Authorize(Roles="Administrator,SuperAdmin")] public class


TopSecretController:Controller

[Authorize(Users="Jon,Phil,Scott,Brad")] public class


TopSecretController:Controller

[Authorize(Roles="UsersNamedScott", Users="Jon,Phil,Brad")]
public class TopSecretController:Controller

Role and Membership classes found in the System.Web.Security


namespace.

10
OAuth & OpenID
OAuth and OpenID are open standards
for authorization. These protocols allow
your users to log in to your site using
their existing accounts on other trusted
sites (called providers ), such as Google,
Twitter, Microsoft, and others.

OpenID providers: Google, Yahoo, and


myOpenID

11
App_Start\AuthConfig.cs

12
13
Require SSL for Login

14

You might also like