Understanding Security Framework Model in ASP.NET 3.5
Why security is important: Security is an important part of any web application development, because it is what protects assets from unauthorized actions. This covers verifying users, granting or denying access to sensitive information, and protecting data stored on the server.
What ASP.NET has to offer: ASP.NET provides built-in functionality in the form of a security framework which includes classes for authentication and authorization and a set of base classes for implementing confidentiality and integrity. The ASP.NET 3.5 security model is an extension of the ASP.NET 2.0 model, or, put differently, the ASP.NET 2.0 model is the foundation of the ASP.NET 3.5 security model. ASP.NET 3.5 extends this infrastructure with functionality for integration with Ajax.
How ASP.NET implements the security model: gatekeepers.
ASP.NET implements many components that enforce security for an application. Gatekeepers are a conceptual pattern that applies a pipelining model to the security infrastructure. In this pipeline, each security mechanism is implemented by an individual component, or gatekeeper. The pipeline looks something like the figure below.
In the image above you can see a pipeline of gatekeepers. At the end of the pipeline sits the protected resource, which could be anything, such as custom page code. The protected resource is accessed or executed only if every gatekeeper grants access. If just one gatekeeper denies access, request processing is returned to the caller with a security exception.
What are this pipeline and these gatekeepers in ASP.NET? The pipeline is the HTTP pipeline, and ASP.NET implements the concept of gatekeepers through HTTP modules.
These modules are simply classes that implement the IHttpModule interface. HTTP modules have many uses, but most of the built-in ones are dedicated to security.
How ASP.NET HTTP modules act as security gatekeepers: Web application communication is based on HTTP, which is stateless, meaning that no information is retained for the user between requests. It is therefore necessary to authenticate and authorize the user at the beginning of each request. ASP.NET does this by firing global application events, and HTTP modules handle these events to perform the authentication and authorization work.
Let's see below what these IHttpModule classes are and how they act as gatekeepers.
What are the levels of security in ASP.NET: Security is implemented by a few mechanisms, discussed below;
1) Authentication: identifying the user's identity and ensuring the authenticity of that identity. There are four ways of implementing authentication, discussed below;
a) Forms authentication:
The FormsAuthenticationModule implements forms authentication, which lets you design your own login pages and write your own authentication logic while relying on ASP.NET to track user and role information in an encrypted cookie. The FormsAuthenticationModule is active when the authentication element in web.config is set to mode="Forms".
b) Windows authentication:
The WindowsAuthenticationModule works in conjunction with IIS to perform Windows authentication. This module is active when the authentication element in web.config is set to mode="Windows".
c) Passport authentication:
The PassportAuthenticationModule is active when the authentication element in web.config is set to mode="Passport".
When using Passport, users are authenticated using the information in Microsoft's Passport database (the same technology that powers the free Hotmail e-mail system). The advantage of Passport is that you can use existing user credentials (such as an e-mail address and password) without forcing users to go through a separate registration process.
d) Custom authentication:
What is impersonation: It is the process of executing code in the context of another user identity. By default, all ASP.NET code is executed under a fixed, machine-specific account: ASPNET on IIS 5.x (Windows XP) and Network Service on IIS 6.0 and 7.0 (Windows Server 2003 and Windows 7).
We can use impersonation under two circumstances;
a) To give each web application a different set of permissions: with IIS 5.x, the default setting in machine.config applies to all web applications, but there are scenarios where we want to give different web applications different sets of permissions. We can use impersonation to designate a different Windows account for each application. For example, the web application of user A should not be able to access directories or databases belonging to the web application of user B.
b) To use existing Windows user permissions: take a scenario where we want to retrieve a file from a directory that already has user- or group-specific permissions. To access it we can use impersonation to assume the identity of the current user. That way, Windows performs the authorization for you, checking permissions as soon as you attempt to access the file.
How ASP.NET works in the absence of a specific authentication mechanism:
ASP.NET uses the same underlying HTTP pipeline model to represent user and role information. Any user who logs into the application is granted two objects, a principal object and an identity object, based on the credentials provided at login. Let us understand their purpose and their roles.
Principal object
Represents the current security context of the user. It combines the user's identity with other information such as roles and privileges, and therefore allows role-based authorization.
Interface: IPrincipal, which provides information about the current user.
Property: 1. Identity: provides the identity of the current user.
Method: 1. IsInRole(): tests whether the current user is a member of a role, say Admin.
Example: if (HttpContext.Current.User.IsInRole("Admin"))
Identity object
Represents a successfully authenticated user and therefore provides user information such as the user name.
Interface: IIdentity, which defines the basic information needed to represent the current user.
Properties: 1. AuthenticationType: returns the type of authentication used as a string, e.g. Forms or Windows.
2. IsAuthenticated: returns a boolean value telling whether the user has been authenticated (true) or is anonymous (false).
3. Name: returns the name of the current user as a string.
Example: if (HttpContext.Current.User.Identity.IsAuthenticated)
lblUserName.Text = HttpContext.Current.User.Identity.Name +
" is logged in";
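The following is an added example, not code from the article: a hypothetical gatekeeper HTTP module that ties together the IHttpModule pipeline, the custom authentication slot left open above, and the IPrincipal/IIdentity objects. It assumes forms authentication is enabled and that the login page stored the user's roles as a comma-separated list in the ticket's UserData; the class name, the "Admin" role and the "~/admin/" path are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical gatekeeper module (not from the article). It runs in the
// AuthenticateRequest stage, turns the forms-authentication ticket into a
// principal that carries roles, and then acts as an authorization gatekeeper
// for one protected directory. Register it in web.config under <httpModules>
// (classic pipeline) or <system.webServer><modules> (IIS 7 integrated).
public class RoleCookieGatekeeper : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Built-in FormsAuthenticationModule handles AuthenticateRequest first
        // (it is registered earlier), so by the time we run ctx.User already
        // holds a FormsIdentity when a valid ticket cookie was presented.
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return; // anonymous caller, or a different authentication mode is active

        // Assumption: the login page wrote the roles into the ticket's UserData
        // as "Admin,Editor". The ticket is encrypted and signed by ASP.NET, so
        // the client cannot tamper with this list.
        string[] roles = identity.Ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles); // IPrincipal with roles, IIdentity inside
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Gatekeeper decision: only members of "Admin" may reach anything under ~/admin/.
        bool isAdminArea = ctx.Request.AppRelativeCurrentExecutionFilePath
            .StartsWith("~/admin/", StringComparison.OrdinalIgnoreCase);
        if (isAdminArea && (ctx.User == null || !ctx.User.IsInRole("Admin")))
        {
            // 401 is picked up by FormsAuthenticationModule in EndRequest and turned
            // into a redirect to the login page; CompleteRequest skips the page handler.
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```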
2) Authorization: It is the process of determining the rights and restrictions assigned to an authenticated user. After the user has been authenticated, the user's information such as name and security context is automatically available to ASP.NET, and we can later access it through the HttpContext.Current.User object. Using this we can implement authorization in our web application. ASP.NET has two ways to implement authorization;
a) URL authorization: this authorization module works based on the authorization configuration in the web.config files of the web application or its individual directories. Its purpose is to restrict users' access to files and even directories based on the user's name or the roles assigned.
b) File authorization: this module works with Windows authentication only, and without impersonation. When used with Windows authentication, ASP.NET automatically uses it to authorize users against the files accessed by ASP.NET, based on their Windows ACLs.
We can also implement authorization by writing custom code: we can refer to the HttpContext.Current.User object and make decisions based on role membership or the user's name directly.
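An added web.config fragment (not from the article) showing what the URL authorization described above looks like in configuration, together with the forms authentication setting it relies on. The login page path, cookie name, timeout and the "admin" directory and "Admin" role are assumptions.

```xml
<configuration>
  <system.web>
    <!-- Activates FormsAuthenticationModule; unauthenticated requests are redirected to loginUrl.
         protection="All" encrypts and signs the ticket cookie; requireSSL keeps it off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name=".AUTHCOOKIE" protection="All"
             requireSSL="true" timeout="30" slidingExpiration="false" />
    </authentication>
    <!-- UrlAuthorizationModule evaluates rules top-down and the first match wins.
         "?" means anonymous users, "*" means everyone: anonymous callers are denied everywhere. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Directory-level rule: only the Admin role may reach anything under /admin.
       The trailing deny is what makes the rule a whitelist; without it the root <allow users="*"> applies. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```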
The picture above summarizes how the authentication and authorization stages take place.
1. A request is sent from the browser; the user's identity is unknown, so the user is presented with a login page.
2. The user provides the login credentials. This is the authentication stage.
3. The authenticated user's role and information are checked against the allowed list, and access is granted if the user is present in the list.
4. Users who are denied access are shown the login page again.
3) Confidentiality: It means ensuring that data cannot be viewed by unauthorized users while being transmitted over a network or stored in a data store such as a database. Therefore, you have to encrypt the channel between the client's browser and the web server and also encrypt data stored at the backend or in the form of cookies.
4) Integrity: It means ensuring that nobody can change the data while it is transmitted over a network or stored in a data store. Both confidentiality and integrity are based on encryption. Digital signatures provide you with a way to mitigate this type of threat.
What is encryption, and at what stage can it be used: encryption can be used at any stage, in combination with authentication, authorization or impersonation or on its own; it is a concept separate from these.
It is the process of scrambling (encrypting) user data so that it is not readable by other users.
It is used in two popular contexts;
1) To protect data communicated over the internet: for example while doing a credit card transaction, where you can use SSL certificates to implement digital signatures and encryption.
2) To protect information saved in a database: here we can use the ASP.NET encryption classes to manually encrypt data before it is stored.
Hope you enjoyed reading.