Tuesday, December 13, 2011

ASP.NET Web Application Security


ASP.NET, in conjunction with Microsoft Internet Information Services (IIS), can authenticate user credentials such as names and passwords using any of the following authentication methods:
  • Windows: Basic, digest, or Integrated Windows Authentication (NTLM or Kerberos).
  • Forms authentication, in which you create a login page and manage authentication in your application.
  • Client Certificate authentication
ASP.NET controls access to site information by comparing authenticated credentials, or representations of them, to NTFS file system permissions or to an XML file that lists authorized users, authorized roles (groups), or authorized HTTP verbs.
This section contains topic that describe the specifics of ASP.NET security in details.

How ASP.NET Security Works
Securing Web sites is a critical, complex issue for Web developers. Protecting a site requires careful planning, and Web site administrators and programmers must have a clear understanding of the options for securing their site.
ASP.NET works in concert with the Microsoft .NET Framework and Microsoft Internet Information Services (IIS) to help provide Web application security. To help protect your ASP.NET application, you should perform the two fundamental functions described in the following table
SecurityFunction 
Description
Authentication
Helps to verify that the user is, in fact, who the user claims to be. The application obtains credentials (various forms of identification, such as name and password) from a user and validates those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
Authorization
Limits access rights by granting or denying specific permissions to an authenticated identity.
IIS can also grant or deny access based on a user's host name or IP address. Any further access authorization is performed by NTFS file access permission's URL authorization.
It is helpful to understand how all the various security subsystems interact. Since ASP.NET is built on the Microsoft .NET Framework, the ASP.NET application developer also has access to all the built-in security features of the .NET Framework, such as code access security and role-based user-access security. For details about the security capabilities of ASP.NET, see 

You can configure a Web service to require Secure Sockets Layer (SSL) to protect sensitive data sent between the client and the service. SSL provides:
  • Message integrity. This ensures that messages are not modified while in transit.
  • Message confidentiality. This ensures that messages remain private while in transit.
This How To describes how to configure a Web service to require SSL and how to call the Web service from an ASP.NET client application by using the HTTPS protocol.

Summary of Steps

This article includes the following steps:
  • Step 1. Install Server Certificates on the Web Server
  • Step 2. Create a Simple Web Service
  • Step 3. Configure the Web Service Virtual Directory to Require SSL
  • Step 4. Test the Web Service Using a Browser
  • Step 5. Install the Certificate Authority's Certificate on the Client Computer
  • Step 6. Develop a Web Application to Call the Serviced Component

Step 1. Install Server Certificates on the Web Server

For information about installing Web server certificates on a Web server, see

Step 2. Create a Simple Web Service

To create a simple Web service on the Web service host computer
  1. Start Visual Studio .NET and create a new C# ASP.NET Web Service application called SecureMath.
  2. Rename service1.asmx as math.asmx.
  3. Open math.asmx.cs and rename the Service1 class as math.
  4. Add the following Web method to the math class.
5.   [WebMethod]
6.  public long Add(long operand1, long operand2)
7.  
8.    return (operand1 + operand2);
9.  }
  1. To create the Web service, click Build Solution on the Build menu.

Step 3. Configure the Web Service Virtual Directory to Require SSL

Your Web service runs on Internet Information Services (IIS) and relies on IIS to provide SSL support.
This procedure assumes that you have a valid server certificate installed on your Web server. For more information about installing Web server certificates, see

To use IIS to configure your Web service's virtual directory for SSL
  1. On the Web service host computer, start IIS.
  2. Navigate to the SecureMath virtual directory.
  3. Right-click SecureMath, and then click Properties.
  4. Click the Directory Security tab.
  5. Under Secure communications, click Edit.
If Edit is unavailable, it is likely that a Web server certificate is not installed.
  1. Select the Require secure channel (SSL) check box.
  2. Click OK, and then OK again.
  3. In the Inheritance Overrides dialog box, click Select All, and then click OK to close the SecureMath properties dialog box.
This applies the new security settings to all subdirectories in the virtual directory root.

Step 4. Test the Web Service Using a Browser

This procedure ensures that the Web server certificate is valid and has been issued by a Certification Authority (CA) that is trusted by the client computer.
To call the Web service using SSL from Internet Explorer
  1. Start Internet Explorer on the client computer and browse (using HTTPS) to the Web service. For example:
2.  https://WebServer/securemath/math.asmx
The Web service test page should be displayed by the browser.
  1. If the Web service test page is displayed successfully, close Internet Explorer and go to Procedure 5, "Develop a Web Application to Call the Serviced Component."
  2. If the Security Alert dialog box, as illustrated in Figure 1, is displayed, click View Certificate to see the identity of the issuing CA for the Web server certificate. You must install the CA's certificate on the client computer. This is described in Procedure 4, "Install the Certificate Authority's Certificate on the Client Computer."
  3. Close Internet Explorer.

Step 5. Install the Certificate Authority's Certificate on the Client Computer

This procedure installs the issuing CA's certificate on the client computer as a trusted root certificate authority. The client computer must trust the issuing CA in order to accept the server certificate without displaying the Security Alert dialog box.
If you use Microsoft Certificate Services as a CA within your Windows domain
Perform this procedure only if your Web server certificate was issued by a Microsoft Certificate Services CA. Otherwise, if you have the CA's .cer file, go to Step 8.
  1. Start Internet Explorer and browse to http:// hostname/certsrv, where hostname is the name of the computer where Microsoft Certificate Services that issued the server certificate is located.
  2. Click Retrieve the CA certificate or certificate revocation list, and then click Next.
  3. Click Install this CA certification path.
  4. In the Root Certificate Store dialog box, click Yes.
  5. Browse to Web service using HTTPS. For example:
6.  https://WebServer/securemath/math.asmx
The Web service test page should now be correctly displayed by the browser, without a Security Alert dialog box.
You have now installed the CA's certificate in your personal trusted root certificate store. To be able to call the Web service successfully from an ASP.NET page, you must add the CA's certificate to the computer's trusted root store.
  1. Repeat Steps 1 and 2, click Download CA certificate, and then save it to a file on your local computer.
  2. Now perform the remaining steps, if you have the CA's .cer certificate file.
  3. On the taskbar, click Start, and then click Run.
  4. Type mmc, and then click OK.
  5. On the Console menu, click Add/Remove Snap-in.
  6. Click Add.
  7. Select Certificates, and then click Add.
  8. Select Computer account, and then click Next.
  9. Select Local Computer: (the computer this console is running on), and then click Finish.
  10. Click Close, and then OK.
  11. Expand Certificates (Local Computer) in the left pane of the MMC snap-in.
  12. Expand Trusted Root Certification Authorities.
  13. Right-click Certificates, point to All Tasks, and then click Import.
  14. Click Next to move past the Welcome dialog box of the Certificate Import Wizard.
  15. Enter the path and filename of the CA's .cer file.
  16. Click Next.
  17. Select Place all certificates in the following store, and then click Browse.
  18. Select Show physical stores.
  19. Expand Trusted Root Certification Authorities within the list, and then select Local Computer.
  20. Click OK, click Next, and then click Finish.
  21. Click OK to close the confirmation message box.
  22. Refresh the view of the Certificates folder within the MMC snap-in and confirm that the CA's certificate is listed.
  23. Close the MMC snap-in.

Step 6. Develop a Web Application to Call the Web Service

This procedure creates a simple ASP.NET Web application. You will use this ASP.NET Web application as the client application to call the Web service.
To create a simple ASP.NET Web application
  1. On the Web service client computer, create a new C# ASP.NET Web application called SecureMathClient.
  2. Add a Web reference (by using HTTPS) to the Web service.
    1. Right-click the References node within Solution Explorer, and then click Add Web Reference.
    2. In the Add Web Reference dialog box, enter the URL of your Web service. Make sure you use an HTTPS URL.
Note   If you have already set a Web reference to a Web service without using HTTPS, you can manually edit the generated proxy class file and change the line of code that sets the Url property from an HTTP URL to an HTTPS URL.
    1. Click Add Reference.
  1. Open WebForm1.aspx.cs and add the following using statement beneath the existing using statements.
4.  using SecureMathClient.WebReference1;
  1. View WebForm1.aspx in Designer mode and create a form like the one illustrated in Figure 2 using the following IDs:
o    operand1
o    operand2
o    result
o    add
Figure 2. WebForm1.aspx form
                        Double-click the Add button to create a button-click event hander.
                        Add the following code to the event handler.
             private void add_Click(object sender, System.EventArgs e)
             {
               math mathService = new math();
               int addResult = (int) mathService.Add( Int32.Parse(operand1.Text), 
                                                   Int32.Parse(operand2.Text));
               result.Text = addResult.ToString();
             }
                        On the Build menu, click Build Solution.
                        Run the application. Enter two numbers to add, and then click the Add button.
                         The Web application will call the Web service using SSL.

Additional Resources


To create a Web application with a logon page
  1. Start Microsoft Visual Studio® .NET and create a new C# ASP.NET Web Application named FormsAuthAD.
  2. Use Solution Explorer to rename WebForm1.aspx as Logon.aspx.
  3. Add a new assembly reference to System.DirectoryServices.dll. This provides access to the System.DirectoryServices namespace that contains managed types to help with Active Directory querying and manipulation.
  4. Add the controls listed in Table 1 to Logon.aspx to create a simple logon form.
Table 1. Logon.aspx controls
Control Type
Text
ID
Label
Domain Name:
-
Label
User Name:
-
Label
Password
-
Text Box
-
txtDomainName
Text Box
-
txtUserName
Text Box
-
txtPassword
Button
Log On
btnLogon
Label

lblError
  1. Set the TextMode property of txtPassword to Password.
  2. In Solution Explorer, right-click FormsAuthAd, point to Add, and then click Add Web Form.
  3. In the Name field, type default.aspx, and then click Open.
  4. In Solution Explorer, right-click default.aspx, and then click Set As Start Page.
  5. Double-click default.aspx to display the page load event handler.
  6. Add the following code to the event handler to display the identity name associated with the current Web request.
11.Response.Write( HttpContext.Current.User.Identity.Name );

Step 2. Configure the Web Application for Forms Authentication

This procedure edits the application's Web.config file to configure the application for Forms authentication.
To configure the Web application for forms authentication
  1. Use Solution Explorer to open Web.config.
  2. Locate the <authentication> element and change the mode attribute to Forms.
  3. Add the following <forms> element as a child of the authentication element and set the loginUrl, name, timeout, and path attributes as shown in the following.
4.  <authentication mode="Forms">
5.    <forms loginUrl="logon.aspx" name="adAuthCookie" timeout="60"
6.      path="/">
7.    </forms>
8.  </authentication>
  1. Add the following <authorization> element beneath the <authentication> element. This will allow only authenticated users to access the application. The previously establish loginUrl attribute of the <authentication> element will redirect unauthenticated requests to the logon.aspx page.
10.<authorization> 
11.  <deny users="?" />
12.  <allow users="*" />
13.</authorization>
  1. Save Web.config.
  2. Start the IIS Microsoft Management Console (MMC) snap-in.
  3. Right-click the application's virtual directory, and then click Properties.
  4. Click the Directory Security tab, and then click the Edit button in the Anonymous access and authentication control group.
  5. Select the Anonymous access check box and clear the Allow IIS to control password check box.
  6. Because the default anonymous account IUSR_MACHINE does not have permission to access Active Directory, create a new least privileged account and enter the account details in the Authentication Methods dialog box.
  7. Click OK, and then click OK again to close the Properties dialog box.
  8. Return to Visual Studio .NET and add an <identity> element beneath the <authorization> element in Web.config and set the impersonate attribute to true. This causes ASP.NET to impersonate the anonymous account specified earlier.
22.<identity impersonate="true" />
As a result of this configuration, all requests to the application will run under the security context of the configured anonymous account. The user will provide credentials through the Web form to authenticate against Active Directory, but the account used to access Active Directory will be the configured anonymous account.

Step 3. Develop LDAP Authentication Code to Look Up the User in Active Directory

This procedure adds a new helper class to the Web application to encapsulate the LDAP code. The class will initially provide an IsAuthenticated method to validate a supplied domain, user name, and password against an Active Directory user object.
To develop LDAP authentication code to look up the user in Active Directory
  1. Add a new C# class file called LdapAuthentication.cs.
  2. Add a reference to the System.DirectoryServices.dll assembly.
  3. Add the following using statements to the top of LdapAuthentication.cs.
4.  using System.Text;
5.  using System.Collections;
6.  using System.DirectoryServices;
  1. Rename the existing namespace as FormsAuthAD.
  2. Add two private strings to the LdapAuthentication class; one to hold the LDAP path to Active Directory and the other to hold a filter attribute used for searching Active Directory.
9.  private string _path;
10.private string _filterAttribute;
  1. Add a public constructor that can be used to initialize the Active Directory path.
12.public LdapAuthentication(string path)
13.{
14.  _path = path;
15.}
  1. Add the following IsAuthenticated method that accepts a domain name, user name and password as parameters and returns bool to indicate whether or not the user with a matching password exists within Active Directory. The method initially attempts to bind to Active Directory using the supplied credentials. If this is successful, the method uses the DirectorySearcher managed class to search for the specified user object. If located, the _path member is updated to point to the user object and the _filterAttribute member is updated with the common name attribute of the user object.

Step 4. Develop LDAP Group Retrieval Code to Look Up the User's Group Membership

This procedure extends the LdapAuthentication class to provide a GetGroups method, which will retrieve the list of groups that the current user is a member of. The GetGroups method will return the group list as a pipe separated string, as in the following.
"Group1|Group2|Group3|"
To develop LDAP group retrieval code to look up the user's group membership
  1. Add the following implementation of the GetGroups method to the LdapAuthentication class.

Step 5. Authenticate the User and Create a Forms Authentication Ticket

This procedure implements the btnLogon_Click event handler to authenticate users. For authenticated users, you will then create a Forms authentication ticket that contains the user's group list. You will then redirect the user to the original page that they requested (before being redirected to the logon page).
To authenticate the user and create a forms authentication ticket
  1. Return to the Logon.aspx form and double-click the Log On button to create an empty btnLogon_Click event handler.
  2. At the top of the file add the following using statement beneath the existing using statements. This provides access to the FormsAuthentication methods.
3.  using System.Web.Security;
  1. Add code to create a new instance of the LdapAuthentication class initialized to point to your LDAP Active Directory, as shown in the following code. Remember to change the path to point to your Active Directory server.
5.  // Path to you LDAP directory server.
6.  // Contact your network administrator to obtain a valid path.
7.  string adPath = 
8.    "LDAP://yourCompanyName.com/DC=yourCompanyName,DC=com"; 
9.  LdapAuthentication adAuth = new LdapAuthentication(adPath);
  1. Add the code that follows to perform the following steps:
    1. Authenticate the caller against Active Directory.
    2. Retrieve the list of groups that the user is a member of.
    3. Create a FormsAuthenticationTicket that contains the group list.
    4. Encrypt the ticket.
    5. Create a new cookie that contains the encrypted ticket.
    6. Add the cookie to the list of cookies returned to the user's browser.

Step 6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object

This procedure implements the Application_AuthenticateRequest event handler within global.asax and creates a GenericPrincipal object for the currently authenticated user. This will contain the list of groups that the user is a member of, retrieved from the FormsAuthenticationTicket contained in the authentication cookie. Finally, you will associate the GenericPrincipal object with the current HttpContext object that is created for each Web request.
To implement an authentication request handler to construct a GenericPrincipal object
  1. Use Solution Explorer to open global.asax.cs.
  2. Add the following using statements to the top of the file.
3.  using System.Web.Security;
4.  using System.Security.Principal;
  1. Locate the Application_AuthenticateRequest event handler and add the following code to obtain the cookie that contains the encrypted FormsAuthenticationTicket, from the cookie collection passed with the request.
6.  // Extract the forms authentication cookie
7.  string cookieName = FormsAuthentication.FormsCookieName;
8.  HttpCookie authCookie = Context.Request.Cookies[cookieName];
9.   
10.if(null == authCookie)
11.{
12.  // There is no authentication cookie.
13.  return;
14.} 
  1. Add the following code to extract and decrypt the FormsAuthenticationTicket from the cookie.
16.FormsAuthenticationTicket authTicket = null;
17.try
18.{
19.  authTicket = FormsAuthentication.Decrypt(authCookie.Value);
20.}
21.catch(Exception ex)
22.{
23.  // Log exception details (omitted for simplicity)
24.  return;
25.}
26. 
27.if (null == authTicket)
28.{
29.  // Cookie failed to decrypt.
30.  return; 
31.}
  1. Add the following code to parse out the pipe separate list of group names attached to the ticket when the user was originally authenticated.
33.// When the ticket was created, the UserData property was assigned a
34.// pipe delimited string of group names.
35.String[] groups = authTicket.UserData.Split(new char[]{'|'});
  1. Add the following code to create a GenericIdentity object with the user name obtained from the ticket name and a GenericPrincipal object that contains this identity together with the user's group list.
37.// Create an Identity object
38.GenericIdentity id = new GenericIdentity(authTicket.Name,
39.                                         "LdapAuthentication");
40. 
41.// This principal will flow throughout the request.
42.GenericPrincipal principal = new GenericPrincipal(id, groups);
43.// Attach the new principal object to the current HttpContext object
44.Context.User = principal;

Step 7. Test the Application

This procedure uses the Web application to request the default.aspx page. You will be redirected to the logon page for authentication. Upon successful authentication, your browser will be redirected to the originally requested default.aspx page. This will extract and display the list of groups that the authenticated user belongs to from the GenericPrincipal object that has been associated with the current request by the authentication process.
To test the application
  1. On the Build menu, click Build Solution.
  2. In Solution Explorer, right-click default.aspx, and then click View in Browser.
  3. Enter a valid domain name, user name, and password and then click Log On.
  4. If you are successfully authenticated, you should be redirected back to default.aspx. The code on this page should display the user name of the authenticated user.
To see the list of groups the authenticated user is a member of, add the following code at the end of the Application_AuthenticateRequest event handler in the global.aspx.cs file.
Response.Write("Groups: " + authTicket.UserData + "<br>");
 
http://msdn.microsoft.com/en-us/library/ff649227.aspx
 



No comments: