Security in .NET
Presenter: Mr. Doan Quang Minh

Agenda
- Authentication and Authorization: how to check authentication and authorization.
- Membership Service: how to manage users in your application.
- Role Management Service: how to manage the roles of a user.
- Profile Service: how to manage additional information about a user.

Authentication and Authorization

Authentication
- The act of determining the identity of the requesting entity.
- Done by checking the user's credentials, such as a name/password pair.
- Three types of authentication: Windows authentication, Passport authentication, and forms authentication.

Authorization
- The act of determining whether that identity can access a given resource.
- Two types of authorization services:
  - Checks against ACLs or permissions on a resource to determine whether the authenticated user account can access the resource.
  - URL authorization, which authorizes an identity for pieces of the Web space.

Authentication

Windows authentication
- Maps incoming requests to user accounts on your Web server.
- Uses the operating system's built-in security mechanisms to protect files and any other resources.

Passport authentication
- A Web service that front-ends a massive database of user names and passwords maintained by Microsoft.
- Returns an authentication ticket to the application if it determines the credentials are valid.

Forms authentication
- Used for Internet sites designed to serve the general population.

Authorization

ACL authorization
- Based on file system permissions: NTFS uses ACLs to protect file system resources.
- Typically used in scenarios where Windows authentication is used.

URL authorization
- Uses configuration directives in Web.config files.
- Often used with forms authentication.
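The URL authorization and forms authentication described above, combined in one Web.config. This is an added example, not taken from the slides; the login page `Login.aspx`, the `Admin` folder and the `Administrators` role are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example. Login.aspx, the Admin folder and the Administrators
     role are assumed names used only for illustration. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to
         loginUrl. requireSSL keeps the ticket cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="20" requireSSL="true"
             slidingExpiration="true" protection="All" />
    </authentication>

    <!-- Role Management Service: needed so roles="..." rules can be resolved
         for users authenticated through forms authentication. -->
    <roleManager enabled="true" />

    <!-- Site-wide URL authorization. "?" means anonymous users and "*" means
         everyone. Rules are read top-down and the first match wins.

         Weak ordering (the deny is never reached, anonymous access stays open):
           <allow users="*" />
           <deny users="?" />
    -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rule for a piece of the Web space. The trailing deny is
       required: without it, evaluation falls through to the default
       machine-level <allow users="*" /> and any logged-in user gets in. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```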
[...]

The MembershipUser Class
- Represents individual users registered in the membership data store
- Includes numerous properties for getting and setting user info
- Includes methods for retrieving, changing, and resetting passwords
- Returned by Membership methods such as GetUser and CreateUser

Key MembershipUser Properties (Name: Description)
- Comment: Storage for user-defined data
- CreationDate: Date user was added
...

... Schema (diagram): Controls (Login, LoginStatus, LoginView, other login controls); Roles API (Roles); Role Providers (AccessRoleProvider, SqlRoleProvider, other role providers); Roles Data (Access, SQL Server, other data stores)

The Role Class
- Gateway to the Role Management API
- Provides static methods for key role management tasks:
  - Creating and deleting roles
  - Adding users to roles
  - Removing users from roles
  - …
- Includes read-only static...

... Define Profile in Web.Config

Profile is Property of Page
- Referring to an instance of dynamically compiled HttpProfile class
- Derived from HttpProfileBase

Accessing another user's profile
- Profile.propertyname refers to current user
- Use Profile.GetProfile(username) to access profiles for other users

Accessing Profile from External Components
- "Profile" property is only valid in classes generated by ASP.NET...

... Includes read-only static properties for acquiring data about provider settings

Key Roles Methods (Name: Description)
- AddUserToRole: Adds a user to a role
- CreateRole: Creates a new role
- DeleteRole: Deletes an existing role
- GetRolesForUser: Gets a collection of roles to which a user belongs
- GetUsersInRole: Gets a collection of users belonging to a specified role
- IsUserInRole: Indicates whether a user belongs to a specified...
- LastLoginDate: Date user last logged in successfully
- LastPasswordChangedDate: Date user's password was last changed
- UserId: Unique user ID generated by membership provider
- UserName: User's registered user name

Role Management Service
- Role-based security out of the box
- Declarative access via Web Site Admin Tool
- Programmatic access via Roles class
- Roles class contains static methods for creating roles, adding...

... can be enabled
- Step 1: Enable anonymous identification
- Step 2: Specify which profile properties are available to anonymous users
- Data keyed by user anonymous IDs

... performing key membership tasks
- Creating and deleting users
- Retrieving information about users
- Generating random passwords
- Validating logins
- Also includes...