Looking to implement authentication/authorisation for ASP.NET app
Was looking into using Provider model MembershipProvider SQLServerMembershipProvider etc as makes good sense to me.
However I'm looking into the Enterprise Security Application block as well. My question is can/should the two be used in tandem?
Enterprise Security Application block provides you the facility to choose your Authorization Rule Provider and it can be configured to use the MembershipProvider. So yo your question, You can very well use ESAB in your application if you looking for layer agnostic authorization. Still you will need to use your preferred Authentication mechanism in ASP.NET (Forms/Windows)..
In other words: if you have sufficient time you can use ESAB. For a rapid development scene, go ahead with MembershipProvider and customize it to suit your needs. ESAB is more appropriate for enterprise level applications where you not only need authentication/authorisation but also caching.
Related
I would like to develop a client-server application and would like to know what the best frameworks are to ensure security.
So far I have got the following:
Microsoft.Net c# 4.5
WPF
Other than that I am unsure what else I should/could be using? I am not sure WPF is the right thing to be using, is there a RESTful framework I should use instead, or maybe entity framework?
Also is there any obvious frameworks which will be/should be using which I haven't mentioned?
I would like to use either Azure or AWS to host my servers etc, are there any specific frameworks for these which I will need?
Are there any security specific frameworks I should be using?
Thanks in advance.
Security is a huge subject but the first few basic things to consider are.
Use HTTPS
Implement security token for your service
Prevent cross site scripting
Prevent script injections
you may find a simple code sample here
In the production process of an internal-use ASP.NET/C# website, are there any advantages to starting with authentication/authorization/login FIRST, and building up from there? Or is it better to just build your site exactly how you want it, with unlimited restrictions and no logins or anything, and then do that at the end of production, before release? That's what I WANT to do --- just work on the functionality of the website, unrestricted, having one less thing to worry about. But I want to make sure that this approach doesn't cause problems later.
When it comes time to implement the ASP.NET authentication, it should just be a matter of running the script to generate the necessary tables and then using WSAT to manage the users and then provide restrictions to the already-existing content...should be...
You need to give your security consideration right up front. Even if you don't develop the final login screens and restrict access as you develop, IMO you should make sure that you can authenticate your users and limit access on at least one screen before going ahead with 'god mode' development. Include:
Authentication - Windows, Forms, etc.
Authorization / Access Control - will Role do or do you need Operation-level checking - e.g. AzMan
If you will be using SiteMap, you will need to look at security trimming to hide functionality to which the user doesn't have access (menus, breadcrumbs etc)
Auditing - e.g. changes to important data
Even though the site is for internal use, users can't be trusted, and you will need to ensure that you are safe from SQL Injection, XSS etc as well.
Definitely yes, that is the practical approach. You, said it, adding security creates no problem at all to an existing project.
Infact, when you come to securing the site there are a number of procedures before creating users. Also you shouldn't rely fully on WAT for user management it is better, I think, to have your own interface as you'll need it after deployment.
Your approach may sound faster but it have architectural drawbacks in following areas:
1- Missing security alignment with per page / per method level invocation.
2- Not clear Use case and work flow in terms of authentication / authorization.
3- Complete lack of security based testing while developing and adding up the new features gradually.
4- Lack of End-to-end dependency- What if security needs to be considered across layers, you will miss the whole vision on modular dependency and end-to-end testing.
Overall, if you do it 1st then you can just have one sample user/pwd/roles established and use that for all the secure areas of site, this will be sufficient to test and develop the application continuously.
Later when your application is ready; it's good to go with large number of user/pwd and associated roles to work with.
Hope this helps.
We are currently building architecture for thin-client bookkeeping application. It should follow two main requirements:
Application should have module design. Each module can have (and they actually do have) own Role system.
Later application should be adapted for running using different databases on different machines.
We think Asp.NET MVC 3 is appropriate platform for this task. For managing application data we chosen latest version of Entity Framework - its batch of Data Providers and Code First feature can save us much time.
The part we are tangled with is user/role management system. We should have some kind of Global Administration section for adding users and giving them access to modules (only global admins can add user to the system, no "guy from street" registration supported) and each module has its own administration section with its own admins and roles. We already have data model to store everything we need in appropriate way but have no idea how to access this data correctly from application.
Currently we see two possible ways to resolve this problem:
To write custom Membership and Role providers based on our DAL. Nobody from our team have done this before so we are not sure if this way worth the trouble. Membership provider cant offer as much flexibility as application needs so some crunches would be needed.
To dig through some obsolete books to find out how web sites administration system was organized before Membership providers where created.
Both this ways are not elegant and not obvious for us and its not an easy question which way to choose. Also we do believe that it can be other solution (of cause architecture can be affected). So, we would be glad to see any suggestion connected to this problem.
I'd personally recommend using the standard membership provider for creating and authenticating users in the first place, and then once you've verified that the user isn't just some "guy from the street," use your own custom architecture to verify that the authenticated user has access to the controller and action that they're trying to access.
The built-in membership provider takes care of a lot of nuances with regard to user authentication, password storage, and such. It uses best practices to avoid brute force attacks, rainbow table attacks, etc. It's tried and true.
But it sounds like your per-module permission structure may or may not fit the mold of the ASP.NET Role Providers. If they do, that's all well and good, and it'd be a good idea to implement a custom role provider. But if your needs are "outside the box," you'll probably be better off just manually checking rights at the point that's most appropriate for you (controller, action, request filter, etc.).
I would encourage you to use a custom membership provider. Why? Cause its the standard way and will save you tons of works. It's not as hard as I might see and there are tons of resources like this one.
To write custom Membership and Role providers based on our DAL.
Nobody from our team have done this before so we are not sure if this
way worth the trouble. Membership provider cant offer as much
flexibility as application needs so some crunches would be needed.
It is very much worth the trouble, if the default ones do not provide the functionality you need. If you already have a complex user system in your database, a custom membership provider is probably a good idea.
It will add valuable experience to your team, and you should be able to reuse much of the code in your next project. As #Randolf mentioned, there are loads of good resources for building a customer Membership provider, and I speak from some experience when I say that it is not really all that difficult. Everything is there, you just need to implement some methods.
Well, finally we decided write all from scratch and it was easier that it seemed to be
Add own IPrincipal implementation. Additional fields and completely different logic for IsInRole() method to avoid writing own attributes.
Assigning our IPrincipal in Global.ajax event to User.
It wasn`t hard at all. Now we have all the flexibility we wanted. No providers involved.
I have checked the following article on how to use the sqlMembershipProvider. My question, is this the way most of the asp.net applications authentication schemes implemented.
Is there any other method, any references will be quite helpful for me.
Edit1:
My intention is to know the other possible ways, I can authenticate a user against a standard database.
"Most" is unfortunately hard to quantify.
MSFT has made it easy to setup an ASP.NET application using SqlMembershipProvider for an out-of-the-box setup, making it super easy to get authentication against a SQL db working.
That said, I rolled my own, because I didn't need much of what the built-in stuff was doing.
The way I did it was to write my own membership provider class, and use the web.config to specify that my customprovider was the default membership provider.
For ASP, there are other ways of doing authentication, such as using NTLM (basically creating windows users for each web user, and using Windows built in authentication).
Short answer: If you can make use of SqlMembershipProvider, and it does all that you need, then I recommend using it.
I reckon #Alan (+1) makes good points.
On a simple level if the (trusted) framework you are using offers you a solution that needs configuring rather than coding and it covers your needs unless there is a compelling case against it then it is probably a good solution.
You wouldn't write a new textbox control in asp.net, or a new fadeOut method for jQuery - you would use the provided solution.
I've rolled-my-own in this area and used all kinds of plug-ins and third-parties over the years. But in the project I'm currently working on we needed user authentication on Tuesday of last week and with SqlMembershipProvider the security module was complete by Wednesday. That's good enough for me!
I'm working on a WCF service that will be communicating over net.tcp to n instances of a client app (that is being developed by another programmer in my office).
At the moment I am using net.tcp without any security as I felt setting this up at this stage wasn't necessary, at least not until we are closer to rolling out.
During the development of a WCF application, is there any harm in using a standard binding (net.tcp in my case) without security, then once the business logic has been completed, implement all the security requirements? Are there any things I need to be aware of that may not function after the implementation of security?
While your overall design should consider security from the very beginning, I don't think it's a good idea to couple your components to any particular security strategy. You may very well want to use some of your components in a non-secure manner or across a different protocol which offers different security options.
So my answer is yes and no. Yes you need to think about it from the beginning, but no you should not couple your components to your security needs.
That said, since you know that you'll be using net.tcp you should be aware that transport security is turned on by default for this binding.
For tons more information, see Juval Lowy's fantastic Programming WCF Services, chapter 10. Lowy, in his ServiceModelEx library (discussed at length in the book) provides a really nice framework that you can plug in after you've created your components. Even if it's not exactly what you're looking for you can customize it to suit your needs.
Security should be thought about from the start, and not added on at the end.
Develop a plan for your security, and implement it as you go, rather then at the end.
Reference: Microsoft .NET: Architecting Applications for the Enterprise
http://www.amazon.com/Microsoft®-NET-Architecting-Applications-PRO-Developer/dp/073562609X
You have two choices, bake it in from the beginning, or slap it on at the end. With security in general I would say it really does not work in the icing so you have to make a mess of your cake to get it in there.
However, the way I see your question is you already know you need to do something to solve a security issue, you just have not decided what to do. In that case I would agree with Terry that you should then design around an abstraction that allows you to plugin the eventual solution.
If I were you I would probably do a threat model and use it to consider the inputs and risks presented by your service. This will help you decide what you should do eventually and if your abstraction covers all bases.