Rolebased security
Download as PPT, PDF0 likes793 views
The document discusses implementing role-based security in .NET applications. It describes creating a web application with a login page, configuring forms authentication, generating authentication tickets for authenticated users, constructing GenericPrincipal and FormsIdentity objects, and testing the role-based functionality. Key steps include using the GenericPrincipal class to provide role-based authorization checking, attaching the principal object to the HTTP context to relate it to the current request, and confirming the principal object contains the correct identity and role information on subsequent pages.
![GenericPrincipal & FormsIdentity objects
protected void Application_AuthenticateRequest(Object sender,EventArgs e)
{
// Extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(null == authCookie)
{
return; // There is no authentication cookie.
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
return; // Log exception details (omitted for simplicity)
}
if(authTicket == null)
{
return;// Cookie failed to decrypt.
}
// Ticket contains pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[]{'|'});
FormsIdentity id = new FormsIdentity( authTicket ); // Create an Identity object
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
Context.User = principal; // Attach the principal object to the current HttpContext object
}](https://image.slidesharecdn.com/rolebasedsecurity-140219005756-phpapp02/85/Rolebased-security-12-320.jpg)
Rolebased security
- 1. Role based Security in .NET By Sudhanshu kumar
- 2. Role based Security in .NET Use Forms authentication to obtain and validate user credentials. Create Forms Authentication Ticket objects based on name and roles retrieved from the data store. Use Generic Principle class that provides the Rolebased authorization checking functionality. ASP.NET requires it to be stored in the HttpContext.User to relate it current application Http request. Use these objects to make authorization decisions.
- 3. Role based Security in .NET .NET Framework provides support for the implementation of role based security which consists of Authentication (Identity) and Authorization(Rights). The .NET provides access to the user through an identity and authorization access by principal object. Identities corresponds to users and their properties.Identity classes belong to System.Security.Principal Namespace. Roles are String of role names added to a Principal to associate the current user with his assigned roles. Principal object is a collection of information about identity and roles that the current user is associated with. The System.Security.Principal Namespace contains two classes GenericPrincipal and WindowsPrincipal that are used to determine the properties of a principal object. .NET uses the Principal object to gain information about the identity and roles of a user.
- 4. Role base Security in .NET Create a Web Application with a Logon Page. Configure the Web Application for Forms Authentication. Generate a Authentication Ticket for Authenticated Users. Construct Generic Principal and Forms Identity Objects. Use these objects to implement Role base security.
- 5. Creating web application with Login Page Create a new ASP.NET Web Application called RoleBasedSecurity. Rename WebForm1.aspx to Logon.aspx. Add controls to Logon.aspx to create a logon form. Set the “Text Mode” property of the password Text Box control to Password. In Solution Explorer, right-click “RoleBasedSecurity” and click Add a Web Form. Enter Default.aspx as the new form's name. Set it as a start up page.
- 6. Creating a web application with Login Page
- 7. Application’s Web.Config file <authentication mode="Forms"> <forms loginUrl="logon.aspx" name="authCookie" timeout="60" path="/"> </forms> </authentication> -----------------------------------------------<authorization> <deny users="?" /> <allow users="*" /> </authorization>
- 8. Generate Authentication Ticket for Authenticated Users The authentication ticket is a type of cookie used by the ASP.NET “Forms Authentication Module” (System.Web.Security) namespace. Add “using System.Web.Security” namespace to the login.aspx webform1 class. Add the following private method to the login.aspx’s WebForm1 class called IsAuthenticated and GetRoles. These methods will be used in authenticating the user and getting his identity and roles.
- 9. Generate Authentication Ticket for Authenticated Users private bool IsAuthenticated( string username, string password ) { // This code would typically validate the user name and password // combination against SQL or some other database and return true // or false based on the credentials found in the database. return true; } private string GetRoles( string username, string password ) { // GetRoles method get the role list from database, and returns //A pipe delimited string containing roles. This format is //Convenient for storing roles in authentication ticket return "Senior Manager|Manager|Employee"; }
- 10. Generating Authentication Ticket for Users private void btnLogon_Click(object sender, System.EventArgs e) { bool isAuthenticated = IsAuthenticated( txtUserName.Text,txtPassword.Text ); if (isAuthenticated = = true ) { string roles = GetRoles( txtUserName.Text, txtPassword.Text ); // Create the authentication ticket FormsAuthenticationTicketauthTicket= newFormsAuthenticationTicket( 1,txtUserName.Text,DateTime.Now,DateTime.Now.AddMinutes(60),false,roles ); // Encrypt the ticket. string encryptedTicket = FormsAuthentication.Encrypt(authTicket); // Create a cookie and add the encrypted ticket to the cookie as data. HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); // Add the cookie to the outgoing cookies collection returned to the user’s browser Response.Cookies.Add(authCookie); // Redirect the user to the originally requested page Response.Redirect( FormsAuthentication.GetRedirectUrl(txtUserName.Text,false) } }
- 11. Creating GenericPrincipal & FormsIdentity objects Implement Application AuthenticateRequest event handler in Global.asax file. Add the following using statements to the top of the Global.asax file: using System.Web.Security; using System.Security.Principal; Create GenericPrincipal and FormsIdentity objects based on information contained within the authentication ticket.
- 12. GenericPrincipal & FormsIdentity objects protected void Application_AuthenticateRequest(Object sender,EventArgs e) { // Extract the forms authentication cookie string cookieName = FormsAuthentication.FormsCookieName; HttpCookie authCookie = Context.Request.Cookies[cookieName]; if(null == authCookie) { return; // There is no authentication cookie. } FormsAuthenticationTicket authTicket = null; try { authTicket = FormsAuthentication.Decrypt(authCookie.Value); } catch(Exception ex) { return; // Log exception details (omitted for simplicity) } if(authTicket == null) { return;// Cookie failed to decrypt. } // Ticket contains pipe delimited string of role names. string[] roles = authTicket.UserData.Split(new char[]{'|'}); FormsIdentity id = new FormsIdentity( authTicket ); // Create an Identity object // This principal will flow throughout the request. GenericPrincipal principal = new GenericPrincipal(id, roles); Context.User = principal; // Attach the principal object to the current HttpContext object }
- 13. Testing the application Add code to Default.aspx file to display information from the Principal object attached to the current HttpContext object. Confirm that the object has been correctly constructed and assigned to the current Web request. Tests the role-based functionality supported by the Generic Principle class. Add following using statement beneath the existing using statements. using System.Security.Principal;
- 14. Testing the application (Coding Default.aspx) private void Page_Load(object sender, System.EventArgs e) { IPrincipal p = HttpContext.Current.User; Response.Write( "Authenticated Identity is: " + p.Identity.Name ); Response.Write( "<p>" ); if ( p.IsInRole("Senior Manager") ) Response.Write( "User is in Senior Manager role<p>" ); else Response.Write( "User is not in Senior Manager role<p>" ); if ( p.IsInRole("Manager") ) Response.Write( "User is in Manager role<p>" ); else Response.Write( "User is not in Manager role<p>" ); if ( p.IsInRole("Employee") ) Response.Write( "User is in Employee role<p>" ); else Response.Write( "User is not in Employee role<p>" ); if ( p.IsInRole("Sales") ) Response.Write( "User is in Sales role<p>" ); else Response.Write( "User is not in Sales role<p>" ); }