
Security


Implement custom Claim based Authorization in ASP.NET MVC Web Application - Shahed Khan

Introduction. Claim-based authorization is a model of authorization introduced with Windows Communication Foundation (the System.IdentityModel types). It addresses more scenarios than the popular role-based security model (IIdentity, IPrincipal) and is useful when an application needs complex, fine-grained control over how access control decisions are expressed.

The role-based security model may not be powerful or flexible enough, and it is often too coarse for complex scenarios, where custom roles end up standing in for different combinations of permissions or rights. For example, if you build a simple patient list page and want to control its CRUD operations by role, you end up creating several roles just to cover the different combinations of access rights.

Fig 1: FictitiousHospital.com


Some of the terms and concepts to get familiar with when talking about claim-based authorization are Claim, ClaimSet and IAuthorizationPolicy.

Claim: a claim is a piece of information that describes an individual right or action applicable to a particular resource.

ClaimSet: a claim set is an enumeration of claims with a common issuer.

IAuthorizationPolicy: an authorization policy is an extensibility point that allows new claim sets to be added to the context representing the web service or application.

Authentication

Fig 2: web.config

Don't Do Role-Based Authorization Checks; Do Activity-Based Checks

I've built a few dozen security mechanisms in my career. Unfortunately, I kept getting it wrong, hence the need to keep building them. Over the years, though, I learned a number of different ways that a security system can be built. One of my favorite ways to build authorization systems is through the use of role-based security.

The idea is fairly simple: you assign users to roles and roles have permissions. That way you have a nice abstraction that people can be assigned to, as a role, so that you don't have to assign the same 5, 10, or 500 permissions to every user in your system. It's a great way to handle authorization when your system has more than a handful of permissions and users.

Stop Using Roles For Authorization Checks

When it comes time to check authorization rules, we often see the role being checked.
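To make the Claim, ClaimSet and IAuthorizationPolicy terms from the Shahed Khan article concrete, and to show what checking an activity instead of a role looks like in practice, here is an added example written for this page; it is not code from either post. It uses the WCF System.IdentityModel types the article refers to: a custom IAuthorizationPolicy expands a user's coarse role into fine-grained activity claims, and the authorization check asks for one activity. The claim type URI, the role names, the role-to-activity table and the FictitiousHospital naming are assumptions made for the illustration.

```csharp
// Added example (not from the article): an IAuthorizationPolicy that turns a
// coarse role into fine-grained activity claims, plus an activity check that
// never looks at the role itself. Requires a reference to System.IdentityModel.
// Claim type URI, role names and the role-to-activity table are assumptions.
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

public static class HospitalClaims
{
    // Assumed claim type; the claim's Resource holds an activity such as "Patient.Delete".
    public const string Activity = "http://fictitioushospital.example/claims/activity";

    // Assumed mapping. A new combination of rights is a new row here, not a new role.
    private static readonly Dictionary<string, string[]> RoleActivities =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Nurse",  new[] { "Patient.Read", "Patient.Update" } },
            { "Doctor", new[] { "Patient.Read", "Patient.Create", "Patient.Update" } },
            { "Admin",  new[] { "Patient.Read", "Patient.Create", "Patient.Update", "Patient.Delete" } },
        };

    public static IEnumerable<Claim> ForRole(string role)
    {
        string[] activities;
        if (!RoleActivities.TryGetValue(role, out activities))
            yield break;                                   // unknown role grants nothing
        foreach (string activity in activities)
            yield return new Claim(Activity, activity, Rights.PossessProperty);
    }
}

// The policy adds one ClaimSet (name claim + activity claims) to the evaluation context.
public sealed class HospitalAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string _id = Guid.NewGuid().ToString();
    private readonly string _userName;
    private readonly string[] _roles;

    public HospitalAuthorizationPolicy(string userName, params string[] roles)
    {
        _userName = userName;
        _roles = roles;
    }

    public string Id { get { return _id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // The runtime may call Evaluate more than once per context; 'state'
        // records that our claims are already present so they are not added twice.
        if (state is bool && (bool)state)
            return true;

        var claims = new List<Claim> { Claim.CreateNameClaim(_userName) };
        foreach (string role in _roles)
            claims.AddRange(HospitalClaims.ForRole(role));

        evaluationContext.AddClaimSet(this, new DefaultClaimSet(Issuer, claims));
        state = true;
        return true; // nothing further to add on later passes
    }
}

public static class ActivityCheck
{
    // True if any ClaimSet in the context carries the requested activity.
    public static bool Allowed(AuthorizationContext context, string activity)
    {
        foreach (ClaimSet set in context.ClaimSets)
            foreach (Claim claim in set.FindClaims(HospitalClaims.Activity, Rights.PossessProperty))
                if (string.Equals(claim.Resource as string, activity, StringComparison.Ordinal))
                    return true;
        return false;
    }
}

public static class Program
{
    public static void Main()
    {
        var policies = new List<IAuthorizationPolicy>
        {
            new HospitalAuthorizationPolicy("nurse.jones", "Nurse")   // constructed sample user
        };
        AuthorizationContext context = AuthorizationContext.CreateDefaultAuthorizationContext(policies);

        Console.WriteLine("Patient.Read   -> " + ActivityCheck.Allowed(context, "Patient.Read"));
        Console.WriteLine("Patient.Delete -> " + ActivityCheck.Allowed(context, "Patient.Delete"));
    }
}
```

The calling code asks "may this caller delete a patient?" and never mentions Nurse or Admin; granting a new combination of rights means editing the role-to-activity table rather than adding roles or touching every check. Note that FindClaims is also filtered on the right (Rights.PossessProperty), so an identity claim issued with the same type but a different right does not count as an activity.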

For example, look at the MSDN documentation for ASP.NET MVC's AuthorizeAttribute.

What's Wrong With Role-Based Authorization Checks? (Documentation; Requirements; Growth And Change.)

Using Claims-based Authorization in MVC and Web API | www.leastprivilege.com

.NET 4.5 ships with a claims-based authorization infrastructure around the ClaimsAuthorizationManager class. I have written about that before, and I am still a fan of that approach (not necessarily of the non-existent tooling). Claims-based authorization encourages a clean separation of business and authorization code, and that is much better than sprinkling role checks all over your code base.

The problem is that the corresponding API is not very approachable, especially in the face of "modern" application development like MVC or Web API. The main problem is that the classes that ship with .NET 4.5 to invoke authorization are based on a code access security permission (ClaimsPrincipalPermission), and calling its CheckAccess method throws a SecurityException instead of returning a boolean. (ClaimsAuthorizationManager.CheckAccess itself does return a bool; it is the permission wrapper the framework offers as the entry point that throws.)
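An added example, written for this page and not taken from the post, of the kind of wrapper the post argues for: the policy lives in a ClaimsAuthorizationManager, and an MVC AuthorizeAttribute subclass calls its CheckAccess, which returns a bool, rather than going through ClaimsPrincipalPermission, which throws. The attribute can be applied per action with explicit resource and action names, or registered as a global filter, in which case the controller and action names from the route are used. The activity claim type, the resource and action names, and the assembly name in the configuration comment are assumptions.

```csharp
// Added example (not from the post): ClaimsAuthorizationManager wrapped in an MVC
// authorization filter that returns a bool instead of throwing a SecurityException.
// References: System.IdentityModel, System.IdentityModel.Services, System.Web.Mvc (MVC 3+).
using System;
using System.IdentityModel.Services;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using ClaimsAuthzContext = System.Security.Claims.AuthorizationContext;

// 1. The policy: one class, no role checks in controllers.
public class HospitalAuthorizationManager : ClaimsAuthorizationManager
{
    // Assumed claim type; claim values look like "Patient.Delete".
    public const string ActivityClaimType = "http://fictitioushospital.example/claims/activity";

    public override bool CheckAccess(ClaimsAuthzContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        if (string.IsNullOrEmpty(resource) || string.IsNullOrEmpty(action))
            return false;                                  // fail closed on a malformed request

        return principal.HasClaim(ActivityClaimType, resource + "." + action);
    }
}

// 2. The filter: [ClaimsAuthorize("Delete", "Patient")] on an action, or parameterless
//    as a global filter, where the route's controller/action become resource/action.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class ClaimsAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _action;
    private readonly string _resource;

    public ClaimsAuthorizeAttribute() { }

    public ClaimsAuthorizeAttribute(string action, string resource)
    {
        _action = action;
        _resource = resource;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext))              // still requires an authenticated user
            return false;

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null)
            return false;

        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        string resource = _resource ?? (routeValues["controller"] as string);
        string action = _action ?? (routeValues["action"] as string);
        if (string.IsNullOrEmpty(resource) || string.IsNullOrEmpty(action))
            return false;                                  // fail closed if the route gives us nothing

        ClaimsAuthorizationManager manager = FederatedAuthentication.FederationConfiguration
                                                                    .IdentityConfiguration
                                                                    .ClaimsAuthorizationManager;
        // Plain bool result: no SecurityException to catch.
        return manager.CheckAccess(new ClaimsAuthzContext(principal, resource, action));
    }

    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        // The base always answers 401, which forms authentication turns into a redirect to
        // the login page, so an authenticated user lacking a claim loops back to login.
        // Answer 403 for authenticated callers and keep 401 for anonymous ones.
        IPrincipal user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// 3. Registration. The manager is named in web.config (assembly name "FictitiousHospital" assumed):
//      <system.identityModel>
//        <identityConfiguration>
//          <claimsAuthorizationManager type="FictitiousHospital.HospitalAuthorizationManager, FictitiousHospital" />
//        </identityConfiguration>
//      </system.identityModel>
//    and the attribute is added as a global filter from Global.asax.cs:
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ClaimsAuthorizeAttribute());
    }
}
```

The block uses `IPrincipal`, so `using System.Security.Principal;` is needed alongside the listed usings. The `system.identityModel` section also has to be declared under `configSections` (type `System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089`) for the configuration fragment above to load; without it FederationConfiguration falls back to the default manager, which grants everything, so verify with a denied request that your manager is actually the one being called.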

This approach typically gets in your way. You can use them as a global authorization filter, e.g. from RegisterGlobalFilters(GlobalFilterCollection filters).

ASP.Net MVC 3 Custom Membership Provider with Repository Injection | Dan Harman

In most serious ASP.NET MVC sites, or even legacy ASP.NET web sites, you are unlikely to want to use the default membership provider. Its dependency on SQL Server, and its unhealthy predilection for littering databases with tables just to support features you don't care about, make it distinctly unattractive.

What we really want is to integrate the web site's security with the project's own schema and bind directly to a table or repository that encapsulates the site's user model. The way to do this is to implement a custom MembershipProvider (and, for roles, a RoleProvider). This may seem a little daunting, but in practice it is fairly simple: we override a handful of methods on a couple of abstract classes, and all authentication and role checking is routed to our code. Whatever you do not implement should fail closed (IsUserInRole returning false, or throwing NotSupportedException), never default to granting access.

Note that with a plain [Authorize] attribute, being authorised only means the user has been authenticated, i.e. logged in. So, firstly, authentication. Let's start with an example membership provider. It really is as simple as that!

Making your ASP.NET Web API's secure | John V. Petersen

Note: code for this example is on Google Docs (SecureWebAPI, SecureWebAPITest). Recently, I've been exploring the new ASP.NET Web API.

So far, I've been impressed with how easy it is to build RESTful web interfaces. In the examples I've published, none have been secure. In researching this topic, looking at what others have done thus far, I came away with a lot of approaches that, in my opinion, were too complicated and, quite frankly, a pain to set up. For many applications, OpenID or OAuth can work fine. Of all the things that can be done to make your API more secure, requiring it to run over HTTPS is the easiest to implement. Here is the custom action filter. Nothing very complicated going on here. As the previous figure illustrates, when we attempt to navigate to the Web API with HTTP, as opposed to HTTPS, a response with status code 400 results, along with a friendly message in the response body that describes the error.

Tokens based on Public/Private Keys

IP Filtering

Enjoy!!
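As an added example written for this page (not the post's own filter), here is a Web API authorization filter that refuses plain-HTTP calls. MVC's built-in RequireHttpsAttribute redirects to the HTTPS URL, which is the wrong answer for an API client that has just sent credentials in the clear; returning an error the client can act on is better. This version answers 403 Forbidden where the post's filter answers 400; the choice of code, the X-Forwarded-Proto handling for a TLS-terminating proxy, and the route template are assumptions.

```csharp
// Added example (not from the post): a Web API filter that rejects requests made over
// plain HTTP. References: System.Net.Http, System.Web.Http (ASP.NET Web API).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class RequireHttpsApiAttribute : AuthorizationFilterAttribute
{
    // Set to true only when a trusted TLS-terminating proxy sits in front of the app and
    // strips client-supplied X-Forwarded-Proto headers; otherwise any caller could claim
    // HTTPS by sending the header themselves.
    public bool TrustForwardedProto { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext == null)
            throw new ArgumentNullException("actionContext");

        if (!IsSecure(actionContext.Request))
        {
            // Setting Response short-circuits the pipeline; the action never runs.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden,
                new { error = "HTTPS is required to call this API." });
            return;
        }

        base.OnAuthorization(actionContext);
    }

    private bool IsSecure(HttpRequestMessage request)
    {
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps)
            return true;

        if (TrustForwardedProto)
        {
            IEnumerable<string> values;
            if (request.Headers.TryGetValues("X-Forwarded-Proto", out values))
                return values.Any(v => string.Equals(v, "https", StringComparison.OrdinalIgnoreCase));
        }

        return false;   // fail closed: anything we cannot prove is HTTPS is treated as HTTP
    }
}

// Registration: applied globally so that no controller can forget it.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new RequireHttpsApiAttribute());   // TrustForwardedProto defaults to false
        config.Routes.MapHttpRoute(
            "DefaultApi",
            "api/{controller}/{id}",
            new { id = RouteParameter.Optional });
    }
}
```

Because an authorization filter runs before the action and before model binding, the request body is never read for rejected calls. Rejecting rather than redirecting also means the client learns immediately that its HTTP request was a mistake, instead of silently following a 301 to a URL it did not ask for.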