2. Topics
Introduction
Why Security is important?
Different ways to secure our Application
What is Authentication and Authorization?
What are Providers in Asp.Net?
What is MembershipProvider in Asp.Net?
Overview of Asp.Net Membership System
How to configure MembershipProvider in Web.config file?
What is Role Management and Role Providers?
How to configure Role Providers in Asp.Net?
3. Introduction – Why Security is Important?
1. Security is one of the most important parts of any Website or
Web Application.
2. Hackers are waiting out there for us and use various ways to
exploit a website / web-application.
3. Hackers can attack in many ways:
Brute Force
Sniffers
Spoofing
Social Engineering
SQL Injection
4. Introduction - Different Ways to Secure our Application
Design your Application well.
Encrypting the Data while storing.
Input Validation.
Forcing Users for Strong Passwords.
Authentication and Authorization.
5. What is Authentication?
“Authentication” means to “Check someone’s genuineness”
In ASP.NET – Authentication means the same. It is a process where
you check a person’s credentials.
Example – Facebook, Yahoo, Gmail.
What is Authorization?
Providing access to resources based on the User’s role.
Authentication always precedes Authorization.
7. What is a Provider in Asp.Net?
ProviderBase Class is an “Abstract Class” which follows the “Provider Model”.
This class is very simple and contains very few methods, which are inherited from
the “Object” Class. This class is a part of the “System.Configuration.Provider”
namespace.
The ProviderBase Class implementation is a 2 step process.
First implemented by “Feature-specific Providers” (Membership / Role / Profile Providers)
Feature-specific Provider is implemented by “Implementation-specific Providers” (SqlMembershipProvider)
ProviderBase Class Implementation (diagram): ProviderBase Class → Membership / Role Provider Classes → SqlMembershipProvider Class
8. What is MembershipProvider in Asp.Net?
MembershipProvider is an Abstract class, which provides an abstraction over the data
source.
Membership Provider is configured in the Configuration file.
Can be bound to multiple data sources.
Asp.net provides 2 membership providers to store data :-
Microsoft SQL Server – (AspNetSqlMembershipProvider)
Windows Active Directory
Asp.Net also lets us configure our own Custom Membership Provider (Oracle Data
Source, other data sources).
This class inherits from the abstract “ProviderBase” class and contains various methods and
properties to “Create, Delete, Update, Validate – Users”, “Get User information” and “Change
Password”.
10. Overview of Membership System
Login Controls :- Login, LoginView, LoginStatus, Other Login Controls
Membership API :- Membership Class, MembershipUser Class
Providers :- Membership Provider, ProviderBase Class
Membership Providers :- SqlMembershipProvider, Other Membership Provider
Data Source :- SQL SERVER, ORACLE
12. Why do we need Membership System?
Membership System is configurable and easy to use.
Provides various classes, methods and properties to deal with users’ information easily.
Asp.Net provides built-in Login Server Controls which encapsulate most of the
Membership functionality and help write less code.
Can be integrated with Forms Authentication.
Provides a feature to store sensitive information like passwords in hashed format within
the database.
No need to create tables and write stored procedures for maintaining the data.
14. What is Role Management and Role Providers?
The process of managing authorization of Users is called “Role Management”.
Helps to group users by assigning them Roles.
A process to decide which page or other resource can be accessed by which User.
The API helps the application find out what the role of a User is, or who the User is.
Role Provider –
Yet another abstract class which inherits the “ProviderBase” class.
Provides various functions to “Create” and “Delete” roles, and to check whether a user is in a specific role.
Can create custom role providers based upon our application requirements.
15. Asp.Net provides 3 different Role Providers
SqlRoleProvider
WindowsTokenRoleProvider
AuthorizationStoreRoleProvider
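The Web.config wiring behind the topics “How to configure MembershipProvider in Web.config file?” and “How to configure Role Providers in Asp.Net?”, as an added example that is not part of the original deck. It assumes a connection string named MembershipDb (pointing at a database prepared with aspnet_regsql.exe), the provider names AppSqlMembershipProvider / AppSqlRoleProvider, an Administrators role and an Admin folder; the provider types and attributes are the ones shipped with ASP.NET.

```xml
<configuration>
  <system.web>
    <!-- Forms Authentication: anonymous requests ("?") are redirected to the login page -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Membership: SqlMembershipProvider bound to the assumed "MembershipDb" connection string.
         passwordFormat="Hashed" stores salted hashes, so enablePasswordRetrieval must stay false;
         the minRequired*/maxInvalid* settings enforce strong passwords and throttle brute force -->
    <membership defaultProvider="AppSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AppSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Role Management: SqlRoleProvider reads role membership from the same database -->
    <roleManager enabled="true" defaultProvider="AppSqlRoleProvider">
      <providers>
        <clear />
        <add name="AppSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Authorization by role: only the assumed "Administrators" role may reach the Admin folder;
       rules are evaluated top-down, so the allow must come before the catch-all deny -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, Membership.ValidateUser and Roles.IsUserInRole in page code go through the configured providers, and the Login controls listed in the overview need no provider-specific code.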