PortSight SecureAccess 2.3 Training for developers and system administrators, October 18th, 2005
  • Reuse Existing User Profiles ~ You can easily import your existing user catalogs, including those from Active Directory, Windows NTLM and your databases, into the PortSight Secure Access database (Enterprise Edition only).
  • Forms Authentication ~ It's usually used in the Web environment. The user must provide a valid user name and password in the log-on form to sign in. Windows authentication ~ It's usually used for intranet and extranet applications. The user must successfully log on to the Windows NT domain before accessing your application. You can then map the user's Windows identity to the user account in the PortSight Secure Access user catalog.
  • Enable Self-Service and Save on Support ~ Your users can register at your Web site and update their profile themselves. They can change their passwords and receive a forgotten password by e-mail. Privileged users can manage specified groups and permissions.
  • Reduce Your Development Time ~ Using reusable classes and Web Controls, you can use the PortSight Secure Access system for any number of Web sites without developing the security system again and again. You can re-use the libraries as well as the user controls.
  • Keep the Identities Manageable ~ With PortSight Secure Access you can get an easy-to-manage and easy-to-deploy identity
  • User Management You Already Know ~ Your administrators will become familiar with the Web-based management system very quickly since it's similar to Microsoft Windows management.
  • Organizational Units and Nested Groups ~ You can organize users into groups and hierarchical organizational units. The user groups can be nested, which makes the access rights system more flexible to the requirements of your organization.
  • Unlimited Number of Users and Applications ~ The number of users and applications in the PortSight Secure Access database is restricted only by your system capacity.
  • Better Insight with Permission Matrix ~ Each application can consist of several application parts and thus allows you to grant user permissions to use a particular feature. The admin or a delegated user can use the permission matrix for setting the access rights. Each application can have its own set of user roles.
  • Easier Management with Delegation ~ You can delegate privileged users to manage access rights, control the members of a particular group or create user accounts themselves.
  • User Preferences without Cookies ~ Users can have any number of properties (such as preferred language, colors, …) saved in their profile on the server.
  • User Activity Auditing ~ Logs user activities, such as data modification, logons or access to classified information.
  • Import from External Directories ~ Import existing accounts from Microsoft Active Directory, a Windows domain or an ODBC database.
  • Enterprise ~ The only difference between the Standard and the Enterprise edition is that the Enterprise Edition supports import from external data sources, such as Microsoft Active Directory, Microsoft Windows NT domains and ODBC databases.
  • Community ~ Intended to be used for smaller projects. It's limited to 100 user accounts stored in the database and it doesn't support organizational units and permissions. There's no license fee and you can use it also for your commercial projects. If you decide to upgrade to one of the paid editions, you can just enter the new license key.
  • PortSight Secure Access Web Service (ARWebService) allows you to authenticate users and control their access in client (WinForms) applications.
  • ARWebService Overview ~ Since ARWebService itself must be well secured, it uses the Microsoft Web Services Enhancements 1.0 SP1 add-on (see http://msdn.microsoft.com/webservices), especially the WS-Security specification, which provides three main mechanisms protecting XML Web services: security token propagation involves sending security credentials from a sender to a receiver, where the sender and receiver may be the client, the XML Web service, or an intermediary; message integrity verifies that an intermediary has not altered the message; message confidentiality helps keep portions of the message confidential using encryption. In short, WS-Security provides a foundation for protecting XML Web services. WS-Security is flexible and designed to be used as the basis for securing XML Web services through the combination of a wide variety of security models, including public key infrastructure (PKI).
  • ARWebService is intended to be secured with X.509 certificates using digital signatures and asymmetric encryption. Digital signatures help to verify the trustworthiness of the partner and of course verify that the message has not been altered since it was signed. Asymmetric encryption encodes the content of the SOAP message and thus protects it against tapping during its transmission.
  • Another alternative for securing the communication is symmetric encryption. It may be used together with X.509 certificates to strengthen the security, or it can be used as a standalone security mechanism where X.509 certificates cannot be used for some reason. Using symmetric encryption only is not reliable enough, because it ciphers the transmitted data but doesn't sign them. Such a message cannot be protected from alteration during transmission and the message sender's identity cannot be verified either. Moreover, it's difficult to safely store the shared symmetric key on the client.
  • You can choose one of the following security mechanisms by configuring ARWebService through its Web.config file: symmetric encryption, X509 encryption, X509 signature; or you can choose not to use any of the security mechanisms. However, this option is not recommended.
  • This topic is different from using ARWebService: ARWebService is a specific Web Service that provides Secure Access methods to your WinForms applications, while this chapter explains how you can use the PortSight Secure Access API libraries to secure your own Web Services.
Agenda
- Introduction
- Features in Detail
- System Installation and Maintenance
- Securing Your Applications

Introduction

What is SecureAccess?
- Microsoft .NET component for enterprise solution developers that allows them to secure and personalize:
  - ASP.NET applications and Web content
  - Web Services
  - WinForm applications
- You can easily check user names and passwords, control access rights and track user activities.
- It can be integrated with legacy user databases and with Active Directory.

Benefits (1)
- PortSight Secure Access doesn't replace the .NET Framework or Windows security, but extends it and makes its management and use easier.
- Offers a comprehensive set of security mechanisms including user roles, permissions, auditing and delegation of administration.
- Reuse Existing User Profiles
- Start Immediately with Short Learning Curve

Benefits (2)
- Supports both Forms and Windows authentication.
- Enable Self-Service and Save on Support
- Reduce Your Development Time
- Keep the Identities Manageable
- User Management You Already Know
- Organizational Units and Nested Groups

Benefits (3)
- Unlimited Number of Users and Applications
- Better Insight with Permission Matrix
- Easier Management with Delegation
- User Preferences without Cookies
- User Activity Auditing
- Import from External Directories (AD, ODBC)
- Functionality Exposed through Web Services
- Multi-Tier Architecture for Better Scalability

What's new in SE 2.3?
- Active Directory, Windows NT domain and ODBC integration
- Enhanced support for securing Web Services
- Authentication and authorization Web Service
- The Application Configuration Wizard
- Added support for Web Farms.
- Permission types can be inherited from application to application parts.
- Extended the Developer's Guide
- Fixed bugs

Secure Access Editions
- Standard
- Enterprise
  - Includes import from external data sources.
- Community
  - For Free!
  - Intended to be used for smaller projects.
  - It's limited to 100 user accounts.
  - Doesn't support organizational units and permissions

Questions?
Features in Detail

User Management
- PortSight Secure Access includes a comfortable web-based user management interface.
- It allows you to manage user accounts, set users' properties and passwords, and organize users into (nested) groups, OUs and roles.
- Stores user information, including job position, contact and shipping address, etc.
- Stores an unlimited number of user preferences, such as preferred language, colors, layout, etc.
- The concepts are very similar to those from Microsoft Windows.

Membership in Groups and OUs
- A user can be a member of any number of user groups, organizational units and roles.
- Groups, units and roles can be nested.
- Organizational units are used to describe the hierarchical structure of your organization.
- You can easily check a user's membership in groups and units.

Management of Applications
- Applications represent the real applications you wish to secure with Secure Access.
- You can use these "virtual applications" to specify roles and permissions for accessing them and then check these permissions from within your application code.
- Each application can be split into several application parts (modules) that allow you to define permissions with higher granularity.
- The list of your web applications is also stored in the PortSight Secure Access catalog.

Role-Based Security
- Each application can have several associated user roles defined, e.g. "Editor", "Chief-Editor", "Designer" and "Administrator".
- You can assign users, groups or organizational units to a particular role.
- You can later check in your application code whether the current user is in the specified role.

Resource-Based Security (Permission Matrix)
- Permission types represent rights you grant to users, e.g. "create", "approve" or "delete".
- The permissions are defined on the application or application part level.
- For example, you may define application parts News, Articles and Links for a Web Portal application and define permissions for each of them, e.g. Read, Edit and Approve.
- You then grant these permissions for a particular application or its part in the Permission Matrix; permissions can be granted to any operator (users, user groups, organizational units or roles).
- You can later check in your application code whether the current user has the requested permission granted.

Securing Web Content
- SA allows you to control access to the content of your Web site, such as media files, documents, files for download and others.
- It allows you to check the user's name, membership or permissions and decide if the user is allowed to open the document.
- You can specify the content using wildcards, such as "/images/*.jpg".
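The three slides above (roles, the permission matrix and wildcard-protected content) describe one authorization model: operators (users, nested groups, OUs, roles) are granted permission types on an application or one of its parts, and content paths are tied to those checks. The following Python model is an added illustration of that resolution logic; it is not PortSight code and does not use the product's API. All users, groups, roles, application parts and paths are constructed sample data, and the fallback from an application part to its parent application is an assumption (the deck only states that permission types are inherited from the application to its parts).

```python
from fnmatch import fnmatch

# Constructed sample catalog. Membership edges: member -> containers it belongs to directly.
# Groups and OUs may themselves be members of other groups/OUs (nesting).
MEMBERSHIP = {
    "JohnD": {"Editors"},
    "Editors": {"Newsroom"},   # group nested inside an OU
    "Newsroom": set(),
    "JaneK": {"Newsroom"},
    "Guest": set(),
}

# Role assignment: role -> operators (users, groups or OUs) placed in the role.
ROLES = {
    "Reports.Manager": {"Editors"},
    "Reports.Viewer": {"Newsroom"},
}

# Permission matrix: (application or application part, permission type) -> operators.
# Operators may be users, groups, OUs or roles.
PERMISSIONS = {
    ("WebPortal", "Read"): {"Newsroom"},
    ("WebPortal.News", "Edit"): {"Editors"},
    ("WebPortal.News", "Approve"): {"Reports.Manager"},
}

# Wildcard rules for web content: (pattern, application part, required permission).
CONTENT_RULES = [
    ("/images/*.jpg", "WebPortal", "Read"),
    ("/news/drafts/*", "WebPortal.News", "Edit"),
]


def closure(operator):
    """The operator itself plus every group/OU it belongs to, transitively."""
    seen, stack = set(), [operator]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(MEMBERSHIP.get(current, ()))
    return seen


def is_in_role(user, role):
    """True if the user, or any group/OU containing the user, is assigned to the role."""
    members = ROLES.get(role, set())
    return any(op in members for op in closure(user))


def operators_of(user):
    """Every operator name a grant could match for this user: self, containers, roles held."""
    ops = closure(user)
    ops |= {role for role in ROLES if is_in_role(user, role)}
    return ops


def is_authorized(user, app_part, permission):
    """Check the grant on the part, then (assumption) fall back to the parent application."""
    ops = operators_of(user)
    scope = app_part
    while scope:
        if PERMISSIONS.get((scope, permission), set()) & ops:
            return True
        scope = scope.rpartition(".")[0]   # "WebPortal.News" -> "WebPortal" -> ""
    return False


def can_open(user, path):
    """Apply the first matching content rule; paths no rule covers are not secured by SA here."""
    for pattern, part, permission in CONTENT_RULES:
        if fnmatch(path, pattern):
            return is_authorized(user, part, permission)
    return True


if __name__ == "__main__":
    for user in ("JohnD", "JaneK", "Guest"):
        print(user, is_in_role(user, "Reports.Manager"),
              is_authorized(user, "WebPortal.News", "Approve"),
              can_open(user, "/images/logo.jpg"))
```

JohnD reaches Reports.Manager only through the nested chain JohnD -> Editors, and JaneK reads the News part only because the Read grant sits on the parent application; both are the kinds of indirect paths an administrator should be able to trace in the permission matrix before trusting a check in application code.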
Auditing
- PortSight Secure Access allows you to log user actions in its auditing log.
- The log contains information about the user who performed the action and the accessed resource, which gives you a good overview of possible attacks, attempts to access restricted zones, and changes made to your data.
- You can also store your own custom information about an event, such as details of the data being accessed or changed.

Delegation
- A group admin (OU admin, App admin for roles and permissions) can delegate management of the members of a particular group, role or OU, as well as management of permissions for particular applications, to other users.
- These privileged users can then view the objects they are responsible for and modify their members (or permissions in the case of application parts and applications).
- They are not allowed to modify the objects' properties, create new ones or delete existing ones.

Storing User Preferences
- Store user preferences (e.g. theme, culture) in the database instead of cookies.
- You can define any number of preferences.
- Each object, such as a user, group, OU, application, application part, role or directory port, can have an unlimited number of properties defined in its settings section.
- If you need to define a new property or modify an existing one, expand the Custom Properties item in the main menu.
- Access to custom properties is generally slower than to custom fields.

Questions?
System Installation and Maintenance

System Requirements
- Deployment
  - Windows 2000, XP or 2003 Server
  - .NET Framework 1.0 or 1.1
  - IIS 5.0+
  - SQL Server 2000 or MSDE configured for "Mixed Mode Security"
  - MDAC 2.6+
  - Internet Explorer 6.0+
- Development
  - Microsoft Visual Studio .NET 2002 or 2003

Installing and Setting up
- Run the installer on your Web server.
- The Secure Access installation wizard will guide you through the installation process.
- After installing Secure Access it is necessary to create a new PortSight Secure Access catalog (user database) and deploy the administration interface.

System Backup and Recovery
- All system data are stored in the SQL Server database.
- Use standard tools to regularly back up your Secure Access database.
- Back up the settings of the administration application user interface:
  - C:\Inetpub\wwwroot\SecureAccess\Web.config
  - C:\Program Files\PortSight Secure Access\2.3\Catalog Manager\Catalogs.xml
  - C:\inetpub\wwwroot\SecureAccess\Photos
  - The paths may be different.

Catalog Manager tool
- Use this tool for managing SA Catalogs:
  - creating a new catalog
  - registering an existing catalog
  - unregistering a catalog
  - modifying catalog properties
  - opening the Web-based user interface of the catalog using IE
  - configuring your ASP.NET application to integrate with SA
  - importing users, groups and OUs from various data sources (e.g. Active Directory, ODBC, …)

Creating a New User Catalog (1)
- Use Catalog Manager to create a new catalog or register an existing catalog before you start using Secure Access.
- A Secure Access catalog consists of a database and of a Web-based administrative user interface.
- One instance of the Web-based administrative user interface can manage only one catalog (database).

Creating a New User Catalog (2)
- The New Catalog Wizard will guide you through the entire process of creating a new catalog.
- During this process it is necessary to specify:
  - the SQL Server where the catalog will be stored
  - the database name
  - whether you want to deploy the user interface
  - the catalog ID that will uniquely identify this instance of the SA catalog among other catalogs
- It's highly recommended that you change the default administrator's password immediately after creating the new catalog.

Import Users, Groups and OUs (1)
- This feature is only available in the Enterprise Edition.
- Use Catalog Manager to manage the import.
- You can import users, groups and OUs from various data sources: LDAP, Windows domain and ODBC-enabled databases.
- You can also combine information from several data sources into one SA catalog.
- The Directory Port Wizard will guide you through the entire process of setting up the import parameters.

Import Users, Groups and OUs (2)
- Use the Directory Port Wizard to:
  - map source fields to the SA fields
  - choose objects to be imported or filter out objects not to be imported
  - specify whether the objects should be imported including their membership
  - specify whether the import should be started manually or periodically
- You can use the support for ODBC data sources to import objects from any application. You only need to prepare the input data in a certain format.

Import Users, Groups and OUs (3)
- Mapping properties between source and target objects:
- The target field you map to AR_ObjectGUID must be used by only one directory port.
- The target fields may only be of string type.
- The provider doesn't consider whether the imported account is disabled in this version.
- There are the following default source fields:
  - AR_ObjectGUID - a unique identifier
  - AR_Login - login name of the imported user
  - AR_ObjectAlias - a unique property
  - AR_ObjectName - an object name (full name)
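The mapping rules on the slide above are easy to get wrong when several directory ports feed one catalog, and the note that the provider ignores the source's "disabled" flag means a decommissioned account can arrive in the catalog as an active one. The following Python helper is an added illustration, not PortSight code: it validates a set of port mappings against a catalog schema and filters disabled source records before they are handed to an import. The port names, schema fields and source records are constructed, and the field names AR_ObjectGUID, AR_Login, AR_ObjectAlias and AR_ObjectName are the default source fields listed on the slide.

```python
# Constructed target-catalog schema: field name -> type. Only string fields may be mapped.
CATALOG_SCHEMA = {
    "ExternalId": "string",
    "Login": "string",
    "Alias": "string",
    "FullName": "string",
    "Age": "int",
}

# Constructed directory ports: port name -> {source field: target field}.
# Both ports map AR_ObjectGUID to the same target field, which the slide forbids.
PORTS = {
    "ad_port": {"AR_ObjectGUID": "ExternalId", "AR_Login": "Login", "AR_ObjectName": "FullName"},
    "odbc_port": {"AR_ObjectGUID": "ExternalId", "AR_Login": "Login", "AR_ObjectAlias": "Age"},
}

# Constructed source records as an ODBC or LDAP provider might deliver them.
SOURCE_RECORDS = [
    {"AR_ObjectGUID": "g-0001", "AR_Login": "jdoe", "disabled": False},
    {"AR_ObjectGUID": "g-0002", "AR_Login": "oldhire", "disabled": True},
]


def validate_ports(ports, schema=CATALOG_SCHEMA):
    """Return a list of problems: non-string targets, missing GUID mapping, shared GUID target."""
    problems = []
    guid_targets = {}   # target field -> ports mapping AR_ObjectGUID onto it
    for name, mapping in ports.items():
        for source_field, target_field in mapping.items():
            if schema.get(target_field) != "string":
                problems.append(f"{name}: target {target_field!r} is not a string field")
            if source_field == "AR_ObjectGUID":
                guid_targets.setdefault(target_field, []).append(name)
        if "AR_ObjectGUID" not in mapping:
            problems.append(f"{name}: no AR_ObjectGUID mapping, imported objects cannot be matched")
    for target_field, names in guid_targets.items():
        if len(names) > 1:
            problems.append(f"GUID target {target_field!r} shared by ports {sorted(names)}")
    return problems


def filter_disabled(records):
    """Drop source accounts flagged disabled, since the provider itself will not.

    Returns (records_to_import, logins_skipped) so the skipped accounts can be logged."""
    keep = [r for r in records if not r.get("disabled")]
    skipped = [r["AR_Login"] for r in records if r.get("disabled")]
    return keep, skipped


if __name__ == "__main__":
    for problem in validate_ports(PORTS):
        print("mapping problem:", problem)
    to_import, skipped = filter_disabled(SOURCE_RECORDS)
    print("importing", [r["AR_Login"] for r in to_import], "skipped disabled", skipped)
```

Run the validation before registering a new directory port, and keep the skipped list in the audit log: an account that was disabled at the source but active in the catalog is a silent gap between the two systems.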
Using Windows Authentication
- After you deploy the SA Web user interface it uses forms authentication by default.
- When switched to Windows authentication, it compares the NT login name of the current user with the SA user name, e.g. CZ\PetrPi
- In the Web.config replace the whole authentication section with the following text:
    <authentication mode="Windows" />
- Launch the IIS console and, for the SA Web user interface, disable Anonymous access, Digest authentication and Basic authentication, and enable Integrated Windows authentication.

Securing Secure Access
- Secure Access Catalog Manager stores the passwords you enter in the encrypted XML file catalogs.xml, which contains information about registered catalogs. Since the encryption mechanism is not very strong, you should allow only administrators to access this file.
- SA Catalog Manager distributes the passwords (database connection string) into Web.config files in non-encrypted form, which is the common way most developers are used to. Thus, you should allow only administrators and developers to access this file.

Installing SA on a Web Farm
- PortSight Secure Access 2.3 was tested with Microsoft Application Center 2000 SP1
  - Set up Microsoft Application Center.
  - Install the Secure Access user interface on the cluster in the Web Farm using the Catalog Manager.
  - You must use either StateServer or SQLServer session mode, not InProc session mode. See the ASP.NET documentation for more details.
  - Make sure that the web.config (or machine.config) file of the Secure Access user interface or of your application contains the same machine key on all computers in the Web farm.
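The last bullet above matters because an ASP.NET forms authentication ticket carries a MAC computed with the node's machine key; a request load-balanced to a node with a different key fails validation and the user is silently logged out (the same applies to ViewState). The following Python script is an added illustration of that failure and its fix, not PortSight code and not ASP.NET's real ticket format: it uses a simplified "user|expires|mac" ticket with HMAC-SHA256, node names and keys are constructed, and a per-node random key stands in for an auto-generated machine key while one shared key stands in for an explicit machineKey configured identically on every node.

```python
import hashlib
import hmac
import secrets
import time


def issue_ticket(validation_key: bytes, user: str, ttl: int = 3600, now=None) -> str:
    """Return 'user|expires|mac', signed with the issuing node's validation key."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expires}".encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{mac}"


def validate_ticket(validation_key: bytes, ticket: str, now=None):
    """Return the user name if the MAC matches this node's key and the ticket is unexpired, else None."""
    try:
        user, expires, mac = ticket.rsplit("|", 2)
    except ValueError:
        return None                      # malformed ticket
    payload = f"{user}|{expires}".encode()
    expected = hmac.new(validation_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # signed by another key, or tampered
    if int(expires) <= (now if now is not None else time.time()):
        return None                      # expired
    return user


def farm_accepts(node_keys, ticket, now=None):
    """Map each farm node to whether it accepts a ticket issued by one of the nodes."""
    return {name: validate_ticket(key, ticket, now) is not None for name, key in node_keys.items()}


# Constructed farm of two nodes. AUTO_KEYS: each node generated its own key.
AUTO_KEYS = {"node1": secrets.token_bytes(64), "node2": secrets.token_bytes(64)}
# SHARED_KEYS: the same key configured on every node (what the slide requires).
SHARED = secrets.token_bytes(64)
SHARED_KEYS = {"node1": SHARED, "node2": SHARED}


def demo(now=1_000_000):
    """Issue a ticket on node1 under both key setups and see which nodes accept it."""
    ticket_auto = issue_ticket(AUTO_KEYS["node1"], "JohnD", now=now)
    ticket_shared = issue_ticket(SHARED_KEYS["node1"], "JohnD", now=now)
    return farm_accepts(AUTO_KEYS, ticket_auto, now), farm_accepts(SHARED_KEYS, ticket_shared, now)


if __name__ == "__main__":
    auto, shared = demo()
    print("per-node keys:", auto)     # node2 rejects the ticket: user appears logged out
    print("shared key:   ", shared)   # every node accepts it
```

The MAC check is also what stops a client from editing the user name inside its own ticket, so the shared key must be distributed only to the farm nodes and stored with the same care as the connection strings discussed on the previous slide.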
Questions?

Securing Your Applications

Administration Web Interface
- Secure Access is delivered with a Web-based administration console for managing objects and permissions, i.e. users, groups, OUs and secured applications.
- This console is shipped with full source code, so it can be easily customized and integrated, and its parts reused in target applications.

Application Configuration Wizard
- Catalog Manager includes a wizard that helps developers integrate Secure Access with their WebForm solutions
  - Supports both C# and VB.NET projects
  - Windows and Forms authentication
  - Modifies the following for you:
    - IIS Settings
    - Global.asax
    - Web.config
    - Project file
    - Adds Secure Access User Controls to the project

Secure Access usage scenarios (1)
- Authentication allows you to restrict access to your application to authenticated users only. The users have to provide their login name and password. PortSight Secure Access provides two ways of authentication:
  - Forms authentication - the user must enter a login name and password
  - Windows authentication - the user must be logged in to a domain
- You can also protect only a particular part of your application.

Secure Access usage scenarios (2)
- You may use Secure Access for
  - Authentication – verifying the user's identity, usually by providing a user name and password
  - Authorization – checking the user's roles and access rights
  - Auditing - storing user actions in its auditing log
  - Storing user settings – store any number of settings, such as preferred culture, colors or default values, within the user's or group's profile

Authentication
- You may explicitly verify the user's identity by checking the provided user credentials against the Secure Access database.
- [VB.NET]
    ' arCN is an already opened Secure Access connection object
    authenticationResult = arCN.Authenticate("JohnF", "p&ss2vord")

Authorization – Role based security
- Roles represent typical users, e.g. Administrator, Editor, Manager. You can define any number of roles for your application and assign users to these roles. Then you can simply check in your code whether the current user is allowed to use your application.
- [VB.NET]
    ' role name is qualified by the application it belongs to
    If ARHelper.IsInRole("JohnD", "Reports.Manager") Then ...

Authorization – Permissions
- Permission-based security offers a more flexible solution for controlling access. You can define any number of permission types, such as Read, Modify, Delete or Approve. Then you can grant default permissions to roles. When the business logic changes later, you can easily modify the permission matrix without recompiling the application.
- [VB.NET]
    ' does JohnD hold the "Read" permission on the Reports.Viewer application part?
    If ARHelper.IsAuthorized("JohnD", "Reports.Viewer", "Read") Then ...

Auditing Trail
- An important feature of application security is auditing of user activities. It can help you detect attacks and attempts at unauthorized access to secret data, and also keep track of data modifications. Some laws may even require an auditing trail.
- [VB.NET]
    ' user, free-text event description, affected application part
    ARHelper.Log("JohnD", "User changed amount to USD 5.90", "WorkReports.TravelExpenses")

Storing User Settings
- Secure Access allows you to store any number of user settings, such as preferred culture, colors, default values etc. in the Secure Access database.
- [VB.NET]
    ' look the current user up by login name and store a named preference
    arcn.GetUserByLogin(User.Identity.Name).SetPropertyValue("preferred_color", "darkBlue")

How to use Secure Access for
- Securing Web Applications
- Securing WinForm Applications
- Securing Web Services
It's important to understand that PortSight Secure Access is a component targeting developers, not a security application intended for immediate use by end users.

Securing Web Applications
- Extends the existing authentication mechanisms.
- Secure Access is delivered with ASP.NET user controls (available with full source code)

Securing WinForm Applications
- The connection string to the DB can be either stored in the .config file or set later from within the code, if you need to hide it from the users.
- Client applications can improve overall security by connecting to Secure Access via the ARWSWebService Web Service. Secure Access is delivered with WinForm controls that simplify this integration:
  - ARWSLogonCtrl – for checking the provided login name and password
  - ARWSSetPasswordCtrl – for changing passwords

Securing WinForm Applications
- Communication with ARWebService can be secured by the following WS-Security methods and their combinations:
  - X.509 encryption - Asymmetric encryption encodes the content of the SOAP message and thus protects it against tapping during its transmission.
  - X.509 signature - Digital signatures help to verify the trustworthiness of the partner and of course verify that the message has not been altered since it was signed.
  - Symmetric encryption - It may be used together with X.509 certificates to strengthen the security, or it can be used as a standalone security mechanism where X.509 certificates cannot be used for some reason.

Securing WinForm Applications
- ARWSWebService automatically (without additional configuration) supports the following security scenarios:
  - If symmetric encryption is required, or if the client optionally encrypted the request using the shared symmetric key, then the response will be symmetrically encrypted as well.
  - If the client signed the request using its private key, then the response will be asymmetrically encrypted using the client's public key found in the signature.
  - If X509 signing is required, or if the client optionally signed the request, then the response will be signed using the server's private key.

Securing WinForm Applications

Securing Web Services
- Advantages of using the PortSight Secure Access API libraries to secure your own Web Services:
  - Stores all user information, passwords and settings in one database
  - Restricts access to your Web Service to authenticated and authorized users with high granularity of access rights
  - Logs access to your Web Service, and the auditing log can be used for billing Web Service usage
  - Secure Access provides you with support for symmetric encryption or X.509 certificates to encrypt the communication between the client and your web service

Questions?

Thank you for your time!
