Dino Esposito "Security is a matter of success"

Authenticating users and checking their permissions to perform certain actions are the ABC of any software and real-life process. ASP.NET has a long record of successful applications, yet the API it has always offered is too simple for today's needs. This has led to a variety of additional best practices, most of which have been incorporated in ASP.NET Core. In this session we'll first look at the basic facts of claims-based authentication in ASP.NET Core and then move to authorization policies and authentication in the context of Web APIs. By attending the session you'll understand the differences between old and new ASP.NET authentication, old and new ASP.NET authorization, and the common steps to control access to a Web API.

Published in: Technology

  1. Security is a Matter of Success. Dino Esposito, Digital Strategist, BaxEnergy
  2. AUTHENTICATION
     ▰ Cookie-based authentication (without web.config)
     ▰ IPrincipal based on claims (not just username)
     ▰ Enable the authentication middleware and use it
       ▻ Cookie name, login path, return URL, sliding expiration
     ▰ Multiple authentication schemes supported
       ▻ Cookie, bearer token, social networks
  3. AUTHENTICATION: CLAIMS
     ▰ All claims are stored in the authentication item (the cookie)
     ▰ They are not re-read from the store on each request, so the cookie must be reissued if the underlying data changes
     ▰ Username and role, plus anything else you need
     ▰ Different API for sign-in/sign-out
     ▰ LINQ-style API to read claims
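The two slides above list the pieces without showing them together. The following is an added example, not code from the deck, of cookie authentication configured entirely in code on ASP.NET Core 3.1 with the options the slides name (cookie name, login path, return URL, sliding expiration), a claims-based sign-in and sign-out, and LINQ-style reads of the claims. The cookie name, paths, claim names and the FakeUserStore stub are assumptions made for the example.

```csharp
// Added example (not from the slides): cookie authentication configured in code,
// claims-based sign-in/sign-out and LINQ-style claim reads on ASP.NET Core 3.1.
// Cookie name, paths, claim names and FakeUserStore are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // What web.config <authentication mode="Forms"> used to hold is now code.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = ".MyApp.Auth";            // cookie name
                options.LoginPath = "/Account/Login";           // anonymous -> 302 here
                options.AccessDeniedPath = "/Account/Denied";   // authenticated but forbidden
                options.ReturnUrlParameter = "returnUrl";       // return-URL query key
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;               // reissued past half the lifetime
                // Hardening the slide does not list but a reviewer would expect:
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // populates HttpContext.User from the cookie
        app.UseAuthorization();    // must follow UseAuthentication and precede UseEndpoints
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Constructed stand-in for a real user store, so the sample compiles on its own.
public static class FakeUserStore
{
    public static bool Validate(string user, string pwd) => user == "dino" && pwd == "s3cret";
}

public class AccountController : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl)
    {
        if (!FakeUserStore.Validate(userName, password)) return Unauthorized();

        // Username and role are two claims among many. Everything here is serialised
        // into the encrypted, signed cookie and is NOT re-read from the store on later
        // requests: keep it small and reissue the cookie when it changes.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, "Editor"),
            new Claim("editor", "contents"),
            new Claim("level", "Senior"),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            new AuthenticationProperties { IsPersistent = false });

        // Only honour local return URLs; an absolute one would be an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction("Index", "Home");
    }

    [Authorize]
    public IActionResult Me()
    {
        // LINQ-style reads over IEnumerable<Claim>.
        var level = User.Claims.FirstOrDefault(c => c.Type == "level")?.Value;
        var roles = User.Claims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray();
        return Json(new { name = User.Identity.Name, level, roles, senior = User.HasClaim("level", "Senior") });
    }
}
```

The cookie carries a snapshot of the claims; revoking a role or demoting a "level" in the database has no effect on an already issued cookie until it expires or is reissued, which is why the expiry is kept short and sliding.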
  4. AUTHORIZATION
     ▰ Role-based authorization
       ▻ The Authorize attribute works as usual
     ▰ Policy-based authorization
       ▻ New in ASP.NET Core
  5. ROLE-BASED AUTHORIZATION
     ▰ AllowAnonymous
     ▰ Authorize(Roles="...")
     ▰ Custom version: EnsureRole(Enum1, Enum2)
     ▰ Additional AuthenticationSchemes parameter (named ActiveAuthenticationSchemes in ASP.NET Core 1.x)
  6. POLICY-BASED AUTHORIZATION
     ▰ A policy is a collection of requirements
     ▰ More flexible than roles alone
     ▰ Register policies in Startup
     ▰ Apply through the Policy property of Authorize
  7. POLICY-BASED AUTHORIZATION: BUILDING A POLICY
       // AddAuthenticationSchemes is the plural method: it lists the schemes to authenticate against
       var policy = new AuthorizationPolicyBuilder()
           .AddAuthenticationSchemes("Cookie", "Bearer")
           .RequireAuthenticatedUser()
           .RequireRole("Admin")
           .RequireClaim("editor", "contents")
           .RequireClaim("level", "Senior")
           .Build();
  8. POLICY-BASED AUTHORIZATION: IMPERATIVE CHECK
       // IAuthorizationService injected in the controller
       public async Task<IActionResult> Save(Article article)
       {
           // AuthorizeAsync returns an AuthorizationResult (ASP.NET Core 2.0+), not a bool
           var result = await _authorization.AuthorizeAsync(User, ...);
           if (!result.Succeeded)
               return new ForbidResult();   // 403: authenticated but not allowed
           // Proceed
       }
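Slides 6 to 8 show the builder and the imperative call but not how the two meet in a running application. The following is an added example, not code from the deck, that registers a claim-based policy like the one above in Startup, adds a resource-based requirement with its handler (something a plain Authorize attribute cannot express, because it needs the loaded resource), and checks policies both declaratively and imperatively. Article, IArticleRepository and the policy names are assumptions made for the example.

```csharp
// Added example (not from the slides): policy registration, a resource-based
// requirement and handler, and declarative versus imperative checks.
// Article, IArticleRepository and the policy names are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Article
{
    public int Id { get; set; }
    public string AuthorName { get; set; }
    public string Body { get; set; }
}

public interface IArticleRepository   // assumed abstraction over storage
{
    Article Find(int id);
    void Update(Article article);
}

// A requirement is only a marker; the decision logic lives in handlers.
public class IsAuthorRequirement : IAuthorizationRequirement { }

// Resource-based handler: succeeds when the caller wrote this article or is an Admin.
// It never calls context.Fail(), so another handler for the same requirement may still
// succeed; call Fail() only when you want a hard veto regardless of other handlers.
public class IsAuthorHandler : AuthorizationHandler<IsAuthorRequirement, Article>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, IsAuthorRequirement requirement, Article resource)
    {
        var name = context.User.FindFirst(ClaimTypes.Name)?.Value;
        if (context.User.IsInRole("Admin") || (name != null && name == resource.AuthorName))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    public static void Add(IServiceCollection services)   // call from Startup.ConfigureServices
    {
        services.AddAuthorization(options =>
        {
            // Fallback: endpoints with no [Authorize]/[AllowAnonymous] still require a login.
            options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();

            // Claim-based policy, as on the slide; the name is an arbitrary string.
            options.AddPolicy("SeniorEditor", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim("editor", "contents")
                .RequireClaim("level", "Senior"));

            // Resource-based policy: the requirement is evaluated against an Article.
            options.AddPolicy("EditArticle", policy => policy
                .RequireAuthenticatedUser()
                .AddRequirements(new IsAuthorRequirement()));
        });
        services.AddSingleton<IAuthorizationHandler, IsAuthorHandler>();
    }
}

[ApiController, Route("api/articles")]
public class ArticlesController : ControllerBase
{
    private readonly IAuthorizationService _authorization;
    private readonly IArticleRepository _articles;

    public ArticlesController(IAuthorizationService authorization, IArticleRepository articles)
        => (_authorization, _articles) = (authorization, articles);

    // Declarative: the policy runs before the action, with no resource in hand.
    [HttpGet("{id}")]
    [Authorize(Policy = "SeniorEditor")]
    public IActionResult Get(int id)
    {
        var article = _articles.Find(id);
        return article == null ? (IActionResult)NotFound() : Ok(article);
    }

    // Imperative: "only the author may edit" needs the loaded Article, which an
    // attribute cannot see, so the check happens inside the action.
    [HttpPut("{id}")]
    public async Task<IActionResult> Save(int id, Article update)
    {
        var article = _articles.Find(id);
        if (article == null) return NotFound();

        var result = await _authorization.AuthorizeAsync(User, article, "EditArticle");
        if (!result.Succeeded) return Forbid();   // 403: authenticated but not allowed

        article.Body = update.Body;
        _articles.Update(article);
        return NoContent();
    }
}
```

Note the ordering in Save: the existence check runs before the authorization check. Swapping them would make the 404/403 difference leak whether an article id exists to users who may not touch it; decide deliberately which of the two your API should reveal.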
  9. SECURING WEB API
     ▰ [Authorize] alone works only as long as the client can send cookies (browser clients)
     ▰ Basic authentication
       ▻ User credentials packed with every request
     ▰ Token-based authentication
       ▻ Token associated with a given user
     ▰ Identity Management Server
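The slide contrasts cookies, Basic authentication and tokens but shows none of them. The following is an added example, not code from the deck, of a Web API that keeps the MVC cookie for browser pages, issues short-lived JWT bearer tokens to API clients after a single credential exchange (unlike Basic authentication, which resends the credentials on every call), and uses both the AuthenticationSchemes parameter of Authorize and the plural AddAuthenticationSchemes method on the policy builder mentioned earlier. Issuer, audience, routes and the credential check are assumptions; the signing key is a constructed placeholder that real code loads from configuration or a key vault.

```csharp
// Added example (not from the slides): cookie for MVC pages, JWT bearer for the API,
// a policy accepting either scheme. Issuer, audience, key, routes and the credential
// check are assumptions; the key is a constructed placeholder, never a real secret.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiAuthSetup
{
    public const string Issuer = "https://api.example.test";
    public const string Audience = "articles-api";
    // HS256 needs at least 256 bits of key material; load it from configuration in real code.
    public static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("replace-me-with-32+-bytes-from-config!!"));

    public static void ConfigureServices(IServiceCollection services)   // call from Startup
    {
        services.AddAuthentication(options =>
            {
                // MVC pages keep the cookie as default; API actions opt into Bearer explicitly.
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,           ValidIssuer = Issuer,
                    ValidateAudience = true,         ValidAudience = Audience,
                    ValidateIssuerSigningKey = true, IssuerSigningKey = SigningKey,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromSeconds(30),   // library default is 5 minutes
                };
            });

        services.AddAuthorization(options =>
        {
            // Accept either scheme for this policy (AddAuthenticationSchemes is plural).
            options.AddPolicy("AnyClient", policy => policy
                .AddAuthenticationSchemes(
                    CookieAuthenticationDefaults.AuthenticationScheme,
                    JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .RequireClaim("editor", "contents"));
        });
    }

    // "Token associated with a given user": the claims are signed into the token and
    // validated on each call; nothing is looked up server-side.
    public static string IssueToken(string userName, IEnumerable<string> roles, TimeSpan lifetime)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(ClaimTypes.Name, userName),
            new Claim("editor", "contents"),
        };
        foreach (var role in roles) claims.Add(new Claim(ClaimTypes.Role, role));

        var token = new JwtSecurityToken(Issuer, Audience, claims,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.Add(lifetime),
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

[ApiController, Route("api/token")]
public class TokenController : ControllerBase
{
    // Credentials travel once, here, over TLS; afterwards only the short-lived token does.
    [HttpPost, AllowAnonymous]
    public IActionResult Create([FromForm] string userName, [FromForm] string password)
    {
        // Constructed stand-in for a real credential store.
        if (userName != "dino" || password != "s3cret") return Unauthorized();
        var jwt = ApiAuthSetup.IssueToken(userName, new[] { "Editor" }, TimeSpan.FromMinutes(15));
        return Ok(new { access_token = jwt, token_type = "Bearer", expires_in = 900 });
    }
}

[ApiController, Route("api/articles")]
public class ArticlesApiController : ControllerBase
{
    [HttpGet("mine")]
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]   // bearer only
    public IActionResult Mine() => Ok(new { author = User.Identity.Name });

    [HttpGet("shared")]
    [Authorize(Policy = "AnyClient")]   // cookie or bearer, via the policy above
    public IActionResult Shared() => Ok("visible to browser and API clients");
}
```

Restricting API actions to the Bearer scheme is the point of naming it explicitly: a browser that holds the MVC cookie cannot be tricked into calling /api/articles/mine via a cross-site request, because the cookie is simply not consulted there. A client calls POST /api/token once and then sends Authorization: Bearer <jwt> on each request.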
  10. MURPHY'S LAW OF API DESIGNERS
  11. PROGRAMMING ASP.NET CORE
     ▰ ASP.NET Core 3.0 released in H2 (wait for 3.1, though)
     ▰ Visual Studio 2019 Update X
     http://youbiquitous.net
