DDD Melbourne 2014 security in ASP.Net Web API 2
Download as PPTX, PDF1 like1,288 views
The document outlines the use of HTTP over TLS, covering server and client authentication, SSL certificates, and the creation of self-signed certificates. It also discusses the OWIN implementation for hosting applications, including middleware for various features like authentication and CORS. Additionally, it explains authorization flows, such as resource owner password credentials, and the importance of secure communication methods between clients and servers.
![makecert -iv DevRoot.pvk -ic DevRoot.cer -n "CN=site.local" -pe -sv %1.pvk -sky exchange
site.local.cer -eku 1.3.6.1.5.5.7.3.1
• -iv <pvkFile> Issuer's PVK file
• -ic <file> Issuer's certificate file
• -n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
• -pe Mark generated private key as exportable
• -sv <pvkFile> Subject's PVK file; To be created if not present
• -sky <keytype> Subject key type
• -eku <oid[<,oid>]> Comma separated enhanced key usage OIDs](https://image.slidesharecdn.com/dddmelbourne2014securityinasp-140803072648-phpapp01/85/DDD-Melbourne-2014-security-in-ASP-Net-Web-API-2-7-320.jpg)
![Same Origin Policy in Browsers
• AJAX requests to a different host, port or protocol
will fails
• CORS is a W3C standard that allows cross origin
http requests
• The request itself succeeds but the browser
returns an error
• Supported in modern browsers only, IE 10+
CORS support in Web API
• Install-Package
Microsoft.AspNet.WebApi.Cors
• WebApiConfig.cs –
config.EnableCors();
• Controller.cs –
[EnableCors("origin", "headers", "verbs")]
public class MyController : ApiController
{
}
Request Header
Origin: http://cors.local/
Response Header
Access-Control-Allow-Origin: *](https://image.slidesharecdn.com/dddmelbourne2014securityinasp-140803072648-phpapp01/85/DDD-Melbourne-2014-security-in-ASP-Net-Web-API-2-24-320.jpg)
DDD Melbourne 2014 security in ASP.Net Web API 2
- 3. HTTPS = HTTP over TLS • Server Authentication • Integrity protection • Encryption • Client Authentication Server Root Cert Computer – Trusted Root Certification Authorities Server SSL Cert Computer – Personal (Must have a private key. Usually a .pfx file) Client Private Cert Current User – Personal (Must have a private key. Usually a .pfx file) X.509 Certificates • ITU-T Standard for PKI • Standard formats for certificates • Installed in Windows Certificate Store Client Public Cert Computer – Trusted People (Only public key required. Usually a .cer file)
- 4. Bind SSL certificate to port / host name • IIS • netsh.exe • httpconfig.exe • CN should match DNS name Connect Send Certificate Generate session key and encrypt with public key http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
- 5. Status: 401 (Unauthorised) WWW-Authenticate: Scheme realm=“app" GET /URL/Resource Authorization: scheme <credential> Authorisation: basic dXNlcjpwYXNzd29yZA==
- 6. makecert -r -n "CN=DevRoot" -pe -sv DevRoot.pvk -cy authority DevRoot.cer • -r Create a self signed certificate • -n <X509name> Certificate subject X500 name (eg: CN=Fred Dews) • -pe Mark generated private key as exportable • -sv <pvkFile> Subject's PVK file; To be created if not present • -cy <certType> Certificate types Package the certificate and the private key pvk2pfx.exe -pvk DevRoot.pvk -spc DevRoot.cer -pfx DevRoot.pfx
- 7. makecert -iv DevRoot.pvk -ic DevRoot.cer -n "CN=site.local" -pe -sv %1.pvk -sky exchange site.local.cer -eku 1.3.6.1.5.5.7.3.1 • -iv <pvkFile> Issuer's PVK file • -ic <file> Issuer's certificate file • -n <X509name> Certificate subject X500 name (eg: CN=Fred Dews) • -pe Mark generated private key as exportable • -sv <pvkFile> Subject's PVK file; To be created if not present • -sky <keytype> Subject key type • -eku <oid[<,oid>]> Comma separated enhanced key usage OIDs
- 8. Environment Dictionary Stores all of the state necessary for processing an HTTP request and response, as well as any relevant server state. IDictionary<string, object> "owin.RequestMethod" : A string containing the HTTP request method of the request (e.g., "GET", "POST"). Application Delegate (AppFunc) This is a function signature which serves as the primary interface between all components in an OWIN application. Func<IDictionary<string, object>, Task>; • Your appApplication •Web API •SignalR •Nancy •ServiceStack Middleware • Microsoft.Owin.Host.SystemWeb • Microsoft.Owin.Host.HttpListener • Helios Server •IIS/ASP.Net •OwinHost.exe •Self Host •IIS Host
- 9. Microsoft’s OWIN Implementation http://katanaproject.codeplex.com/ Hosts and Servers Implementation IIS Self-Hosting OwinHost.exe Convenience Classes OwinContext OwinRequest OwinResponse AppBuilderUseExtensions Middleware for Common Features Authentication CORS
- 11. Web API Web API Web API (+ OWIN Adapter) Self Host Web Host OWIN WCF ASP.Net ASP.Net (+ OWIN Bridge) Service / Exe IIS IIS Hosting v1 Hosting v2 Web API (+ OWIN Adapter) OWIN Process/Host (+ OWIN Bridge) No System.Web dependency
- 12. Host Web API 2 OWIN MessageHandler (global/per-route) Authentication Filter Authorization Filter Host/Framework independent concerns, E.g. authentication Web API cross-cutting concerns, E.g. CORS authorization Host OWIN Server Middleware 1 Middleware 2 ApplicationClient
- 14. Windows Authentication • AD Integrated • Client and Server are on a domain • The User is a domain account <system.web> <authentication mode="Windows" /> </system.web> public static IAppBuilder UseWindowsAuthentication(this IAppBuilder app){ object value; if (app.Properties.TryGetValue("System.Net.HttpListener", out value)){ var listener = value as HttpListener; if (listener != null){ listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication; } } return app; }
- 15. Users Clients Do I trust this app ? How can I securely communicate ? API Who is the user ? Who is the client ? What are they authorised to do ?
- 17. Authorisation Server access token Scopes: read, write, delete Alice (Resource Owner) App (Client) Web API (Resource Server) http://tools.ietf.org/html/rfc6749
- 19. Resource Owner Password Credential Flow • User gives its credentials to the client. • The client access the auth server on behalf of the user with the credentials • Client can optionally authenticate with the auth server using Basic authentication scheme. • Auth server returns an access token – typically with a short expiry time
- 20. Resource Owner Password Credential Flow • The client then access the Resource Server using the access token
- 21. Native / Browser based clients • Credential input is not in the client but in the auth server • No client authentication, client secret not embedded in a public device • Client opens a web view to auth server • Auth server will show a login page and a consent screen • Auth server redirects to the callback URL (# fragment) • Client extracts the access token and expiry • Client uses the access token to access the resource server
- 22. Server based clients Clients can securely store client secret and client can authenticate with auth server • Client opens a web view to auth server • Auth server will show a login page and a consent screen • Auth server only sends a authorisation code and access token is not leaked • Client now directly posts to the auth server, authenticates itself and sends the authorisation code • The auth server responds with the access token. The access token is never leaked to the browser. • Access token maybe long lived.
- 23. • So far auth server and resource server are in same trusted subsystem • Allow users to login using Facebook and then using the Facebook identity to access the backend services • Facebook only does authorisation for their own backend not your backend
- 24. Same Origin Policy in Browsers • AJAX requests to a different host, port or protocol will fails • CORS is a W3C standard that allows cross origin http requests • The request itself succeeds but the browser returns an error • Supported in modern browsers only, IE 10+ CORS support in Web API • Install-Package Microsoft.AspNet.WebApi.Cors • WebApiConfig.cs – config.EnableCors(); • Controller.cs – [EnableCors("origin", "headers", "verbs")] public class MyController : ApiController { } Request Header Origin: http://cors.local/ Response Header Access-Control-Allow-Origin: *
- 25. Alternative to OAuth for machine to machine scenario • Authentication scheme using HMAC digest of request and response header • Server and Client shares a secret key for the hash • The key is never is not part of the headers • Client hashes the header with secret key • Server hashes the header with same key and compares the has • Useful when SSL cannot be used Request Header Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", mac="werxhqb98rpaxn39848xrunpaw3489r uxnpa98w4rxn" Response Header Server-Authorization: Hawk mac="YWojrFVgIjgd+RiPacnDwRcL8VtvcMEz ahVfOpoLxoA=", hash="yAF3A3y3uzLvNT2m/nVwsifn1+joCqu 0uNWZS8RSv6Y="
- 26. With thanks to our sponsors
- 27. THANK YOU !