I am using MVC and Nhibernate in my application. How can i improve security of my application using proper authentication and authorization?
Right now i am using asp.net mvc authentication.
The question is frankly too open. "Proper" authentication and authorization depends on what your application is doing and the data it accepts, stores and outputs. For example twitter's authentication strategy is very different to that of your bank's on-line banking service.
There's also more to it than authentication and authorization, there's XSS, CSRF, Cryptography, Information Leaks and more. Start with the OWASP Top 10 and go from there. However this will not show you the code, because you can't be generic about this, it always needs tailored to the application being secured.
I would suggest you to scan your site for vulnerabilities using some of these great solutions.
Personally, i find this extremely useful.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 1 year ago.
Improve this question
I am currently looking into splitting up a .Net Core project and I am not sure on which technologies to employ.
Lets say that I wanted to create a website where authenticated users could look op book titles:
I would like the project structured like this:
.Net Core web application using MVC (All UI in here)
.Net Core Wep api for authentication users (Authenticating users against database here)
.Net Core wep api for Book titles (return titles if user is validated)
Application flow would be the following:
User goes to UI web page and is met by login-screen. User enters username/password and then UI will send a login request to the Authentication-API. Authentication API should return some sort of data that the UI can store in the users session to verify that the user is validated for the next period of time.
When the user want's to get the book titles, the WEB UI should send the existing authentication data to Book Titles API. The book title api should then verify that the user is still authenticated and return the book titles if so.
My question is, what is "best practice" in regards to this setup. I have read a lot of different things about JWT tokens/JWE, Cookies and so forth, and I am having a bit of trouble finding my way in it.
Could my Authentication API use Identity framework, and could that information be passed around to other API's or should I use cookie authentication and how would do that?
In the project future I would like to be able to create an App that should also be able to access the Authentication and Book title API's not worrying about the .Core UI project.
Is there anyone out there who can point me in the correct direction here or have some good recent articles/references I could look into.
Best regards
I understand your thoughts around designing the solution. The things you have mentioned above looks appropriate and do not see any issues. But I would like to recommend few things when it comes to selecting the right authentication framework
If you are thinking to integrate your application with some IDP like google or okta etc then you need to define the protocol you will be using. One of most popular is OIDC.
Look for some of standard flows for you application. If you are having client-server architecture, you can opt for either implicit flow (less recommended due to security issues ) or authorization code flow
.Net has very nice support on using OIDC for application.
When using the OIDC, you are eligible for session store, access_toke which is Shot TTL token and can be used between application to communicate with each other.Know more about it here
The complete authentication process with right flow and integrated application will be taken care by IDP, you just need right configuration, library/framework support to do it.
Using OIDC also give you benefit to not fall into any OWASP issues.
On top of that you just need to deal with authorization logic which is very common and application specific
One of IDP you can try for free and on cloud is Okta
Another option if you are using your own authentication framework,
You can implement you own identity server framework
Check this articles Using .net core with identity server. You can host you identity server or expose API of same using your application.
Git hug link for IdentityServer4
You can find a ready made solution with sample projects using this solution on below git repository:
IdentityServer4 Implementation with ASP.NET Core
You can find there an auth server which authenticates the username/password and gives back token. That token is used to access an MVC app as well as a secure API.
I wanted to know how can I implement the SSO authentication between multiple applications using the SAML in ASP.NET Core?
Is this a safe and secure way to do it?
If you know the information, better free method or how to implement it, write it down.
Thanks in advance.
I don't think free method exists. Unless you want to implement solution from scratch by yourself, which seems to be a lot of work to do.
So, if it's an option you could use some commercial solutions. I have experience working with ComponentSpace.Saml2. Configuration is pretty straightforward - you need to fill and store a bunch of configuration items such as identity providers' params, certificates data, login and logout endpoints. Then controller needs to be built, containing methods for initiating saml request and processing response from identity provider. That's just infratructure level - of course you'll need to implement authentication service to manage SAML response and to decide how it integrates into your app's architecture.
Well, as you can see, the answer is general, so is the question.
Hope this helps. At least to choose right path to go.
Have done a lot of search and reading over the WEB but could not come to any conclusion yet.
We are planning to develop a list of API's (planning to use ASP.NET WEB API). One of the business goals is to package the API and selling/licensing the Packages/API to end users.
Some thoughts that came to consideration:
Using Authorisation Filters to do check against database, if the user requesting the API has access to it or not. Not very sure of the implementation details yet even on this approach.
Are there any better suggestions or ideas or any open source libraries that we can go with?
What are the possible recommendation or best practices to achieve this.
Thanks in advance.
Please take a look at the following links. Hopefully, they help.
Web API creating API keys
How to secure an ASP.NET Web API
Is there a single sign-on solution with completely RESTful API installable on my server? I have looked at OpenAM, which have some of the API available through HTTP/JSON, but not all (and seems too heavy, but if it had all the API, I'd not care).
Do you know of solution for authorization, authentication and identity management that can be used for single sign-on and has all (maybe without setting admin password and such critical issues) its API available though HTTP(S)/JSON?
I have no need for Java API etc., HTTP(S)+CLI for setup is only thing I look for. That is, I doin;t realkly care what the solution is implemented in (no need for Java EE etc.) as far as it does its job and it is secure.
Have you seen Mozilla's new Persona solution built on BrowserID? It does a lot, but it's hard to know if it's sufficient for you without more details about how integrated you need the authorization to be.
You might want to look at Stormpath. They're the largest identify management service (for developers) -- and they are all REST + JSON API backed.
I have been challenged with the task of coming up with an authentication/authorization strategy for a pretty big WCF API. My task is to implement security on this API from clients who might be a website, a mobile app, or an internal/network admin user (which is pretty much the goal of any solid API).
I have looked into Windows Identity Foundation and federated security, but it relies on WS-* and my clients might be using REST or a non-SOAP protocol. So, my question:
Is there a security strategy (per method call, preferably using attributes) for WCF that does not rely on SOAP or involve reams of configuration files?
I realize there's probably no catch-all solution. I'm really looking for ideas or suggestions. This turns out to be a really tricky challenge.
Basic Authentication and HTTPS is a straightforward and "secure enough" solution for most API authentication requirements.
When you say "per method call", I'm getting the impression that are talking about authorization. For that you are probably going to have to roll something yourself. The upcoming Microsoft Web Api framework has some good extension points that will make this type of functionality much easier to implement. It shouldn't be too long before someone implements a reusable module for this framework that you can just plug in.