Safe to authenticate with ASP.NET MVC 3 site from Windows application? - security

I have a basic ASP.NET MVC 3 site using Forms authentication, which will be internet-facing.
I also want to implement a Windows application, purely for intranet usage, which will allow users to maintain various aspects of the ASP.NET user database (it has additional tables and fields beyond the stock schema).
My initial thoughts are that I could do this by having various actions in my controller classes, into which I could pass a dedicated username/password and then within each action method validate those credentials using Membership.ValidateUser() .
I realise I could use mixed-mode authentication with Windows authentication for the intranet part but this seems to me like a lot of unnecessary faffing since the intranet users won't be using a browser to do this.
The Windows application will running on the corporate intranet and will be accessing those MVC 3 actions on the website via internal HTTP requests using this dedicated username/password in the query string.
Question: Is this safe enough?

Hi we have a similar situation, we chose to build the management interface into the web application and using ASP_NET Roles to give access to it.
Otherwise (not sure how it works) but in the properties of a Windows Forms project you have the option of using forms authentication, this could possibly be a better solution.

Related

Xamarin App secure web server login

I am quite new to the world of Xamarin and mobile development, but have been asked to create a simple cross-platform mobile app which is able to log into a secure web server, download some SQL data and then display it in the app.
What I am trying to understand is how to get the mobile app to request the data from my web server securly. I've seen and read a lot of information about requesting data from a web server using HttpWebRequest, but none of the examples describe how to secure this data. Also I see a lot of info about creating a REST API, but again I am not sure if thats the way I need to go?
Can anyone give me a really simple breakdown of the steps I will need to implement in order to achieve this? I feel like I'm drowning in a sea of web technologies and not sure which way to swim :)
I will be using IIS as the database and the Xamarin App will need to run on both iOS and Android.
Any help greatly appreciated!
Mike
It´s a bit confusing the way you want to implement this and the level of security you need. There are many techniques to secure your app and your server. Some are easy to implement and others not so easy.
What I understand is that your application will be hosted on IIS. There is no such thing as a IIS database. IIS is just an application server by Microsoft.
The most common technology hosted in IIS is Asp.NET and Microsoft SQL Server database. But others can be used, like php (installing some extensions) and mysql server. Anyway, using just php in IIS is a bad decision IMO, as there many other light weight and better servers to do that.
Xamarin has nothing to do with server security. Xamarin is just a client technology and the security must reside on your server application.
That said, there are many good practices you should follow to make clients more secure:
Never store user passwords or sensible data on a local store (device database, settings, file system, etc)
As others suggested, send your data to the server through https protocol (SSL must be configured on the server side)
If you must save critical data on the device, use an encryption
algorithm (there are tons of libraries to encrypt local SQL
databases, just google it)
In case you go for Asp.NET I suggest that you go ahead and integrate Asp.Net Identity. It´s the standard authentication/authorization system for ASP.Net and the built-in features will handle you user database as well as security issues you would hardly find out by yourself (ie: storing passwords "as is" in the database is a big security hole)
Afterwards, you will have to choose an authentication (login) system. There are multiple choices but the industry standard would be oAuth2. Use refresh tokens if you want to make oAuth2 more secure. oAuth is supported by Asp.Net identity and Xamarin. For Xamarin you can use an oAuth .NET client library or make simple http calls (HttpWebRequest) to request tokens, refresh tokens, etc.
About REST API: I think that´s the way to go, no matter what client or server stack you´re using. Again, Asp.NET has a WebApi that will enable REST on your application.
If all this sounds like too much, don´t worry. When you create an Asp.Net application in Visual Studio using a template, you will get a ready app with REST (WebApi) and authentication/authorization/security (Asp.Net Identity) by default.
It´s important that you implement oAuth correctly both in the server and the client side. Otherwise you could face some security problems

Authentication for mobile web applications

I am new to mobile web programming - having spent a lot of time designing back end Windows services and some IOS native programming recently.
We are in the process of designing a new app for usage by our end clients. We need it to be light weight, responsive and also work on all mobile devices - IOS, Android and Win 8. After much research we have narrowed down to using HTML 5 based JS framework - namely either Chocolate Chip UI or Phone JS. Server side code is PHP.
I have a question about the best practices for authentication when it comes to mobile Web applications and sites
We could present the login form with user details and post to server/authenticate and write to an authentication cookie and then redirect to an HTML 5 page from which point on all data GET and POST is using REST Calls.
Or not post to server but authenticate using a service and store an authenticated token or cookie and check when requesting/posting data.
But are the above methods still relevant - since i have never had to deal with UI authentication before - what are the best methodologies when designing mobile web apps specially with regards to authentication?
Im my JAVA EE projects, I'm using a JDBC Realm for storing users, passwords and roles and JAVA EE build-in Container Managed Security for securing my webpages bases on the roles. If a user is not authenticated a Form will be shown where he or she has to enter the security information. The web pages get data access by services with CRUD functionality.
For Android, Java FX, WPF and so on I'm using a Restful Interface wrapping the Java specific service to support different programming languages combined with OAuth2 (http://oauth.net/2/). A few benefits of OAuth2 are that no user name and password must be stored on the client side, the obtained token can be refreshed and you could seperate parts of your services by using scopes (read-only, full, only calender access,...) befined by yourself. The tokens must be stored in a database and mapped to the user principal it belongs to if a REST service will be accessed. Your users can be also allowed to register own third-party applications using specific scopes of the REST interface.
Herr is an example implementation: https://github.com/OpenConextApps/apis/blob/master/README.md and here some information about JAVA EE security: http://docs.oracle.com/javaee/7/tutorial/doc/security-webtier.htm#BNCAS

User/PW System for an MVC 3 app

So I've read numerous articles on a password system for a web app, and they all seem very confusing. Some say you need to hash your PW's AND establish an https secure connection, others say you just need to hash AND salt your PW's.
I just know, after this has been done millions of times, there's PROBABLY some sort of library out there that can do a bunch of things for me for a password inputted on a client side, and give me something to save securely in my SQL Server 2008 database.
Do I need to worry about all the https secure connection stuff? Can I just make sure I hash the PW correctly? To hash it, do I need any external libraries or can I create a secure user/pw system entirely in .NET?
I've never done this before so any articles, tips, links would be very helpful. Thanks.
If you don't want to roll your own you can always use ASP.Net Membership
ASP.NET membership gives you a built-in way to validate and store user credentials. ASP.NET membership therefore helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication by using with the ASP.NET login controls to create a complete system for authenticating users.
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.
Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting them . Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.
Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store
Configuring an ASP.NET Application to Use Membership
There's also a project on github called Membership Starter Kit for MVC
The default MVC3 Internet Application template (file-new project) has this setup for you already, simply add [Authorize()] to the controllers/methods you want to protect. Don't roll something new, use what's there for you. In addition, please use SSL as someone can easily steal a session by sniffing traffic and simply using your cookie. It's that easy.

Using sharepoint to pass credentials to other sites

being completely new to the Sharepoint scene, I was wondering what basic solutions are to the problem I'm facing.
I have 2 different webapplications, which are both accessed by my clients by different logins.
I want to simplify things and let them just log in on a Sharepoint application, so they have 2 links on their portal to the webapplications, without having to login again, preferably without changing the existing webapplications.
Is this possible using the Secure Store Service in Sharepoint 2010? Or are there better options?
What kind of authentication mechanism you use on your sites? Maybe you should consider using Windows Integrated Authentication and not handle the whole authentication issue at all?
If you are using forms authentication, you can point sharepoint at the same authentication database as your other applications.

How can I protect ASP.NET sites behind a Windows password and forms authentication?

I'm developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting the site. Since I don't want to expose the site to the entire internet, I need to password protect it while still allowing forms authentication to be in use.
Mixing of Windows and forms authentication doesn't work. Is there a standard way of doing this? I would have to think this is a common scenario. The article on MSDN doesn't seem to apply to my situation: http://msdn.microsoft.com/en-us/library/ms972958.aspx
Update: The first two answers suggest adding in standard IIS basic/digest authentication. As far as I know, this is not compatible with forms authentication because the user's identity will be set to the Windows account, not the identity used through forms authentication. I need the two to be completely independent. Any thoughts?
You could protect it in IIS, give those details to the external parties, and leave the forms auth as it is.
Disable anonomous access to force the users to login via a windows account before accessing the site.
I knew a guy who did this using Apache and a reverse proxy.
http://www.apachetutor.org/admin/reverseproxies
Well unfortunately what you're trying to do is not possible in IIS7 (integrated mode), but there is a workaround. I suggest you to read this article written by Mike Volodarsky a former program manager for IIS7 at Microsoft. Article addresses your problem and there is even a sample code you could use.

Resources