I'm working on the web app which will be hosted on the client's server.
There are various restrictions/security measures in place and I'm concerned that these can be "hacked" because the client will have a direct access to the ASP.Net user database through the SSMS.
I can think of few ways to stop the user from doing this, but I'm interested to find out whether there are any specific standards that I should follow?
If the client has direct administrative access to the database, there's not much you can do. If these are the client's login details - why is this then a problem?
Related
Apologies in advance for sounding naive but I am new to this and stuck since days to no good.
I have set up LDAP on apache web server using below link and it is working good.
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
I am able to login to the application using a valid account in the directory. Now I want to create a non-ldap user (common user for API access) that can be allowed access through the web server? Is it possible? How?
I would strongly advise to create API accounts in your Active Directory. (in the company I work for, we use that and call them service accounts)
Centralizing access is the best practice, if you start mixing authentication methods in your application/website it can quickly become a nightmare of spaghetti code to maintain.
Centralizing access also improves security by allowing you to manage access in a single place.
If you do not want to go this way, you have the possibility to create a secondary authentication method through local users that would be stored in a database.
If you go this way, please do not store passwords in a non-encrypted way. Look for the following functions: password_hash and password_verify. When using SQL to transact with your database, make sure you do not end up with SQL injection, it can be disastrous to have SQL Injection in your login script.
I am quite new to the world of Xamarin and mobile development, but have been asked to create a simple cross-platform mobile app which is able to log into a secure web server, download some SQL data and then display it in the app.
What I am trying to understand is how to get the mobile app to request the data from my web server securly. I've seen and read a lot of information about requesting data from a web server using HttpWebRequest, but none of the examples describe how to secure this data. Also I see a lot of info about creating a REST API, but again I am not sure if thats the way I need to go?
Can anyone give me a really simple breakdown of the steps I will need to implement in order to achieve this? I feel like I'm drowning in a sea of web technologies and not sure which way to swim :)
I will be using IIS as the database and the Xamarin App will need to run on both iOS and Android.
Any help greatly appreciated!
Mike
It´s a bit confusing the way you want to implement this and the level of security you need. There are many techniques to secure your app and your server. Some are easy to implement and others not so easy.
What I understand is that your application will be hosted on IIS. There is no such thing as a IIS database. IIS is just an application server by Microsoft.
The most common technology hosted in IIS is Asp.NET and Microsoft SQL Server database. But others can be used, like php (installing some extensions) and mysql server. Anyway, using just php in IIS is a bad decision IMO, as there many other light weight and better servers to do that.
Xamarin has nothing to do with server security. Xamarin is just a client technology and the security must reside on your server application.
That said, there are many good practices you should follow to make clients more secure:
Never store user passwords or sensible data on a local store (device database, settings, file system, etc)
As others suggested, send your data to the server through https protocol (SSL must be configured on the server side)
If you must save critical data on the device, use an encryption
algorithm (there are tons of libraries to encrypt local SQL
databases, just google it)
In case you go for Asp.NET I suggest that you go ahead and integrate Asp.Net Identity. It´s the standard authentication/authorization system for ASP.Net and the built-in features will handle you user database as well as security issues you would hardly find out by yourself (ie: storing passwords "as is" in the database is a big security hole)
Afterwards, you will have to choose an authentication (login) system. There are multiple choices but the industry standard would be oAuth2. Use refresh tokens if you want to make oAuth2 more secure. oAuth is supported by Asp.Net identity and Xamarin. For Xamarin you can use an oAuth .NET client library or make simple http calls (HttpWebRequest) to request tokens, refresh tokens, etc.
About REST API: I think that´s the way to go, no matter what client or server stack you´re using. Again, Asp.NET has a WebApi that will enable REST on your application.
If all this sounds like too much, don´t worry. When you create an Asp.Net application in Visual Studio using a template, you will get a ready app with REST (WebApi) and authentication/authorization/security (Asp.Net Identity) by default.
It´s important that you implement oAuth correctly both in the server and the client side. Otherwise you could face some security problems
I tried to do some research on this matter but couldn't really find anything. So, I was just wondering if anyone ever did something like this or if it would even make sense to do it that way:
Lets say, you have a secondary NAB for users who don't have a notes ID but need access to your web-enabled Notes / XPages applications.
Now, a non-notes web application wants to allow the same set of users access to their application.
Could this application use the Domino Web Login, so, user can log in into the non-notes web application?
How would a redirect work after a successful / failed log in attempt?
Would you use JSON / WebServices for that, or how would you implement it?
I know it is a rather general question, but I was just wondering.
Any response would be highly appreciated.
Thank you.
Daniel
If the other server can use LDAP for authentication, then you can configure Domino's LDAP task and set up Domino's Directory Assistance to expose your secondary address book to LDAP, and configure the other server to use the Domino LDAP as it's authentication source.
Note that this is not a single sign-on solution, so separate login will still be required for the non-Domino application. It does get you a single authentication source, though.
So I've read numerous articles on a password system for a web app, and they all seem very confusing. Some say you need to hash your PW's AND establish an https secure connection, others say you just need to hash AND salt your PW's.
I just know, after this has been done millions of times, there's PROBABLY some sort of library out there that can do a bunch of things for me for a password inputted on a client side, and give me something to save securely in my SQL Server 2008 database.
Do I need to worry about all the https secure connection stuff? Can I just make sure I hash the PW correctly? To hash it, do I need any external libraries or can I create a secure user/pw system entirely in .NET?
I've never done this before so any articles, tips, links would be very helpful. Thanks.
If you don't want to roll your own you can always use ASP.Net Membership
ASP.NET membership gives you a built-in way to validate and store user credentials. ASP.NET membership therefore helps you manage user authentication in your Web sites. You can use ASP.NET membership with ASP.NET forms authentication by using with the ASP.NET login controls to create a complete system for authenticating users.
ASP.NET membership supports facilities for:
Creating new users and passwords.
Storing membership information (user names, passwords, and supporting data) in Microsoft SQL Server, Active Directory, or an alternative data store.
Authenticating users who visit your site. You can authenticate users programmatically, or you can use the ASP.NET login controls to create a complete authentication system that requires little or no code.
Managing passwords, which includes creating, changing, and resetting them . Depending on membership options you choose, the membership system can also provide an automated password-reset system that takes a user-supplied question and response.
Exposing a unique identification for authenticated users that you can use in your own applications and that also integrates with the ASP.NET personalization and role-management (authorization) systems.
Specifying a custom membership provider, which allows you to substitute your own code to manage membership and maintain membership data in a custom data store
Configuring an ASP.NET Application to Use Membership
There's also a project on github called Membership Starter Kit for MVC
The default MVC3 Internet Application template (file-new project) has this setup for you already, simply add [Authorize()] to the controllers/methods you want to protect. Don't roll something new, use what's there for you. In addition, please use SSL as someone can easily steal a session by sniffing traffic and simply using your cookie. It's that easy.
Our production web servers ARE NOT part of the domain, but we'd like people to be able to log in automatically since they are logged into the domain on their PC.
Is there anyway to get the browser (IE7+) to send the appropriate information to the server (IIS6) so I can retrieve the ServerVariables["AUTH_USER"] or ServerVariables["LOGON_USER"]?
I presume the answer is no since if I set the security for windows auth to "on" and anonymous access to "off", then the server wouldn't know what do do with any user information for a domain which it has no knowledge of. I just want to know for sure before I give the SSO team a "not possible" answer.
I have implemented IWA for one of my projects and I am afraid the answer is NO, you can't use it when the server is in other domain.
IIS won't be able to communicate to the server through IWA in this case.