Security in MVC Core by Hugo Biarge
24.01.2017 .NET Core
Security in MVC Core
Agenda
1. Authentication scenarios. Middlewares.
2. Authorization policies
#NETCore2017
Middleware model
Source: Dominick Baier (@leastprivilege)
Authentication middlewares: coordination
AuthenticationManager
• Coordinates the different authentication middlewares that are configured
• Accessible through the new HttpContext
Watch out for AutomaticChallenge
• There must be one configured, but only one!
Demo: features
Common middlewares
Cookies • The most common one for traditional web applications
Social providers • Twitter, Facebook, Microsoft Id, …
OpenId.Connect • Authentication + delegated authorization
JWT • HTTP APIs
Cookies with local users (social providers optional)
Asp.Net Identity
• Built into the project templates
• Separates functionality from persistence (easily adaptable to legacy schemas)
Advanced features
• Account confirmation
• Two-factor authentication
• External providers (for example, social providers)
Demo: Asp.Net Identity
Cookies with external users
Azure Active Directory
• Combination of several middlewares
• OpenId.Connect recommended if the provider supports it
• Cookies to persist the external claims in a local cookie
We still have no support for WS-Federation
• Planned for Asp.Net Core 2.0 (Q2 2017)
Demo: OpenId.Connect
Tokens for HTTP APIs, with local or external users
JWT Middleware
• We need an identity provider (STS, IdP, OP)
• Azure Active Directory for external users
• Identity Server 4 for local users
Different flows depending on the type of application
Cookies and tokens living together in the same web project
ActiveAuthenticationSchemes
• AutomaticAuthenticate must be false in all middlewares

```csharp
// In Authorize attribute
[Authorize(ActiveAuthenticationSchemes = "Bearer")]

// In Startup ConfigureServices
options.AddPolicy("WebApi", policy =>
{
    policy.AuthenticationSchemes.Add("Bearer");
    policy.RequireAuthenticatedUser();
});
```
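An added example (not code from the deck) of a complete ASP.NET Core 1.x Startup that hosts the cookie and JWT bearer middlewares side by side: both have AutomaticAuthenticate = false, the cookie middleware is the single AutomaticChallenge, and each policy names the scheme it consults. The "WebUi" policy name and the Authority/Audience values are placeholders; the 1.x UseCookieAuthentication/UseJwtBearerAuthentication calls were replaced by AddAuthentication/UseAuthentication in 2.0.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthorization(options =>
        {
            // API endpoints: only the Bearer scheme is consulted and challenged.
            options.AddPolicy("WebApi", policy =>
            {
                policy.AuthenticationSchemes.Add("Bearer");
                policy.RequireAuthenticatedUser();
            });
            // Browser endpoints: only the cookie scheme is consulted and challenged.
            options.AddPolicy("WebUi", policy =>
            {
                policy.AuthenticationSchemes.Add("Cookies");
                policy.RequireAuthenticatedUser();
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = false,  // runs only when a policy names it
            AutomaticChallenge = true,      // the single automatic challenge
            LoginPath = new PathString("/Account/Login")
        });
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AuthenticationScheme = "Bearer",
            AutomaticAuthenticate = false,
            AutomaticChallenge = false,     // challenged explicitly through the WebApi policy
            Authority = "https://idp.example.invalid",   // placeholder
            Audience = "api-placeholder"                 // placeholder
        });
        app.UseMvc();   // authentication middlewares must be registered before MVC
    }
}
```

With AutomaticAuthenticate off everywhere, a bare [Authorize] never sees a populated HttpContext.User and always challenges, so every protected action must name a scheme or a policy that does.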
Policy-based authorization: the default authorization mechanism
Allows a clear separation between authorization logic and business logic

```csharp
// In Startup ConfigureServices
services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdministration", policy =>
    {
        policy.RequireRole("Administration");
        policy.RequireClaim("Management");
        policy.RequireClaim("OneOfMany", "a", "b");
    });
});

// Discouraged
[Authorize(Roles = "Administrator")]
// Better
[Authorize(Policy = "Administrator")]
// Best
[Authorize(Policies.Sales)]
```
Policies as code
We define requirements • IAuthorizationRequirement
Which are validated by one or more handlers • AuthorizationHandler<IAuthorizationRequirement>
Imperative authorization, in controllers and/or views
IAuthorizationService
• Can be injected into any controller (or service), or even into views

```csharp
public async Task<IActionResult> Index()
{
    if (await _authorizationService.AuthorizeAsync(User, Policies.Over21))
    {
        // User is authorized here.
        return View();
    }
    else
    {
        return new ChallengeResult();
    }
}
```
Resource-based authorization
AuthorizationHandler<Requirement, Resource>
• Adds the state of a given model to the authorization logic

```csharp
public class ProductAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Product>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Product resource)
    {
        // Logic to validate requirement: call context.Succeed(requirement) when it holds
        return Task.CompletedTask;
    }
}
```
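An added example (not code from the deck) that fills in the handler above with an owner check: any authenticated user may read a Product, only its owner may update or delete it. Product, its OwnerId property, ProductOperations and the repository call in the trailing comment are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

public class Product
{
    public int Id { get; set; }
    public string OwnerId { get; set; }   // subject id of the user who created it
}

public static class ProductOperations
{
    public static readonly OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static readonly OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
    public static readonly OperationAuthorizationRequirement Delete =
        new OperationAuthorizationRequirement { Name = "Delete" };
}

public class ProductAuthorizationHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Product>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Product resource)
    {
        // Any authenticated user may Read; only the owner may do anything else.
        // Not calling Succeed leaves the requirement unmet without vetoing other
        // handlers (context.Fail() would block them all).
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return Task.CompletedTask;

        var isOwner = userId == resource.OwnerId;
        if (requirement.Name == ProductOperations.Read.Name || isOwner)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Register once in Startup.ConfigureServices:
//   services.AddSingleton<IAuthorizationHandler, ProductAuthorizationHandler>();
// Then in a controller action (1.x: AuthorizeAsync returns Task<bool>):
//   var product = await _repository.FindAsync(id);   // hypothetical repository
//   if (!await _authorizationService.AuthorizeAsync(User, product, ProductOperations.Update))
//       return new ChallengeResult();
```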
Demo: authorization
@plainconcepts
THANK YOU! @hbiarge