I spoke at the New England Microsoft Developers (NEMD) user group last night and gave a talk about security in ASP.NET Core. (A lot of this content is also covered in my new Pluralsight class on ASP.NET Core architecture.)
Implementing Security in ASP.NET Core: Claims, Patterns, and Policies
There are two sides to security: Authentication and Authorization. Authentication is logging in to an application and establishing who you are. Authorization is figuring out what the user is allowed to do and making sure that they can't do things that they aren't supposed to.
I don’t know about you but sometimes it feels like everyone focuses on authentication and forgets about the authorization stuff.
In this session, we'll focus on implementing Authorization in ASP.NET Core MVC and WebAPI. We'll talk about claims-based security in ASP.NET Core, writing custom ASP.NET Core Middleware, and authorizing using ASP.NET Policies, Authorization Requirements, and Authorization Handlers. Along the way, we'll talk about how to use the Strategy Pattern to encapsulate authorization decisions in your app so that your security code stays clean and maintainable.
Here are some of the topics that are covered in the slides and sample code for this talk:
- Authentication vs Authorization
- Role-based Security
- Claims-based Security
  - ClaimsIdentity
  - ClaimsPrincipal
- [Authorize] attribute
  - Ensure that the user is logged in using [Authorize]
  - Authorize based on role membership using [Authorize(Roles = "{role name}")]
  - Authorize based on a security policy using [Authorize(Policy = "{policy name}")]
- ASP.NET Security Policies, Authorization Handlers, and Authorization Requirements
  - EditPresidentRequirement.cs
  - EditPresidentHandler.cs
- Configuring ASP.NET Security Policies via Startup.cs
  - AddAuthorization()
  - AddPolicy()
  - AddSingleton<IAuthorizationHandler, EditPresidentHandler>()
- ASP.NET Identity for ASP.NET Core
  - https://github.com/aspnet/AspNetCore/tree/master/src/Identity
  - Configure via Startup.cs
    - services.AddIdentity<IdentityUser, IdentityRole>()
  - Configuring security options
    - AddRoleManager()
    - AddDefaultUI()
    - AddDefaultTokenProviders()
    - AddEntityFrameworkStores()
- ASP.NET Middleware
  - Using Middleware to modify claims and add custom claims
  - PopulateSubscriptionClaimsMiddleware.cs
  - MiddlewareExtensionMethods.cs
- Using the Strategy Pattern to Organize Security Logic & Authorization Decisions
  - Strategy Pattern
  - IUserAuthorizationStrategy.cs
  - DefaultUserAuthorizationStrategy.cs
  - IUserClaimsPrincipalProvider.cs
  - HttpContextUserClaimsPrincipalProvider.cs
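As an added example (not the talk's sample code), here is a single-file sketch of how the policy, requirement, handler and middleware pieces above fit together in a Startup-style ASP.NET Core app: a requirement, the handler that evaluates it against the ClaimsPrincipal, middleware that adds a custom claim before authorization runs, the Startup registration, and a controller action gated by the policy. The class names mirror the file names listed above, but the implementation, the "EditPresident" policy name, the "Admin" role, the "subscription" claim and the cookie authentication scheme are all assumptions made for illustration.

```csharp
// Added example, not the talk's sample code. Assumed: an "EditPresident" policy
// that permits edits by users in the "Admin" role OR users whose hypothetical
// "subscription" claim is "premium"; that claim is added per-request by middleware.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// 1. Requirement: a marker type carrying the policy's parameters (none here).
public class EditPresidentRequirement : IAuthorizationRequirement { }

// 2. Handler: decides whether the current user satisfies the requirement.
public class EditPresidentHandler : AuthorizationHandler<EditPresidentRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, EditPresidentRequirement requirement)
    {
        var user = context.User;
        if (user.IsInRole("Admin") ||
            user.HasClaim(c => c.Type == "subscription" && c.Value == "premium"))
        {
            context.Succeed(requirement);
        }
        // Do NOT call context.Fail() on the "no" path: an unmet requirement just
        // leaves the decision to other handlers for the same requirement. Fail()
        // is a hard veto that overrides every Succeed(), so reserve it for that.
        return Task.CompletedTask;
    }
}

// 3. Middleware that adds a custom claim to the signed-in user. Must run after
//    UseAuthentication() (so HttpContext.User is populated) and before
//    UseAuthorization() (so the policy handler can see the new claim).
public class PopulateSubscriptionClaimsMiddleware
{
    private readonly RequestDelegate _next;
    public PopulateSubscriptionClaimsMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        if (context.User?.Identity is ClaimsIdentity identity &&
            identity.IsAuthenticated &&
            !identity.HasClaim(c => c.Type == "subscription"))
        {
            // Constructed lookup for the example; a real app queries its subscription store.
            var level = identity.Name == "alice" ? "premium" : "free";
            identity.AddClaim(new Claim("subscription", level)); // lives only for this request
        }
        await _next(context);
    }
}

public static class MiddlewareExtensionMethods
{
    public static IApplicationBuilder UsePopulateSubscriptionClaims(this IApplicationBuilder app)
        => app.UseMiddleware<PopulateSubscriptionClaimsMiddleware>();
}

// 4. Startup wiring: policy + handler registration and middleware ordering.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Plain cookie auth keeps the example self-contained; with ASP.NET Identity
        // you would call services.AddIdentity<IdentityUser, IdentityRole>() instead.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("EditPresident", policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new EditPresidentRequirement()));
        });
        services.AddSingleton<IAuthorizationHandler, EditPresidentHandler>();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UsePopulateSubscriptionClaims(); // order matters: between authn and authz
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// 5. Usage: the action is gated by the named policy, not by inline role checks.
public class PresidentsController : Controller
{
    [Authorize(Policy = "EditPresident")]
    public IActionResult Edit(int id) => View();
}
```

Two points worth checking in your own app: the claim-populating middleware has to sit between UseAuthentication() and UseAuthorization(), otherwise the handler evaluates a principal that never received the claim; and a claim added this way is not persisted to the cookie or token, so it is recomputed (and can be revoked) on every request, which is usually what you want for entitlement data.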
Once again, here are the links to download the content.
Enjoy!
-Ben