SOLVING AUTHENTICATION, AUTHORIZATION AND IMPERSONATION TASKS IN ASP.NET APPLICATIONS USING ASPECT-ORIENTED APPROACH

Authors:
City:
Hanoi
University:
Date:
9 March 2016

Abstract — This article describes and analyzes the basic security tasks in ASP.NET applications: authentication, authorization and impersonation. A method of applying aspect-oriented programming to solve these tasks is proposed, and authentication, authorization and impersonation aspects are developed in the Aspect.NET system.

Keywords — Aspect-Oriented Programming, Aspect.NET, Authentication, Authorization, Impersonation.

Introduction.

Aspect-Oriented Programming (AOP) [1] is a promising approach to software engineering intended for the development of cross-cutting concerns: ideas, methods, functionalities and considerations in software development that cannot be implemented as one generalized procedure (e.g., a class hierarchy) and whose implementation requires a number of tangled actions to be injected into different parts of the existing code of a target application. In other words, a cross-cutting concern is a (new) functionality to be added to the target application whose implementation is dispersed across the application code. AOP thereby allows new functionality, including functionality related to web programming, to be added and modified systematically. A detailed description of AOP is given in [1-3].

Web programming currently plays an important role in software development. Web applications develop quickly and are gradually replacing desktop applications, and their development is an important direction in the evolution of computer technologies, operating systems, network architectures and application programs. Applying aspect-oriented programming to web programming is therefore valuable to the software development community: it allows developers to reduce the time, cost and complexity of development, to simplify the maintenance and modification of web-based products, and to create reliable and secure web applications.

This article considers the application of AOP to implementing basic security tasks in ASP.NET applications on the basis of the Aspect.NET [4] system. Aspect.NET is an AOP toolset for the .NET platform developed at the Java technology laboratory of the faculty of mathematics and mechanics, Saint-Petersburg State University, led by Professor V.O. Safonov. The goals of the article are to describe and analyze the authentication, authorization and impersonation tasks in ASP.NET applications, to propose a method of applying aspect-oriented programming to solve these tasks, and to develop authentication, authorization and impersonation aspects in the Aspect.NET system.

Basic security tasks in ASP.NET applications.

Web application security is an important task of web programming. ASP.NET application security is based on three basic operations:

· Authentication is the process of identifying a user for access to an application resource (part of a site, a page, a database). Authentication is based on verification of user information (e.g. username and password);

· Authorization is the process of granting a user access based on the authentication data;

· Impersonation is a mechanism by which the ASP.NET server process executes with the permissions of the authenticated user. This mechanism works only with Windows authentication.

ASP.NET provides convenient mechanisms for implementing these operations [5, 6]. When developing web applications it is often necessary to implement user authentication and authorization programmatically, or to impersonate a certain fragment of code in web applications with Windows authentication. These actions may be repeated in different application modules.

The basic operations of ASP.NET security (authentication, authorization, impersonation) are realized by two approaches: configurable security and programmatic security. Configurable security concerns access to the URLs of a website, i.e. URL security is configured in the web.config file of the web application. In this case authentication, authorization and impersonation are performed per page. Configurable security is described in more detail in [5, 6].


Programmatic security concerns permission checks in application code. There are several options for programmatic security:

a. Explicit security check using the IPrincipal interface (the User property of the page object System.Web.UI.Page is an object of a class implementing System.Security.Principal.IPrincipal):

Authentication:

    if (User.Identity.IsAuthenticated) {
        ...
    }

Authorization (roles check):

    if (User.Identity.IsAuthenticated
        && User.IsInRole("Admin")) {
        ...
    }

b. Using the PrincipalPermission class for the security check:

Authentication:

    PrincipalPermission pp = new PrincipalPermission(null, null, true);
    pp.Demand(); // equivalent to the check: if (User.Identity.IsAuthenticated)
    // Do business action

Authorization:

    PrincipalPermission pp = new PrincipalPermission(null, "Admin", true);
    pp.Demand(); // throws SecurityException if the user is not authenticated in role "Admin"
    // Do business action

c. Impersonating code with the permissions of the authenticated user:

    WindowsIdentity windowsID = User.Identity as WindowsIdentity;
    if (windowsID != null) {
        WindowsImpersonationContext wiContext = windowsID.Impersonate();
        try {
            // Do something here with the permissions of the authenticated user
        }
        finally {
            wiContext.Undo(); // always revert, even if the impersonated code throws
        }
    }

Depending on the characteristics of a particular web application, either configurable security, programmatic security, or both approaches are used.

Using aspect-oriented programming for implementing basic security tasks.

The above analysis shows that traditional OOP-based approaches can solve the basic security tasks in ASP.NET applications: the solution of each task is typically implemented in a separate module or set of modules, and the developer calls these modules at the needed execution points of the code. A problem arises when the modules must be used at many execution points of the application, for example when authentication must be checked repeatedly at different points: the code size grows because the call (or implementation) of the task is repeated and scattered across the code. A developed web application may also need to be modified to add new functionality (cross-cutting concerns) such as the tasks considered here, for example checking authorization or impersonating code with the permissions of the authenticated user. In this case the application code would have to be changed by hand, implementing the functionality in modules and manually adding calls to these modules at the needed execution points.

Proceeding from these preconditions, we suggest using AOP to solve the mentioned tasks when developing ASP.NET applications. With AOP, each task (or functionality) is implemented in an aspect as a set of actions; weaving conditions are then defined that determine the execution points these actions are woven into, after which the weaver of the Aspect.NET system is invoked. The aspect actions are added automatically by the weaver into the join points (i.e. the needed execution points) defined by the aspect's weaving conditions. The target web application is thus modified at the MSIL code level.

For practical confirmation of the described idea, it was decided to develop aspects supporting the above-listed tasks using the Aspect.NET system, whose advantages compared with other AOP tools for .NET are described in [2].

The following aspects have been developed: a web authentication aspect, a web authorization aspect and an impersonation aspect.

These aspects were developed in Microsoft Visual Studio 2008 using Aspect.NET.

Suppose that our application has some business logic implemented in a class named BusinessLogic. This class has business actions (methods) that are available only to authenticated users or to a group of users (DoSomething, DoSomethingWithAdminRole) and an action (method) that must be impersonated (DoImpersonationTask). For example:

    public class BusinessLogic
    {
        virtual public void DoSomething() { }
        virtual public void DoSomethingWithAdminRole(string a0, int a1) { }
        virtual public void DoImpersonationTask() { }
    }

Let's create a security aspect named WebSecurityAspect and add to it the following authentication, authorization and impersonation actions.

Authentication action:

    [AspectAction("%instead %call BusinessLogic.*")]
    public static void AuthenticationAction()
    {
        IPrincipal User = HttpContext.Current.User;
        if (User.Identity.IsAuthenticated)
        {
            // call the intercepted target method via reflection
            MethodInfo method = (MethodInfo)TargetMemberInfo;
            method.Invoke(TargetObject, null);
        }
        else
        {
            // Throw exception or do other action
        }
    }

The weaving condition "%instead %call BusinessLogic.*" means that the aspect action AuthenticationAction() will be called instead of any call to a method of the class BusinessLogic. In this action we check whether the user is authenticated using the property IPrincipal.Identity.IsAuthenticated. If the user is authenticated, the action of the target object is allowed to proceed, i.e. the target method of the BusinessLogic object is called using reflection. If not, either an exception is thrown or another action is performed.

Authorization action:

    [AspectAction("%instead %call *.DoSomethingWithAdminRole(..) && %args(..)")]
    public static void AuthorizationAction(string a0, int a1)
    {
        IPrincipal User = HttpContext.Current.User;
        if (User.Identity.IsAuthenticated && User.IsInRole("Administrator"))
        {
            // forward the captured arguments to the intercepted target method
            MethodInfo method = (MethodInfo)TargetMemberInfo;
            method.Invoke(TargetObject, new object[] { a0, a1 });
        }
        else
        {
            // Throw exception or do other action
        }
    }

Impersonation action:

    [AspectAction("%instead %call *Imperson*")]
    public static void ImpersonationAction()
    {
        WindowsIdentity windowsID = HttpContext.Current.User.Identity as WindowsIdentity;
        if (windowsID != null)
        {
            WindowsImpersonationContext wiContext = windowsID.Impersonate();
            try
            {
                MethodInfo method = (MethodInfo)TargetMemberInfo;
                method.Invoke(TargetObject, null);
            }
            finally
            {
                wiContext.Undo(); // revert to the process identity even if the target throws
            }
        }
        else
        {
            // Throw an exception or do another task
        }
    }

The weaving condition "%instead %call *Imperson*" means that the aspect action ImpersonationAction() will be called instead of any call to a method whose name satisfies the pattern *Imperson* (i.e. contains "Imperson"). In this action we check whether the authentication mode is Windows authentication (the identity is a WindowsIdentity) and, if so, impersonate the user while calling the target method; otherwise an exception is thrown or another task is performed.

With our aspects, the developer of the target web application needs only to call the business logic methods; the security checks are woven in without any change to the calling code.
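The three checks that the programmatic-security options above and the aspect actions perform, gathered into one helper that fails closed and always reverts impersonation, as an added example that is not the paper's or Aspect.NET's code. The class name SecurityPolicy and its method names are assumptions; it targets .NET Framework, where WindowsIdentity.Impersonate() and WindowsImpersonationContext exist, and runs offline with a constructed GenericPrincipal:

```csharp
using System;
using System.Security;
using System.Security.Principal;
// Added example (not from the paper): authentication, authorization and impersonation
// checks in one helper. SecurityPolicy is a hypothetical name; targets .NET Framework.
public static class SecurityPolicy
{
    // Authentication: run the action only for an authenticated principal.
    public static void RequireAuthenticated(IPrincipal user, Action action)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated."); // never fall through silently
        action();
    }

    // Authorization: authenticated AND member of the required role.
    public static void RequireRole(IPrincipal user, string role, Action action)
    {
        RequireAuthenticated(user, () =>
        {
            if (!user.IsInRole(role))
                throw new SecurityException("Caller is not in role '" + role + "'.");
            action();
        });
    }
    // Impersonation: only possible with Windows authentication. Undo() runs in
    // finally so the worker thread never keeps the user's token after an exception.
    public static void RunImpersonated(IPrincipal user, Action action)
    {
        WindowsIdentity windowsId = user == null ? null : user.Identity as WindowsIdentity;
        if (windowsId == null)
            throw new InvalidOperationException("Impersonation requires Windows authentication.");
        WindowsImpersonationContext ctx = windowsId.Impersonate();
        try { action(); }
        finally { ctx.Undo(); }
    }

    // Offline demonstration with a constructed principal (in ASP.NET the
    // principal would be HttpContext.Current.User).
    public static void Main()
    {
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "User" });
        RequireAuthenticated(alice, () => Console.WriteLine("DoSomething: allowed"));
        try { RequireRole(alice, "Admin", () => Console.WriteLine("never printed")); }
        catch (SecurityException e) { Console.WriteLine("DoSomethingWithAdminRole denied: " + e.Message); }
        try { RunImpersonated(alice, () => { }); }
        catch (InvalidOperationException e) { Console.WriteLine("DoImpersonationTask denied: " + e.Message); }
    }
}
```

Each call site decides the policy explicitly, so a method that is neither wrapped nor woven is visible in code review rather than silently unprotected.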

Conclusion.

In this article, a method of applying aspect-oriented programming to the authentication, authorization and impersonation tasks in ASP.NET applications is proposed. Basic security aspects have been developed in the Aspect.NET system: a web authentication aspect, a web authorization aspect and an impersonation aspect. With the help of the developed aspects, the code size, the probability of software errors, and the time and cost of development are reduced.

List of references

1. Aspect-oriented software development web site: http://aosd.net

2. Safonov V.O. Using aspect-oriented programming for trustworthy software development. Wiley Interscience, John Wiley & Sons, 2008.

3. Safonov V.O. Practical guide to aspect-oriented programming system Aspect.NET. Computer tools in education, 2008, № 2.

4. Aspect.NET project web site: http://www.aspectdotnet.org

5. Matthew MacDonald, Mario Szpuszta. Pro ASP.NET 3.5 in C# 2008. Apress, 2008. ISBN 1-59059-893-8.

6. Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication: http://msdn.microsoft.com/en-us/library/aa302388.aspx