I’ve finally wrapped up updating the SmartCardAuthenticationModule. The link to the download is at the end of this post. A complete write-up of the previous version can be found here: http://securitythroughabsurdity.com/2007/04/implementing-smartcard-authentication.html
Changes / Improvements
* Added support for ASP.NET Membership, which means support for Profiles and Roles as well.
* Removed all custom database requirements from the Module. If custom DB access is needed, this can be implemented in a Global event.
* Removed the SmartCardPrincipal class. Smart Cards only help establish identity and don’t provide any role membership information, so I opted to remove the class and instead just wrap the identity in a GenericPrincipal. If the ASP.NET Role provider is being used, the Role module will automatically wrap the SmartCardIdentity in a RolePrincipal. Implementers can also add custom event code in the Global to use any Principal of their choice.
* Added ASP.NET Health Monitoring events for auditing successful and failed logins, as well as when Membership accounts are created.
* Added support for custom error pages on a 401 Unauthorized.
* Added the following Smart Card Authentication Module events:
o Authenticate
o FailedMembershipAuthentication
o MembershipValidating
o MembershipUserCreated
o MembershipUserCreating

OOTB Behavior
The out-of-the-box behavior for the Smart Card Authentication Module is as follows:
1. With ASP.NET Membership – The first time a user visits the web site, the Smart Card Authentication Module will automatically create a Membership account in a disabled state. The new MembershipUser will not have access until the account is enabled through the Membership Admin. For users who visit the site and already have a Membership account, the Module will call the Membership.Validate() method and will only allow them access if their Smart Card is the same as it was when they enrolled and the account is enabled.
2. With ASP.NET Membership and ASP.NET Roles – The RolePrincipal will contain the SmartCardIdentity. IsInRole() checks will work as expected and the SmartCardIdentity will also be available.
3. Without ASP.NET Membership/RoleProvider enabled – the SmartCardAuthenticationModule will authenticate the user and attach a GenericPrincipal with NO ROLES to HttpContext.User. To provide custom roles (when not using the ASP.NET RoleProvider), subscribe to the SmartCardAuthentication_Authenticate event in Global.asax and attach an IPrincipal containing the roles appropriate for authorization.

Installation
Configure the Web project to have a reference to the SmartCardAuthenticationModule. This can be accomplished in one of two ways:
1. Add a reference to SmartCardAuthentication.dll to the web application project.
2. To have the Smart Card Authentication Module source available in the solution, add the SmartCardAuthentication Project to the Solution containing your web project and then add a project reference to the SmartCardAuthenticationModule.
In IIS, install an SSL/TLS certificate and, for Client Certificates, make sure to check either Accept or Require for the Web Site or Application. For production environments,
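The "no Membership/RoleProvider" case above leaves the user with a GenericPrincipal that has no roles, so every IsInRole() check fails until the application attaches its own principal. The following Global.asax.cs handler is an added example written for this post; it is not code from the SmartCardAuthenticationModule itself. It assumes the module raises the event under the standard ASP.NET Global.asax naming convention (SmartCardAuthentication_Authenticate with the usual object/EventArgs pair) and that the module has already placed the SmartCardIdentity on HttpContext.Current.User when the event fires; the RoleMap lookup table is a constructed stand-in for whatever application-owned store actually holds role assignments.

```csharp
// Global.asax.cs - added example, not part of the module's own source.
// Assumptions: the module raises "SmartCardAuthentication_Authenticate"
// with (object sender, EventArgs e), and HttpContext.Current.User already
// carries the SmartCardIdentity when the handler runs.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Constructed sample mapping from certificate subject name to roles.
    // A real deployment would load this from the application's own store.
    private static readonly Dictionary<string, string[]> RoleMap =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "CN=Jane Doe,OU=Users,O=Example", new[] { "Auditor" } },
            { "CN=Sam Admin,OU=Users,O=Example", new[] { "Auditor", "SiteAdmin" } }
        };

    // Raised by the module (assumed name) once the card identity is established.
    protected void SmartCardAuthentication_Authenticate(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        IIdentity identity = ctx.User != null ? ctx.User.Identity : null;

        // Only replace the principal for an authenticated card identity;
        // anonymous requests keep whatever the module attached.
        if (identity == null || !identity.IsAuthenticated)
        {
            return;
        }

        ctx.User = BuildPrincipal(identity);
    }

    // Wraps the identity in a GenericPrincipal carrying the application's
    // roles. Unknown subjects get an empty role set, so authorization rules
    // that require a role deny them by default.
    internal static IPrincipal BuildPrincipal(IIdentity identity)
    {
        string[] roles;
        if (!RoleMap.TryGetValue(identity.Name, out roles))
        {
            roles = new string[0];
        }
        return new GenericPrincipal(identity, roles);
    }
}
```

Because the module's own principal is replaced rather than wrapped, the original SmartCardIdentity is preserved as the Identity of the new GenericPrincipal, so pages can still read card-specific properties from HttpContext.User.Identity while IsInRole() now reflects the application's mapping. If the module exposes the identity through a custom EventArgs instead of HttpContext.Current.User, read it from there; the BuildPrincipal logic is unchanged.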
Read more: [ security through absurdity ]