Dino Esposito "Security is a matter of success"

•Als PPTX, PDF herunterladen•

0 gefällt mir•281 views

Authenticating users and checking their permissions to perform certain actions are the ABC of any software and real-life process. ASP.NET as a long record of successful applications yet the overall API it always offered is quite simple for the needs of today. These has brought to a variety of additional best practices that for the most part have been incorporated in ASP.NET Core. In this session we’ll first look at the basic facts of claims and core authentication and then move to authorization policies and authentication in the context of Web APIs. By attending the session you’ll figure out the differences between old and new ASP.NET authentication, old and new ASP.NET authorization and common steps to control access to a Web API.

Technologie

Security is a Matter of
Success
Dino Esposito
Digital Strategist, BaxEnergy

AUTHENTICATION
▰ Cookie-based authentication (without web.config)
▰ IPrincipal based on claims (not just username)
▰ Enable authentication middleware and use it
▻ Cookie name, login path, return-url, sliding expiration
▰ Multiple authentication schemes supported
▻ Cookie, bearer token, social networks
2

AUTHENTICATION: CLAIMS
▰ All claims stored in the authentication item
(cookie)
▰ Information not retrieved but possibly in the need
of updates if changed
▰ Username and role, plus everything else
▰ Different API for sign-in/sign-out
▰ LINQ-style API to read claims
3

AUTHORIZATION
▰ Role-based authorization
▻ Authorize attribute working as usual
▰ Policy-based authorization
▻ New in ASP.NET Core
4

ROLE-BASED AUTHORIZATION
▰ AllowAnonymous
▰ Authorize(Roles="...")
▰ Custom version EnsureRole(Enum1, Enum2)
▰ Additional ActiveAuthenticationScheme parameter
5

POLICY-BASED AUTHORIZATION
▰ Policy is a collection of requirements
▰ More flexible than just roles
▰ Register policies in startup
▰ Apply through Policy attribute of Authorize
6

var policy = new AuthorizationPolicyBuilder()
.AddAuthenticationScheme("Cookie", "Bearer")
.RequireAuthenticatedUser()
.RequireRole("Admin")
.RequireClaim("editor", "contents")
.RequireClaim("level", "Senior")
.Build();

$POLICY-BASED AUTHORIZATION 8 // IAuthorizationService injected in controller public async Task<IActionResult> Save(Article article) { var allowed = await _authorization.AuthorizeAsync(User, ...); if (!allowed) return new ForbiddenResult(); // Proceed }$

SECURING WEB API
▰ Authorize works as long as cookies are OK
▰ Basic authentication
▻ User credentials packed with request
▰ Token-based authentication
▻ Token associated with a given user
▰ Identity Management Server
9

PROGRAMMING ASP.NET CORE
▰ ASP.NET Core 3.0 released in H2
▻ Wait for 3.1 though 
▰ Visual Studio 2019 Update X
11
http://youbiquitous.net

Weitere ähnliche Inhalte

Mehr von Fwdays

The current architecture of Prom.ua is built on microservices and GraphQL API, but it was not always like that. In this talk, I'll tell you how far we've come and how we've made using graphs in a microservice architecture convenient and simple. I will talk about the problems we faced and how we overcame them, made our development process more accessible, deployments faster, and the remains of the monolith less loaded.

"Distributed graphs and microservices in Prom.ua", Maksym Kindritskyi

Fwdays

ETL stands for extract, transform, load. It's a process that combines data from different sources into a single repository for further processing, analysis, and utilization. This talk provides an example of how pandas can be used to solve ETL tasks as a stage in the evolution of the data intake component. This involves preliminary validation, filtering, and conversion of data according to a set of business rules and internal representation, with intermediate combination with other sources.

"Rethinking the existing data loading and processing process as an ETL exampl...

Fwdays

I’m confident that many IT professionals are currently facing the same situation I was in a few months ago. Mobilization, uncertainty. How can I be maximally beneficial to the country with my experience and continue professional development in such circumstances? Since the onset of the full-scale invasion, I've been actively volunteering and assisting the army. Mobilization became the next logical step. I want to share: My journey in IT, volunteering, and the beginning of my service in the Armed Forces Impressions from the first few months Which Soft Skills are helpful in this context I aim to dispel myths about the mobilization process and projects of the Armed Forces. Address your questions And yes, military personnel can travel abroad during their leave.

"How Ukrainian IT specialist can go on vacation abroad without crossing the T...

Fwdays

The leader must be strong all the time. The leader cannot afford to make mistakes, let alone fail in front of their team. Is that really true? Nick Gicinto, a cybersecurity leader with over 25 years of experience, who has worked for the CIA and has built security systems from scratch at Tesla and Uber, fully hiring teams for these projects, will talk about the importance of being vulnerable to build trust within a team.

"The Strength of Being Vulnerable: the experience from CIA, Tesla and Uber", ...

Fwdays

Sharing open feedback can be difficult because it equals much work on yourself. However, feedback needs attention and a special place in the corporate culture. It helps to grow dynamically, build a team of like-minded people and achieve powerful results. In the presentation, I will talk about: The ability to work with feedback as a soft, solid skill in developing technical specialists. A list of difficulties that prevent quality work with feedback. The 4A Framework is a tool for successful giving and receiving feedback. I will also help specialists learn the following: Form constructive feedback and understand how and when to give it. Work analytically with the received feedback. Feel free to share your thoughts and be heard.

"[QUICK TALK] Radical candor: how to achieve results faster thanks to a cultu...

Fwdays

Will discuss: Current communication challenges, including mishaps and toxic versus productive interactions. Ever wondered about PDP? It’s likely because its relevance to career planning, even outside your current company, hasn’t been fully spotlighted. Exploring how PDP functions within career planning, applicable even if you’re eyeing an exit. “Who do I aspire to become?” Summarizing key points with a reference to a practical form you can download to use.

"[QUICK TALK] PDP Plan, the only one door to raise your salary and boost care...

Fwdays

This talk will reveal four destructive communication patterns that can undermine team spirit, reduce productivity and cause conflict, and offer effective strategies for neutralizing them. Let's start with exciting storytelling about a fictional team of developers working on Scrum. You will learn about situations that their team member noticed during team meetings. Next, we will analyze "The Gottman Four Horsemen" model, which describes the four "horsemen of the apocalypse" of work relationships: criticism, defensiveness, contempt, and stonewalling. For each of these patterns, specific "antidotes" will be offered that allow you to build healthier and more productive relationships in the team. Finally, we'll look at why this topic is critical to team productivity, drawing on Google's "Project Aristotle" research. Special attention will be paid to the concept of psychological safety, which is a key factor in the success of high-performance teams. This talk will not only provide valuable insights and tools for improving communication and management in Tech teams, but will also help each member better understand their own contribution to the overall success of the team.

"4 horsemen of the apocalypse of working relationships (+ antidotes to them)"...

Fwdays

We are all living in exceptionally turbulent times. Ukrainians are facing numerous crises and challenges, ranging from war to lay-offs. Work provides us with a sense of stability, which many of us deeply value and strive to maintain. However, there are times when we may not realize that our workload becomes overwhelming or that the stress we experience in our jobs becomes highly toxic. This often leads to burnout. During our discussion, we will cover: - The factors that contribute to burnout; - How to identify it; - Short-term strategies for addressing it; - Long-term approaches to finding fulfillment and satisfaction in our work; I will also share my personal experiences and insights, as well as those of my colleagues in the IT field. - Burnout - Stress

"Reconnecting with Purpose: Rediscovering Job Interest after Burnout", Anast...

Fwdays

As you grow in experience as a tech specialist and close the needs of Maslow's hierarchy, you realize that you can help beginners in your specialization. But how to do it effectively? Where to look for future mentees? How to avoid mistakes that demotivate both sides? And, in general, how can you benefit from investing your time in the success of a mentee? I'll discuss this based on my 1.5 years of experience mentoring beginners. It will be useful for professionals with at least six months of experience in IT and a willingness to share their knowledge with the community.

"Mentoring 101: How to effectively invest experience in the success of others...

Fwdays

"Mission (im) possible: How to get an offer in 2024?", Oleksandra Myronova

Fwdays

Historically, Ukrainians are not good at presenting themselves (read: selling) because they are not self-confident. But we were never taught to be confident or to understand our strengths, moreover to pitch ourselves well in 3 minutes at an interview. Therefore, my task is to teach you in a few minutes how to: Create your personal pitch correctly (sales points, structure) Understand, depending on the type of company, what managers want to hear about you at the interview Be able to package irrelevant or no experience Understand your strengths Create an example of a personal pitch No, there will be no information here on how to get more $ at the interview, but it's not sure 😂

"Why have we learned how to package products, but not how to 'package ourselv...

Fwdays

Imposter syndrome is a psychological phenomenon that most of us suffer from to one degree or another. I'm no exception and have faced this for most of my IT career, which has been around 10 years. I did not immediately understand that the impostor syndrome is one of the biggest blockers for my personal and career development. When I understood it, I gradually started, with small and large steps, fighting with a syndrome in all available ways. In my talk, I will share my story and how it helped me grow from an ordinary developer to a team leader and, eventually, the leader of the entire department.

"How to tame the dragon, or leadership with imposter syndrome", Oleksandr Zin...

Fwdays

Understanding people is a fundamental tool for effective communication and leadership. The DISC personality type model offers a simple, easy-to-understand, and extremely practical approach to understanding oneself and one's teammates. The report will provide a practical approach to determining temperaments, highlighting their strengths as well as vulnerable traits. Understanding these principles will contribute to building strong teams and fostering strong customer relationships.

"Leadership, Soft Skills, and Personality Types for IT teams", Sergiy Tytenko

Fwdays

"How Ukrainian IT specialist can go on vacation abroad without crossing the T...

Fwdays

"Mastering cross-cultural communication", Anna Gandrabura

Fwdays

"Incremental rollouts and rollbacks with business metrics control at every st...

Fwdays

AI - should we embrace a fresh approach or continue with the traditional one? AI products and solutions have gained immense significance in enabling businesses to stay competitive. However, deploying and operating AI products within an organization's perimeter bring new challenges in terms of data security and reliability. To mitigate risks such as data leakage, finops, ethical alignment, and processes to ensure reliability it is crucial to adopt new approaches. In this context, let's explore the emerging challenges and SRE practices specifically tailored for AI.

"AIRe - AI Reliability Engineering", Denys Vasyliev

Fwdays

I would like to share a little story with you about how we started testing our Helm charts, why we did it, and were the outcomes. Our journey went from no testing to snapshot testing with Terratest and then from Terratest to more granular approach towards the validation of the configuration. I would like to show our journey to you as well as the tools we met in the process and the lessons we learned.

"Testing of Helm Charts or There and Back Again", Yura Rochniak

Fwdays

"How to mentor (future) devops engineers", Vsevolod Polyakov

Fwdays

"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap

Fwdays

Mehr von Fwdays (20)