
Posts

Understanding concepts - OpenId, OAuth and SAML

I was going through some of the forums related to security concepts and found one topic that comes up again and again: many people posted questions about their confusion over the terms related to authorization, authentication and security protocols. So, I thought to write something about these terms in layman's language, more towards the concept and less towards the technical aspects. Before we start, let's have a look at the question which really lit the spark in me - stackoverflow.com - What's the difference between OpenID and OAuth? Hope you are with me to get started. Well, one of the major aims of any application is to make it secure and easy to use without imposing much work on the end user. Now, in order to fulfil this aim, we have to look into a few of the major security aspects in terms of protocols, usage and scenarios. And that's what this article is for. What is Authentication and Authorization? In simple terms, authentication is the process ...

Traditional file helper won't work in .Net core

Prior to .Net Core, we used to return a file by passing various sorts of parameters - in-memory bytes, a FileStream or a file path - and that used to work perfectly. But when it comes to .Net Core, passing a file path will not work exactly as it did in ASP.Net MVC. In earlier versions, the path we supplied was treated as a physical path, whereas in Core the same File(path) API denotes a virtual path. In other words, whatever path is provided is resolved relative to the site's web root, not the file system. Now how do we give a physical path in .Net Core? No worries! Here comes the PhysicalFile helper to our rescue. To know more about it, here you go. Keep learning!
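The following is an added example, not code from the original post, showing the two helpers side by side. It assumes a hypothetical `Reports` folder under the application's content root that holds PDFs the app is allowed to serve. Because `PhysicalFile` takes a real file-system path, a file name supplied by the user has to be confined to that folder before it is used, otherwise `../appsettings.json` walks straight out of it; that check is the part worth copying.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;

// Added example (not the blog's code). "Reports" is a hypothetical folder under the
// content root; IHostingEnvironment is the 2.x name (IWebHostEnvironment in 3.0+).
public class ReportsController : Controller
{
    private readonly string _reportsRoot;

    public ReportsController(IHostingEnvironment env)
    {
        // Normalise once so the prefix check below compares like with like.
        _reportsRoot = Path.GetFullPath(Path.Combine(env.ContentRootPath, "Reports"));
    }

    // The pre-Core habit. In ASP.NET Core, File(string, string) treats the string as a
    // virtual path under wwwroot, so an absolute disk path such as C:\...\Reports\x.pdf
    // will not resolve and the action fails.
    public IActionResult OldStyle(string name)
    {
        return File(Path.Combine(_reportsRoot, name), "application/pdf");
    }

    // PhysicalFile takes an absolute file-system path. Since the path now reaches the
    // disk directly, the caller-supplied name must be validated first.
    public IActionResult Download(string name)
    {
        // Reject anything that is not a bare file name (no separators, no "..").
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name))
            return BadRequest();

        // Defence in depth: resolve and confirm the result still lives under Reports.
        var fullPath = Path.GetFullPath(Path.Combine(_reportsRoot, name));
        if (!fullPath.StartsWith(_reportsRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return NotFound();

        // System.IO.File is spelled out because Controller.File shadows it here.
        if (!System.IO.File.Exists(fullPath))
            return NotFound();

        return PhysicalFile(fullPath, "application/pdf", Path.GetFileName(fullPath));
    }
}
```

The `name != Path.GetFileName(name)` test alone already blocks traversal; the `StartsWith` check is kept so that a later refactor which relaxes the first test does not silently reopen the hole.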

Confused with term Active Directory

Is on-premise Active Directory (Windows Active Directory) the same as Azure Active Directory? In continuation of my previous blog post, this was another question asked of me. Well, although both are active directories, there are a few differences. Let's have a look at those:

Location - The most basic difference is that Windows AD is on-premise whereas Azure AD is cloud based.

Initial motto - As Azure AD is cloud based, web service support is part of its design, unlike plain on-premise AD.

Protocols used - The two directories use different protocols. Azure AD uses SAML, OAuth 2.0 and OpenID Connect, whereas on-premise AD relies on NTLM and Kerberos for authentication and LDAP to query and modify the directory.

Platform support - When it comes to providing support for platforms other than Windows, it is a nightmare with Windows AD and requires more time and effort. The same thing can be done very smoothly with Azure AD, as it just needs a registration with any on...

Windows Authentication & Forms-based Authentication

During my recent interaction with one of the development teams, I came across a few queries. Hence, I decided to cover those general questions as part of my next few blogs. The very first question I received is: when should one go for Windows authentication and when should one go for Forms-based authentication? Now, one of the common responses one can receive is: use Forms authentication whenever the user can supply a username/password and go for Windows authentication whenever the user can use the Windows login system. No doubt, this response is correct. But there are a few more points which can elaborate on it. Let's have a look at those:

If user accounts are created in AD - go for Windows authentication using ActiveDirectoryMembershipProvider.

If user accounts are created in a database, i.e. SQL Server - go for Forms-based authentication using the respective membership provider, i.e. SqlMembershipProvider.

If user accounts are created in a database whose direct membership provi...

Bit on certificates

In continuation of my previous blog, here I'm writing something more on SSL. As we learnt, one of the key components of the SSL protocol is certificates. A certificate is nothing but a file (or set of files) which contains information like: the owner of the certificate, the issuer of the certificate, the validity of the certificate, etc. Below is a sample certificate. Before moving ahead, let's have a look at the primary elements of a certificate:

Public key / certificate: This file, with extension .crt, is installed on the server and is distributed freely to any client.

Private key: This file, with extension .key, is installed on the server and kept secret and secure. It contains only the key material used to decrypt and sign data; it does not expire and carries no details about the organization or domain name - those live in the certificate.

Signing request: This file, with extension .csr, is sent to the certificate authority by an applic...
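To make the three elements concrete, here is an added example (not from the original post) that generates each of them in code with the .NET `CertificateRequest` API (available from .NET Core 2.0): a private key, a CSR signed with that key, and a certificate. The subject name and 90-day validity are made up, and the certificate is self-signed in place of a real CA, so issuer and subject come out equal. It also shows that the distributable `.crt` form carries no private key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the blog's code. Subject name and validity period are invented;
// a real deployment would send the CSR to a CA instead of self-signing.
public static class CertificateDemo
{
    // Minimal PEM writer (64-character lines) so the CSR can be pasted into a CA portal.
    static string ToPem(string label, byte[] der)
    {
        var b64 = Convert.ToBase64String(der);
        var sb = new System.Text.StringBuilder($"-----BEGIN {label}-----\n");
        for (int i = 0; i < b64.Length; i += 64)
            sb.Append(b64, i, Math.Min(64, b64.Length - i)).Append('\n');
        return sb.Append($"-----END {label}-----").ToString();
    }

    public static void Main()
    {
        // 1. Private key (.key): generated and kept on the server. Nothing in it names an
        //    organisation or host, and it has no expiry of its own.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=www.example.test, O=Example Org",
                key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            request.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));

            // 2. Signing request (.csr): the public key plus the requested subject, signed with
            //    the private key so the CA can verify the requester actually holds it.
            byte[] csr = request.CreateSigningRequest();
            Console.WriteLine(ToPem("CERTIFICATE REQUEST", csr));

            // 3. Certificate (.crt): what the CA would return. Self-signed here, so Issuer == Subject.
            DateTimeOffset notBefore = DateTimeOffset.UtcNow;
            using (X509Certificate2 cert = request.CreateSelfSigned(notBefore, notBefore.AddDays(90)))
            {
                Console.WriteLine($"Subject:    {cert.Subject}");
                Console.WriteLine($"Issuer:     {cert.Issuer}");
                Console.WriteLine($"Valid:      {cert.NotBefore:u} to {cert.NotAfter:u}");
                Console.WriteLine($"Thumbprint: {cert.Thumbprint}");
                Console.WriteLine($"Server copy has private key: {cert.HasPrivateKey}");   // True

                // Exporting as X509ContentType.Cert strips the private key; this is the form
                // that is safe to hand to every client.
                byte[] publicOnly = cert.Export(X509ContentType.Cert);
                using (var distributed = new X509Certificate2(publicOnly))
                    Console.WriteLine($"Distributed copy has private key: {distributed.HasPrivateKey}"); // False
            }
        }
    }
}
```

Compare the two `HasPrivateKey` lines: the object the server keeps answers `True`, the exported `.crt` bytes answer `False`. If a `.crt` you are about to publish ever answers `True`, it was exported as a PFX/PKCS#12 bundle by mistake and must not be distributed.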

Is SSL and TLS same or different?

Yes, many people use these terms interchangeably. But today the right term is TLS. Well, what is this TLS and why do we really need it? Most of us are already aware that HTTP is a plain-text protocol which doesn't have its own transport security mechanisms. In other words, HTTP sends data to a server and gets a response without any built-in mechanism to protect the data packet against eavesdropping or tampering. To protect our packet travelling over HTTP, some sort of secure tunnel is required, and that secure tunnel is provided by a protocol called TLS, the successor to what was originally called SSL. HTTP running inside that tunnel is HTTPS. Usually people associate SSL/TLS with encryption, but that is not the only feature TLS provides. There are a few more features:

Server authentication - makes sure that communication is made with the right server, by validating the certificate it presents.

Integrity protection - makes sure that nobody in between has modified our dat...
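Server authentication is the feature most often thrown away by accident. The following added example (not the post's code; the URL is a placeholder) contrasts the common "accept every certificate" callback with a hardened `HttpClientHandler` that keeps the framework's chain and host-name validation, enforces a TLS 1.2 floor and only uses the callback to explain a failure instead of hiding it.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added example, not the blog's code. https://www.example.test/ is a placeholder host.
public static class TlsClientDemo
{
    // Insecure pattern: "fix" certificate errors by accepting everything. Traffic is still
    // encrypted, but anyone on the path with a self-signed certificate is accepted, so the
    // server-authentication property is gone.
    public static HttpClient InsecureClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => true
        };
        return new HttpClient(handler);
    }

    // Hardened: set a protocol floor, check revocation, and refuse anything the default
    // validation flags (untrusted root, expired, name mismatch), logging the reason.
    public static HttpClient HardenedClient()
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12,      // no SSL 3.0 / TLS 1.0 / TLS 1.1
            CheckCertificateRevocationList = true,
            ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) =>
            {
                if (errors == SslPolicyErrors.None)
                    return true;                    // framework validation passed
                Console.Error.WriteLine($"TLS validation failed for {msg.RequestUri.Host}: {errors}");
                Console.Error.WriteLine($"  presented: {cert?.Subject} issued by {cert?.Issuer}");
                return false;                       // fail closed
            }
        };
        return new HttpClient(handler);
    }

    public static async Task Main()
    {
        using (var client = HardenedClient())
        {
            try
            {
                string body = await client.GetStringAsync("https://www.example.test/");
                Console.WriteLine($"Received {body.Length} bytes over an authenticated TLS channel");
            }
            catch (HttpRequestException ex)
            {
                // A rejected certificate surfaces here; the reason was already logged above.
                Console.WriteLine($"Request refused: {ex.Message}");
            }
        }
    }
}
```

Leaving `SslProtocols` unset lets the operating system pick its current secure default, which is also acceptable; the explicit floor is shown because older hosts still negotiate TLS 1.0 when allowed to.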

Microsoft announced ASP.NET Core 2.2

In yesterday's .Net conference, Microsoft announced ASP.NET Core 2.2 as part of the .Net Core 2.2 Preview 2 SDK and Visual Studio 2017 15.9 Preview 2. The list of new features looks very interesting. Let's have a gist of those:

Template updates: This release includes Bootstrap 4 support in the ASP.NET Core web project templates as well as in scaffolding, and it is the default version for the UI, which gives a completely new look. SPA templates now support Angular 6.

Web API related changes are the major improvements in this release and contribute towards much easier and much better Web APIs.

HTTP/2 support is added for Kestrel.

The IIS in-process hosting model is added for much better performance and reliability.

A health checks framework is now integrated to monitor the health of APIs and apps. Using this we can make sure that our apps and APIs are live and ready to receive traffic.

A new routing system, endpoint routing, was brought in, which takes ...