Security

ASP.NET Core security topicsMicrosoftLearn

Authentication vs. Authorization

Authentication is a process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, users authenticate successfully, and can then perform actions that they're authorized for, during an authorization process. The Authorization refers to the process that determines what a user is allowed to do.

Authentication	Authorization
Authentication is the process of determining a user's identity.	Authorization is the process of determining whether a user has access to a resource.
	role-based authorization policy-based authorization claims-based authorization

CORS

Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

Is not a security feature, CORS relaxes security. An API is not safer by allowing CORS.

There are three ways to enable CORS:

• In middleware using a named policy or default policy.

var  MyAllowSpecificOrigins = "_myAllowSpecificOrigins";

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options => {                
    options.AddPolicy(name: MyAllowSpecificOrigins, policy => { // named policy
            policy.WithOrigins("http://example.com", "http://www.contoso.com")
                    .AllowAnyHeader()
                    .AllowAnyMethod();
    }); 
     
    options.AddDefaultPolicy(policy => {        // default policy
            policy.WithOrigins("http://example.com", "http://www.contoso.com");
    });  
});

// services.AddResponseCaching();
builder.Services.AddControllers();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseCors(MyAllowSpecificOrigins);        // using named policy

app.UseAuthorization();

app.MapControllers();

app.Run();

• Using endpoint routing.

var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options => {
    options.AddPolicy(name: MyAllowSpecificOrigins, policy => {
        policy.WithOrigins("http://example.com", "http://www.contoso.com");
    });
});

builder.Services.AddControllers();
builder.Services.AddRazorPages();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseCors();

app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapGet("/echo",
        context => context.Response.WriteAsync("echo"))
        .RequireCors(MyAllowSpecificOrigins);

    endpoints.MapControllers()
             .RequireCors(MyAllowSpecificOrigins);

    endpoints.MapGet("/echo2",
        context => context.Response.WriteAsync("echo2"));

    endpoints.MapRazorPages();
});

app.Run();

• With the [EnableCors] attribute.

[Route("api/[controller]")]
[ApiController]
public class WidgetController : ControllerBase
{
    // GET api/values
    [EnableCors("AnotherPolicy")]
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] { "green widget", "red widget" };
    }
}

Using the [EnableCors] attribute with a named policy provides the finest control in limiting endpoints that support CORS.

When using multiple roles in one attribute, the user must be a member of only one of those roles to access the resource. With multiple attributes, the user must be a member of all roles.

When you implement IValidateObject, which language feature processes over the individual properties being validated?

• C# Generator/Yield pattern