Category Archives: Security

Lessons learned from building microservices – Part 1: Logging

This is a part in a series of posts discussing things learned while I worked with micro-services. The things I write here are not absolute truths and should be considered as the best solutions at the time I and my team used these methods. You might chose to do things differently and I recommend highly to find out for yourself the best practices and approaches that work for you and your project.

I also assume that you have a wide range of pre-existing knowledge on building microservices, API, programming languages, programming, cloud providers etc.

Notice: In the examples below I will omit “boilerplate” code to save space.

Base requirements for logging

Service instances

In a microservice architecture the most important thing is to be able to see what each microservice instance is doing. This means in the case of kubernetes each pod, or each container with docker etc.

So if you have a service named Customer and you have three instances of this service you would want to know what each service is doing when logging. So here is a check list of things to consider:

  • You need to know what each service instance is doing because each instance will process logic and each instance will have it’s own output based on what it is doing or requested to do
  • Each log entry should be able to identify which service instance was that performed the log entry by providing a unique service intance id
  • Each log entry should identify which application version the service instance is using
  • Each log entry should tell in which environment the service instane is operating in, example: development, test, qa, prod
  • If possible each log entry should tell where the service instance is like IP address or host-name


Next you need a way to push logs to a location, aggregate them, parse and index them perhaps, then analyze them and finally to be able to easily find logs, make graphs, alerts etc.

A common pattern or stack to use and the one I used was ElasticSeach, Logstash and Kibana. You can mix and match different service and solutions to get the same results.

Log types

Next I’ll cover the different logging types you might need and that will make your life easier.

General logging details

Before we cover the different types of logs which you might need first we need to have some common data witch each log entry. This data will help us in different way depending on the solution you are making. In my example here these data are related to an API backend but you might find them useful in some other types of solutions.

So consider adding these logging fields to other logs as metadata.

public class LogData

    private String requestId;
    private String userId;
    private String environmentId;
    private String appName;
    private String appVersion;
    private Instant createdAt;

requestId6f88dcd0-f628-44f1-850e-962a4ba086e3This is a value that should represent a request to your API. This request id should be applied to all log entries to be able to group all log entries from a request.
userId9ff4016d-d4e6-429f-bca8-6503b9d629e1Same as with the request id but a user id that represents a possible user that made the API request.
environmentIdDEV, TEST, PRODThis should tell a person looking at a log entry from which environment the log entry came for. This is important in cases where all log entries are pushed into one location and not separated physically.
appNameYour Cool APISame as with the environment id but concerns the app name.
appVersion2.1.7Same as with the environment id but concerns the app version.
createdAt02/08/2019 12:37:59This should represent when the log entry has been created. This will help very much in tracking the progress of the application logic in all environment in case of troubleshooting.

Access log

Access logs are a great way to keep track of your API requests and their response to a client. I won’t go deeper into them, there are plenty of detail descriptions available which I recommend going through, here is one:

Here is some sample code:

public class AccessLog {
    private String clientIP;
    private String userId;
    private String timestamp;
    private String method;
    private String requestURL;
    private String protocol;
    private int statusCode;
    private int payloadSize;
    private String borwserAgent;
    private String requestId;
clientIP127.0.0.1The IP address of the client that made the request to you API.
userIdaa10318a-a9b7-4452-9616-0856a206da75Preferably this should be the same user id that was used in the LogData class above
timestamp02/08/2019 12:37:59A date time format of your choice when the request occured.
methodGET, POST, PUT etc.HTTP Method of the request.
requestURLhttps://localhost:9000/api/customer/infoThe URL of the request
protocolHTTP/1.1The protocol used to communicate with the API request.
statusCode200, 201, 401, 500 etc.HTTP status code of the request response.
payloadSize2345The size of the payload returned to the client.
borwserAgentMozilla/4.08 [en] (Win98; I ;Nav)“The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.” –
requestIdThis should the the same request id used in the LogData class earlier.

Message Queue Log

This is a sample log which you could use with events/message queues. Depending on what message queue you use and what kind of configurations, you would most likely have minimal information about the message pushed to a queue.

From a troubleshooting point of view and being able to track things I would recommend passing with the message additional metadata related to the message original situation.

Lets take as an example an API request. What I did was add an additional property field to my message which held a JSON version of the class below. Looking at the message below you can see that mostly it is the same fields as in the LogData class earlier with added metadata related to the message itself which can also be used to controler the message logic at the receiving end.

public class MessageQueueLog {
    private String sourceHostname;
    private String sourceAppName;
    private String sourceAppVersion;
    private String sourceEnvironmentId;
    private String sourceRequestId;
    private String sourceUserId;
    private String message;
    private String messageType;
sourceHostnameLook at the LogData example earlier.
sourceAppNameLook at the LogData example earlier.
sourceAppVersionLook at the LogData example earlier.
sourceEnvironmentIdLook at the LogData example earlier.
sourceRequestIdLook at the LogData example earlier.
sourceUserIdLook at the LogData example earlier.
messageJSON data JSON data representing a serialized object that hold important data to be used the the receiving end.
messageTypeUPDATE_USER, DELETE_USERA simple unique static ID for the message. This ID will tell the receiving end what it needs to do with the data in the message field.

Metrics log

With metrics logs the idea is to be able to track desired things in your application. A common thing that you might like to track would be how external request from your own code is performing. This will allow you set up alerts and troubleshoot problem with external sources, especially if combined with a access log you can see and a metrics log of how long you request totally took to finish.

So you could track the following metrics:

  • External source like database, API, service etc.
  • You request total processing time from start to end to return a response
  • Some important section of your code
public class MetricsLog {

    private String title;
    private String body;
    private String additional;
    private String url;
    private int statusCode;
    private Double payloadSize;
    private Long receivedResponseAtMillis = 0L;
    private Long sentRequestAtMillis = 0L;
    private MetricsLogTypes logType;
    private double elapsedTimeInSeconds = 0;
    private double elapsedTimeInMS = 0;
    private String category;
titleUser Database
bodyUpdate user
additionalSome additional data
urlhttp://localhost:9200/api/car/typesIf this is a API request to an external service you should log the request URL.
statusCode200, 401, 500 etc.The HTTP status code returned by the external source.
payloadSize234567The size of the returned data.
receivedResponseAtMillis1575364455When the response was received, this could be in UNIX epoch time.
sentRequestAtMillis1575363455When the request was received, this could be in UNIX epoch time.
logTypeAPI, DATABASE, CODE etc.This could be used to identify what kind of a metric this is.
elapsedTimeInSeconds1Calculate and write how long it took for the response to be received.
elapsedTimeInMS1000Calculate and write how long it took for the response to be received.
categoryCategory1/2/3 etc.This could be used to group different metrics together.

Security Logs

I would also consider creating a separate security log that would be logged and identified by the logging indexer to it’s own pattern or category etc.

This is to speed up troubleshooting related to security issues like when someone signs in, signs out, registers etc.

Aggregated log entry

This is an example where you would have a main log class that will contain our desired log entry data and details for a system.

Possible use cases is when streaming to Cloudwatch or to perhaps Elasticsearch.

public class CloudLog {
    private LocalDateTime timeStamp;
    private String logger;
    private Map<String, Object> metadata;
    private String message;
    private String level;
timeStampA timestamp when the log entry was created.
loggerThe logger entity name.
metadataA map full of key value pair, full of data which can be serialized into JSON for indexing.
messageThe main message to the log entry
levelSeverity level of the log entry, DEBUG, INFO, ERROR, etc.

Ethical Hacking: Terminology – Part 1

I’ve started a new course on ethical hacking to get a better understanding of the internet, software security, personal security etc.

I’ll post a series of posts where I will write down my notes on what I’ve learned.

I’ll start today with some basic terminology:

Term Description
White Hat Hacker People that do hacking to help others, legal and ethical
Black Hat Hacker Unethical and unlegal activities
Grey Hat Hacker Between White and Black hat
Footprinting Information gathering on your target, on your task: like figuring out network related information, or software related details, or getting information from real world things or people. General information gathering in regard to your chosen target
DoS (Just you) Denial Of Service – On person performs a certain amount of request, more than the server can handle, to make the server crash. Servers can handle only a certain amount of requests and so the requests that does not fit into the request pool limit will be dropped out. If the service attack comes from one location/machine this is should not be possible.
DDoS (multiple people) Domain Denial Of Service – When you multiple computers/machines doing the service attack it will be harder for the software to know who to kick out.


The attack is not hard to do but the preparation is hard. You need to have multiple machines and to do this usually you have to infect other computers to create a bot farm of machines.

RAT Remote Administration Tools – For DDoS attacks needed a software that can be distributed upon other computers. This gives you control of a computer and allows you to hide your identity. The operations are not visible to a normal user. You can even hide them so that they do not show in normal operating system diagnostic tools.
FUD ( Anti-virus can not detect) Fully Undetectable – Also needed for DDoS attacks. Not labeled as malicious by anti-virus programs
Fishing Applying a bait and someone acts on it. Example: You get an email from someone and you click on it. Either it uploads something malicious or you do something that compromises your data, security.


Usually these are done so that the links look authentic but once you click on them you are redirected to some other server, which is not the one you would expect.


An easy way to spot these kind of addresses is to look at the address. If it is not from an HTTPS address then you are probably dealing with a false address. HTTPS addresses are much harder to fake.

SQL Injections Passing SQL Queries to HTTP requests. Allowing SQL command to run on a server to get or alter data that is not others wise intended to see or use.
VPN Virtual Private Network – Routing and encrypting traffic data between you and the VPN server/provider. A way of anonymizing yourself.


There is no real easy way to identify you unless the VPN Provider gives up your identity.

Proxy A less reliable way of staying anonymous. You could route your traffic between many proxies but the more proxies you have the harder it is to add new proxies to your traffic. This is mostly because of internet speed limitations, not enough available bandwidth. It will slow down you actions.


You can use free proxies and you can use paid proxies but paid ones leave a trace of whom you are.

Tor Open Source – Another way to hide your identity. Faster than proxies but slower than VPNs. Routes traffic through different routes, routers, places to hide your trace.


There is a very high chance of staying hidden (99.99%), there are tools, ways to find but highly unlikely.

VPS Virtual Private Server – a “security layer”, example: a virtual machine inside an actual machine that serves as a database server for you web server. This is done so that the database is not accessible from the outside directly.


In this way you can be specific who and from where can access that virtual machine.

Key Loggers Tools that are used to extract information from a machine, these needs to be deployed to a machine where the tool gathers key strokes and send that information to a location for analysis.


Key Loggers can extract existing information as well, you can modify the settings of a key logger (what, where, how to act), you can take screenshots, to use a camera on a device, microphone etc.

Terminal An interface to control your operating system. GUI tools are not as nearly as powerful as terminal tools.


Most hacking tools are designed for the terminal. Once you know how to do it in the terminal, you’ll know how to do it in the GUI.

Firewall A firewall is configured through iptable commands.


Linux firewall is open source and it has a HUDE amount of options. On Windows, by default you have some of these options but you will need to buy some package or application to get more options.

Root Kit rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Reverse-shells There are thousands of Reverse-shells. You have a program that infects another device that program opens up a reverse connection from that device back to you. Therefore, you can keep up controlling an external device.


Usually you need to break through a router first and reconfigure it to give you more access to a network and machines.

Azure AD Integration

This year I’ve been working a lot more with Azure. On of my tasks has been to integrate other application to each other using Azure AD. Here are some of my finding and good to know things in case someone else runs into them:

  • Create a new MVC Application in Visual Studio
  • When this is done, press the second mouse button on the project and go to “Add” > “Connected Services”. This will allow you to create an O365 connection.
  • Select Office 365 API Services.
  • In the new Window select or type in your domain.
  • Next, create new Azure AD application configuration or use an existing one by providing the GUID for the application.
    • Make sure you select the “Configure Single Sign-On using Azure AD” option
    • Make sure that your application is multi-tenant:
      • This works so that you register your app with you own Azure AD domain, then after that external Azure AD tenants and their users are registered through an “onboarding” process. The process will the user or admin user for privileges to use certain information from the AD or other resources. These are defined in the Azure AD application settings.
      • Notice you are using an application ID and key to connect to your own organization Azure AD then the users are only onboarding using the multi-tenant option in the Azure AD application configuration.
    • Next select what kind of privileges your application needs from the Azure AD and O365.
    • You need onboarding functionality from here:
    • In Global.asax.cs application_start function add the following: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
      • If this is missing, then you claim will not work properly.
    • If you are using a SQL Server database and Entity Framework remember to update you model from the database and remember primary key connections. If the Entity Framework update does not work then removing and adding the database tables should force an update. Also remember to clean and build your project if nothing else helps.
    • If you get this error: Error: {“error”:”invalid_grant”,”error_description”:”AADSTS70002: Error validating credentials. AADSTS70000: The provided access grant is invalid or malformed…..
    • Doing a redirect the proper way in an MVC apllication using the following piece of code in your contoller: return Redirect(returnUrl);
      • If you use the normal way in ASP .NET: Response.Redirect(returnUrl); you will run into trouble. The error message might look something like this:
        • Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery
        • You could set the AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start, but this will lower your security and not advisable.


C# .NET Getting Windows Directory File Permissions programmatically



I while back I needed to do a security trim on files in a Windows file system based on returned search results by SharePoint search. Since in SharePoint 2010 search indexing does not know how to take into consideration file system rights for searches there was a need to do a security trimming based on what privileges you have in Active Directory and what you are given to the file itself.

Since there where alot of moving parts and hard to find out which classes and function where needed to actually do this specific task I finally found a source that gave a great sample how to do this:

Unfortunately the source above does not exist anymore for whatever reason. So for those who might need similar functionality through code here is the sample code from the link above and what you need class wise.

In the code below what you need is to call the following static function to check for if the user has certain privileges:

FileSystemRights rights = FileSystemEffectiveRights.GetRights(username, filelocation);

Then call the following function to test against the given file system privileges and what you want to user to have in the file system.
bool canReadExecute = rights.HasRights(FileSystemRights.ReadAndExecute);


Classes and enumeration needed for this functionality(there are many moving parts here and you might have to work with Active Directory and File System to test this code):

FileSystemRights Enumeration

FileSystemAccessRule Class

AccessControlType Enumeration

AuthorizationRuleCollection Class

SecurityIdentifier Class

FileSystemAccessRule Class

FileInfo Class

PrincipalContext Class

UserPrincipal Class

PrincipalSearcher Class

WindowsIdentity Class


Sample code – :

public static class FileSystemRightsEx
public static bool HasRights(this FileSystemRights rights, FileSystemRights testRights)
return (rights & testRights) == testRights;

public static class FileSystemEffectiveRights

public static FileSystemRights GetRights(string userName, string path)
if (string.IsNullOrEmpty(userName))
throw new ArgumentException(“UserName not defined!”);

//if (!Directory.Exists(path) && !File.Exists(path))
// throw new ArgumentException(string.Format(“path: {0}”, path));

return GetEffectiveRights(userName, path);

private static FileSystemRights GetEffectiveRights(string userName, string path)
FileSystemAccessRule[] accessRules = GetAccessRulesArray(userName, path);
FileSystemRights denyRights = 0;
FileSystemRights allowRights = 0;

for (int index = 0, total = accessRules.Length; index < total; index++)
FileSystemAccessRule rule = accessRules[index];

if (rule.AccessControlType == AccessControlType.Deny)
denyRights |= rule.FileSystemRights;
allowRights |= rule.FileSystemRights;

return (allowRights | denyRights) ^ denyRights;

private static FileSystemAccessRule[] GetAccessRulesArray(string userName, string path)
// get all access rules for the path – this works for a directory path as well as a file path
AuthorizationRuleCollection authorizationRules = (new FileInfo(path)).GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

// get the user’s sids
string[] sids = GetSecurityIdentifierArray(userName);

// get the access rules filtered by the user’s sids
return (from rule in authorizationRules.Cast<FileSystemAccessRule>()
where sids.Contains(rule.IdentityReference.Value)
select rule).ToArray();

private static string[] GetSecurityIdentifierArray(string userName)
// connect to the domain
PrincipalContext pc = new PrincipalContext(ContextType.Domain);

// search for the domain user
UserPrincipal user = new UserPrincipal(pc) { SamAccountName = userName };
PrincipalSearcher searcher = new PrincipalSearcher { QueryFilter = user };
user = searcher.FindOne() as UserPrincipal;

if (user == null)
throw new ApplicationException(string.Format(“Invalid User Name: {0}”, userName));

// use WindowsIdentity to get the user’s groups
WindowsIdentity windowsIdentity = new WindowsIdentity(user.UserPrincipalName);
string[] sids = new string[windowsIdentity.Groups.Count + 1];

sids[0] = windowsIdentity.User.Value;

for (int index = 1, total = windowsIdentity.Groups.Count; index < total; index++)
sids[index] = windowsIdentity.Groups[index].Value;

return sids;

Good To Know: ASP .NET MVC Reference Guide


This is my collection of sources of the most “relevant” information on ASP .NET MVC. Hope this helps you if you need information on MVC and web development with Microsoft Tools.

Design the application architecture – Application Layers, Azure, State Management, Caching, WebSocket, HTTPModules
ASP.NET MVC 4 Content Map
.NET On-Premises/Cloud Hybrid Application Using Service Bus Relay
A Beginner’s Guide to HTTP Cache Headers
ASP.NET MVC Views Overview
ASP.NET Routing
ASP.NET State Management Overview
Beginners guide to HTML5 Application Cache API
Caching in .NET Framework Applications
Controllers and Action Methods in ASP.NET MVC Applications
Differences Between ASMX and WCF Services
Distributed Cache
Donut Caching and Donut Hole Caching with Asp.Net MVC 4
Donut Caching with ASP.NET MVC 4
Entity Framework
Extending ASP.NET Processing with HTTP Modules
Getting Started with ASP.NET Web API 2
Global.asax File
HOW TO: Write a Simple Web Service by Using Visual C# .NET
HTML5 Web Storage
HTTP Handlers and HTTP Modules Overview
IHttpModule Interface
Improving Performance with Output Caching (C#)
INFO: ASP.NET Configuration Overview
Introducing “Razor” – a new view engine for ASP.NET
Introducing WebSocket HTML5
Introducing Windows Azure
Introducing Windows Azure AppFabric Applications
Introduction to HTTP Modules
Learn About ASP.NET Web API
patterns & practices: Data Access Guidance
Run Startup Tasks in Windows Azure
The WebSocket API
Two Ways of Passing HTML5 Web Storage Data to ASP.NET
Use AppCmd.exe to Configure IIS at Startup
Using an Asynchronous Controller in ASP.NET MVC
WCF Web HTTP Programming Model
Windows Azure Execution Models
Windows Azure Jump Start (03): Windows Azure Lifecycle, Part 1
Windows Azure Jump Start (04): Windows Azure Lifecycle, Part 2
Design the user experience – User Interface Design and Implementation
About Font Embedding
AjaxExtensions.BeginForm Method
ASP.NET MVC 4 Content Map
Compatibility tables for support of HTML5, CSS3, SVG and more in desktop and mobile browsers.
CSS Media Types
CSS Reference
DisplayModeProvider Class
EditorExtensions.EditorFor Method
How To Test ModelState.IsValid In ASP.NET MVC
How to: Implement Remote Validation in ASP.NET MVC
How to: Validate Model Data Using DataAnnotations Attributes
HTML DOM innerHTML Property
Html.BeginForm() vs Ajax.BeginForm() in MVC3
HTML5 New Input Types
HtmlHelper Class
JavaScript prototype Property
JavaScript Tutorial
jQuery Documentation
jQuery Mobile
jQuery Mobile Framework
jQuery UI
JsonRequestBehavior Enumeration
JsonResult Class
Kendo UI Mobile
LinkExtensions.ActionLink Method
ModelStateDictionary.IsValid Property
Partial View in ASP.NET MVC 4
Rendering a Form in ASP.NET MVC Using HTML Helpers
Sencha Touch
Simplifying HTML generation in code using Razor templates
Styles.Render Method
System.Web.Mvc.Ajax Namespace
System.Web.Mvc.Html Namespace
Understanding JavaScript Prototypes.
Using the viewport meta tag to control layout on mobile browsers
ValidationExtensions.ValidationMessageFor Method
ValidationMessageFor HTML Helper in MVC3 Razor
Vendor-specific Properties
Views and UI Rendering in ASP.NET MVC Applications
Develop User Experience – Search Engine Optimization, Globalization and Localization, Routes, Application Behaviour, Network Optimization
13 ASP.NET MVC extensibility points you have to know
Action Filtering in ASP.NET MVC Applications
ActionResult Class
ActionResult.ExecuteResult Method
An Introduction to ASP.NET MVC Extensibility
ASP.NET Globalization and Localization
ASP.NET MVC – Basic overview of different view engines
ASP.NET MVC Custom Model Binder
ASP.NET MVC Model Binding and Data Annotation
ASP.NET MVC Routing Overview (C#)
ASP.NET Routing
Attribute Usage Guidelines
BindAttribute Class
Bundling and Minification
Configuring HTTP Compression in IIS 7
CultureInfo Class
Custom Controller Factory in ASP.NET MVC
FilterAttribute Class
HandleErrorAttribute Class
How to: Set the Culture and UI Culture for ASP.NET Web Page Globalization
HTML 5: The Markup Language (ARIA Edition)
Mage.exe (Manifest Generation and Editing Tool)
Microsoft Ajax Content Delivery Network
MVC 4 Part 4 – Bundles and Optimisation
MvcRouteHandler and MvcHandler in ASP.NET MVC Framework
ResourceManager Class
Search Engine Optimization Toolkit
Subscriber Locale Codes
The Features and Foibles of ASP.NET MVC Model Binding
Thread.CurrentUICulture Property
Using CDN for Windows Azure
Using Value Providers in ASP.NET 4.5
Walkthrough: Organizing an ASP.NET MVC Application using Areas
WebPart.AuthorizationFilter Property
What’s the Difference Between a Value Provider and Model Binder?
ViewResultBase Class
VirtualPathProviderViewEngine Class
Troubleshoot and debug web applications – Runtime issues, Exception handling, Testing, Debuging
AppDomain.FirstChanceException Event
Assert Class
Beginners Guide to Performance Profiling
Code Contracts
Code Contracts
Code Contracts for .NET
Collect Logging Data by Using Windows Azure Diagnostics
Configuring Performance Sessions for Profiling Tools
Configuring Windows Azure Diagnostics
Controller.OnException Method
Create and Use Performance Counters in a Windows Azure Application
customErrors Element (ASP.NET Settings Schema)
Debugging a Cloud Service in Visual Studio
Debugging Cloud Services
HandleErrorAttribute Class
How To Put Your Toe Into ASP.NET MVC Integration Testing
How to: Break When an Exception is Thrown
How to: Handle Application-Level Errors
How to: Receive First-Chance Exception Notifications
Integration Testing Your ASP.NET MVC Application
Invariants and Inheritance in Code Contracts
Isolating Code Under Test with Microsoft Fakes
Logging Error Details with ASP.NET Health Monitoring (C#)
MVC: Error Page implementation
Performance and Diagnostics Hub in Visual Studio 2013
Performance Profiler in Visual Studio 2012
Quick Start: Test Driven Development with Test Explorer
Record and run a web performance test
Remote Debugging a Window Azure Web Site with Visual Studio 2013
System.Diagnostics.Contracts Namespace
TraceListener Class
Tracing in ASP.NET MVC Razor Views
Understanding Web Tests
Unit Testing in ASP.NET MVC Applications
Use the Windows Azure Diagnostics Configuration File
Walkthrough: Using TDD with ASP.NET MVC
What is a First Chance Exception?
Windows Performance Monitor
Working with Web Tests
Design And Implement Security – Authentication, Authorization, Data Integrity, Hacks and Security, Communication
A Beginner’s Tutorial on Custom Forms Authentication in ASP.NET MVC Application
A Custom SqlRoleProvider for “Authenticated Users”
Anti-Cross Site Scripting Library
Apple Secure Coding Guide
ASP.NET Impersonation
ASP.NET MVC Authentication – Global Authentication and Allow Anonymous
Asp.Net MVC With the ValidateAntiForgeryToken For Cross Site Request Forgeries
ASP.NET Web Application Security
Authenticating Users with Windows Authentication (C#)
AuthorizeAttribute Class
Basic Security Practices for Web Applications
Client Certificates vs. Server Certificates – What’s the Difference?
Configure ASP.NET Impersonation Authentication (IIS 7)
Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on (C#)
CryptoStream Class
Custom Authentication and Authorization in ASP.NET MVC
Custom Authentication with MVC 3.0
Custom Membership Providers
Custom Membership Providers – Task Manager
Custom Role Providers
DpapiProtectedConfigurationProvider Class
FormsIdentity Class
How to Authenticate Web Users with Windows Azure Active Directory Access Control
How to configure Custom Membership and Role Provider using ASP.NET MVC4
How to Create an Intranet Site Using ASP.NET MVC
How to: Create a WindowsPrincipal Object
How to: Create GenericPrincipal and GenericIdentity Objects
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA
How To: Use Membership in ASP.NET 2.0
HtmlHelper.AntiForgeryToken Method
HttpEncoder Class
Microsoft Web Protection Library
OAuthWebSecurity.Login Method
OAuthWebSecurity.VerifyAuthentication Method
patterns & practices Improving Web Services Security – Now Released
Programming WCF Security
Provider Model Design Pattern and Specification, Part 1
RequireHttpsAttribute Class
Role-Based Authorization (C#)
RSACryptoServiceProvider Class
RsaProtectedConfigurationProvider Class
SAML 2.0 tokens and WIF – bridging the divide
Securing Your ASP.NET Applications
Security Practices: ASP.NET Security Practices at a Glance
Seed Users and Roles with MVC 4, SimpleMembershipProvider, SimpleRoleProvider, Entity Framework 5 CodeFirst, and Custom User Properties
SqlMembershipProvider Class
SqlRoleProvider Class
System.Security.Cryptography Namespace
System.Threading.Thread.CurrentPrincipal vs. System.Web.HttpContext.Current.User or why FormsAuthentication can be subtle
Thread.CurrentPrincipal Property
Understanding and Using Simple Membership Provider in ASP.NET MVC 4.0
Understanding the Forms Authentication Ticket and Cookie
Understanding Windows Identity Foundation (WIF) 4.5
Using IIS Authentication with ASP.NET Impersonation
Using OAuth Providers with MVC 4
Walkthrough: Using Forms Authentication in ASP.NET MVC
WCF Security Fundamentals
WCF Using Windows Authentication and SqlRoleProvider over basicHttp
WebSecurity Class
Windows Communication Foundation Security
WindowsIdentity Class
WS-Trust 1.3 OASIS Standard