From the Desk of Brandon Haynes

I am pleased to make available a whitepaper detailing the high-level motivation and approach involved in the creation of the recently-released DotNetNuke Multi-Factor Authentication Provider, along with a discussion of the unique characteristics of a DotNetNuke installation that render the approaches of other vendors (e.g. RSA SecurID) incomplete or unsatisfactory. Additionally, each out-of-the-box factor is described in general detail in a format that is digestible by an audience of varying technical sophistication.

This paper is intended for all audiences who might have an interest in overall DotNetNuke installation security, and is designed to assist management in identifying an appropriate level of authentication-related risk.

• Download the Multi-Factor Authentication in DotNetNuke Whitepaper
• Learn more about the Multi-Factor Authentication Provider
• Learn more about the DotNetNuke Web Application Framework

I am pleased to announce a beta release of my Amazon S3 integration authorization and data providers.  It may be downloaded via CodePlex on its project homepage.  As is all of my DotNetNuke work, this project is fully open-source and available under a liberal BSD license.

The DotNetNuke web application framework offers multiple file persistence options out-of-the-box, including file-system storage (both unsecured and secured by ACL), along with ACL-secured database storage. When creating a link to a resource, the DotNetNuke UI provides a convenient list of these files, and also allows direct input of arbitrary URI.

However, there exists no ready method by which an administrator might link to a known set of files persisted external to the installation. While direct URI input might be used here, it requires knowledge of these data, and does not allow for enumeration and management of the external objects themselves.

This project attempts to bridge that gap by integrating resources persisted on the Amazon S3 into the DotNetNuke framework. Resources stored there are enumerable via the File Manager and selectable via the URL control. Throughout the core framework, these external resources are treated identically to database-secured resources, including observance of Amazon S3 ACL, automatic synchronization, and (reasonably friendly) 301 Redirects to the Amazon S3 when accessed via LinkClick.aspx.

This is effectuated via customization of two providers: authorization and data. The authorization provider integrates Amazon S3 ACLs for external resources, and the data provider allows enumeration of and details about the external resources themselves.

(more…)

As many are aware, I will be presenting a session at the upcoming Day of DotNetNuke conference in Orlando, Florida.  The session is entitled “The Cutting Edge: Advanced Authorization in DotNetNuke 5.1.”  The abstract for this session reads:

Among the many improvements present in DotNetNuke version 5.1, this latest release includes authorization as a first-class extension point.  This allows customization previously impossible without core modification.  Additionally, the permission model (and the internal use thereof) has been significantly streamlined and centralized, allowing for great flexibility across myriad use scenarios.

In this session, we explore the new permission provider in detail.  This includes a discussion of how (and why) authorization services were centralized and abstracted, the overall design and structure of the provider, and available points of access control.  Finally, we examine some concrete ways in which the provider might be extended to meet real-world policy requirements.

When presenting architectural or theoretical material, I always strive to include a demonstration of how the material might be applied to a real-world scenario.  In this case, I will be demonstrating how a custom authorization provider can be used to enable full DotNetNuke integration with cloud-based Amazon S3 webservices.  A screenshot of the file manager in an Amazon S3-enabled installation is displayed below.

This session should appeal to a wide audience; I cover enough theoretical background for individuals new to security theory, and delve deep enough into the 5.1 authorization architecture to satisfy those that have high familiarity with the platform.  If you are interested in learning more about the internals of the framework — and how 5.1 authorization might be utilized — be sure to stop by!

Epilogue: The presentation materials are now available here, and the Amazon S3 Integration providers may be found here.