Friday, April 18, 2008

Authentication and Authorization in ASP .NET

Authentication and authorization are two tightly coupled concepts that form the core of security for .NET applications.

Authentication is the process of determining and verifying the identity of users based on the users’ credentials. Authorization is the process of determining what level of access an authenticated identity should be granted to a given resource.

Whenever a user logs on to a system, he/she will be authenticated first before he/she is authorized.

Authentication
There are three types of authentication in ASP .NET:
1. Forms authentication
2. Windows authentication
3. Passport authentication

Forms Authentication
You handle authentication using your own custom logic, which depends on code written in your .NET application. After a user is authenticated, the credentials will be stored in a cookie to handle subsequent processes.

Windows Authentication
Windows authentication is the default authentication mode in ASP .NET. By using this mode, a user is authenticated based on his/her Windows account. There are four types of Windows authentication methods:
1. Anonymous Authentication – IIS allows any user
2. Basic Authentication – Windows username and password (credentials) have to be sent across the network in plain text format, which is insecure.
3. Digest Authentication – same as Basic Authentication but the credentials are encrypted.
4. Integrated Windows Authentication – depends on Kerberos technology, with strong credential encryption.

Passport Authentication
Passport authentication uses Microsoft’s Passport service to authenticate users in a .NET application. Passport uses an encrypted cookie mechanism to identify an authenticated user. If a user has already signed in to Passport when he/she browses to your application, he/she will be considered authenticated by ASP .NET. Otherwise, he/she will be redirected to the Passport login page.

Authorization
There are two types of authorization in ASP .NET:
1. URL authorization – specify authorization rules in web.config for different web URLs
2. File authorization – rely on the NTFS system for granting permission

Both authentication and authorization are specified in the web.config of the application.

Example in web.config

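<configuration>
    <system.web>

        <!-- mode is one of: Windows, Forms, Passport, None -->
        <authentication mode="Forms" >
        </authentication>

        <!-- Rules are checked from top to bottom; the first matching rule applies -->
        <authorization>
            <allow users="July"/>      <!-- allow the user July -->
            <deny users="August"/>     <!-- deny the user August -->
            <deny users="?"/>          <!-- deny anonymous (unauthenticated) users -->
        </authorization>

    </system.web>
</configuration>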
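The following Python sketch is an added example, not code from this post or from ASP .NET: it walks the authorization rules above in order and reports the first match for each user, then repeats the check with a final catch-all deny rule. It models only the users attribute (no roles or verbs); the user "September", the helper names and the inherited allow-all default appended after the application's rules are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# The rules from the web.config example above.
PAGE_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <allow users="July"/>
      <deny users="August"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
"""

# Constructed variant: same rules plus a final catch-all deny.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    '<deny users="?"/>', '<deny users="?"/>\n      <deny users="*"/>')

# Assumption: the machine-level default that is evaluated after the
# application's own rules (allow everyone).
INHERITED_DEFAULT = [("allow", ["*"])]

def load_rules(config_xml):
    """Return [(action, [users])] in document order, then the inherited default."""
    auth = ET.fromstring(config_xml).find("system.web/authorization")
    rules = [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
             for r in auth]
    return rules + INHERITED_DEFAULT

def is_allowed(rules, user):
    """user is a name, or None for an anonymous (unauthenticated) request."""
    for action, users in rules:
        for u in users:
            if u == "*" or (u == "?" and user is None) or u == user:
                return action == "allow"   # first matching rule decides
    return False

def decisions(config_xml, users=("July", "August", "September", None)):
    rules = load_rules(config_xml)
    return {u: is_allowed(rules, u) for u in users}

if __name__ == "__main__":
    print("page config:    ", decisions(PAGE_CONFIG))
    print("hardened config:", decisions(HARDENED_CONFIG))
```

With the page's rules, an authenticated user who is not listed falls through to the inherited allow rule; the added final deny rule turns the list into an explicit allow-list.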
