Authentication is the process of determining and verifying the identity of users based on the users’ credentials. Authorization is the process of determining what level of access an authenticated identity should be granted to a given resource.
Whenever a user logs on to a system, the user is authenticated first and only then authorized.
Authentication
There are three types of authentication in ASP.NET:
1. Forms authentication
2. Windows authentication
3. Passport authentication
Forms Authentication
With forms authentication you handle authentication using your own custom logic, written in the code of your .NET application. After a user is authenticated, the credentials are stored in a cookie to handle subsequent requests.
Windows Authentication
Windows authentication is the default authentication mode in ASP.NET. In this mode, a user is authenticated based on his/her Windows account. There are four types of Windows authentication methods:
1. Anonymous Authentication – IIS allows any user
2. Basic Authentication – the Windows username and password (credentials) have to be sent across the network in plain text format, which is insecure.
3. Digest Authentication – same as Basic Authentication, but the credentials are encrypted.
4. Integrated Windows Authentication – depends on Kerberos technology, with strong credential encryption.
Passport Authentication
Passport authentication uses Microsoft’s Passport service to authenticate users in a .NET application. Passport uses an encrypted cookie mechanism to identify an authenticated user. If a user has already signed in to Passport when they browse to your application, ASP.NET considers them authenticated. Otherwise they are redirected to the Passport login page.
Authorization
There are two types of authorization in ASP.NET:
1. URL authorization – specify authorization rules in web.config for different web URLs
2. File authorization – relies on the NTFS file system for granting permission
Both authentication and authorization are specified in the web.config of the application.
Example in web.config
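<configuration>
  <system.web>
    <!-- mode is one of: Windows, Forms, Passport, None -->
    <authentication mode="Forms">
    </authentication>
    <!-- Rules are checked top to bottom; the first match applies -->
    <authorization>
      <allow users="July"/>
      <deny users="August"/>
      <!-- "?" means anonymous (unauthenticated) users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>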
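URL authorization rules are evaluated top-down and the first matching rule decides. The following is an added example (not part of the original post) that simulates that evaluation in Python over a constructed copy of the rules above; the inherited `<allow users="*"/>` default, the `HARDENED_CONFIG` variant and all function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the page's <authorization> rules.
PAGE_CONFIG = """<configuration><system.web><authorization>
  <allow users="July"/>
  <deny users="August"/>
  <deny users="?"/>
</authorization></system.web></configuration>"""

# Hardened variant (added here, not from the page): deny everyone not allowed above.
HARDENED_CONFIG = PAGE_CONFIG.replace('<deny users="?"/>', '<deny users="*"/>')

# Assumption: the application inherits the machine-level <allow users="*"/>,
# which is consulted after the application's own rules.
INHERITED_DEFAULT = [("allow", ["*"])]


def load_rules(config_xml):
    """Return (action, users) pairs in document order, then the inherited default."""
    section = ET.fromstring(config_xml).find("system.web/authorization")
    rules = []
    for element in (section if section is not None else []):
        if element.tag in ("allow", "deny"):
            names = [u.strip() for u in element.get("users", "").split(",")]
            rules.append((element.tag, [n for n in names if n]))
    return rules + INHERITED_DEFAULT


def matches(patterns, user):
    """user is None for an anonymous request; "?" is anonymous, "*" is everyone."""
    for pattern in patterns:
        if pattern == "*" or (pattern == "?" and user is None):
            return True
        # Names are compared case-insensitively in this sketch.
        if user is not None and pattern.lower() == user.lower():
            return True
    return False


def is_allowed(config_xml, user):
    """Walk the rules top-down; the first rule that matches the user decides."""
    for action, patterns in load_rules(config_xml):
        if matches(patterns, user):
            return action == "allow"
    return False


if __name__ == "__main__":
    for who in ("July", "August", "September", None):
        print(who, is_allowed(PAGE_CONFIG, who), is_allowed(HARDENED_CONFIG, who))
```

With the page's rules, an authenticated user who is neither July nor August (here "September") is still allowed, because no rule matches until the inherited default. Ending the list with `<deny users="*"/>` closes that gap.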