Implementing Authorization and authentication in ASP.net
Security is an important aspect while designing internet applications. It provides the robustness and reliability by checking the access to the system resources and thus restricts the usage to only limited group who has been authorized. Authentication process involves validation of the users identity by getting the user credentials and validate the identity with values stored internally.
Authorization determines the level of access to the system resources to the authenticated user based on the profile of the User, which would have already been configured. For example, usually an Administrator level of User will have authorization configured so that he has access rights to access all the system resources. Authorization will always follow Authentication and both are essential for a secured application.
Authentication in ASP.Net
ASP.net offers three types of Authentication which are as below:
type can be set in the web.config file in the section as below:
Windows authentication is basically managed by IIS. There are four types of Windows authentication which are anonymous, basic, digest and Windows Integrated. All these options are configured in IIS.
By selecting anonymous option, there will be not be any authentication performed by the IIS and hence anyone can be allowed to access the application. Using basic authentication, windows user name and password are used to authenticate for which the information is sent over the network which makes it insecure. If digest authentication is selected, password is encoded before sent across the network.
This option necessitates client machines to be using Internet Explorer (IE) 5.0 or above and windows account to be stored in Active directory. Windows Integrated option uses Kerberos (Challenge/response) protocol to authenticate the user. This method provides secret-key cryptography technique and hence ensures the information transmitted is highly secure. For this, client browser needs to be IE 3.0 or above.
Passport authentication method uses the Passport Authentication service provided by Microsoft for authenticating users. By using this method, applications can be relieved of the authentication routine that needs to be implemented in the main application. Passport identifies an authenticated user by checking for the encrypted cookie in the client system. In case of failure at this level, they will be redirected to passport servers for authentication. To implement this, the Passport Development SDK (Software Development Kit) is required.
Forms authentication is a type of custom authentication where the User can design his own customized logic for logging into the system. This method is based on cookie which gets placed by the first successful request by the client. This will be used to track the User about his state of access to the server. For every request made by the client for a web page, ASP.net checks for the existence of this special cookie in the client system. If it exists, it implies that client is authenticated. Otherwise, it does not process the request and redirects the User to an error page.
Authorization in ASP.net
a process within IIS and executes in the security context of a restricted
User account which has limited access to both local and shared resources.
To enable it to have additional rights, impersonation is used. Impersonation
provides the facility to execute the request from the client using its
identity or use a specific account as configured in web.config file. To
disable impersonation, set the file as below:
Authorization without impersonation
Without impersonation, ASP.net will execute with its own privileges. Usually, this account (ASPNET) in which the ASP.net runtime executes would be a low-privileged account since this is the default account and is applicable to all the sites in the server. Enabling it to a high-privileged account is a high risk since ASP.net process run by any client can access system resources and can cause harm to them. Machine.config is the file where the privilege of ASPNET account can be configured.
Authorization with impersonation
There are two options with impersonation enabled.
Using identity of the client logging to the system
access is allowed in IIS, ASP.net uses its own configured account which
the IIS itself uses.
Using identity of a pre-defined user
By setting the web.config file with details of the User name and password of the User whose credentials need to be used for executing the application, ASP.net process can execute in the identity of that User. The main drawback of this method is the security risk that anyone can access the file containing the password in text form.
Design considerations for implementing Authentication and Authorization in Distributed applications
is the first level of access for any request coming from a client. In
case there is a need to reject request from some pre-defined IP addresses,
options can be set in IIS for achieving it.
| All about Conceptual Analysis on .NET Remoting | Building desktop applications in .Net | Building Distributed Applications Efficiently Using .Net Remoting | C# (C Sharp) Unified Type System: Reference Types | C# (C Sharp) Unified Type System: Value Types | Data access in .Net | Delegates Vs Interfaces in C# (C Sharp) | How is Integration between Java and .NET Achieved | How is Versioning Achieved in C# (C Sharp) | Implementing Authorization and authentication in ASP.net | Implementing design patterns in .Net | List of Query Keywords in C# (C Sharp) |