Security Model in ASP.NET 2.0
The .NET Framework security model introduces two concepts: 1. Authentication 2. Authorization.
What is authentication? Authentication determines whether a particular user is allowed to access the application.
What is authorization? Authorization determines whether the authenticated user is allowed to access a particular application resource.
Authentication determines a user’s identity, whereas authorization defines what the user might access.
ASP.NET supports four types of authentication: 1. Windows authentication 2. Forms authentication 3. Passport authentication 4. Anonymous access
Windows Authentication:
When to use Windows authentication:
If your application is targeted for use inside an organization, and the users accessing the application already have accounts in the local user database of the Web server or in Active Directory, you should authenticate users with Windows authentication.
In this case, whenever a user accesses the application, the browser prompts the user for credentials; you don't have to create a login page.
How to set up Windows authentication:
To configure IIS to require all users to authenticate on computers running Microsoft Windows Server 2003, follow these steps:
1. In the Administrative Tools program group, open the IIS Manager.
2. In the IIS Manager console, click to expand your server name, to expand Web Sites, and then to expand the Web site.
3. Right-click the site or folder name you are configuring authentication for and select Properties.
4. Click the Directory Security tab. In the Authentication And Access Control group, click the Edit button.
5. Clear the Enable Anonymous Access check box, which is selected by default.
6. Select the Integrated Windows Authentication check box, as shown in Figure 11-7. Optionally, select Digest Windows Authentication For Windows Domain Servers to enable authentication across proxy servers.
I have mentioned Windows Server 2003 since Windows authentication uses an Active Directory domain, and an AD domain is only available in Windows Server 2003.
To configure an ASP.NET application for Windows Authentication, edit the <authentication> section of the Web.config file.
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
The <authorization> section simply requires all users to be successfully authenticated. Specifying <deny users="?" /> within <authorization> requires users to be authenticated, whereas specifying <allow users="*" /> within <authorization> bypasses authentication entirely. The "?" symbol represents unauthenticated users, while the "*" symbol represents all users, both authenticated and unauthenticated.
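To make the "?" and "*" semantics concrete, here is an added example (not code from the original post and not a framework API) that models how ASP.NET's URL authorization evaluates a list of <allow> and <deny> rules: rules are checked top-down, the first rule whose users or roles match the request decides the outcome, and if nothing matches the framework-level default of <allow users="*" /> applies. The Rule class and Evaluate method are this example's own; the user names and the "Admin" role are constructed sample data.

```csharp
// Added example: a console model of ASP.NET <authorization> rule evaluation.
// Rule, UrlAuthorizationModel and Evaluate are invented for this illustration;
// they are not the framework's own types.
using System;
using System.Collections.Generic;

class Rule
{
    public bool Allow;                       // true for <allow>, false for <deny>
    public string[] Users = new string[0];   // "*" = everyone, "?" = anonymous, or a user name
    public string[] Roles = new string[0];   // role names from the roles="" attribute
}

static class UrlAuthorizationModel
{
    // Returns true when the request is permitted. userName is null for an
    // anonymous (unauthenticated) request.
    public static bool Evaluate(IList<Rule> rules, string userName, IList<string> userRoles)
    {
        bool isAuthenticated = !string.IsNullOrEmpty(userName);
        foreach (Rule rule in rules)
        {
            foreach (string u in rule.Users)
            {
                if (u == "*") return rule.Allow;                       // matches everyone
                if (u == "?" && !isAuthenticated) return rule.Allow;   // matches anonymous only
                if (isAuthenticated &&
                    string.Equals(u, userName, StringComparison.OrdinalIgnoreCase))
                    return rule.Allow;                                 // matches a named user
            }
            foreach (string r in rule.Roles)
            {
                if (isAuthenticated && userRoles.Contains(r)) return rule.Allow;
            }
        }
        return true; // no rule matched: framework default <allow users="*" />
    }

    static void Main()
    {
        List<string> noRoles = new List<string>();
        List<string> adminRole = new List<string>();
        adminRole.Add("Admin");

        // <deny users="?" /> alone: anonymous is denied, any authenticated user is allowed.
        List<Rule> denyAnonymous = new List<Rule>();
        denyAnonymous.Add(new Rule { Allow = false, Users = new[] { "?" } });
        Console.WriteLine("anonymous: " + Evaluate(denyAnonymous, null, noRoles));
        Console.WriteLine("alice:     " + Evaluate(denyAnonymous, "alice", noRoles));

        // Order matters: <allow roles="Admin" /> followed by <deny users="*" />
        // admits only members of the Admin role.
        List<Rule> adminsOnly = new List<Rule>();
        adminsOnly.Add(new Rule { Allow = true, Roles = new[] { "Admin" } });
        adminsOnly.Add(new Rule { Allow = false, Users = new[] { "*" } });
        Console.WriteLine("alice (Admin): " + Evaluate(adminsOnly, "alice", adminRole));
        Console.WriteLine("bob:           " + Evaluate(adminsOnly, "bob", noRoles));

        // Reversed: <deny users="*" /> now comes first and matches everyone,
        // so the allow rule is never reached and even the admin is denied.
        adminsOnly.Reverse();
        Console.WriteLine("alice (Admin), reversed: " + Evaluate(adminsOnly, "alice", adminRole));
    }
}
```

The last case is the check worth remembering when writing <authorization> sections: a <deny users="*" /> placed above the <allow> rules locks everyone out, so allow rules for specific users or roles must come before the catch-all deny.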
Forms Authentication:
Web applications developed for external sites commonly use form-based authentication instead. Form-based authentication presents the user with an HTML-based Web page that prompts the user for credentials. Once authenticated via forms authentication, ASP.NET generates a cookie to serve as an authentication token. The browser presents this cookie with all future requests to the Web site, allowing the ASP.NET application to validate requests. This cookie can, optionally, be encrypted by a private key located on the Web server, enabling the Web server to detect an attacker who attempts to present a cookie that the Web server did not generate.
To configure forms authentication, you have to create an authentication page that uses an HTML form to prompt the user for credentials.
A simple Web.config file requiring Forms authentication is shown here:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="LoginForm.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
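The Web.config above only tells ASP.NET where the login page is; the page itself has to validate the credentials and issue the authentication cookie. The following code-behind for LoginForm.aspx is an added example, not code from the original post. It assumes the page contains a UserName text box, a Password text box, an ErrorLabel label and a button wired to LoginButton_Click, and that a membership provider is configured; the "Admin" role name is a constructed sample.

```csharp
// Added example: code-behind for the LoginForm.aspx referenced in Web.config.
// Control names (UserName, Password, ErrorLabel) are assumed to exist on the page.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class LoginForm : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser checks the submitted credentials against the
        // configured membership provider, so the page never compares passwords itself.
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the forms authentication cookie (encrypted and signed under the
            // default protection="All" setting) and redirects to the page the user
            // originally requested, or to the default URL. The second argument is
            // false so the cookie lasts only for the browser session.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // One message for both unknown user and wrong password, so the form
            // does not reveal which account names exist.
            ErrorLabel.Text = "Invalid user name or password.";
        }
    }

    // Once the user is authenticated, pages can combine the cookie-based identity
    // with the Role provider; Web.config <authorization> rules do the same check
    // declaratively for whole folders.
    protected bool CurrentUserIsAdmin()
    {
        return User.Identity.IsAuthenticated && Roles.IsUserInRole("Admin");
    }
}
```

Because the <deny users="?" /> rule in Web.config blocks anonymous requests everywhere, ASP.NET automatically exempts the page named in loginUrl, so no separate <location> override is needed for LoginForm.aspx.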
Passport Authentication:
You can also authenticate users using a service from Microsoft called Passport. Passport is a centralized directory of user information that Web sites can use, in exchange for a fee, to authenticate users. Users can choose to allow the Web site access to personal information stored on Passport, such as the users’ addresses, ages, and interests. Storing information about users worldwide within the Passport service relieves end users from maintaining separate user names and passwords on different sites. Further, it saves the user time by eliminating the need to provide personal information to multiple Web sites.
Anonymous Access:
You can explicitly disable authentication for your application if you know that it will be used only by anonymous users. However, in most cases where your application does not require authentication, you should simply not provide an authentication configuration setting in the Web.config file and allow the system administrator to configure authentication with IIS.
This example shows a simple Web.config file that allows only anonymous access to an ASP.NET application:
<configuration>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>
Summary:
The most popular authentication type in ASP.NET web application development is forms authentication, because you can create your own login page and use the Role and Membership classes of the .NET Framework.
Comment by Bindu Bujji, 23 Sep 2008 (Member Level: Gold, Points: 0):
Very useful for me. Thanks for the post.