Web application security for ASP .NET
Web applications must be well secured. This article discusses the security options available in ASP .NET. Security of a web application is maintained using the authentication and authorization functions: authentication checks the user's credentials, such as user name and password, and authorization decides whether to grant or deny an authenticated user access to a specified resource.
Authorization:
Authorization determines an identity's permission to access a resource. To configure it, specify users or roles in allow or deny elements inside the authorization section. The settings also apply to subdirectories, where they can be overridden. The allow and deny elements have users, roles and verbs attributes; at least one of users or roles must be present.
example:
<authorization>
  <!-- every user ("*", authenticated or not) and members of the "users" role may send GET -->
  <allow verbs="GET" users="*" roles="users"/>
  <!-- "?" stands for anonymous users: they may send HEAD -->
  <allow verbs="HEAD" users="?"/>
  <!-- members of the "Admin" role may not send POST -->
  <deny verbs="POST" roles="Admin"/>
</authorization>

Authentication:
Authentication is done by obtaining user credentials, such as user name and password, and validating them. After validation the user is checked for authorization to the requested resources. The authentication element's mode attribute has four values: Windows, Forms, Passport, and None for no authentication.
Windows authentication is performed by the IIS authentication mechanisms. It includes anonymous authentication, basic authentication, digest authentication and integrated Windows authentication. Windows is the default value for the authentication element's mode attribute.
example:
<system.web>
<authentication mode="Windows"/>
</system.web>
Forms authentication mode authenticates the user name and password that the user enters in a login form. Unauthenticated users are redirected to the login page; once authenticated, the user remains authenticated for subsequent requests.
example:
<authentication mode="Forms">
  <forms name="auth" loginUrl="Login.aspx">
    <!-- with passwordFormat="MD5" the password attribute must hold the MD5 digest of the
         password rather than the clear text; the values below are placeholders -->
    <credentials passwordFormat="MD5">
      <user name="user_name1" password="password1"/>
      <user name="user_name2" password="password2"/>
    </credentials>
  </forms>
</authentication>
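The authorization rules and the credentials element above, modelled together as an added example (not code from the page or from ASP.NET itself); the first-match rule order, the "*" and "?" wildcards, the fall-through to the root config's allow, and the upper-case hex digest encoding are assumptions noted in the code:

```python
# Added model of the web.config rules on this page (not ASP.NET's own code). Assumed
# semantics: allow/deny rules are walked in order, first match wins; '*' matches any user,
# '?' only anonymous users; no verbs attribute means any verb; with no match the root
# config's <allow users="*"/> applies. Passwords are stored clear or as upper-hex MD5/SHA1.
import hashlib
import hmac
import xml.etree.ElementTree as ET
def _matches(rule, user, roles, verb):
    """Does one allow/deny element apply to this request? user=None means anonymous."""
    verbs = rule.get("verbs")
    if verbs and verb.upper() not in [v.strip().upper() for v in verbs.split(",")]:
        return False
    for u in (rule.get("users") or "").split(","):
        u = u.strip()
        if u == "*" or (u == "?" and user is None) or (user and u.lower() == user.lower()):
            return True
    wanted = {r.strip().lower() for r in (rule.get("roles") or "").split(",") if r.strip()}
    return bool(wanted & {r.lower() for r in roles})

def is_allowed(config_xml, user, roles, verb):
    """First matching rule decides; no match falls through to the root config's allow."""
    for rule in next(ET.fromstring(config_xml).iter("authorization")):
        if _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True

def password_for_config(password, password_format):
    """Value to store in the password attribute for the given passwordFormat."""
    fmt = password_format.upper()
    if fmt == "CLEAR":
        return password
    if fmt in ("MD5", "SHA1"):
        return hashlib.new(fmt.lower(), password.encode("utf-8")).hexdigest().upper()
    raise ValueError(f"unsupported passwordFormat {password_format!r}")

def verify_login(config_xml, name, password):
    """Check a submitted name/password against <credentials> with a constant-time compare."""
    creds = next(ET.fromstring(config_xml).iter("credentials"))
    expected = password_for_config(password, creds.get("passwordFormat", "SHA1"))
    for u in creds.findall("user"):
        if u.get("name", "").lower() == name.lower():
            return hmac.compare_digest(u.get("password", "").encode(), expected.encode())
    return False

# Constructed sample joining the page's examples; the MD5 digest is computed, not clear text.
CONFIG = f"""<configuration><system.web><authorization>
<allow verbs="GET" users="*" roles="users"/><allow verbs="HEAD" users="?"/>
<deny verbs="POST" roles="Admin"/></authorization><authentication mode="Forms">
<forms name="auth" loginUrl="Login.aspx"><credentials passwordFormat="MD5">
<user name="user_name1" password="{password_for_config('password1', 'MD5')}"/>
</credentials></forms></authentication></system.web></configuration>"""
```

With these rules an anonymous POST is still allowed, because no rule in the page's example matches it and the root config's allow then applies; a deny that is meant to be the default has to be written explicitly as the last rule.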
The credentials element has a mandatory attribute, passwordFormat, with three possible values: Clear, MD5 and SHA1. With Clear, passwords are stored in clear text. With MD5, passwords are stored as Message Digest 5 (MD5) hashes; this gives better performance than SHA1. With SHA1, passwords are stored as Secure Hash Algorithm 1 (SHA1) hashes. Whichever hash is chosen, the stored value is a single unsalted digest of the password, so anyone who reads the configuration file can still guess passwords offline, and Clear exposes them directly.

Impersonation:
Impersonation is used when the application relies on Microsoft Internet Information Services (IIS) for authentication. By default, ASP.NET impersonation is disabled. If it is enabled, the impersonated identity must have read/write access to the files in the application directory and its subdirectories.
Use the identity element to enable impersonation for the application. Its impersonate attribute is mandatory and must be set to true to enable impersonation. Optionally, you can also add the userName and password attributes to impersonate a specific account.
example:
<configuration>
  <system.web>
    <!-- the asterisks stand in for the account's real password -->
    <identity impersonate="true" userName="compName\user" password="********"/>
  </system.web>
</configuration>