Tuesday, 28 October 2014

ASP .NET SECURITY CONFIGURATIONS

Security in ASP .NET refers to authenticating users and providing authorization on resources.
Authentication means verifying whether a user is valid or not; in other words, checking for the right
credentials is authentication.
In ASP .NET we have the authentication methods Windows, Passport and Forms. Windows and Passport
authentication are not performed by ASP .NET itself and are also less important as far as web
applications are concerned.
Forms authentication is performed by ASP .NET itself and is the method mostly implemented in web applications.
Every resource in ASP .NET is accessible only to authenticated users.
            i. Authentication
           ii. Authorization
    Both are processors (or) programmer only.
(i) Authentication:
    Authentication means getting permission to use the account. A user can have
    permission to participate in the development or to use the application, but he cannot change or
    modify the database.
    EX: If we have an account in a bank, we are authenticated to use the services of the bank, but we don’t
    have the authorization to modify or change the database or to get the transaction info of other
    account holders.
(ii) Authorization:
    It is the process by which we allow or deny users access to ASP.NET resources.
    Every user is normally authenticated first and then authorized.
    i. Windows
    ii. Passport
    iii. Forms (ASP .NET)

Process involved in the Authentication
    1. User makes a request for a “secured page”.
    2. IIS stops the user and redirects him to the “OS”, or the browser itself displays a dialogue box like “Please
       Enter Username and Password”.
    3. The “OS” displays a “Logon window” asking for user credentials.
    4. User enters the required credentials and submits them to the OS. The OS checks the
       Username/Password and, if the result is “TRUE”, creates a “Ticket” and redirects to IIS.
    5. IIS allows the user now because he holds an “Authentication Ticket”.
Note: The created “Ticket” travels with every request and response, so that the user is not asked for
credentials every time.
Passport Authentication
Note: There is no more “Passport.com”; it has changed to “Live.com”. This is a third-party web service that
provides authentication. It is a Microsoft service and can be easily incorporated in ASP .NET.
Steps involved in Passport Authentication:
1. User makes a request for a “secured page”.
2. IIS allows the user in as anonymous.
3. ASP .NET denies the request because the user doesn’t have a “Passport Ticket” and redirects him.
4. Passport provides a login page where the user enters his Passport credentials. Passport verifies
   them, creates a ticket and redirects back to the requested secured resource.
5. ASP .NET allows the user now because the user holds an authentication ticket.
In the above picture
Note: Once a passport ticket is available with the client he can visit all the similar passport enabled
sites.
[Figure: Passport authentication flow. Labels: Request, USER, OS, Ticket, Passport Logon Page, IIS, ASP .NET; steps 1, 2 and 3.]
Process 1 = ASP .NET redirects the user to a Passport logon page.
Process 2 = User gets the Passport Ticket by entering the necessary credentials.
Process 3 = ASP .NET allows the user to the required web page.
Forms Authentication:
   1. User requests a secured page.
   2. User enters IIS as anonymous.
   3. ASP.NET has the FAM (“Forms Authentication Module”), which checks whether the user is
       authenticated or not.
   4. If the user is found not to be authenticated, it redirects him to the login.ASPX page, which is in the same site.
NOTE: In Forms/Passport authentication, what is the mode of entry? Ans: Anonymous.
   <authentication mode="Forms" />   <!-- mode is one of Windows, Passport or Forms -->
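The Forms flow and the allow/deny authorization described above can be expressed in one web.config. This is an added example, not configuration from the original post; login.aspx comes from step 4, while the cookie name, the Admin folder and the Administrators role are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: constructed web.config, not taken from the original post. -->
<configuration>
  <system.web>
    <!-- Forms mode: IIS lets the request in as anonymous and the
         Forms Authentication Module checks for a ticket. -->
    <authentication mode="Forms">
      <!-- loginUrl: where unauthenticated users are redirected (step 4).
           name: assumed cookie name for the ticket.
           protection="All": the ticket is encrypted and integrity-checked.
           requireSSL="true": the ticket cookie is sent over HTTPS only.
           cookieless="UseCookies": the ticket never appears in the URL.
           timeout: ticket lifetime in minutes. -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Authorization: "?" is the anonymous user, "*" is every user.
         Rules are read top to bottom and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep cookies away from client script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Assumed folder "Admin": authenticated users are still denied
       unless they are in the assumed role "Administrators". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the ticket accompanies every request, the cookie settings matter as much as the login page: without requireSSL the ticket can cross the network in clear text. The role rule only takes effect if the application populates roles for the authenticated user.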
