Exploring various methods of Authentication (asp.net tutorial)

Lesson Objectives

A. Understanding Authentication & Authorization
B. Exploring various methods of Authentication
C. Understanding Impersonation
D.Overview of Security Controls

Needs are;

A.Asp.NET
B. Visual Studio
C. C#

The difficulty level of commands we use is middle.

The Security Overview

The security of a web application is an important factor that has to be considered when developing good web applications. The web pages and resources of the web application should be accessed only by authorized users. The ASP.NET provides security by Authentication and Authorization. The various users are authenticated. The authenticated users are checked if they are authorized to access the various web pages and resource of the web application. The different types of security provided by the Microsoft.NET Framework are Code-Based Security and Role-Based Security.

Authentication

Authentication is the process of identifying a user who logs onto the web application. Authentication is done in Role-Based security. The user generally enters the login and password which can be verified against his credentials, which is generally stored in a database. The types of authentication available in ASP.NET are Forms Authentication, Windows Authentication and Passport Authentication.

Authorization
Authorization is the process of allowing access or denying access for a particular user to the resources available in the web application. When an authenticated user tries to access a particular resource he will gain access if he is authorized to access the resource. If the user does not have permissions for a resource he will not be able to access the resource. The Authorization can be configured for a web application by using the
web.config configuration file as shown below:

<configuration>

<system.web>

<authorization>

<allow users=”Admin”/>

<deny users=”*”/>

</authorization>

</system.web>

</configuration>

ASP.NET Forms Authentication

The forms authentication is used when a login web page is displayed to the user. The user enters the login and password in the login page and submits the page. The login web page is specific to the web application. The user credentials are usually stored in a database. The programmer writes the code to connect to the database and check for the validity of the user credentials. The Login and Membership controls can be used with ease in web pages to perform forms authentication as it does not require much coding. The Forms Authentication can be configured for a web application by setting the "mode" attribute of the "authentication" element to "Forms" in the web.config configuration file as shown below:

<configuration>

<system.web>

<authentication mode="Forms">

<forms name="Login" loginUrl="Login.aspx" />

</authentication>

</system.web>

</configuration>

Windows Authentication

The windows Authentication allows the user to be authenticated based on the windows Operating System account. The default authentication enabled for a Web Site is windows authentication. The Internet Information Services (IIS) on which the web application is hosted does the authentication of the user credentials and creates a Windows identity. This identity can be used by the ASP.NET runtime to check the permissions for the user on various resources such as files in the windows files system, database connectivity etc. The authentication mode is set to windows by using the following tags in the web.config file.

Windows Authentication Methods

The various windows authentication methods are Anonymous authentication, Basic authentication, Digest Authentication and Integrated authentication. Let use discuss each one the authentication methods in detail:

a ) Anonymous Authentication
The Anonymous method of windows authentication allows user access to the web application without a login or password. Authentication is not performed by the Internet Information Services (IIS). The anonymous mode of authentication is the default mode of authentication. The Internet Information Services (IIS) maps the anonymous users to an account on the Windows Operating System which begins with IUSR followed by the IIS machine name like "IUSR_NameOfMachine" etc. The anonymous authentication can be implemented by using the following tags in the web.config file.

<configuration>

<system.web>

<authentication mode="None"/>

</system.web>

</configuration>

b ) Basic Authentication
The Basic Authentication requires a user name and password to allow access to the web application. The user credentials are sent from the client to the server through the network. This method allows the credentials of the user, such as the user login and password to be sent as clear text. It does not provide a secure mechanism of transferring the user credentials. The Basic authentication can be implemented by using the following tags in the web.config file.

<configuration>

<system.web>

<authentication mode="Windows"/>

</system.web>

</configuration>

c ) Digest Authentication
The Digest Authentication, similar to the Basic authentication requires a user name and password to allow access to the web application. The user credentials are sent from the client to the server through the network. This method encrypts the credentials such as the user password that is sent over the network. It does provide a secure mechanism of transferring the user credentials. The Digest authentication can be implemented similar to Basic authentication by using the following tags in the web.config file.

<configuration>

<system.web>

<authentication mode="Windows"/>

</system.web>

</configuration>

d ) Integrated Authentication
The Internet Information Services provides Integrated Windows authentication by using NTLM authentication. Integrated authentication can also be implemented using Kerberos authentication. This mode does not transmit passwords over the network. The Kerberos authentication allows the delegation and mutual authentication and provides good performance.

Passport Authentication
The Passport Authentication allows the user credentials to be validated by the Microsoft Passport Authentication Service. The Passport Authentication allows a user to access multiple member sites with a single login and password. The Passport Authentication is done by a XML web service. The users should have a Passport account for getting authenticated by using the Passport Authentication. The tags in the web.cofig file for Passport Authentication is shown below:

<configuration>

<system.web>

<authentication mode="Passport">

<passport redirectUrl="Login.aspx" />

</authentication>

</system.web>

</configuration>

Impersonation
The Impersonation is a process by which the credentials of a user are transferred to another user, who can access the resources on behalf of the user whose credentials have been transferred. The Impersonation of user credentials can be configured in the web.config file using the tag

<identity impersonate="true" />

in the web.config. The "impersonate" attribute of the "identity" tag is set to the value "true" to enable impersonation. The tags in the web.cofig file for impersonation is shown below:

<configuration>

<system.web>

<authentication mode="Windows"/>

<identity impersonate="true"/>

</system.web>

</configuration>

Security Controls
ASP.NET provides various Login controls such as the Login control, LoginView Control, PasswordRecovery control, LoginStatus control, LoginName control, CreateUserWizard control and ChangePassword controls. These controls help in managing the security of web applications. The Login controls are easy to use and require minimal coding. These controls work along with the ASP.NET Membership system and help automate the authentication process. The login controls are present in the Login tab which is displayed below:

Login Control
The Login Control displays the controls for accepting the User Name and Password. It also displays the "Remember me next time" check box and a Login button. Wehn the user checks the "Remember me next time" check box, allows the server to store the user credentials with the help of the ASP.NET membership system. Since the credentials are stored in the ASP.NET membership, the user is authenticated automatically when he accesses the site in future. The tags used to create the Login control is shown below:

<asp:Login ID="Login1" runat="server">

</asp:Login>

PasswordRecovery Control
The PasswordRecovery Control is a security control which can be used to recover a password.The recovered password can be received through an email. It is helpful to users who do not remember their password. This control can also be used to reset the password and get the new password through mail. The tags used to create the PasswordRecovery control is shown below:

<asp:PasswordRecovery ID="PasswordRecovery1" runat="server">

</asp:PasswordRecovery>

LoginView Control
The Login View controls are used to display the information to the logged in users and anonymous users. This control consists of the Anonymous Template and the LoggedInTemplate. The AnonymousTemplate can be used to produce customized information that can be displayed for anonymous users. The LoggedInTemplate can be used to produce customized information that can be displayed for anonymous users who are authenticated. The tags used to create the LoginView control is shown below:

<asp:LoginView ID="LoginView1" runat="server">

</asp:LoginView>

---

Posted on Utopian.io - Rewarding Open Source Contributors

---