SQL Server 2008 - Worth the Wait
Security is one of the most important concerns in application software development. Building a robust security model is one of the most important factors that drive the success of application software. As far as security in ASP.NET is concerned, three terms come into my mind, i.e., Authentication, Authorization and Impersonation. Put simply, authentication authenticates the user’s credentials and authorization relates to the resources that an authenticated user has access to. This article is the first in a series of articles on ASP.NET security and discusses these concepts and their applicability.
Let us start our discussion with a brief outline on the sequence of events are as far as authentication and authorization are concerned when a new request comes in. When a new request arrives at IIS, it first checks the validity of the incoming request. If the authentication mode is anonymous (default) then the request is authenticated automatically. But if the authentication mode is overridden in the web.config file settings, IIS performs the specified authentication check before the request is passed on to ASP.NET.ASP.NET then checks whether Impersonation is enabled or not. We will discuss impersonation later in this article. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing the task; otherwise, the application executes with the identity of the IIS local machine and the privileges of the ASP.NET user account. Finally, the ASP.NET engine performs an authorization check on the resources requested by the authenticated user and if the user is authorized, it returns the request through IIS pipeline.The following section discusses Authentication, Authorization and Impersonation and how we can implement them in ASP.NET applications.Authentication
Authentication determines whether a user is valid or not based on the user’s credentials. Note that a user can be authorized to access the resources provided the user is an authenticated user. The application’s web.config file contains all of the configuration settings for an ASP.NET application. An authentication provider is used to prove the identity of the users in a system. There are three ways to authenticate a user in ASP.NET:
Forms AuthenticationThis is based on cookies where the user name and the password are stored either in a text file or a database. It supports both session and persistent cookies. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When the user has not logged in and requests for a page that is secured, he or she is redirected to the login page of the application. The following code snippet illustrates how this can be implemented in ASP.NET.<configuration><system.web><authentication mode="Forms"/><forms name="LoginForm" loginUrl="LoginForm.aspx" /><authorization><deny users="?"/></authorization></system.web></configuration>
Note that the symbol "?" indicates all Non Authenticated and Anonymous users. Typically, the user enters the username and the password, clicks the login button and the form validates the values against values from that stored in a persistent store, usually a database. The following code snippet illustrates how this can be validated.
String username = txtUserName.Text;String password = txtPassword.Text;bool isUserValid = false;//Code to validate the user name and password
if(isUserValid){FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);else // User is not valid
lblMessage.Text = “Invalid login…”;}
The RedirectFromLoginPage method creates an authentication ticket and is used to redirect an authenticated user back to the originally requested URL or the default URL. The following code snippet illustrates how we can specify the user’s credentials in the application’s web.config file.
<configuration><system.web> <authentication mode="Forms"><forms loginUrl="LoginForm.aspx"><credentialspasswordFormat="Clear"><user name="JoydipK" password="JudeK" /></credentials></forms></authentication> <authorization></system.web></configuration>
However you choose the above technique of authentication you should provide a means of encrypting the configuration file for security reasons. I will discuss these and other issues in the forthcoming articles in this series of articles on ASP.NET Security.You can also use Forms Authentication to verify the user’s credentials using a database where the user’s credentials are stored. The following code example illustrates how this can be achieved. The method ValidateUserCredentials accepts a user name and the password, connects to the database where the user’s credentials is stored and verifies whether the supplied user’s credentials are correct.
private bool ValidateUserCredentials(String userName, String password){// Connect to the database where the user credentials are stored and then verify whether the user's credentials that // are passed as parameters to this method are correct. The method would return true if success, false otherwise.}
The above method can be called as illustrated in the code snippet below.
bool isAuthenticatedUser = false;try{isAuthenticatedUser = ValidateUserCredentials(txtUserName.Text,txtPassword.Text);}catch(Exception ex){//Some typical exception handling code}
if (isAuthenticatedUser == true ){//The user is authenticated, hence, redirect to the appropriate web form and/or display appropriate messages to the user}
else{//Display appropriate messages to the user indicating that the user is not authenticated}
Try Idera’s new SQL admin toolset
Try Idera’s new SQL admin toolset
Try Idera’s new SQL admin toolset