ASP.NET Security Best Practices

Windows Authentication
Windows Authentication is used to validate a user based on the user’s Windows Account; however, this is only applicable in intranet environments where the administrator has full control over the users in the network. The following code snippet illustrates how we can implement Windows Authentication in ASP.NET.
<authentication mode="Windows"/>
<authorization>
  <allow users="*" />
</authorization>
Note that the symbol "*" denotes all users, authenticated and anonymous alike. Windows authentication can be of the following types:

  • Anonymous Authentication
  • Basic Authentication
  • Digest Authentication
  • Integrated Windows Authentication

In the Anonymous Authentication mode IIS allows any user to access an ASP.NET application without any authentication check.
In Basic Authentication mode users are required to provide their Windows user name and password; however, this is very insecure, because the credentials travel Base64-encoded (effectively in cleartext) unless the connection is protected by TLS.
The Digest Authentication mode is identical to Basic Authentication except that the password is hashed before it is sent across the network.
In Integrated Windows Authentication mode the password is never sent across the network; instead, the Windows network authentication protocols (NTLM or Kerberos) perform the exchange on the application's behalf.
Passport Authentication
Passport authentication is a centralized authentication service that uses Microsoft’s Passport Service to authenticate the users of an application. It allows the users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. The following code snippet illustrates how we can implement Passport Authentication in ASP.NET.
<configuration>
  <system.web>
    <authentication mode="Passport">
      <passport redirectUrl="LoginForm.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
Authorization
Authorization is the process of determining whether a previously authenticated user may access a resource. Note that authorization decisions are made only for authenticated users, which is what ensures that no unauthenticated user can access the application. The syntax for specifying authorization in ASP.NET is as follows.
<authorization>
  <[allow | deny] [users] [roles] [verbs] />
</authorization>
In ASP.NET, there are the following types of authorizations.

  • URL Authorization
  • File Authorization
  • Authorization based on ACLs

File Authorization is performed by the FileAuthorizationModule and is active when the application is configured to use Windows authentication. It checks the access control list (ACL) of the requested file to determine whether a user should have access to it. ACL permissions are verified for the Windows identity or, if impersonation is enabled, for the Windows identity of the ASP.NET process.
URL authorization is performed by the URLAuthorizationModule, which maps users and roles to URLs in ASP.NET applications. This module can be used to selectively allow or deny access to arbitrary parts of an application (typically directories) for specific users or roles.
Authorization, like authentication, is specified in the web.config file of the application. The following is an example of how we can configure authorization in ASP.NET using the application's configuration file.
<authorization>
  <allow users="Joydip"/>
  <deny users="Jude"/>
  <deny users="?"/>
</authorization>
It is also possible to scope authorization settings to a particular location (a file or directory) with the location element, so that the rules defined there apply only to that path. The following code snippet illustrates this.
<configuration>
  <location path="Test.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
You can also restrict or grant a GET or POST to one or more users of the ASP.NET application. The following code snippet illustrates how we can allow the user "Jude" to POST while all other users can only GET.
<authorization>
  <allow verbs="GET" users="*" />
  <allow verbs="POST" users="Jude" />
  <deny verbs="POST" users="*" />
</authorization>
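The three authorization snippets above (the allow/deny list, the location-scoped rule for Test.aspx, and the verb-specific rules) all depend on how ASP.NET evaluates rules: top to bottom, first match wins, location rules before the enclosing configuration, and a machine-level default of allow users="*" when nothing matches. The following Python model is an added example, not code from the original article or from ASP.NET itself; the Principal and Rule classes, the parse_rules and authorize functions, and the requester "Alice" are constructed for illustration, while the other names mirror the snippets.

```python
"""ASP.NET URL-authorization rule evaluation, modelled in Python (an added
example, not code from the original article). Semantics, as documented for the
URLAuthorizationModule: rules are tried top to bottom and the first match wins;
"*" matches every user and "?" only anonymous users; <location> rules are
checked before the enclosing configuration's; if nothing matches, the
machine-level default <allow users="*"/> applies. Classes, sample configs and
the user "Alice" below are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Principal:
    name: Optional[str]             # None models an anonymous request
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    users: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)
    verbs: List[str] = field(default_factory=list)

    def matches(self, who: Principal, verb: str) -> bool:
        # A verbs attribute narrows the rule; without it the rule covers any verb.
        if self.verbs and verb.upper() not in {v.upper() for v in self.verbs}:
            return False
        for u in self.users:
            if u == "*" or (u == "?" and not who.is_authenticated):
                return True
            if who.is_authenticated and u.lower() == who.name.lower():
                return True
        wanted = {r.lower() for r in self.roles}    # roles compare case-insensitively
        return any(r.lower() in wanted for r in who.roles)


def _split(value: Optional[str]) -> List[str]:
    # Attribute values are comma-separated lists, e.g. users="Joydip, Jude".
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def parse_rules(xml_text: str) -> List[Rule]:
    """Parse an <authorization> element into its ordered allow/deny rules."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            verbs = el.get("verbs") or el.get("verb")   # "verbs" is the real name
            rules.append(Rule(el.tag, _split(el.get("users")),
                              _split(el.get("roles")), _split(verbs)))
    return rules


def authorize(rule_sets: Sequence[List[Rule]], who: Principal, verb: str = "GET") -> bool:
    """rule_sets is ordered most specific first (<location> rules, then the
    enclosing web.config, then parent directories); the first match decides."""
    for rules in rule_sets:
        for rule in rules:
            if rule.matches(who, verb):
                return rule.action == "allow"
    return True    # nothing matched: machine.config default <allow users="*"/>


# Constructed configurations mirroring the article's snippets.
SITE_RULES = parse_rules("""<authorization>
  <allow users="Joydip"/> <deny users="Jude"/> <deny users="?"/>
</authorization>""")
SITE_RULES_CLOSED = parse_rules("""<authorization>
  <allow users="Joydip"/> <deny users="*"/>
</authorization>""")
TEST_ASPX_RULES = parse_rules('<authorization><allow users="?"/></authorization>')
VERB_RULES = parse_rules("""<authorization>
  <allow verbs="GET" users="*"/> <allow verbs="POST" users="Jude"/>
  <deny verbs="POST" users="*"/>
</authorization>""")

JOYDIP, JUDE, ANON = Principal("Joydip"), Principal("Jude"), Principal(None)
ALICE = Principal("Alice")          # authenticated but named in no rule


def site_decisions(rules: List[Rule] = SITE_RULES) -> dict:
    """Decisions of an allow/deny list for the four sample requesters."""
    return {who.name or "anonymous": authorize([rules], who)
            for who in (JOYDIP, JUDE, ALICE, ANON)}


def anonymous_on_test_aspx() -> bool:
    """Test.aspx: the <location> rules are consulted before the site rules."""
    return authorize([TEST_ASPX_RULES, SITE_RULES], ANON)


def verb_decisions() -> dict:
    return {"jude_post": authorize([VERB_RULES], JUDE, "POST"),
            "alice_post": authorize([VERB_RULES], ALICE, "POST"),
            "alice_get": authorize([VERB_RULES], ALICE, "GET"),
            "anon_delete": authorize([VERB_RULES], ANON, "DELETE")}  # no rule names DELETE


if __name__ == "__main__":
    print(site_decisions())          # Alice slips through on the default allow
    print(site_decisions(SITE_RULES_CLOSED))
    print(anonymous_on_test_aspx(), verb_decisions())
```

Two things the model makes visible that the snippets alone do not: an authenticated user who is named in no rule (Alice) is allowed by the article's first list, because evaluation falls through to the machine-level allow, and a verb that no rule mentions (DELETE here) is likewise allowed. Closing each list with an explicit deny users="*" (as in SITE_RULES_CLOSED) turns both fall-throughs into denials. Note also that the real attribute name on allow/deny elements is verbs, not verb.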

Continues…