ASP.NET Security

ASP.NET Security part two

In addition to the IIS permission levels, NTFS permissions can also be used to secure the files and directories on a Web server. The following are the different access permissions that can be assigned to users and groups for the files and directories on the server:

Full Control: Allows users to have complete control on files and/or directories.

Modify: Allows users to modify the contents of files and/or directories. However, users will not be able to delete files and/or directories.

Read & Execute: Allows users to read the contents of the existing files and/or directories and execute any application stored in that folder. However, users will not be able to modify the contents of the files and/or directories.

List Folder Contents: Allows users to view the contents of the folder. However, users will neither be able to read the contents of any file in the folder nor modify any contents.

Write: Allows users to make changes to files and/or directories.

No Access: Does not allow any access to files and/or directories.

Authentication in Web applications

Various ways exist to authenticate user access to Web applications. In intranet applications, it is possible to use Integrated Windows Authentication to authenticate user access and implement access control. But in most Internet applications it is not possible to use Windows authentication, because it imposes several restrictions. The following are two of these restrictions:

Number of user accounts: Although Windows Active Directory can scale up to a large number of user accounts, managing all the user accounts for Internet applications (that involve millions of user accounts) can be a big management challenge, if not a nightmare. Therefore, most Web administrators and developers prefer an authentication mechanism that is based on databases, such as SQL databases.

Licensing issues: If millions of users were to be authenticated against an Active Directory database, the Web site would need to procure user licenses for all the users. Thus, to say the least, it can prove to be an expensive proposition.

In classic ASP, authentication issues were addressed by security implementations that relied on cookies or the client IP address. This approach typically meant writing a lot of code and proved to be an unnecessary overhead for developers. It is also very different from how security is implemented in Windows applications, which are designed to make the most of the services provided by the operating system. With ASP.NET, however, the days of writing tedious user validation code are gone. Developers can rely on the underlying Microsoft .NET Framework to provide security and focus instead on solving business problems and implementing the functionality of the Web site. Let us now explore the various authentication models that are supported by ASP.NET.

ASP.NET authentication options

The security section of the Web.config file contains the information related to the level and type of authentication services that are provided for a Web application. The Web.config file is an XML file located in the root directory of a Web application. Various configuration options for an ASP.NET Web application can be controlled and configured from this XML file.

The system.web section of the Web.config file is used to control the various aspects of security that are provided to the Web application. An ASP.NET Web application can be provided with one of the following types of security:

Windows: The application is secured by using Integrated Windows Authentication. In this method, access to a Web application is allowed only to those users who are able to verify their Windows credentials. Credentials can be verified against the Windows authentication database (SAM) or against Active Directory.

Passport: The application is secured by using Microsoft Passport authentication. Passport is a single-sign-on technology developed by Microsoft for use on the Web.

Forms: The application is secured by using a custom authentication model with cookie support.

None: The application is not secured; access to the application does not require authentication.

Forms-based Authentication

ASP.NET includes a built-in feature, called forms-based authentication, which can be used to implement customized logic for authenticating users and custom authentication handlers without having to worry about session management using cookies. In forms-based authentication, when a user is determined to be unauthenticated, the user is automatically redirected to the login page. Some of the benefits of forms-based authentication are the following:

Developers can configure forms-based authentication differently for various parts of the Web site, because the Web.config file is a hierarchical XML document.

Administrators and developers can change the authentication scheme quickly and easily in the Web.config file.

Administration is centralized because all the authentication entries are in one place — the Web.config file.

You can enable forms-based authentication for a Web application by setting the authentication mode to "Forms" in the Web.config file (the mode attribute of the authentication element).
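The following Web.config fragment is an added illustration, not taken from the original article: it selects the Forms mode described above, denies anonymous users for the whole application, and uses a location element to show how the hierarchical configuration relaxes that rule for one folder. The page and folder names (Login.aspx, Default.aspx, Public) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Selects forms-based authentication (alternatives: Windows, Passport, None). -->
    <authentication mode="Forms">
      <!-- Unauthenticated requests are redirected to loginUrl (assumed page name).
           protection="All" both encrypts and signs the ticket, requireSSL keeps the
           cookie off plain HTTP, and a fixed (non-sliding) 20-minute lifetime bounds
           how long a leaked ticket remains usable. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>

    <!-- Application-wide rule: "?" is the anonymous user, so every request must be
         authenticated. ASP.NET exempts the loginUrl page itself, so no redirect loop. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Marks all cookies HttpOnly so page scripts cannot read the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Because the configuration is hierarchical, a location element can override the
       application-wide rule for one folder. The assumed "Public" folder (static
       resources used by the login page) allows all users, "*" including anonymous. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```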
