How Do Authentication and Authorization Work in ASP.NET?

With data breaches on the rise, it is important for individuals to avoid falling prey to such tactics, and the same holds for businesses. Businesses today should be more concerned about the security of their websites and web applications in order to protect them from being compromised by attackers. To that end, they can implement security measures such as input validation, data encryption, strong passwords and, last but not least, authentication and authorization to keep their websites and applications safe from intruders. Authentication and authorization are two important, interlinked concepts that are widely used in the development of distributed ASP.NET applications. Hence, ASP.NET application development with security integration calls for the implementation of both.

  • Authentication in ASP.NET:

Authentication is the process of obtaining credentials from the user and then using them to determine the user’s identity. ASP.NET offers a variety of alternatives for implementing authentication. Using these, one can either handle authentication in the application itself or delegate it to others. An ASP.NET application is built on top of IIS (Internet Information Services), so every request made to an ASP.NET application has to flow through IIS first.

  • Authentication as a Joint Process between IIS and ASP.NET:

Let’s have a look at how the joint IIS and ASP.NET authentication process works.

First, when an incoming request reaches IIS, IIS checks the IP address from which it originated. If the address is valid, IIS allows access to the domain; otherwise it denies the request. For a request from a valid address, IIS then performs its own user authentication. By default, requests are automatically authenticated by IIS; however, this default can be changed on a per-application basis within IIS as needed. When the request is then passed to ASP.NET, ASP.NET checks for impersonation. If impersonation is enabled, ASP.NET acts as though it were the authenticated user; if it is not enabled, ASP.NET proceeds with the identity of the IIS local machine and the privileges of the ASP.NET user account. Finally, the identity from this step is used to request resources from the OS. Once authentication is complete, ASP.NET performs authorization to check whether the user is authorized to access the requested resources.

  • Authentication Providers and Types:

When a user tries to log on to the application, he or she is first authenticated, and the authorization process follows. It is the responsibility of the authentication provider to validate the user’s identity based on the credentials entered. The authentication provider checks whether those credentials are valid and decides whether a particular request should be considered authenticated. During ASP.NET development, users can be authenticated for access to the application in any of the three ways below, each backed by a different authentication provider: the forms authentication provider, which uses HTML forms to gather credentials from users; the Windows authentication provider, which uses the user’s Windows account; and the Passport authentication provider, which uses Microsoft’s Passport service to authenticate users. Apart from these, ASP.NET also supports custom authentication providers.

To select an authentication provider, one needs to make an entry in the application’s web.config file.

Authorization: Authorization is the process of determining whether an authenticated user may access a resource. Only authenticated users undergo authorization for access to the application. The default authorization mode in ASP.NET is anonymous authorization, while the other forms are URL authorization and file and ACL-based authorization. Just like authentication, authorization can be specified in the application’s web.config file.
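The web.config entries described above, as an added example that is not part of the original article: it selects the forms authentication provider, leaves impersonation off, and applies URL authorization rules. The cookie name, login path, `Admin` folder and `Administrators` role are assumed names chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication provider: mode is one of Windows, Forms, Passport, None -->
    <authentication mode="Forms">
      <!-- name and loginUrl are assumed values for this example.
           protection="All" encrypts and validates the ticket;
           requireSSL="true" keeps the cookie off plain HTTP;
           timeout is in minutes. -->
      <forms name=".APPAUTH"
             loginUrl="~/Account/Login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="false"
             timeout="20"
             cookieless="UseCookies" />
    </authentication>

    <!-- Impersonation off: code runs under the ASP.NET process account,
         not as the authenticated user. -->
    <identity impersonate="false" />

    <!-- URL authorization. Rules are read top to bottom and the first
         match wins. "?" means anonymous users, "*" means all users.
         Weak form to avoid: an <allow users="*" /> placed above the deny
         matches first and makes the deny unreachable. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder (assumed name "Admin"): allow a single
       role, then deny everyone else. Without the trailing deny, the
       inherited rules would still admit any authenticated user. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```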

In this way, authentication and authorization ensure the security of information in applications, and they are therefore used during the ASP.NET application development process, especially when distributed application development is the requirement.
