Saturday, 31 August 2013

Security Configuration in ASP.NET


Security Configuration:


Security configuration in ASP.NET refers to controlling which users can reach which pages: some pages are designed for public users and are accessible to everyone, while others are accessible only after the user has been identified by a user name and other identification process. Data-level security and other security issues are handled separately with other concepts.

ASP.NET provides security through two processes.

  1.  Authentication
  2.  Authorization


1) Authentication:


The process of verifying the user's credentials and creating an identity is called Authentication.

2) Authorization:


The process of allowing or denying access to the requested resources is called Authorization.




We combine both of these processes to provide effective security management for our website.


ASP.NET provides three types of Authentication, out of which we select one authentication mode based on our website.

  • Windows Authentication
  • Passport Authentication
  • Forms Authentication

1) Windows Authentication:


In this method, IIS and Windows check the user's credentials. This is the default authentication mode.

How it Works:

The client makes a request, and IIS at the server checks for a Windows identity. When none is found, it sends a login window to the client. After the user provides a user name and password to IIS, IIS creates the identity and passes the request on to the ASP.NET application, which then returns the secured page to the user. Once authenticated, all further requests for pages are identified as well. This type of authentication is suitable for an intranet environment (LAN).

EX: Monster, Gmail.

2) Passport Authentication:


This is a third-party authentication: we use the Microsoft Passport service for authentication. It is not implemented for clients' own commercial websites but for Microsoft-related websites.

Note: for Passport and Forms authentication we must set the IIS-level authentication to Anonymous, which means that at the IIS level all users are allowed through.

How it works:

  • The client makes a request.
  • IIS allows the user through as anonymous.
  • ASP.NET then checks for an identity and, finding none, redirects the user to the Passport website.
  • Passport displays a login page to the user.
  • The user enters credentials and submits them back to Passport.
  • Passport checks them and creates an identity; along with the Passport-issued identity, the user gets the secured web page.

EX: Google.

3) Forms Authentication:



This is the most widely implemented authentication mode in ASP.NET. In this mode no third-party service is used: the developer can implement any logic and perform authentication however required.

How it works:

  • The client makes a request for a secured page.
  • IIS allows the user through as Anonymous.
  • ASP.NET checks for a Forms authentication ticket (identity); when none is found, it redirects the user to the login page in the root directory.
  • The user responds to the login page by entering their credentials and submits the page back to IIS. IIS again allows the user as Anonymous, and ASP.NET executes the login page, which verifies the credentials against the data source. On success it creates a Forms identity and redirects the user to the secured page along with the newly created Forms authentication ticket.
  • The client sends this ticket with every further request; as long as the ticket is present and valid, ASP.NET treats the user as an authenticated user.

NOTE: All of this is provided by ASP.NET through the authentication and authorization configuration elements and the System.Web.Security namespace.

1) To provide security, first open the root web.config file and add the authentication element.
2) Create a folder in the root, such as "Admin", and place the pages you want to secure inside this folder.
3) In the Admin folder create a web.config file and add the authorization element to it.

EX:

<configuration>
 <system.web>
  <!-- Rules are checked in order; the first rule that matches the user wins. -->
  <authorization>
   <deny users="?"/>   <!-- "?" = anonymous (unauthenticated) users -->
   <allow users="*"/>  <!-- "*" = all users -->
  </authorization>
 </system.web>
</configuration>


Note: here "?" means anonymous users (who are denied), and "*" means all users (who are allowed).
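Because the rules above are evaluated in order with the first match winning, their order matters: reversing the two elements would let anonymous users in. The following console program is an added example, not code from the original post or from ASP.NET itself; it models that first-match evaluation for the "users" attribute only ("?", "*" or a user name), with the folder's rules checked before the root's, and leaves out roles and verbs.

```csharp
// Added example: a small model of how ASP.NET evaluates <allow>/<deny> rules,
// written to show why <deny users="?"/> must come before <allow users="*"/>.
// Only the "users" attribute is modelled; roles and verbs are not.
using System;
using System.Collections.Generic;

enum RuleAction { Allow, Deny }

// One <allow users="..."/> or <deny users="..."/> element.
class Rule
{
    public RuleAction Action { get; private set; }
    public string Users { get; private set; }   // "?", "*" or comma-separated user names

    public Rule(RuleAction action, string users) { Action = action; Users = users; }

    // Does this rule apply to the given user? A null user name means anonymous.
    public bool Matches(string userName)
    {
        foreach (string token in Users.Split(','))
        {
            string t = token.Trim();
            if (t == "*") return true;                       // everyone, anonymous included
            if (t == "?" && userName == null) return true;   // anonymous only
            if (userName != null && string.Equals(t, userName, StringComparison.OrdinalIgnoreCase))
                return true;                                 // a named user
        }
        return false;
    }
}

static class UrlAuthorization
{
    // Rules are checked in order and the first match decides. The most specific
    // web.config (e.g. /Admin/web.config) is consulted before its parents, so the
    // caller passes the folder's rules first and the root's rules last. If no rule
    // matches, access is allowed, which is what the root's <allow users="*"/> does.
    public static bool IsAllowed(string userName, params IEnumerable<Rule>[] configsMostSpecificFirst)
    {
        foreach (IEnumerable<Rule> rules in configsMostSpecificFirst)
            foreach (Rule rule in rules)
                if (rule.Matches(userName))
                    return rule.Action == RuleAction.Allow;
        return true;
    }
}

class Program
{
    static void Main()
    {
        // The Admin/web.config from the post: deny anonymous, then allow everyone else.
        var adminRules = new List<Rule> { new Rule(RuleAction.Deny, "?"), new Rule(RuleAction.Allow, "*") };
        // The same two elements in the opposite order (a common mistake).
        var reversedRules = new List<Rule> { new Rule(RuleAction.Allow, "*"), new Rule(RuleAction.Deny, "?") };
        // What the root web.config effectively contains.
        var rootRules = new List<Rule> { new Rule(RuleAction.Allow, "*") };

        Console.WriteLine("anonymous, post's Admin rules : " + UrlAuthorization.IsAllowed(null, adminRules, rootRules));
        Console.WriteLine("alice,     post's Admin rules : " + UrlAuthorization.IsAllowed("alice", adminRules, rootRules));
        Console.WriteLine("anonymous, reversed rules     : " + UrlAuthorization.IsAllowed(null, reversedRules, rootRules));
    }
}
```

With the post's rule order an anonymous request to the Admin folder is denied and a logged-in user is allowed; with the reversed order the `<allow users="*"/>` rule matches the anonymous user first, so the `<deny users="?"/>` rule is never reached and the folder is effectively public.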

4) Add the following to the root web.config itself.

<configuration>
 <system.web>
  <!-- mode values are case-sensitive: Windows, Forms, Passport or None -->
  <authentication mode="Forms"/>
 </system.web>
</configuration>
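The steps above configure the redirect to the login page and the protection of the Admin folder, but the login page itself still has to verify the credentials and create the Forms ticket, as described in the "How it works" list. The code-behind below is an added example, not code from the original post: it assumes a Login.aspx in the root with TextBox controls named txtUserName and txtPassword, a Button wired to btnLogin_Click and a Label named lblMessage, plus a page in Admin with a Button wired to btnLogout_Click; those control names are this example's own choice. Credentials are checked through the ASP.NET Membership provider configured in web.config, so no password is compared in page code.

```csharp
// Added example: code-behind for the login page and a secured Admin page in the
// Forms authentication flow. Control names (txtUserName, txtPassword, lblMessage,
// btnLogin, btnLogout) are assumed to be declared in the matching .aspx files.
using System;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs: the page ASP.NET redirects to when no Forms ticket is present.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // "Verifying credentials against the data source": the Membership
        // provider compares the password with the stored (hashed) value.
        if (Membership.ValidateUser(userName, password))
        {
            // "Create forms identity and redirect": this issues the Forms
            // authentication ticket cookie and sends the browser back to the
            // page it originally requested (ReturnUrl), or to the configured
            // defaultUrl. The second argument is false, so the ticket lives in a
            // session cookie only and no persistent "remember me" cookie is written.
            FormsAuthentication.RedirectFromLoginPage(userName, false);
        }
        else
        {
            // One message for both an unknown user and a wrong password, so the
            // response does not reveal which of the two failed.
            lblMessage.Text = "Invalid user name or password.";
        }
    }
}

// Admin/Default.aspx.cs: only reachable with a valid ticket because of the
// <deny users="?"/> rule in Admin/web.config.
public partial class Admin_Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The Forms ticket has already been validated by ASP.NET; the user name
        // it carries is exposed through the page's User property.
        lblMessage.Text = "Logged in as " + User.Identity.Name;
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Remove the ticket cookie and send the user back to the login page.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The `<forms>` child of the `<authentication>` element is where the ticket's behaviour is tuned: `loginUrl` (defaults to login.aspx in the root, which is why step 3 of the flow works without it), `timeout` and `slidingExpiration` for how long a ticket stays valid, `requireSSL="true"` so the ticket cookie is only sent over HTTPS, and `protection="All"` (the default) so the ticket is both encrypted and signed. With the default `enableCrossAppRedirects="false"`, a ReturnUrl that points outside the application is not followed by RedirectFromLoginPage.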


Conclusion:


 In this article I have tried to explain the types of security configuration settings and how to grant permissions at different levels. I hope this information is helpful to anyone who is looking for it.