Tuesday, December 9, 2008

ASP .NET Security

Understanding Security
Authentication
Authorization
Users and Roles
Impersonation
Authentication
Determines the identity of the requesting entity
It answers the question “Who is this user?”
The entity presents credentials, usually in the form of a user ID/password
Authorization
For any identified entity, it determines the access rights to a resource
It answers the question “Do you have rights to this? If so, then what kind of rights?”
Usually managed through the operating system or a database
Users and Roles
Users are the entities that make the request to access resources
Roles are the “HATS” users wear once they are authenticated
Each entity has a single user profile, but can have multiple roles
Impersonation
Allows the ASP .Net application to take on the user’s identity when the request is passed to the application from IIS
Access is granted or denied based on the impersonated identity
Authentication
ASP .Net supports the following authentication providers:
Windows authentication
Form-based authentication
Passport authentication
Windows authentication
Define the security scheme in config.web
Validates user against every web request
Use Application_AuthenticateRequest() in global.asax to capture user info through Context.User.Identity object

Windows authentication
Advantages
OS based integrated policy management
Easy to manage complex security
More familiar to admins and developers
Disadvantages
OS dependent
Unable to secure URLs
Settings in config.web
Authenticate using windows
Deny all unauthorized users
Form-based authentication
Define the security scheme in config.web
Identify the resources (files, folders) to protect and create entries in config.web
Add proper users and roles to the protected resource entries
Specify a login form for users that can handle cookies
Form-based authentication
Advantages
Does not require users specified in OS
Easy to implement and start
Disadvantages
Requires some coding
Settings in config.web
Authenticate using form-based (cookies)
Deny all unauthorized users
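The form-based settings listed above, written out as an added example (not from the original post). It uses the element syntax of released ASP .Net, where the file is named web.config rather than the pre-release config.web used in the post; Login.aspx, the cookie name and the 30-minute timeout are assumed values.

```xml
<!-- Added example: form-based (cookie) authentication with all
     unauthorized users denied. Login.aspx, .ASPXAUTH and timeout="30"
     are assumed values, not from the original post. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: the login form unauthenticated users are sent to
           name:     the authentication cookie
           timeout:  ticket lifetime in minutes
           protection="All": ticket is both encrypted and signed
           requireSSL="true": cookie is never sent over plain HTTP -->
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             timeout="30"
             protection="All"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- "?" means the anonymous user. Denying it forces every request
         without a valid ticket to redirect to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login form itself must stay reachable anonymously or the
       redirect loops. Newer ASP .Net versions skip authorization for the
       loginUrl automatically; stating it explicitly does no harm. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The Login.aspx page then validates the submitted credentials and issues the cookie (in released ASP .Net via FormsAuthentication.RedirectFromLoginPage); the configuration above only decides who is challenged and how the ticket is protected.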
Passport authentication
Install Microsoft Passport SDK
Define the security scheme in config.web
Identify the resources (files, folders) to protect and create entries in config.web
Specify a “no rights” page for the app (redirecturl = “AccessDenied.aspx”)
Add code to inspect the User.Identity values
Passport authentication
Advantages
User Management and authorization is handled by someone else
Can be integrated with many other online services
You still get to control the policy details through config files and code
Disadvantages
Internet-connected solutions
Only handles authentication
Settings in config.web
Authenticate using passport
Deny all unauthorized users
Authorization
ASP .Net can perform two types of authorization
File authorization
URL authorization
File authorization
Performed when Windows authentication is used
Does an ACL check to determine whether the user should have access
ACL (Access Control List) checks the resource itself for proper permissions
URL authorization
URL authorization checks configuration data store (config.web) in ASP .Net for proper permissions
Implements both positive and negative authorization assertions through elements in config.web
Allows us to control access to GET, POST and HEAD for each user/role
Setting up authorizations
Allow access to all except snoopy
Setting up authorizations
Allow everyone access to do a GET but only Snoopy and Admins can do a POST
Config.web settings
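The two authorization rules above, together with the Windows authentication settings from the earlier slide, as an added example that is not from the original post. It is written in the element syntax of released ASP .Net (file name web.config; the post's config.web is the pre-release name). The user snoopy and the role Admins come from the post; the paths "Reports" and "Orders.aspx" are assumed.

```xml
<!-- Added example: Windows authentication plus URL authorization.
     Paths "Reports" and "Orders.aspx" are assumed; "snoopy" and
     "Admins" are the user and role named in the original post. -->
<configuration>
  <system.web>
    <!-- Identity is established by IIS (NTLM/Kerberos/Basic) and
         handed to ASP .Net; file authorization (ACL checks) applies too -->
    <authentication mode="Windows" />

    <!-- Deny all unauthorized users: "?" is the anonymous user -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rule 1: allow access to all except snoopy.
       Rules are evaluated top to bottom and the FIRST match wins, so
       the deny must precede allow users="*"; reversed, snoopy gets in. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny users="snoopy" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Rule 2: everyone may GET, only Snoopy and Admins may POST.
       The trailing deny users="*" closes the implicit allow-all so
       other verbs (e.g. HEAD) and other users are refused. -->
  <location path="Orders.aspx">
    <system.web>
      <authorization>
        <allow verbs="GET" users="*" />
        <allow verbs="POST" users="Snoopy" roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules in a location element are checked before the rules of the enclosing configuration, so each block above is self-contained. Remember the catch from the next slide: these rules only cover requests that IIS hands to the ASP .Net ISAPI handler.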
Is there a catch?
The ASP .Net configuration system only applies to ASP .Net resources, i.e. those registered to be handled by xspisapi.dll
So it does not provide authorization for TXT, GIF, JPG, ASP, HTML etc.
Can be fixed by mapping such files to xspisapi.dll
The problem – mapping these files through xspisapi.dll could have a performance impact
Review
Windows authentication
Uses ACL checks to authorize access to resources
Additionally, URL authorization can be specified in config.web
Form-based (cookie) authentication
Set up authentication in config.web and create a default login form
Uses authorization specified in config.web ONLY
Passport authentication
Download the Passport SDK and set up config.web
