Logo

Navigation
  • Home
  • Services
    • ERP Solutions
    • Implementation Solutions
    • Support and Maintenance Solutions
    • Custom Solutions
    • Upgrade Solutions
    • Training and Mentoring
    • Web Solutions
    • Production Support
    • Architecture Designing
    • Independent Validation and Testing Services
    • Infrastructure Management
  • Expertise
    • Microsoft Development Expertise
    • Mobile Development
    • SQL Server Database and BI
    • SAP BI, SAP Hana, SAP BO
    • Oracle and BI
    • Oracle RAC
  • Technical Training
    • Learn Data Management
      • Business Intelligence
      • Data Mining
      • Data Modeling
      • Data Warehousing
      • Disaster Recovery
    • Learn Concepts
      • Application Development
      • Client Server
      • Cloud Computing Tutorials
      • Cluster Computing
      • CRM Tutorial
      • EDI Tutorials
      • ERP Tutorials
      • NLP
      • OOPS
      • Concepts
      • SOA Tutorial
      • Supply Chain
      • Technology Trends
      • UML
      • Virtualization
      • Web 2.0
    • Learn Java
      • JavaScript Tutorial
      • JSP Tutorials
      • J2EE
    • Learn Microsoft
      • MSAS
      • ASP.NET
      • ASP.NET 2.0
      • C Sharp
      • MS Project Training
      • Silverlight
      • SQL Server 2005
      • VB.NET 2005
    • Learn Networking
      • Networking
      • Wireless
    • Learn Oracle
      • Oracle 10g
      • PL/SQL
      • Oracle 11g Tutorials
      • Oracle 9i
      • Oracle Apps
    • Learn Programming
      • Ajax Tutorial
      • C Language
      • C++ Tutorials
      • CSS Tutorial
      • CSS3 Tutorial
      • JavaScript Tutorial
      • jQuery Tutorial
      • MainFrame
      • PHP Tutorial
      • VBScript Tutorial
      • XML Tutorial
    • Learn Software Testing
      • Software Testing Types
      • SQA
      • Testing
  • Career Training
    • Career Improvement
      • Career Articles
      • Certification Articles
      • Conflict Management
      • Core Skills
      • Decision Making
      • Entrepreneurship
      • Goal Setting
      • Life Skills
      • Performance Development
      • Personal Excellence
      • Personality Development
      • Problem Solving
      • Relationship Management
      • Self Confidence
      • Self Supervision
      • Social Networking
      • Strategic Planning
      • Time Management
    • Education Help
      • Career Tracks
      • Essay Writing
      • Internship Tips
      • Online Education
      • Scholarships
      • Student Loans
    • Managerial Skills
      • Business Communication
      • Business Networking
      • Facilitator Skills
      • Managing Change
      • Marketing Management
      • Meeting Management
      • Process Management
      • Project Management
      • Project Management Life Cycle
      • Project Management Process
      • Project Risk Management
      • Relationship Management
      • Task Management
      • Team Building
      • Virtual Team Management
    • Essential Life Skills
      • Anger Management
      • Anxiety Management
      • Attitude Development
      • Coaching and Mentoring
      • Emotional Intelligence
      • Stress Management
      • Positive Thinking
    • Communication Skills
      • Conversation Skills
      • Cross Culture Competence
      • English Vocabulary
      • Listening Skills
      • Public Speaking Skills
      • Questioning Skills
    • Soft Skills
      • Assertive Skills
      • Influence Skills
      • Leadership Skills
      • Memory Skills
      • People Skills
      • Presentation Skills
    • Finding a Job
      • Etiquette Tips
      • Group Discussions
      • HR Interviews
      • Interview Notes
      • Job Search Tips
      • Resume Tips
      • Sample Resumes
 

ASP.NET Security

By Exforsys | on September 2, 2005 |
ASP.NET 2.0

ASP.NET Security

In this tutorial you will learn about ASP.NET 2.0 Security, The Security Architecture of ASP.NET 2.0, The security infrastructure and subsystem relationships of the ASP.NET and the sequence of events that occur when a authentication is sought.

When we talk of ‘security’ we are basically acknowledging that there is a possibility of ‘vulnerability’. The developer and the Administrator need to focus on various threats and mitigation techniques and security concepts including principals, authorities, services, security identifiers, tokens, logon sessions, window stations, access control and so on…

Security of websites is a very critical and complex issue that needs to be handled by the developer and the administrator. It requires an understanding of possible threats and a thorough knowledge of access points and vulnerabilities of the application being developed. It presupposes that the developer and the administrator will build in sufficient safeguards in the application being deployed over the network.

ASP.NET 2.0 comes up membership services that manage a database of user accounts, hashed passwords, a role manager for managing role membership for users, and five new server-side controls that make implementing forms authentication much easier. ASP.NET 2.0 also offers a provider model that gives the developer and the administrator complete control over the implementation of the Membership and Role services and cookie-less forms authentication. The Web-based administration enables simple local and remote administration of user accounts and roles, as well as enhanced control of other non-security related settings.

The Security Architecture of ASP.NET 2.0

The security infrastructure and subsystem relationships of the ASP.NET are illustrated in the following diagram.

Web clients communicate with the Internet Information Services (IIS). The IIS deciphers and authenticates the user request. It examines whether the ‘Allow Anonymous’ property has been set to true authentication processes are bypassed, else they are set in motion. The IIS also searches for the requested resource and if the client is authorized it returns the resource else denies the resource. The IIS also assumes that a set of credentials is mapped to the Operating System account and uses them to authenticate the user. Different kinds of authentication is available in IIS.5.0 and 6.0—the basic, the digest and the Integrated Windows Authentication. However, a detailed study on IIS authentication modes is beyond the purview of this tutorial and, therefore, only receives a mention here.

ASP.NET has its own security features and the application built on ASP.NET can have its own low level security features. When the IIS hands over the request to the ASP.NET application, the latter provides three kinds of authentication-forms authentication, Passport authentication and Windows authentication. The type of authentication required is declared in the configuration file of the application. If windows authentication is used the information about users and groups is stored in the Security Accounts Manager(SAM) database or in the Active Directory services. For Passport authentication, user information is stored in the internal passport database. Forms authentication allows the developer specify where to store the information.

Forms authentication is a system whereby unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides his credentials and submits a form. If the data is authenticated by the application the system issues a ticket in a cookie that contains the credentials or key for reacquiring the identity. All subsequent requests are issued with the cookie in the request headers and they are authenticated and authorized by an ASP.NET handler using the validation method specified by the developer.

Passport authentication is a centralized authentication service provider that is made available by Microsoft. It offers a single logon and core profile services for member sites.

Windows Authentication is used in conjunction with Microsoft IIS authentication. This type of authentication is commonly used in Intranet scenarios. It provides a user interface and backend code needed to collect user inputs. The developer can be unaware of the data storage and validation of user roles. The identity of the application user is passed in from the IIS.

However, Passport or Windows authentication are not practical for real life scenarios where websites are extremely vulnerable to attacks of hackers and unauthorized entrants. The forms based authentication is considered the best protection for ASP.NET applications and as such has received much focus in ASP.NET 2.0.

On completion of the authentication by IIS, ASP.NET uses the authenticated identity to authorize access.

The sequence of events that occur when a authentication is sought is as under:

…………….1. A client generates a request for a protected resource on the web.

…………….2. The request is received by the IIS. The IIS checks whether the resource is authenticated
…………….by IIS or if Anonymous Access has been enabled for the resource. If yes, the request is
…………….passed on to ASP.NET application. If the ASP.NET application is set to forms authentication,
…………….IIS authentication is bypassed.

…………….3. If the request does not have a cookie attached to it, ASP.NET redirects it to the Logon
…………….page. The configuration file of the application rests in this path. The client then, enters his
…………….credentials on the Logon page.

…………….4. The credentials are checked by the application code using an event handler which checks
…………….the credentials. If authenticated a ticket is attached(a cookie) containing the username. If
…………….authentication fails the access denied message is sent to the user and the logon form is
…………….again presented to the user.

…………….5. Once the ticket has been issued by the application, ASP.NET checks the ticket for validity
…………….using a message authentication check.

…………….6. If the user has been authenticated, ASP.NET proceeds to check for authorization. It either
…………….provides access to the original resource requested or if the user does not have
…………….authorization for the resource, the application will redirect the user to another page which
…………….can be a custom authorization module where the credentials are again tested for
…………….authorization access. If authorization fails the user is redirected to the logon page.

…………….7. If the user is authorized, access is granted.

« « ASP.NET Setting Application-Level Caching
Forms Authentication in ASP.NET » »

Author Description

Avatar

Editorial Team at Exforsys is a team of IT Consulting and Training team led by Chandra Vennapoosa.

Free Training

RSSSubscribe 392 Followers
  • Popular
  • Recent
  • ASP.NET Using Web Parts and Controls in Web Pages

    August 22, 2005 - 0 Comment
  • ASP.NET Setting Application-Level Caching

    August 30, 2005 - 0 Comment
  • ASP.NET Working With Master Pages

    August 17, 2005 - 0 Comment
  • ASP.NET Creating Web Wizards

    September 16, 2005 - 0 Comment
  • ASP.NET Web Pages and Layout

    August 23, 2005 - 0 Comment
  • ASP.NET Data Source Object Model

    September 6, 2005 - 0 Comment
  • ASP.NET Creating Content for Master Page

    August 17, 2005 - 0 Comment
  • ASP.NET : Dynamic Image control

    September 16, 2005 - 0 Comment
  • ASP.NET – Adding Web Parts at Run Time

    August 22, 2005 - 0 Comment
  • Getting started with ASP.NET 2.0

    July 4, 2005 - 0 Comment
  • Application Development in .NET

    November 21, 2007 - 0 Comment
  • ASP.NET Advanced Site Functionality

    September 16, 2005 - 0 Comment
  • ASP.NET : Dynamic Image control

    September 16, 2005 - 0 Comment
  • ASP.NET Creating Web Wizards

    September 16, 2005 - 0 Comment
  • Displaying Master-Detail Data on Separate Pages in ASP.NET

    September 16, 2005 - 0 Comment
  • ASP.NET Displaying Master-Detail Data on the Same Page

    September 13, 2005 - 0 Comment
  • ASP.NET DataBound Controls – Details View

    September 13, 2005 - 0 Comment
  • ASP.NET Using a Grid to Display Detail Information

    September 13, 2005 - 0 Comment
  • ASP.NET Adding Sorting and Paging in GridView

    September 10, 2005 - 0 Comment
  • ASP.NET GridView Filtering

    September 10, 2005 - 0 Comment

Exforsys e-Newsletter

ebook
 

Related Articles

  • Application Development in .NET
  • ASP.NET Advanced Site Functionality
  • ASP.NET : Dynamic Image control
  • ASP.NET Creating Web Wizards
  • Displaying Master-Detail Data on Separate Pages in ASP.NET

Latest Articles

  • Project Management Techniques
  • Product Development Best Practices
  • Importance of Quality Data Management
  • How to Maximize Quality Assurance
  • Utilizing Effective Quality Assurance Strategies
  • Sitemap
  • Privacy Policy
  • DMCA
  • Trademark Information
  • Contact Us
© 2023. All Rights Reserved.IT Training and Consulting
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptReject Read More
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT