
Levels of security:

Authentication
Authorization
Confidentiality
Integrity

In an ASP.NET application, authentication is implemented through one of four possible authentication systems:
• Windows authentication
• Forms authentication
• Passport authentication
• A custom authentication process

1. Authentications
a. In Web.config

Windows option using Integrated Windows Authentication

1. Uses the Windows user accounts

2. Web.config
<authentication mode="Windows"/>
<authorization>
<allow users="deepa-pc\deepa"/>
<deny users="*"/>
</authorization>

db2admin (not listed in the allow rule) gets the following error:


3. allow/deny attributes
a. users
b. roles
(<allow roles="Administrator"/>)
c. verbs: the HTTP method that is allowed or denied
(<deny verbs="GET"/>)

4. Wildcards
a. *: all users
b. ?: all anonymous (unauthenticated) users

5. Permissions: the effective rules are the union of the allow and deny entries (allow ∪ deny)

Use the IPrincipal interface of the User object attached to the current HTTP request. This approach works with ASP.NET versions 1.0, 1.1 and 2.0. When using Windows authentication, use the domainName\userName format for the user name and the domainName\groupName format for the group name.

Checking Role Membership in Code

if (User.IsInRole(@"DomainName\Manager"))
{
    // Perform restricted operation
}
else
{
    // Return unauthorized access error.
}

Alternatively, use the role manager APIs introduced in ASP.NET version 2.0, which support a similar Roles.IsUserInRole method, as shown here.

if (Roles.IsUserInRole(@"DomainName\Manager"))
{
    // Perform restricted operation
}
else
{
    // Return unauthorized access error.
}
Windows option using basic authentication

1. Part of the HTTP specification
2. Supported by most browsers
3. Passes the user name and password as plain text
4. Basic authentication over SSL is more secure
5. IIS: open your application's Properties and, in the Authentication Methods dialog, select Basic authentication

Digest authentication uses an algorithm to encrypt the user name and password.

Form based

Web.config

<authentication mode="Forms">
<forms name="secure" loginUrl="Login.aspx" path="/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>

Code-behind for the login page:

protected void Button1_Click(object sender, EventArgs e)
{
    if (TextBox1.Text == "deepa" && TextBox2.Text == "deepa")
        FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, true);
    else
        Response.Write("Unauthorized");
}
Authentication against values contained in web.config

<authentication mode="Forms">
<forms name="secure" loginUrl="Login.aspx" path="/">
<credentials passwordFormat="Clear">
<user name="deepa" password="deepa"/>
</credentials>
</forms>

</authentication>
<authorization>
<deny users="?"/>
</authorization>

Authenticating a specific path or file


<location path="AdminPage.aspx">
<system.web>
<authentication mode="Windows"/>
<authorization>
<allow users="deepa-pc\db2admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
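As an added illustration of items 3 to 5 above (the allow/deny attributes, the * and ? wildcards, and how the rules combine) and of the <location> section just shown, here is a small Python model of how ASP.NET URL authorization decides a request. It is written for these notes and is not the framework's own UrlAuthorizationModule code; it assumes that rules are checked in document order with the first match winning, that a <location> section's rules are checked before the parent section's rules, and that a request matching no rule is allowed by the framework's root configuration. The ROLE_AND_VERB fragment and the "admin" user are constructed for the demo; the other three fragments are the ones from the notes.

```python
# Added example (not from the notes): a model of ASP.NET <authorization> evaluation.
# Assumptions: first matching rule wins, <location> rules precede the parent
# section's rules, and an unmatched request is allowed by the root configuration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Principal:
    """The user attached to a request; name=None models an anonymous request."""
    name: Optional[str] = None
    roles: List[str] = field(default_factory=list)

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def _split(attr: Optional[str]) -> List[str]:
    """users/roles/verbs attributes are comma-separated lists."""
    return [v.strip() for v in attr.split(",") if v.strip()] if attr else []


def parse_authorization(xml_text: str) -> List[dict]:
    """Return the <allow>/<deny> rules of an <authorization> element, in document order."""
    rules = []
    for el in ET.fromstring(xml_text.strip()):
        if el.tag in ("allow", "deny"):
            rules.append({
                "action": el.tag,
                "users": _split(el.get("users")),
                "roles": _split(el.get("roles")),
                "verbs": [v.upper() for v in _split(el.get("verbs"))],  # empty = any verb
            })
    return rules


def _user_matches(entry: str, principal: Principal) -> bool:
    if entry == "*":                      # wildcard: every user
        return True
    if entry == "?":                      # wildcard: anonymous users only
        return not principal.is_authenticated
    return principal.is_authenticated and entry.lower() == principal.name.lower()


def rule_matches(rule: dict, principal: Principal, verb: str) -> bool:
    """A rule applies when the verb fits and the user is named directly or through a role."""
    if rule["verbs"] and verb.upper() not in rule["verbs"]:
        return False
    if any(_user_matches(u, principal) for u in rule["users"]):
        return True
    principal_roles = {r.lower() for r in principal.roles}
    return any(r.lower() in principal_roles for r in rule["roles"])


def is_authorized(rule_sets: List[List[dict]], principal: Principal, verb: str = "GET") -> bool:
    """rule_sets: most specific section first (e.g. a <location>), then the parent section."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, principal, verb):
                return rule["action"] == "allow"
    return True  # nothing matched: the root configuration's <allow users="*"/> applies


# The <authorization> fragments from the notes (raw strings keep the backslashes).
SITE = parse_authorization(r"""
<authorization>
  <allow users="deepa-pc\deepa"/>
  <deny users="*"/>
</authorization>""")

FORMS_SITE = parse_authorization(r"""
<authorization>
  <deny users="?"/>
</authorization>""")

ADMIN_PAGE = parse_authorization(r"""
<authorization>
  <allow users="deepa-pc\db2admin"/>
  <deny users="*"/>
</authorization>""")

# Constructed fragment exercising the roles and verbs attributes from item 3.
ROLE_AND_VERB = parse_authorization(r"""
<authorization>
  <allow roles="Administrator"/>
  <deny users="*" verbs="POST"/>
</authorization>""")


def demo() -> dict:
    deepa = Principal(r"deepa-pc\deepa")
    db2admin = Principal(r"deepa-pc\db2admin")
    anonymous = Principal()
    admin = Principal(r"deepa-pc\admin", roles=["Administrator"])  # constructed user
    return {
        # Windows section: only deepa is listed, so db2admin hits <deny users="*"/>.
        "deepa_site": is_authorized([SITE], deepa),
        "db2admin_site": is_authorized([SITE], db2admin),
        "anonymous_site": is_authorized([SITE], anonymous),
        # Forms section: <deny users="?"/> blocks only anonymous requests.
        "anonymous_forms": is_authorized([FORMS_SITE], anonymous),
        "deepa_forms": is_authorized([FORMS_SITE], deepa),
        # <location path="AdminPage.aspx">: its rules are checked before the site rules.
        "db2admin_admin_page": is_authorized([ADMIN_PAGE, SITE], db2admin),
        "deepa_admin_page": is_authorized([ADMIN_PAGE, SITE], deepa),
        # roles/verbs: an Administrator may POST, everyone else may only GET.
        "admin_post": is_authorized([ROLE_AND_VERB], admin, "POST"),
        "deepa_post": is_authorized([ROLE_AND_VERB], deepa, "POST"),
        "deepa_get": is_authorized([ROLE_AND_VERB], deepa, "GET"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

Running the model against the notes' own fragments shows why db2admin gets the access error on the site but is the only user admitted to AdminPage.aspx, and why the forms example's single <deny users="?"/> rule lets any authenticated user through. The pattern worth keeping from items 3 to 5 is to end every section with a catch-all deny, as the Windows and <location> fragments do, so that a user or verb you forgot to list falls into the deny rule rather than into the framework's default allow.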
