
Authentication and Authorisation in ASP.Net

Learn about the structure of authentication and authorisation in ASP.Net, including the review of application directory structure, simple authentication process, built-in security controls, and website administration panel.





Presentation Transcript


  1. Authentication and Authorisation in ASP.Net By Dharam Shadija

  2. Structure of Presentation
  • Review Application Directory structure
  • Review Simple Authentication process
  • Authentication in ASP.Net
  • SQLMembershipProvider, SQLRoleProvider and SQLProfileProvider class
  • Built-in Security controls
  • Website Administration panel
  • Summary

  3. Authorisation and Authentication
  • Authentication
    Authentication is the process of checking user credentials against a database or Active Directory.
  • Authorisation
    Authorisation is the process of checking whether a user or role has access to a particular part of the web site.

  4. Simple Authentication process (Browser → IIS → Login page)
  1. Client enters login information.
  2. Login page authenticates the user information.
  3. If the details are correct: puts the user name in the session and forwards the user to the secure area (Default.asp).
  4. If the details are incorrect: access denied.

  5. Simple Authentication process
  Advantages
  • Simple to set up
  Disadvantages
  • A lot of code required from the developer's perspective
  • High maintenance
  • User details not secure, as they are stored as plain text

  6. Forms Authentication process (Browser → IIS → Forms Authentication → Login page)
  1. Client accesses a secure area.
  2. Authenticated: the request is served. Not authenticated: the request is forwarded to the login page using the settings in web.config.
  3. If the details are correct: puts the user name in the Authentication Cookie and forwards the user to the page requested (Default.aspx). If the details are incorrect: access denied.

  7. Authentication and Authorisation in ASP.Net
  • Provides ways to authenticate using a pre-built database or against Active Directory
  • Number of built-in security controls
  • Based on the Provider model, i.e. can be extended by developers to write custom logic
  • Number of pre-written methods to perform repetitive functions
  • Pre-built SQL Server database to hold user, role and access information
  • Built on top of the current implementation of Forms Authentication

  8. Authentication and Authorisation in ASP.Net: System.Web.Security Namespace
  ProviderBase
    ├─ inherited by MembershipProvider: ValidateUser(), CreateUser(), DeleteUser()
    └─ inherited by RoleProvider: AddUsersToRoles(), CreateRole(), DeleteRole()

  9. SQLMembershipProvider and SQLRoleProvider class
  SQLMembershipProvider
  • Used to store user information in a pre-built SQL Server database file (ASPNetDB.mdf)
  • Can be configured to point to another location using the web.config file
  • aspnet_user table
  SQLRoleProvider
  • Used to store role information in a pre-built SQL Server database file (ASPNetDB.mdf)
  • aspnet_role and aspnet_userInRole tables

  10. SQLProfileProvider class
  SQLProfileProvider
  • Enables developers to store user profile information in a pre-built SQL Server database file (ASPNetDB.mdf)
  • User profile configured in the web.config file
  • aspnet_profile table
  • Key methods GetAllProfiles(), DeleteProfiles()
  Profile properties declared in web.config:
    <add name="UIPreference" type="String" serializeAs="String"/>
    <add name="Address" type="String" serializeAs="String"/>
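The slides list the provider methods (CreateUser, CreateRole, AddUsersToRoles) and the profile properties but do not show them being called. The following is an added example, not code from the presentation, of provisioning a user, a role and the "Address" profile value through the provider-backed static classes in System.Web.Security and System.Web.Profile. It assumes the default SqlMembershipProvider, SqlRoleProvider and SqlProfileProvider are configured in web.config (pointing at ASPNetDB.mdf), that requiresQuestionAndAnswer is false, and that it runs inside an ASP.NET application rather than a console program; the class and method names are the example's own.

```csharp
// Added example (not from the presentation). Assumes the default SQL providers
// are configured in web.config and that this runs inside an ASP.NET application.
using System;
using System.Web.Profile;
using System.Web.Security;

public static class AccountProvisioning
{
    // Creates the user and reports the provider's verdict instead of throwing,
    // so the caller can distinguish "duplicate user name" from "password too weak".
    public static bool TryCreateUser(string userName, string password, string email, out string error)
    {
        MembershipCreateStatus status;
        // Question and answer are null: assumes requiresQuestionAndAnswer="false".
        // The provider hashes and salts the password before writing aspnet_Membership.
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        if (status == MembershipCreateStatus.Success)
        {
            error = null;
            return true;
        }
        error = status.ToString();   // e.g. DuplicateUserName, InvalidPassword, InvalidEmail
        return false;
    }

    // Creates the role if it does not exist yet and assigns the user to it.
    // The SqlRoleProvider writes the role tables (aspnet_role / aspnet_userInRole on the slide).
    public static void EnsureUserInRole(string userName, string roleName)
    {
        if (!Roles.RoleExists(roleName))
            Roles.CreateRole(roleName);
        if (!Roles.IsUserInRole(userName, roleName))
            Roles.AddUserToRole(userName, roleName);
    }

    // Stores the "Address" profile property (aspnet_profile) for an arbitrary user.
    // ProfileBase.Create targets a user name, so this works outside that user's request.
    public static void SetAddress(string userName, string address)
    {
        ProfileBase profile = ProfileBase.Create(userName, true);
        profile.SetPropertyValue("Address", address);
        profile.Save();
    }
}
```

Roles.CreateRole and Roles.AddUserToRole require the role manager to be switched on (`<roleManager enabled="true">` under system.web); it is disabled by default, and calling the Roles class with it disabled throws a ProviderException.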

  11. Built-in Security controls
  • Login control
    • VerifyUser(username, password)
  • PasswordRecovery control
  • LoginStatus control
  • LoginView control

  12. Built-in Security controls
  • LoginName control
  • CreateUserWizard control
  • ChangePassword control

  13. ASPNetDB.mdf

  14. Configuring Forms Authentication
  Use a custom login page to validate the user (web.config file):
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" loginUrl="Login.aspx" />
        </authentication>
      </system.web>
    </configuration>
  Authentication information goes in the web.config file at root level.
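The configuration above names Login.aspx as the custom login page but the presentation does not show what that page does. This is an added example, not code from the presentation, of the code-behind for such a page: it validates the credentials through the configured MembershipProvider, issues the .ASPXAUTH ticket, and follows the ReturnUrl that Forms Authentication appended on the redirect (step 2 of slide 6) only when it points back into the application. The control names (txtUserName, txtPassword, lblMessage), the button handler and the SafeReturnUrl helper are assumptions of the example.

```csharp
// Added example (not from the presentation): code-behind for the Login.aspx
// named in the <forms loginUrl="..."> setting. Control names are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Declared here so the sample is self-contained; in a Web Forms project
    // the designer file generated from Login.aspx provides these fields.
    protected TextBox txtUserName;
    protected TextBox txtPassword;
    protected Label lblMessage;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text.Trim();
        string password = txtPassword.Text;

        // The configured MembershipProvider checks the password against the
        // hashed/salted value it stores; the SqlMembershipProvider also counts
        // failed attempts and locks the account after maxInvalidPasswordAttempts.
        if (Membership.ValidateUser(userName, password))
        {
            // Writes the encrypted authentication ticket into the .ASPXAUTH cookie
            // (session cookie only: no persistent "remember me").
            FormsAuthentication.SetAuthCookie(userName, false);
            Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), true);
            return;
        }

        // One generic message whether the user is unknown, the password is wrong
        // or the account is locked out, so the form does not reveal which applied.
        lblMessage.Text = "Invalid user name or password.";
    }

    // Only follow an application-relative ReturnUrl. Absolute URLs and
    // protocol-relative forms ("//other.host", "/\other.host") fall back to
    // the application's default page, which stops the login page being used
    // to bounce a user to an external site.
    internal static string SafeReturnUrl(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/", StringComparison.Ordinal)
            && !returnUrl.StartsWith("//", StringComparison.Ordinal)
            && !returnUrl.StartsWith("/\\", StringComparison.Ordinal))
        {
            return returnUrl;
        }
        return FormsAuthentication.DefaultUrl;   // "default.aspx" unless defaultUrl is configured
    }
}
```

The built-in Login control from slide 11 wires up the same ValidateUser and cookie-issuing steps for you; the hand-written version is useful when the page needs behaviour the control does not expose, and it shows what the "plumbing" mentioned on slide 17 consists of.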

  15. Configuring Authorisation
  • To deny anonymous users access to the files in a particular folder:
    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />   <!-- ? = anonymous (unauthenticated) users -->
        </authorization>
      </system.web>
    </configuration>
  • Authorisation information goes in a web.config file; it can be at root level and at sub folder level
  • Access rules are inherited by sub folders

  16. Configuring Authorisation
  Allow particular users or a role access to this folder and deny everyone else:
    <configuration>
      <system.web>
        <authorization>
          <allow users="Jim, Mo" />
          <allow roles="Administrator" />
          <deny users="*" />   <!-- * = all users; ? = anonymous users only -->
        </authorization>
      </system.web>
    </configuration>
  Rules are evaluated top to bottom and the first matching rule wins, so the <allow> entries must come before <deny users="*" />; with the deny rule first, nobody (Jim, Mo and Administrators included) would get access.

  17. Forms Authentication
  Advantages
  • Automatically encrypts user information in the Authentication cookie
  • Takes away the plumbing from the developer
  • Provides a structure to implement Authentication and Authorisation in ASP.Net applications
  • Built-in UI controls
  • Pre-written authentication logic
  Disadvantages
  • Needs some work setting it up

  18. Website Administration Panel
  • Developer-friendly tool to set up Authentication and Authorisation information
  • Stores information in an SQL Server database
  • Configures web.config to reflect changes made using the Administration panel

  19. Website Administration Panel

  20. Summary
  • Reviewed Forms Authentication
  • Authentication in ASP.Net
  • SQLMembershipProvider and SQLRoleProvider class
  • Built-in Security controls
  • Website Administration panel

  21. References
  • Examining ASP.NET 2.0's Membership, Roles, and Profile: http://aspnet.4guysfromrolla.com/articles/120705-1.aspx (this is a multi-page article; explore all the pages)
