
Security in ASP.NET

• ASP.NET provides various authentication methods to achieve security. They are:
  – Forms Authentication
  – Windows Authentication
  – Passport Authentication
  – Custom Authentication
Forms Authentication

• It is used to authenticate the user credentials for Internet and Intranet applications.
[Figure: Security flow for Forms Authentication]
  1. The client sends the request; IIS receives it.
  2. IIS verifies the IP address and domain permissions. NO: Access Denied. YES: user authentication, then the request is sent to the ASP.NET runtime for further verification.
  3. ASP.NET runtime: is ASP.NET impersonation enabled? NO: the application runs under the ASP.NET "Local Machine" identity. YES: it runs under the client identity. The ASP.NET application then passes control on for further verification.
  4. Do the NTFS permissions allow access? NO: Access Denied. YES: Access Granted.
To achieve Forms Authentication

• The web.config file is used to specify the authentication mode used by the ASP.NET web application, the login page information and the format of the stored passwords (for additional security); it also acts like a database that maintains the user credential information.
Syntax

• Syntax to set the authentication (in web.config; element and attribute names are case sensitive):
  <authentication mode="Forms">
    <forms loginUrl="login.aspx">
      <credentials passwordFormat="SHA1">   <!-- or "MD5" or "Clear" -->
        <user name="_____" password="_____" />
        _____________
        _____________   any number of user entries
      </credentials>
    </forms>
  </authentication>
Authorization

• It is used to allow or deny users access to the web forms present in the web application.

Syntax

  <authorization>
    <allow users="__,__,__" />   <!-- or users="*" for all users -->
    <deny users="__,__,__" />    <!-- or users="*" for all users -->
  </authorization>
• Note: the tags and attributes in web.config are case sensitive.
• To support Forms Authentication, the .NET Framework provides the base class library class System.Web.Security.FormsAuthentication.
Methods to support Forms Authentication (1)

• Authenticate: used to check whether the provided information belongs to a valid user's credentials. It returns true if the user information is valid, else false.
• Syntax:
  FormsAuthentication.Authenticate(username, password)
Methods to support Forms Authentication (2)

• RedirectFromLoginPage: used to redirect from the login page to the originally requested web form if the provided credentials belong to a valid user.
• Syntax:
  FormsAuthentication.RedirectFromLoginPage(username, createPersistentCookie)
• If createPersistentCookie is true, the user information is maintained as a permanent HTTP cookie on the client system; if false, it is kept only until the browser is closed.
Methods to support Forms Authentication (3)

• HashPasswordForStoringInConfigFile: used to hash the given text with either the SHA1 or the MD5 hash algorithm, producing the value that is stored in the password attribute of a <user> entry.
• Syntax:
  FormsAuthentication.HashPasswordForStoringInConfigFile(originalText, "MD5" or "SHA1")
• SignOut: used to clear the authentication session that the application has set for the user.
• User.Identity.Name: returns the name of the user who is currently logged in.
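The following is an added example (not code from the original slides) showing how the web.config credential store and the FormsAuthentication methods above fit together in a login page code-behind; the control names, user entry and page names are assumptions.

```csharp
// Added example, not part of the original slides.
// Assumed web.config fragment (hypothetical user entry, SHA1 format):
//   <authentication mode="Forms">
//     <forms loginUrl="login.aspx">
//       <credentials passwordFormat="SHA1">
//         <user name="alice" password="[SHA1 hex from HashForConfig]" />
//       </credentials>
//     </forms>
//   </authentication>
//   <authorization>
//     <deny users="?" />   <!-- "?" = anonymous users; "*" would deny everyone -->
//   </authorization>
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the assumed login.aspx with controls
// txtUser, txtPassword, chkRemember, lblMessage and btnLogin.
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();

        // Authenticate() hashes the supplied password with the configured
        // passwordFormat and compares it with the <user> entries in web.config.
        if (FormsAuthentication.Authenticate(user, txtPassword.Text))
        {
            // true: persistent cookie that survives closing the browser;
            // false: session cookie, discarded when the browser closes.
            FormsAuthentication.RedirectFromLoginPage(user, chkRemember.Checked);
        }
        else
        {
            // Same message for an unknown user and a wrong password,
            // so the page does not reveal which user names exist.
            lblMessage.Text = "Invalid user name or password.";
        }
    }

    // Produces the hex digest to paste into <user password="...">.
    // Unsalted SHA1/MD5 is the legacy scheme these slides describe.
    public static string HashForConfig(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();             // removes the authentication ticket
        FormsAuthentication.RedirectToLoginPage(); // back to loginUrl
    }
}
```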
Windows Authentication

• It is used to authenticate the user information based on the users registered on the network.
• Note: it is used to validate users in an intranet environment.
To achieve Windows Authentication

• In the web.config file:
  <authentication mode="Windows" />
  <authorization>
    <allow users="DomainName\UserName, ..." roles="roleName" />
    <deny users="DomainName\UserName, ..." roles="roleName" />
  </authorization>
To achieve Windows Authentication (continued)

• Whenever the currently logged-in user is present in the allow users list, all the web forms present in the web application can be accessed directly. Otherwise the web server implicitly presents a dialog box asking for user credentials and allows the user to access the web forms, provided the information belongs to a valid user.
Types of Windows Authentication

• Basic Authentication: if used as the authentication type, the user credentials are passed across the network in cleartext format.
• Digest Authentication: a special authentication type used to authenticate domain server users.
  – Note: if the OS is not a domain server, the Digest authentication type is disabled on that system.
• NTLM authentication: the default authentication type used by Windows authentication; IIS offers it as Integrated Windows Authentication.
Steps to set the authentication type

• Start > Run > inetmgr
• Right-click on Default Web Site and select Properties
• Click on the Directory Security tab
• Click on the Edit button under Anonymous access and authentication control
• Check the different authentication types to be used
• To know the domain name of the system:
  – In the command prompt:
    • C:\> hostname
  – This gives the domain name
Passport Authentication

• If the same user credentials have to be maintained across multiple websites, Passport authentication can be used.
• To achieve this:
  – Install the Microsoft Passport SDK
  – In the web.config file:
    <authentication mode="Passport">
      <passport redirectUrl="internal/URL" />
    </authentication>
Custom Authentication

• It is used to validate the user credentials as per the requirements of the application.
