ASP.NET security
The C# Column - Yashawant Kanetkar
ASP.NET
security is mostly concerned with building secure sites that serve
up pages only to authorised users. There are certain sites on the
Net that require login before displaying certain pages. These sites
must implement some application level security to identify authorised
users. This application level security is provided using ASP.NET.
It works in conjunction with IIS, the .NET platform and the underlying
operating system security services.
Whenever a client tries to connect to a
website, it has to make a request to the Web server for a particular
page. This request is known as a ‘Web request’. To implement security
at the application level, the application needs to take two actions—identify
the person who has made the request to the Web server, and specify
who can access which pages.
This action of identifying the caller of
the Web page is known as authentication. Once authentication is
done, it is decided which pages the caller can view. This is known
as authorisation. ASP.NET supports four types of authentication
and authorisation mechanisms.
- Windows authentication
- Passport authentication
- Forms authentication
Let us discuss them one by one.
Windows authentication
This type of authentication is best suited
for Intranet applications. A user will be able to access a requested
resource only if he has a valid and active account on Windows. Moreover,
that account needs to have permissions to access the specific resource.
This type of authentication is very secure since the client’s credentials
are protected with hash algorithms rather than being sent in clear text.
However, there are a few problems—this type of authentication does not work
through most proxy servers, firewalls, and some routers. Hence this technique
is not very suitable for Internet applications.
Setting up Windows authentication is simple.
Just make the following settings in the ‘web.config’ file of your
project.
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>
These entries ask ASP.NET to use Windows
authentication with Identity impersonation for the authentication.
Simply doing this will not work if IIS is configured to accept anonymous
requests to this website (by default IIS accepts anonymous requests
to any website). To turn off anonymous access to this site, follow
the instructions given below:
- (a) Start Internet Services Manager
from Administrative tools in the Control Panel.
- (b) In the IIS, explore the branch
with the name that maps your local machine name.
- (c) Explore ‘Default Websites’.
- (d) Locate the website we want to
authenticate using Windows authentication.
- (e) Right-click on it and select Properties.
The Properties pages get displayed.
- (f) Select the tab named ‘Directory
Security’.
- (g) Click the Edit button inside the
group box named ‘Anonymous access and authentication control’.
- (h) In the following dialog, uncheck
the ‘Anonymous access’ check box. Make sure the ‘Integrated Windows
Authentication’ check box is checked.
- (i) Click OK to dismiss the dialogs.

This process will force IIS to pop up the
Windows authentication dialog before displaying the Web page requested.
This can also be done by modifying
the <authorization> section of the web.config file. Make the
following changes to the authorization section:
<configuration>
<system.web>
:::
<authorization>
<deny users="?" />
</authorization>
:::
</system.web>
</configuration>
We instruct IIS not to allow any users
without proper authentication. The tag deny users="?"
will stop all unauthenticated users from accessing the website.
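A diagnostic page, added here as an example rather than taken from the column, for a site configured exactly as above (Windows authentication, impersonation on, deny users="?"). It reports the identity IIS handed to ASP.NET and the Windows account the request thread actually runs under, so that anonymous access left enabled in IIS or impersonation not taking effect shows up immediately. The class and method names (WhoAmIPage, DescribeCaller) are assumed.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added example (not the article's code). Assumes web.config contains
// <authentication mode="Windows" />, <identity impersonate="true" /> and
// <authorization><deny users="?" /></authorization>.
public class WhoAmIPage : Page
{
    private void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write(DescribeCaller(Context));
    }

    // Kept separate from Page_Load so it can also be called from Global.asax.
    public static string DescribeCaller(HttpContext ctx)
    {
        // Identity established by IIS (NTLM/Kerberos) and passed to ASP.NET.
        IIdentity caller = ctx.User.Identity;

        // Account the request thread runs under. With impersonate="true" this
        // should be the caller; otherwise it is the worker process account
        // (ASPNET on IIS 5, NETWORK SERVICE on IIS 6).
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        if (!caller.IsAuthenticated)
        {
            // Only reachable if IIS still accepts anonymous requests.
            return "WARNING: request is anonymous; uncheck 'Anonymous access' in IIS.";
        }

        string report =
            "Authenticated as:    " + caller.Name + "\r\n" +
            "Authentication type: " + caller.AuthenticationType + "\r\n" +
            "Thread runs as:      " + thread.Name + "\r\n";

        // Case-insensitive compare: DOMAIN\user casing may differ between the two.
        if (String.Compare(caller.Name, thread.Name, true) != 0)
        {
            report += "WARNING: impersonation not in effect; " +
                      "check <identity impersonate=\"true\" /> in web.config.\r\n";
        }
        return report;
    }
}
```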
Passport authentication
Passport authentication is a service provided
by Microsoft. This service allows us to implement single sign-in
for multiple applications or websites that want to authenticate
users. The user is expected to use only one username and password
to access all the sites. Moreover, the user need not sign-in again
whenever he switches from one site to another (provided both sites
support Passport authentication). For example, if site1.com and
site2.com both support Passport authentication, then if a user visits
site1.com, signs into the site and then decides to visit site2.com,
he will be automatically authenticated on the basis of the credentials
he presented at site1.com. This is possible because whenever we
sign into a Passport service supporting site, the service creates
a secure cookie on our machine. Later when we visit another Passport
supporting site, our browser presents this cookie. This cookie indicates
that we have already been authenticated and no new authentication
is required. To set up Passport authentication, the following configuration
needs to be added to the ‘web.config’ file.
<configuration>
…
…
  <system.web>
    <authentication mode="Passport">
      <passport redirectUrl="internal|url" />
    </authentication>
  </system.web>
…
…
</configuration>
But the Passport service is not free. If
we want to support Passport authentication on our website, we will
have to subscribe to it.
Forms authentication
Form-based authentication is best suited
where a high degree of security is not required. We can use our
own login form, replacing the default login provided by Windows.
In almost all situations we will allow anonymous access to our website,
since authentication is done by ASP.NET instead of IIS.
ASP.NET first checks whether an
authentication cookie is present in the request header. If the cookie
is present, we know that the user has already been authenticated and his
identity is carried in the cookie. Otherwise the user is automatically
redirected to our custom login page, where he presents his
login credentials. If the user is authenticated, we issue an authentication
cookie that the browser sends with every subsequent request; otherwise access
is denied.
Form based authentication is configured
in the ‘web.config’ file. The <authentication> section carries
information regarding cookies, password formats, list of registered
users, etc.
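The login page code-behind for the flow just described, added here as an example and not the column's own code: the deny rule bounces unauthenticated requests to login.aspx, the page checks the credentials against the registered-user list in web.config, and on success ASP.NET issues the authentication cookie and returns the user to the page originally requested. The web.config fragment in the comment, the page class name and the control names are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not the article's code). Assumed web.config:
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="20">
//       <credentials passwordFormat="SHA1">
//         <!-- hash made with FormsAuthentication.HashPasswordForStoringInConfigFile -->
//         <user name="alice" password="[SHA1-HEX-PLACEHOLDER]" />
//       </credentials>
//     </forms>
//   </authentication>
//   <authorization>
//     <deny users="?" />   <!-- anonymous callers are sent to login.aspx -->
//   </authorization>
public class LoginPage : Page
{
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected Label lblMessage;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Authenticate() compares the submitted password (hashed with the
        // configured passwordFormat) against the <credentials> list.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            // Writes the encrypted and signed ticket cookie to the response and
            // redirects to the ReturnUrl that was attached when the deny rule
            // sent the browser here (or to default.aspx if there is none).
            // 'false' = session cookie only, not persisted across browser restarts.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password.
            lblMessage.Text = "Invalid username or password.";
        }
    }
}

// A logout page would simply call FormsAuthentication.SignOut(), which
// clears the ticket cookie so the next request is redirected to login.aspx.
```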
Next time we will see an example that implements
form-based authentication.
Yashavant Kanetkar, one of the first
Express Computer columnists, is an established software expert,
speaker and author with several best-sellers to his credit,
including titles like “Let Us C” and the “Fundas” series. Contact
him at kanet@nagpur.dot.net.in