Why Authentication and Authorization Needed Essay Example

indicate authenticated users. If the users have already been signed into Passport when they visit the application page, ASP. NET will consider them as authenticated; otherwise, the users will be redirected to Passport servers to login. Upon successful login, theyll be redirected back to the application page. Forms Authentication: With forms authentication, custom logic can be built into an ASP. NET application. The following happens when forms authentication is us ed in an ASP. NET application: o When a user requests a page for the application, ASP. NET checks for the presence of a special session cookie. o If the cookie is present, ASP. NET assumes the user is authenticated and processes the request. o If the cookie isn't present, ASP. NET redirects the user to a web form where the custom logic has been built into the code.

The authentication checks can be incorporated into the web form, and when the user is authenticated ASP. NET needs to be informed of the same by setting a property. Once this is done, ASP. NET creates the special cookie to handle any subsequent requests. Authentication and Authorization - Configuring Authorization (Page 4 of 4 ) Impersonation is a technique that allows the ASP. NET process to act as the uthenticated user, or as an arbitrary specified user. ASP. NET impersonation is controlled by entries in the application's web. config file. By default, impersonation is disabled.

Including the following code in the file can explicitly turn impersonation off: ASP. NET does not perform impersonation if the above piece of code is found in the file. This means that ASP. NET will run with its own privileges. After

the user has been authenticated, ASP. NET uses it own identity to request access to resources. By default, ASP. NET runs as an unprivileged account. By changing the userName attribute of the process. Model section in the machine. onfg file, the account can be changed from a low-privileged one to a high-privileged one.

When this modification is made, it applies to all sites on the server. If the userName attribute of the process. Model is changed to SYSTEM, the user account becomes a high privileged account. However, this is a security risk as it elevates the privileges of the ASP. NET process and the OS may be at risk. To enable impersonation, the following code should be included: In this case, ASP. NET takes on the identity 11S passes to it. If anonymous access is allowed in I'S, ASP. NET will impersonate the IUSR_ComputerName account that 11S ses. If anonymous access is not allowed, ASP.

NET will take on the credentials of the authenticated user and makes requests for resources taking on that identity. A further important feature of any ASP. NET application is that a particular identity can also be used for all authenticated requests. To accomplish this, the following line of code needs to be included: In this case, all authenticated users will be taking on the identity and using this identity ASP. NET makes all requests for resources. The drawback to this technique is that the password must be coded in plain text in the web. confg file. Though ASP. NET oes not allow for this file to be downloaded, it is still a security risk. Best Practices Below is a list

of some best practices to help you in choosing an authentication mode and configuring authorization: If there is no sensitive data in the application, no anonymous authentication is the best authentication mode. This allows all users, who have access to the host, to access the application. If authentication of users needs to be performed, there are several choices. Windows Authentication in ASP. NET is the best authentication mode to use if all user accounts exist on the network in which the application is running.