Authentication and Authorisation in ASP.Net By Dharam Shadija
Structure of Presentation
- Review: application directory structure
- Review: simple authentication process
- Authentication in ASP.Net
- SQLMembershipProvider, SQLRoleProvider and SQLProfileProvider classes
- Built-in security controls
- Website Administration panel
- Summary

Authorisation and Authentication
- Authentication is the process of checking user credentials against a database or Active Directory.
- Authorisation is the process of checking whether a user or role has access to a particular part of the web site.
Simple Authentication process (diagram: Browser, IIS, Login page, Default.asp)
1. Client enters login information in the browser.
2. Login page authenticates the user information.
3. If correct: puts the user name in the session and forwards the user to the secure area (Default.asp).
4. If incorrect details: access denied.

Simple Authentication process
Advantages
- Simple to set up
Disadvantages
- Lot of code required from the developer's perspective
- High maintenance
- User details not secure, as they are stored as plain text

Forms Authentication process (diagram: Browser, IIS, Forms Authentication, Login page, Default.aspx)
1. Client accesses a secure area.
   - Authenticated: request proceeds to the page requested (Default.aspx).
   - Not authenticated: request forwarded to the login page using settings in web.config.
2. Login page validates the login details.
3. If correct: puts the user name in the Authentication Cookie and forwards the user to the page requested.
3. If incorrect details: access denied.
Authentication and Authorisation in ASP.Net
- Provides ways to authenticate using a pre-built database or against Active Directory
- Number of built-in security controls
- Based on the Provider model, i.e. can be extended by developers to write custom logic
- Number of pre-written methods to perform repetitive functions
- Pre-built SQL Server database to hold user, role and access information
- Built on top of the current implementation of Forms Authentication

Authentication and Authorisation in ASP.Net: System.Web.Security namespace (class diagram)
- ProviderBase
  - MembershipProvider (inherits ProviderBase): ValidateUser(), CreateUser(), DeleteUser()
  - RoleProvider (inherits ProviderBase): AddUsersToRoles(), CreateRole(), DeleteRole()

SQLMembershipProvider and SQLRoleProvider classes
SQLMembershipProvider
- Used to store user information in a pre-built SQL Server database file (ASPNetDB.mdf)
- Can be configured to point to another location using the web.config file
- aspnet_user table
SQLRoleProvider
- Used to store role information in a pre-built SQL Server database file (ASPNetDB.mdf)
- aspnet_role and aspnet_userInRole tables

SQLProfileProvider class
- Enables developers to store user profile information in a pre-built SQL Server database file (ASPNetDB.mdf)
- User profile configured in the web.config file
- aspnet_profile table
- Key methods: GetAllProfiles(), DeleteProfiles()
- Example profile properties in web.config:
    <add name="UIPreference" type="String" serializeAs="String"/>
    <add name="Address" type="String" serializeAs="String"/>
Built-in Security controls
- Login control: VerifyUser(username, password)
- PasswordRecovery control
- LoginStatus control
- LoginView control
- LoginName control
- CreateUserWizard control
- ChangePassword control
ASPNetDB.mdf
Configuring Forms Authentication
Use a custom login page to validate the user (web.config file):

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" loginUrl="Login.aspx" />
        </authentication>
      </system.web>
    </configuration>

Authentication information goes in the web.config file at root level.

Configuring Authorisation
To deny unauthorised users access to files in a particular folder (deny anonymous access, "?"):

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

Authorisation information goes in the web.config file; it can be at root level and at sub folder level. Access level is inherited by sub folders.
Configuring Authorisation
Allow a particular user or role access to this folder, and deny everyone else ("*" matches all users, anonymous included). Rules are evaluated top-down and the first match wins, so the allow entries must come before the catch-all deny:

    <configuration>
      <system.web>
        <authorization>
          <allow users="Jim, Mo" />
          <allow roles="Administrator" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
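As an added example (not part of the original slides), the two configuration fragments above combined into one root web.config, with a sub folder rule expressed through a location element and the cookie-hardening attributes of the forms element; the folder name "Admin" and role name "Administrator" are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. Folder "Admin" and
     role "Administrator" are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms Authentication: unauthenticated requests are redirected to loginUrl.
         protection="All" encrypts and signs the ticket stored in the .ASPXAUTH cookie;
         requireSSL="true" marks the cookie Secure so the browser only sends it over HTTPS;
         slidingExpiration="false" gives the ticket a fixed lifetime (timeout in minutes). -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Root-level rule: deny anonymous users ("?") everywhere.
         Sub folders inherit this unless they add rules of their own. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly keeps the authentication cookie out of reach of client-side script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Sub folder rule, equivalent to a web.config placed inside /Admin.
       Rules are evaluated top-down and the first match wins: the allow
       entries must precede the catch-all deny, otherwise nobody gets in. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <allow users="Jim, Mo" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```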
Forms Authentication
Advantages
- Automatically encrypts user information in the Authentication cookie
- Takes away the plumbing from the developer
- Provides a structure to implement authentication and authorisation in ASP.Net applications
- Built-in UI controls
- Pre-written authentication logic
Disadvantages
- Needs some work setting it up

Website Administration Panel
- Developer-friendly tool to set up authentication and authorisation information
- Stores information in a SQL Server database
- Configures web.config to reflect changes made using the Administration panel
Website Administration Panel
Summary
- Reviewed Forms Authentication
- Authentication in ASP.Net
- SQLMembershipProvider and SQLRoleProvider classes
- Built-in security controls
- Website Administration panel

References
- Examining ASP.NET 2.0's Membership, Roles, and Profile: http://aspnet.4guysfromrolla.com/articles/120705-1.aspx (this is a multipage article; explore all the pages)