Authentication And Authorization Objectives Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

5.2 Security in Web Applications

Security is an important factor that you must consider when developing or maintaining a Web application. Each Web site has different security requirements. For example, consider a search engine, an online library, and an online shopping application. A typical search engine does not require security features. An online library with user registration stores user names, passwords, and personal information. Although the information is not highly sensitive, you require some security to protect user details. However, for the shopping application, you require strong security to protect sensitive information, such as users' credit card details.

Web sites that are vulnerable to attacks require a security mechanism that allows only authorized users to access important information. ASP.NET provides security features that help you address this and enforce other security measures.

5.3 Security Features in ASP.NET Applications

Three fundamental security features for an ASP.NET application are Authentication, Authorization, and Impersonation.


Authentication is used to check the identity of a user before allowing or denying a request. For example, in an e-mail application, a user's name and password are validated against a database of registered users. After verification, no further authentication is required to send and receive messages unless the user logs off from the application.


Using authorization, only users with a valid identity can access specific resources in an application. For example, a student is not allowed to view examination records that a teacher or a Web administrator can access.


In impersonation, the ASP.NET application process acts on behalf of a user whose identity is authenticated using Internet Information Services (IIS). IIS passes an authentication token to the ASP.NET application. ASP.NET then uses the token and operates under the identity of the authenticated user.

5.4 ASP.NET Authentication Methods

ASP.NET implements authentication by using authentication methods. ASP.NET authentication methods contain the code to authenticate the credentials of the user.

Three types of authentication method are supported in ASP.NET. They are:

Windows-Based Authentication

Windows authentication is the default authentication method in ASP.NET. This type of authentication is based on users' Windows accounts. Windows authentication uses IIS, which can be configured to allow only users on a Windows domain to log on to the application.

Forms-Based Authentication

Forms-based authentication uses the Forms authentication provider. In forms-based authentication, Hypertext Markup Language (HTML) forms are used to collect authentication information, such as user names and passwords. The application needs to have the code to verify the supplied credentials against a database. The credentials of an authenticated user can be stored in a cookie to be used during a session.

Microsoft Passport Authentication

In passport authentication, users are authenticated using the Passport Service provided by Microsoft. However, to use this type of authentication, you must be registered with Microsoft's Passport Service. The Passport server uses encrypted cookies to identify and validate users.

5.5 Authorization in ASP.NET

Authorization specifies whether an identity can be granted access to a specific resource. The two types of authorization available in ASP.NET are:

File Authorization

This type of authorization uses NTFS file system permissions to check the access rights of the user account that the ASP.NET application is using. For example, if a user wants to open a particular file, the user account that is used to access the ASP.NET application must have read permission on that file.

URL Authorization

In the web.config file, the authorization rules for various folders or files of an application can be specified. Using the <authorization> element, you can specify the names of users who are allowed or denied access.

The following shows the syntax for URL authorization:

    <[allow|deny] users roles verbs />


Here, either the allow or the deny element is specified. At least one of the users or roles attributes must be specified; you can include both, but both are not required. The verbs attribute in the syntax is optional.

The allow element grants access and the deny element revokes access.

Code Snippet 1 grants access to the John identity and to members of the Admin role, and denies access to the David identity (who is not in the Admin role) and to all anonymous users.

Code Snippet 1:

    <authorization>
        <allow users="John" />
        <allow roles="Admin" />
        <deny users="David" />
        <deny users="?" />
    </authorization>
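As an added example (not code from the essay), the following C# program reproduces how ASP.NET's UrlAuthorizationModule evaluates the rules of Code Snippet 1: top to bottom, first match wins, with the allow-all rule inherited from the machine-level configuration appended last. The UrlAuthorizationDemo class and its sample users are constructed for this illustration; the verbs attribute is not modelled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public static class UrlAuthorizationDemo
{
    // Constructed copy of Code Snippet 1 inside its <authorization> element. The final
    // <allow users="*"/> stands in for the default rule ASP.NET inherits from the
    // machine-level configuration, which applies when no rule in the application matches.
    const string Rules = @"<authorization>
  <allow users=""John"" />
  <allow roles=""Admin"" />
  <deny users=""David"" />
  <deny users=""?"" />
  <allow users=""*"" />
</authorization>";

    // Returns true when the user (null or empty = anonymous) is granted access.
    // "?" matches anonymous users only, "*" matches everyone, names are case-insensitive.
    public static bool IsAllowed(string userName, IEnumerable<string> roles)
    {
        bool anonymous = string.IsNullOrEmpty(userName);
        var roleSet = new HashSet<string>(roles ?? Array.Empty<string>(),
                                          StringComparer.OrdinalIgnoreCase);

        foreach (XElement rule in XElement.Parse(Rules).Elements())
        {
            bool matches = Split(rule.Attribute("users")).Any(u =>
                u == "*" ||
                (u == "?" && anonymous) ||
                (!anonymous && string.Equals(u, userName, StringComparison.OrdinalIgnoreCase)));

            matches |= Split(rule.Attribute("roles")).Any(roleSet.Contains);

            if (matches)
                return rule.Name.LocalName == "allow";   // the first matching rule decides
        }
        return true;   // unreachable here because of the trailing allow-all rule
    }

    // users="a,b" and roles="x,y" may list several comma-separated values.
    static IEnumerable<string> Split(XAttribute attr) =>
        attr == null ? Enumerable.Empty<string>()
                     : attr.Value.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0);

    public static void Main()
    {
        // John: the first rule matches by name.
        Console.WriteLine("John: " + IsAllowed("John", null));
        // Mary in the Admin role: the second rule matches by role.
        Console.WriteLine("Mary/Admin: " + IsAllowed("Mary", new[] { "Admin" }));
        // David with no roles: the third rule matches and denies.
        Console.WriteLine("David: " + IsAllowed("David", null));
        // David in the Admin role: the role rule is reached before the deny, so rule order matters.
        Console.WriteLine("David/Admin: " + IsAllowed("David", new[] { "Admin" }));
        // Anonymous request: only the "?" rule matches.
        Console.WriteLine("anonymous: " + IsAllowed(null, null));
        // Any other authenticated user falls through to the inherited allow-all rule.
        Console.WriteLine("Alice: " + IsAllowed("Alice", null));
    }
}
```

The last case is the one to check in a real web.config: `<deny users="?"/>` alone keeps anonymous users out but still admits every authenticated user, so a page meant for a specific group also needs `<deny users="*"/>` after its allow rules.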


5.6 ASP.NET Authentication Methods - Comparison

Each of the three authentication methods that ASP.NET supports (Windows-based, Forms-based, and Microsoft Passport) is best suited to specific situations. Each method has significant advantages and disadvantages.

Table 5.1 shows the advantages and disadvantages of Windows-based and Forms-based authentication.




Method | Advantages | Disadvantages
Windows-based Authentication | The existing Windows infrastructure is used; controls access to sensitive information | Not suitable for most Internet applications
Forms-based Authentication | Best-suited for Internet applications; supports all client types | Based on cookies

Table 5.1: Advantages and Disadvantages

Windows-Based Authentication

Windows-based authentication uses the existing Windows infrastructure. Therefore, it is best suited to situations in which you have a fixed number of users with existing Windows user accounts. Two example situations are as follows:

Developing an intranet for your organization. For example, your organization may already have Windows user accounts configured for each employee.

Controlling access to sensitive information. For example, you may want users in the Human Resources group to have access to directories that contain employee resumes and salary details. You can use Windows-based authentication to prevent employees in other Windows groups such as the Developers group from accessing these sensitive documents.

The disadvantage of Windows-based authentication is that it is not suitable for most Internet applications. For example, if you build a public user registration and password system, Windows-based authentication is not a good authentication option. With Windows-based authentication, a valid Windows user account must be configured for each user who accesses a restricted page. You cannot easily automate the process of adding new user accounts.

Forms-Based Authentication

Forms-based authentication is an appropriate solution if you want to set up a custom user registration system for your Web site. The advantage of this type of authentication is that it enables you to store user names and passwords in whatever storage mechanism that you want. For example, you can store credentials in the web.config file, an XML file, or a database table.

Forms-based authentication relies on cookies to determine the identity of the user. After Forms-based authentication is enabled, the user cannot access the requested page unless a specific cookie is found on the client. If this cookie is not found, or if the cookie is invalid, ASP.NET rejects the request and returns a logon page.

Microsoft Passport Authentication

Microsoft Passport authentication includes several advantages:

You can use the same user name and password to sign in to many Web sites; users are therefore less likely to forget their passwords. For example, both Microsoft Hotmail and Microsoft MSN use Microsoft Passport to authenticate users.

You do not have to set up and maintain a database to store user registration information. Microsoft performs all of this maintenance for you.

You can customize the appearance of the registration and sign-in pages by supplying templates.

There are two disadvantages of Microsoft Passport authentication. First, there is a subscription fee to use the Microsoft Passport service. Second, Microsoft Passport authentication is based on cookies.

5.7 Secure Sockets Layer

When you develop Web applications, certain parts of the application require extra security. For example, Web pages that send confidential data, such as login credentials or financial transaction details, require strong security. You can use Secure Sockets Layer (SSL) to add security for such pages.

SSL provides the following features:

SSL is supported by most Web servers and browsers.

Only trusted digital certificates are needed to protect Web applications through SSL.

In client-server operations, the SSL protocol uses a third party, a Certificate Authority (CA), to identify one end, or both ends of the communication.

SSL encrypts data transmission and incorporates a mechanism to detect any change in data transmission. This helps prevent eavesdropping or tampering with sensitive data during transmission.

5.7.1 SSL with Client Browser and Server

SSL uses a public key and a private key to encrypt data transmission between a client and a Web server. The public key is known to everyone, and the private key is known only to the recipient of the message. A typical communication process between a client and a Web server is shown in Figure 5.2.

Figure 5.2: Communication Process

Each step is explained as follows:

Step 1

The client browser contacts the Web server.

Step 2

The server sends back its certificate, encrypted with a trusted third-party private key.

Step 3

The browser decrypts the certificate with a trusted third-party public key.

Step 4

The browser uses the trusted third-party public key to encrypt a session ticket. The ticket is sent back to the server.

Step 5

The Web server receives the request and decrypts the session ticket with its private key. The server and the browser use the same session ticket for further encryption in transmission.

5.7.2 Configuring SSL in ASP.NET Pages

After configuring the server to use SSL, any page can be requested from the Web site by using a secure connection. SSL uses Hypertext Transfer Protocol Secure (HTTPS) to retrieve a Web page. For example, the secured page can be accessed by the address with the format

Note: The Request.IsSecureConnection property can be used to check whether you are on a secure HTTPS connection.

5.7.3 Obtaining an SSL Certificate

Consider a Web application in which you want to implement SSL for a login page. To use SSL, you need to obtain a certificate. To get an SSL certificate, a Certificate Signing Request (CSR) has to be submitted. A CSR is a data file that holds details of the requesting party and is submitted to a CA.

You can create a CSR using the Certificate wizard in IIS. The cert.txt file that is created needs to be submitted to a certificate-issuing authority. You save the certificate that is issued. Then, using the Certificate wizard in IIS, you process the pending request and install the certificate on the server.

After you install the SSL certificate, a user requesting the Home page is redirected to the SSL-secured login page. A padlock icon appears in the lower-right corner of the status bar to indicate the use of SSL. You can view the certificate by clicking the padlock icon.

Code Snippet XXX is an example of how to redirect users from the Home page to a login page that uses SSL.

    <script runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            // Absolute HTTPS URL of the SSL-secured login page
            string url = "https://localhost/SSLexample/login.aspx";
            Response.Redirect(url);
        }
    </script>
In the above code, the user is redirected from Home.aspx to login.aspx by the Response object's Redirect method. The application has to explicitly switch to SSL when it is redirecting to an SSL-secured resource. This is done using an absolute Uniform Resource Locator (URL) such as https://server/application/page.aspx because relative URLs such as ~/page.aspx will not work.
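An added example, not from the essay: a fuller Page_Load for a hypothetical Home.aspx that always sends the user to the SSL-secured login page, using a relative redirect when the request is already HTTPS and otherwise building the absolute https:// URL from the incoming request instead of hard-coding the host. The Home class, the LoginPath constant and the BuildSecureUrl helper are assumptions, as is HTTPS being bound on port 443.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for Home.aspx (assumption: not from the essay).
public partial class Home : Page
{
    // Application-relative path of the SSL-secured login page.
    private const string LoginPath = "~/login.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Already on HTTPS: a relative redirect keeps the secure scheme.
        if (Request.IsSecureConnection)
        {
            Response.Redirect(LoginPath, endResponse: true);
            return;
        }

        // Plain HTTP: a relative URL would stay on http://, so build the absolute https:// URL.
        // ResolveUrl turns "~/login.aspx" into the application's absolute path, e.g. "/SSLexample/login.aspx".
        string secureUrl = BuildSecureUrl(Request.Url, ResolveUrl(LoginPath));
        Response.Redirect(secureUrl, endResponse: true);
    }

    // Rebuilds the current request URL with the https scheme and the given absolute path,
    // dropping any query string. Assumes HTTPS is bound on the default port 443.
    internal static string BuildSecureUrl(Uri requestUrl, string absolutePath)
    {
        var builder = new UriBuilder(requestUrl)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443,
            Path = absolutePath,
            Query = string.Empty
        };
        return builder.Uri.AbsoluteUri;
    }
}
```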

Figure 5.3 shows the content of the cert.txt file.

Figure 5.3: Client Certificate Details

5.7 Windows-Based Authentication

You can use Windows-based authentication to secure Web applications when you know which users access your Web site.

You can secure Web applications using Windows-based authentication in a four-step process:

Configure IIS

Set up authentication in Web.config

Set up authorization in Web.config

IIS requests logon information from the user

Configure IIS

To secure a Web application with Windows-based authentication, you must configure IIS to use one or more of its authentication mechanisms:

Basic Authentication

Digest Authentication

Windows Integrated Security

Set up authentication in Web.config

The second step is to set ASP.NET security to Windows-based authentication in Web.config. The <authentication>, <authorization>, and <identity> sections in Web.config can be used for the security settings.

Code Snippet 2 sets the authentication method for the application to Windows by using the <authentication> subsection in the Web.config file.

Code Snippet 2:


<authentication mode = "Windows" />


Set up authorization in Web.config

You can secure specific pages in a Web application by using the <location> section in the <configuration> section with <system.web> and <authorization> subsections.

Code Snippet 3 demonstrates securing a page named LibraryRegister.aspx by denying access to all anonymous users.

Code Snippet 3:

    <location path="LibraryRegister.aspx">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>

Note: A Web Form or a folder can be specified in the <location> section. If you specify a folder name, all of the subfolders under it are secured. You can secure multiple Web Forms or folders by using multiple <location> sections.

Code Snippet 4 secures an entire Web application by creating an <authorization> section in the <system.web> section.

Code Snippet 4:



    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>



IIS requests logon information from the user

The last step of enabling Windows-based authentication takes place when a user attempts to access a Web Form in your Web application: IIS requests logon information from the user. The user must provide his or her user name and password. If the user's credentials are approved, IIS grants the user access to the secured Web page.

5.7.1 User Information

After Windows-based authentication completes, the Web server can read the user identity from any Web page of the Web application. User.Identity.Name is used to read the identity of the user. The Web server can also use User.Identity.AuthenticationType to identify the IIS authentication mechanism that was used to authenticate the user. Additionally, it can test whether the user is authenticated by using User.Identity.IsAuthenticated.

Code Snippet 5 shows the code that allows the Web server to read the user identity.

Code Snippet 5:

    // Name of the authenticated Windows user, e.g. DOMAIN\user
    userIdentity.Text = User.Identity.Name;

    // IIS mechanism that authenticated the user, e.g. "NTLM" or "Basic"
    userTypeIdentity.Text = User.Identity.AuthenticationType;

    // IsAuthenticated is a bool; convert it before assigning it to the Label's Text
    userAuthenticatedIdentity.Text = User.Identity.IsAuthenticated.ToString();

5.8 Forms-Based Authentication

The most common method to secure a Web application is Forms-based authentication.

Figure <XXX> shows the sequence of Forms-based authentication.

Forms-based authentication provides a customized means of authentication without having to use cookies to manage sessions. When a user requests restricted resources in a Web application, user authentication is first performed by IIS. If anonymous access is enabled in IIS, or on successful authentication, the request is forwarded to the ASP.NET application. ASP.NET examines the request for a valid authentication cookie and then performs the authorization check. If the user passes the authorization check, access to the resources is granted. Otherwise, access is denied.

If the user request is without an authentication cookie, ASP.NET redirects the user to the login page. On the login page, the user credentials are resubmitted for authentication by the application code. On authentication, ASP.NET attaches a cookie and redirects the user to the requested resources. The same cookie is then used to allow the user to revisit restricted resources during the session.

5.8.1 Enabling Forms-Based Authentication

The following four steps are required to enable Forms-based authentication.

Configure IIS to use Anonymous authentication

Configure authentication in Web.config

Configure authorization in Web.config

Create the login page

Configure IIS to use Anonymous authentication

The first step for Forms-based authentication is to configure IIS to use anonymous authentication so that the user is authenticated by ASP.NET and not by IIS.

Configure authentication in Web.config

The second step is to set the authentication method to Forms-based for the application in Web.config file.

Code Snippet 6 demonstrates the Forms-based authentication in Web.config file by using the <authentication> sub-section of <system.web>.

Code Snippet 6:


    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="login.aspx" />
    </authentication>



In the code snippet, the name attribute specifies the Hypertext Transfer Protocol (HTTP) cookie to use for authentication. The default value is .ASPXAUTH. The loginUrl specifies the URL to redirect the user to if a valid authentication cookie is not found.

If the authentication mode is Forms, the <forms> element must be added to the <authentication> section.

The settings of the cookie can be configured in the <forms> section. You can set the name attribute to the suffix to be used for the cookies and the loginUrl attribute to the URL of the page to which unauthenticated requests are redirected.

Configure authorization in Web.config

The next step is to set the <authorization> section in Web.config. In this section you can allow or deny access to users in the Web application.

Create the login page

The final step is to create a logon Web Form. The page can be created by using the ASP.NET login controls. The user has to enter the user name and password in the logon page to establish authentication and to access the Web application.
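An added example (not from the essay) of the code-behind for the login.aspx page named in Code Snippet 6, covering the four steps above from the application's side: it assumes TextBox controls UserName and Password, a Label Message, a LoginButton, and credentials stored in the ASP.NET membership provider. The IsLocalUrl helper is an assumption added so the ReturnUrl query parameter that ASP.NET appends on redirect cannot send the user to another site after logon.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for login.aspx (assumption: not from the essay).
public partial class Login : Page
{
    // Click handler of the LoginButton (assumed control IDs: UserName, Password, Message).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // The application, not IIS, verifies the credentials (here via the membership provider).
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One message for both a bad name and a bad password: do not reveal which one failed.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Issue the .ASPXAUTH authentication cookie for this browser session only.
        FormsAuthentication.SetAuthCookie(user, createPersistentCookie: false);

        // Return to the page that triggered the logon, but only if it is inside this site;
        // otherwise fall back to the <forms defaultUrl> setting.
        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
        Response.Redirect(target, endResponse: true);
    }

    // Accepts only site-local absolute paths such as "/SSLexample/LibraryRegister.aspx";
    // rejects empty values and protocol-relative forms ("//other-host/..." or "/\other-host/...").
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url) || url[0] != '/')
            return false;
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}
```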

5.8.2 Creating a Logon Page

Whenever a user visits a Web portal with facilities such as online shopping or money transactions, security of the account or data from other users is one of the most important requirements. For example, if a user has an account with, the data of the user needs to be secured from other users, who may use the same account. To enable this kind of functionality, there is a need to authenticate the user before he or she is allowed to access their online account.

To address this issue, ASP.NET provides a set of server controls that offer a complete login solution for Web applications. These controls provide users with an option to type and validate their login credentials. You can drag and drop the relevant login controls from the Toolbox and then customize the properties of the added controls.

You can use the login controls in ASP.NET to authenticate a user. These controls do not require any additional programming. Table 5.2 lists the ASP.NET login controls.




Control | Description
Login | Provides all pre-built user interface elements that are required for user authentication
LoginView | Customizes the information displayed to anonymous and logged-in users for a Web site
LoginStatus | Provides a login link for the users who are not authenticated and a logout link for authenticated users for a Web site
LoginName | Displays the name of authenticated users of a Web site who are logged on
PasswordRecovery | Enables a user to recover a forgotten password. The password will be sent to the e-mail address that was used when the account was created.
CreateUserWizard | Creates a new user account and adds it to the ASP.NET membership system
ChangePassword | Enables users to change their passwords

Table 5.2: ASP.NET Login Controls

5.9 IIS Authentication Mechanism

IIS needs to be configured before you can use Windows-based authentication. When the user requests a page that requires authorization, the user is authenticated by IIS.

IIS offers several mechanisms that you can use to establish authentication. The four options available in IIS are:

Anonymous Access

This mechanism allows any user to access the ASP.NET application. When a request from an anonymous user is received, IIS in turn makes the request to Windows by using the default IUSR_machinename account.

Basic Authentication

This authentication requires the use of a Windows user name and a password to connect to the application. However, the password is transmitted in plain text, making this type of authentication insecure.

Digest Authentication

This authentication is similar to Basic Authentication. However, the user information is encrypted and transmitted to the server. If Anonymous access is disabled, users are prompted for their credentials (logon information). The browser combines this logon information with the other information that is stored on the client and then sends an encoded hash called an MD5 hash (also known as Message Digest) to the server. The server already has a copy of this information; it recreates the original details from its own hash and authenticates the user. This mechanism works only with Microsoft Internet Explorer 5 or more recent browsers, but it does pass through firewalls and proxy servers and also over the Internet.

Integrated Windows Security

The Windows logon credentials are used here to authenticate users. In a Windows-based network, if the user has already been authenticated, IIS can pass on the user's credentials when they request access to a resource. The user name and password are not included in the credentials, only an encrypted token that indicates the user's security status.

However, Integrated Windows security is not practical in Web applications that must work across firewalls. Therefore, it is best suited to a corporate intranet scenario.


Authorization, Authentication, and Impersonation are the security features in ASP.NET.

Authentication is used to verify the identity of a user before allowing or denying a request.

In authorization, only users with a valid identity can access specific resources in an application.

Authentication providers help you provide Windows-based, Forms-based, or Microsoft Passport authentication.

SSL secured pages help you protect parts of your Web site that process confidential information.

Check Your Progress

Which of the following statements about the security features in ASP.NET are true?


For forms-based authentication, you must provide the code to verify user credentials.


Impersonation does not work with anonymous user access.


Authentication is required before authorization.


File authorization makes use of authorization rules from the web.config file.


Impersonation requires the use of IIS to authenticate users.

Which of the following statements about forms-based authentication for an ASP.NET application are true?


Forms-based authentication requires the use of a Web page for user authentication.


ASP.NET provides an authenticated cookie for a valid user.


IIS performs the authorization check for users.


User credentials can be stored in the web.config file.


The <authorization mode> attribute in the web.config file is set to Forms.

Which of the following options refer to securing Web sites?


Restrict specific domain names


Authorize only authenticated users


SSL encrypts trusted certificates


ASP.NET encrypts data transmission


SSL prevents data tampering


SSL protocol uses CA


Install certificates using IIS
