Authentication and Authorization in ASP.NET

Authentication and Authorization in ASP.NET is a common question asked by most of the ASP.NET interview questions.

There are a lot of developers who do not use the inbuilt processes of authentication and authorization provided by ASP.NET framework, as they commonly use the normal process of user authentication and then storing the details in session variables to be accessed in various times.

In this article we will take a deep dive into the inbuilt methods provided by ASP.NET framework to achieve authentication and authorization in your application.



What is Authentication?


Authentication is the process of evaluating the identity of a user, trying to access some resource of the application. Basically it is the process of validating a user's username with its password.

Basically we need to authenticate a user when our application's resource is not public facing and we do not want everyone to access it over the internet.

What is Authorization?


Authorization is the process of authorizing a user to access some resources according to role assigned to him/her. let me give you a small example. 

Let's say we have a web application for a company where we have a sales department, a HR department and an admin department. And all the department have different works to do and we do not want them to peep into other's profiles and other details. So here we limit the access of a HR only to the HR related resources, sales person to access only sales related resources and admins to access only admin related resources. This process of evaluating if a user is a valid user to access certain resources of the application is called authorization.



Types of Authentication in ASP.NET


There are 3 type of authentication available in ASP.NET, such as
  • Windows Authentication
  • Form's Authentication
  • Passport Authentication
  • Anonymous Access
Now we will see each type in detail.

Windows Authentication


Windows Authentication is a process of authentication where we use the local windows users and groups for authentication and authorization.

This is basically used when we prefer to use an application in intranet than internet. Consider a company where an application is designed only to run within the organization and not outside, then we can implement windows authentication over there to validate the identity of the user using their own credentials for the system.

To achieve windows authentication you need to configure the application as well as the IIS for it.



In Web.config file you have to mention the type of authentication the application is going to have. For Windows Authentication we have to set the authentication mode to Windows as below;
<authentication mode="Windows"/>
Once the authentication mode is set we have to set the authorization accordingly.
<authorization>
  <deny users="?"/>
</authorization>
The above code will deny all users to access the website except the authorized users.

Form's Authentication


Form's Authentication is a process where user has to provide the username and password for authentication in a web page and after authentication the user details will be stored in a cookie at client's machine and will be accessed at various times for authorization.

Below is the code to set Form's Authentication in web.config.
<authentication mode="Forms">
Now the question in how to set the login url and all. Below is the code you have to write in the web.config file to achieve form's authentication and to set the login url for all users.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="logon.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
  <authorization>
<deny users="?" />
  </authorization>
</system.web>
The above code will set logon.aspx page as the login page where user has to provide his/her login credentials. and after verification he will be allowed to access the resources of the website.

Passport Authentication


passport authentication is the process where users are redirected to a third party website for authentication and after verification they are redirected back our website. Once authentication is done it creates a cookie in the client's machine which will be accessible to our website for authentication.



basically this type of authentication is being used mostly now-a-days to help users not to remember their username and password for every site. Just remember the username and password for a common site like facebook, google or microsoft and use that credential to login into any site.

In order to set this authentication you need not to do any configuration in your web.cofig file.

Anonymous Authentication


When your website is public facing and you do not want any type of authentication then this anonymous type of authentication is being used. Basically all the site resources are accessible to all users.

Hope in this article I have cleared all the concepts of authentication and authorization in ASP.NET.

Happy codding...

No comments:

Post a Comment