Page 246 - DCAP312_WEB_TECHNOLOGIES_II
Web Technologies-II
Figure 12.3 shows the following sequence of events:
1. A client generates a request for a protected resource.
2. IIS receives the request. If the requestor is authenticated by IIS, or if IIS anonymous access is enabled, the request is passed on to the ASP.NET application. Because the authentication mode in the ASP.NET application is set to Forms in this case, IIS authentication is not used.
3. If there is no cookie attached to the request, ASP.NET redirects the request to a logon page, the path of which is defined in the application's configuration file. On the logon page, the client user enters the required credentials (usually a name and password).
4. The application code checks the credentials to confirm their authenticity, usually in an event handler. If the credentials are authenticated, the application code attaches a ticket (as a cookie) containing the user name, but not the password. If authentication fails, the request is usually returned with an Access Denied message, or the logon form is presented again.
5. After a ticket is issued by the application, ASP.NET only checks the ticket for validity using a message authentication check. Applications do not need the credentials in the .config files; in fact, ASP.NET does not check them after the cookie is issued, even if they are present.
6. If the user is authenticated, ASP.NET checks authorization and can either allow access to the originally requested, protected resource or redirect the request to some other page, depending on the design of the application. It can also direct the request to a custom authorization module where the credentials are tested for authorization to access the protected resource. If authorization fails, ASP.NET always redirects to the logon page.
7. If the user is authorized, access is granted to the protected resource; or the application might require an additional test of the credentials before authorizing access to the protected resource, depending on the design of the application.
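The sequence above, modelled as an added example that is not part of the textbook and not ASP.NET's own implementation: a constructed credential store stands in for the logon check (step 4), the ticket carries only the user name and an expiry and is protected by an HMAC so that step 5 can validate it without touching the credentials again, and a constructed role table stands in for the authorization decision of step 6. The key, user list, paths and role names are all assumptions chosen for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment keeps the signing key in
# protected configuration, not in source.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"
LOGIN_URL = "/login"
# Constructed credential store: consulted in step 4, never in step 5.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2-but-longer"}
ROLES = {"alice": {"user"}, "bob": {"user", "admin"}}
# Constructed authorization table: protected path -> role required (step 6).
PROTECTED = {"/secure/report": "user", "/admin/console": "admin"}


def _sign(payload: bytes) -> str:
    """Message authentication code over the ticket body."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(username: str, ttl_seconds: int = 1800, now=None) -> str:
    """Step 4: the ticket carries the user name and an expiry, never the password."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": username, "exp": int(now) + ttl_seconds}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def ticket_claims(ticket: str) -> dict:
    """Decode the ticket body WITHOUT verifying it (inspection only)."""
    body = ticket.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(body))


def validate_ticket(ticket: str, now=None):
    """Step 5: accept the ticket only if its MAC verifies and it has not expired.
    The credential store is not consulted here, matching the text."""
    now = time.time() if now is None else now
    try:
        body, mac = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), mac):
        return None  # body altered or signed with another key
    claims = json.loads(payload)  # safe: only our own signed payloads reach here
    if claims["exp"] < now:
        return None  # stale ticket: back to the logon page
    return claims["user"]


def login(username: str, password: str, now=None):
    """Step 4: application code checks the credentials; success yields a ticket."""
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return issue_ticket(username, now=now)
    return None  # the page's "Access Denied" / show-the-form-again case


def authorize(user: str, path: str) -> bool:
    """Step 6: per-resource authorization, here a simple role lookup."""
    return PROTECTED[path] in ROLES.get(user, set())


def handle_request(path: str, cookie, now=None):
    """Steps 3, 5, 6 and 7 for one request."""
    if path not in PROTECTED:
        return ("ok", f"{path} served anonymously")
    if cookie is None:
        return ("redirect", LOGIN_URL)  # step 3: no ticket, go to the logon page
    user = validate_ticket(cookie, now=now)
    if user is None:
        return ("redirect", LOGIN_URL)  # step 5: MAC or expiry check failed
    if not authorize(user, path):
        return ("redirect", LOGIN_URL)  # step 6: the text says this also redirects to logon
    return ("ok", f"{path} served to {user}")  # step 7


def tamper_with_ticket(ticket: str, new_user: str) -> str:
    """Change the user name in the body but keep the original MAC, to show
    that validate_ticket() rejects a modified ticket."""
    mac = ticket.split(".", 1)[1]
    claims = ticket_claims(ticket)
    claims["user"] = new_user
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + mac


if __name__ == "__main__":
    t = login("alice", "correct horse battery staple")
    print(handle_request("/secure/report", None))   # redirect to /login
    print(handle_request("/secure/report", t))      # served to alice
    print(handle_request("/admin/console", t))      # redirect: alice is not admin
    print(handle_request("/admin/console", tamper_with_ticket(t, "bob")))  # redirect
```

The two points worth taking from running it: inspecting a ticket with `ticket_claims()` shows a user name and expiry but no password, exactly as step 4 describes, and a ticket whose body has been edited fails the MAC check in step 5 even though it decodes cleanly, which is why the credentials in the configuration file are irrelevant after the cookie is issued.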
The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware.
Create a flow chart of ASP.NET authentication.
Self Assessment Questions
1. ……………… uses a SQL Server user store.
(a) ActiveDirectoryMembershipProvider
(b) Directory Application Mode
(c) SqlMembershipProvider
(d) None of these
2. A successful system requires careful planning, and web site ……………… must have a clear understanding of the options for securing their site.
(a) administrators
(b) programmers
(c) administrators and programmers
(d) None of these
3. ……………………. are a number of different ways to design security into ASP.NET applications.
(a) Internet Information Services
(b) Security data flow
(c) Data flow
(d) Data control flow
240 LOVELY PROFESSIONAL UNIVERSITY