Page 249 - DCAP312_WEB_TECHNOLOGIES_II

Unit 12: Security and Membership



            When the user requests a specific resource on the system, the request first reaches IIS. IIS
            authenticates the user requesting the resource and then hands the request, together with the
            security token of the authenticated user, to the ASP.NET worker process.
            The ASP.NET worker process then decides whether or not to impersonate the authenticated user
            supplied by IIS. If impersonation is enabled in the application's Web.config file, the request
            thread runs under the identity of the authenticated user; otherwise it runs under the identity of
            the ASP.NET worker process (the application pool identity).
            Next, ASP.NET checks whether the authenticated user is authorized to access the requested
            resource. If so, ASP.NET serves the request; otherwise it returns an "access denied" error to the
            user. ASP.NET application security configuration and IIS security configuration are independent
            of each other and can be used separately or together. They are also stored in different places:
            IIS keeps its security settings in the IIS metabase (in IIS 7 and later, in applicationHost.config),
            whereas ASP.NET keeps its security and other settings in XML configuration files (Machine.config
            and Web.config).
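            The impersonation and authorization settings described above, as an added Web.config example
            (this is not configuration from the original page). The group names CONTOSO\WebUsers and
            CONTOSO\WebAdmins and the Admin folder are assumed for illustration:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- IIS performs Windows authentication; ASP.NET trusts the token IIS forwards. -->
    <authentication mode="Windows" />

    <!-- Run the request thread as the authenticated user instead of the
         worker process (application pool) identity. -->
    <identity impersonate="true" />

    <!-- Rules are evaluated top-down and the first match wins.
         "?" = anonymous users, "*" = all users. -->
    <authorization>
      <deny users="?" />                          <!-- reject unauthenticated requests -->
      <allow roles="CONTOSO\WebUsers" />          <!-- assumed Windows group -->
      <deny users="*" />                          <!-- everyone else gets access denied -->
    </authorization>
  </system.web>

  <!-- Tighter rule for a sub-folder (assumed name "Admin"). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" />       <!-- assumed Windows group -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS 7+ integrated pipeline mode rejects <identity impersonate="true"/>
       with HTTP error 500.24 unless this validation is switched off. -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>
```

            The Web.config above only covers the ASP.NET side. For it to work, the site in IIS must also have
            anonymous authentication disabled and Windows authentication enabled; otherwise every request
            arrives as the anonymous user and is rejected by the first deny rule.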

            Factors in choosing an authentication method:
               •  Server and client operating systems
               •  Client browser type
               •  Number of users, location and type of user name and password database
               •  Deployment considerations (Internet vs. intranet and firewalls)
               •  Application type (interactive Web site or non-interactive Web service)
               •  Sensitivity of data being protected
               •  Performance and scalability factors.
            To use Windows authentication in an ASP.NET application, authentication must also be configured
            within IIS, because it is IIS that performs Windows authentication.
            IIS provides four different authentication methods:
               1.  Anonymous
               2.  Basic
               3.  Digest and
               4.  Windows integrated

                  •  With anonymous authentication, IIS performs no authentication at all, i.e. it allows
                    anyone to access the ASP.NET application.
                  •  With basic authentication, users must provide a Windows user name and password to
                    connect. However, this information is sent over the network in clear text (it is only
                    Base64-encoded, which any observer can decode), which makes basic authentication
                    insecure over the Internet unless the connection is protected by SSL/TLS.
                  •  With digest authentication, users must still provide a Windows user name and
                    password to connect. However, the password itself is not sent across the network;
                    the client sends an MD5 hash computed from the user name, password, realm, a
                    server-supplied nonce and the request. A passive observer cannot read the password
                    directly, although a captured hash can still be attacked offline by guessing
                    passwords, so SSL/TLS remains advisable.
                  •  Digest authentication requires a browser that supports it (historically Internet
                    Explorer 5 or later; current browsers generally do) and requires that the Windows
                    accounts be stored in Active Directory.
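            The difference between basic and digest authentication described above, shown as an added
            example (this is not code from the original page and does not use IIS itself): it builds the
            Authorization header each scheme puts on the wire, shows what an observer can recover from each,
            and shows that a captured digest response is still open to offline password guessing. The user
            name, password, realm, nonce and URI are constructed sample values; the digest computation is the
            RFC 2617 form without "qop".

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (assumed, not from the original page).
USERNAME = "CONTOSO\\alice"
PASSWORD = "S3cret!"
REALM = "contoso.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-chosen, fresh per challenge
METHOD = "GET"
URI = "/secure/report.aspx"


def basic_header(username, password):
    """Client side of Basic: 'user:password' is only Base64-encoded, never encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header):
    """What a passive network observer gets from a captured Basic header."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(username, password, realm, nonce, method, uri):
    """Client side of Digest: the password itself never appears in the header."""
    resp = digest_response(digest_ha1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def server_verifies_digest(header, method, stored_ha1_by_user):
    """Server side: recompute the response from the stored HA1 and compare."""
    f = parse_digest_header(header)
    ha1 = stored_ha1_by_user.get((f["username"], f["realm"]))
    if ha1 is None:
        return False
    expected = digest_response(ha1, f["nonce"], method, f["uri"])
    return hmac.compare_digest(expected, f["response"])


def offline_guess_digest(header, method, candidate_passwords):
    """Why Digest without TLS is still weak: a captured header permits offline guessing."""
    f = parse_digest_header(header)
    for guess in candidate_passwords:
        ha1 = digest_ha1(f["username"], f["realm"], guess)
        if digest_response(ha1, f["nonce"], method, f["uri"]) == f["response"]:
            return guess
    return None


if __name__ == "__main__":
    print("Basic  :", basic_header(USERNAME, PASSWORD))
    print("  recovered by observer:", recover_basic_credentials(basic_header(USERNAME, PASSWORD)))
    hdr = digest_header(USERNAME, PASSWORD, REALM, NONCE, METHOD, URI)
    print("Digest :", hdr)
    print("  password visible:", PASSWORD in hdr)
    print("  offline guess   :", offline_guess_digest(hdr, METHOD, ["password", "letmein", PASSWORD]))
```

            Two points the output makes concrete: the Basic header is decodable by anyone who sees it, and
            the Digest header hides the password but binds the response to the nonce and request, so a replay
            against a different method or URI fails while a dictionary attack against the captured response
            still succeeds whenever the password is guessable.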

            Windows Integrated Authentication
            In Windows integrated authentication, IIS performs the authentication and forwards the
            authenticated user's token to the ASP.NET worker process. The advantage of using Windows authentication is



                                             LOVELY PROFESSIONAL UNIVERSITY                                   243