Authentication: It is the process that determines the identity of a user. Whenever a user logs on to an application, the user is first authenticated and then authorized. It is the process by which the system validates a user's logon information.
Means: whether the identified user is valid or not.
Authorization: Authorization determines whether a particular user should be granted access to a specific resource or not. In other words, it is the process of granting approval or permission on resources.
Means: whether the user has permission on a given resource or not.
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines for the system which users are allowed access to the system and what privileges of use
Types of authentication
1. Windows authentication: In this methodology ASP.NET web pages use local Windows users and groups to authenticate and authorize resources. Windows authentication is best suited for intranet Web applications.
The advantage of Windows authentication is that the Web application can use the exact same security scheme that applies to your corporate network. User names, passwords, and permissions are the same for network resources and Web applications.
The Windows Authentication provider is the default authentication provider for ASP.NET applications. When a user using this authentication logs in to an application, the credentials are matched with the Windows domain through IIS.
There are 4 types of Windows Authentication methods:
1) Anonymous Authentication - IIS allows any user.
2) Basic Authentication - A Windows username and password has to be sent across the network (in plain text format, hence not very secure).
3) Digest Authentication - Same as Basic Authentication, but the credentials are encrypted. Works only on IE 5 or above.
4) Integrated Windows Authentication - Relies on Kerberos technology, with strong credential encryption.
2. Forms Authentication: This is a cookie based authentication where username and password are stored on client machines as cookie files or they are sent through URL for every request. Form-based authentication presents the user with an HTML-based Web page that prompts the user for credentials.
3. Passport authentication: Passport authentication is based on the Passport website provided by Microsoft. When a user logs in with credentials, the request goes to the Passport website (i.e. hotmail, devhood, windows live etc.) where authentication happens. If authentication is successful, it returns a token to your website.
2. Forms Authentication:
-------Login page-------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

namespace authentication_example
{
    public partial class WebForm1 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile(TextBox2.Text, "SHA1"));
            // Label1.Visible = false;
        }

        // Login button: TextBox1 holds the user name, TextBox2 the password.
        protected void Button1_Click(object sender, EventArgs e)
        {
            // Checks the pair against the <credentials> section of web.config.
            if (FormsAuthentication.Authenticate(TextBox1.Text, TextBox2.Text))
            {
                // Issue the ticket for the user name (TextBox1), never the password:
                // this value is stored in the ticket and exposed as User.Identity.Name.
                FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, false);
                Response.Redirect("Registration.aspx");
            }
            else
            {
                Page.RegisterStartupScript("Alert Message", "<script language='javascript'>alert('username and password is incorrect try again');</script>");
                return;
            }
        }

        // Logout button: removes the ticket cookie and returns to the login page.
        protected void Button2_Click(object sender, EventArgs e)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
-------Registration page-------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

namespace authentication_example
{
    public partial class Registration : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            Label1.Text = "Welcome";
            //Response.Write(User.Identity.Name + "<br>");
            //Response.Write(User.Identity.AuthenticationType + "<br>");
            //Response.Write(User.Identity.IsAuthenticated + "<br>");
            //Response.Write(User.IsInRole("Administrators") + "<br>");
        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
-------web Config----------
<?xml version="1.0"?>
<!--
  For more information on how to configure your
  ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms defaultUrl="registration.aspx" cookieless="UseCookies">
        <!-- passwordFormat="Clear" keeps the passwords below as plain text in this file -->
        <credentials passwordFormat="Clear">
          <user name="sunil" password="123" />
          <user name="kumar" password="567" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: unauthenticated requests are denied -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
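The same Forms configuration with the weak settings tightened, as an added example that is not part of the original post: passwords are stored as SHA1 hashes (the format named in the commented-out HashPasswordForStoringInConfigFile call on the login page) and the ticket cookie is restricted to HTTPS. The hash values are placeholders, and loginUrl="WebForm1.aspx" is an assumption taken from the login page's class name.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- debug builds are for development only -->
    <compilation debug="false" targetFramework="4.0" />
    <authentication mode="Forms">
      <!-- loginUrl is an assumption (file name taken from the WebForm1 class).
           requireSSL: the ticket cookie is only sent over HTTPS, so the site
             must be served over HTTPS.
           protection="All": the ticket is both encrypted and validated.
           timeout is in minutes; slidingExpiration="false" makes it an
             absolute lifetime instead of one renewed by activity. -->
      <forms loginUrl="WebForm1.aspx"
             defaultUrl="registration.aspx"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All"
             timeout="20"
             slidingExpiration="false">
        <!-- SHA1: FormsAuthentication.Authenticate() hashes the submitted
             password and compares it with the stored value, so no plain-text
             password is kept in this file. Each value is the output of
             FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1").
             The values below are placeholders, not real hashes. -->
        <credentials passwordFormat="SHA1">
          <user name="sunil" password="REPLACE_WITH_SHA1_HASH_OF_PASSWORD" />
          <user name="kumar" password="REPLACE_WITH_SHA1_HASH_OF_PASSWORD" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: every page requires a valid ticket -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Unsalted SHA1 still falls quickly to offline guessing if the file leaks, so treat the credentials section as suitable for demos only and keep real accounts in a store that uses salted password hashing.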