Understanding Different Levels of Security in .NET

Security is of vital importance in any application, and how much of it you get depends partly on the platform you code against. This article outlines the facilities .NET provides for ensuring security at each level: authentication, authorization, and confidentiality and integrity.

Authentication: Authentication is the process of validating a user's identity. If the credentials are valid, the user can access your application to the extent that the authorization rules allow. .NET performs authentication using the following authentication providers:

• Windows Authentication Provider can be used if the users of your application already have Windows user accounts. In this case, instead of creating a custom login screen and prompting users to register, you can directly use the credentials from their Windows accounts. Windows Authentication is not implemented by .NET itself; the provider works in conjunction with IIS, which performs the actual authentication. To enable this provider in your application, include the following entry in the web.config file:
<authentication mode="Windows"></authentication>

Windows Authentication doesn't require any login page. How is authentication performed, then? When a user requests a page, the browser transmits the user's credentials to IIS. In your program, place code that only authenticated users may run inside the following if statement:
if (Request.IsAuthenticated)
{
    // your block of code: runs only for users IIS has authenticated
}
User.Identity.Name and User.Identity.AuthenticationType return the authenticated user's account name and the authentication scheme that was used.

• Forms Authentication Provider makes the application's first page a custom login screen where the user enters credentials and submits the form. If the credentials are valid, the user is authenticated; if not, the user is redirected to another HTML form. You enable this provider by making an entry in the web.config file that specifies the configuration options of the login page. An example is given below:
<authentication mode="Forms">
    <forms name="TestForm"
           loginUrl="LoginPage.aspx"
           timeout="30"
           requireSSL="false"
           defaultUrl="ApplicationPage.aspx"
           path="/">
    </forms>
</authentication>

However, if you use Forms Authentication, then besides creating your own login screen and validating credentials, you also have to manage users and assign them roles so that authorization can be performed. The Membership and Roles APIs provide this.
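The login page named in the loginUrl attribute above has to validate the submitted credentials and issue the forms authentication ticket. The code-behind below is an added example, not code from the original article: it assumes a LoginPage.aspx with controls named txtUser, txtPassword and lblError, and a Membership provider configured in web.config, and shows how Membership.ValidateUser and FormsAuthentication.RedirectFromLoginPage tie the two APIs together.

```csharp
// Added example (not from the original article): code-behind for the LoginPage.aspx
// referenced by <forms loginUrl="LoginPage.aspx">. The control names and the
// configured Membership provider are assumptions.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected Label lblError;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser checks the credentials against the configured
        // membership provider (for example SqlMembershipProvider), which stores
        // salted password hashes, so this page never compares passwords itself.
        if (Membership.ValidateUser(txtUser.Text, txtPassword.Text))
        {
            // Issues the forms authentication ticket cookie and redirects to the
            // ReturnUrl query parameter, or to defaultUrl from web.config when absent.
            // 'false' keeps the cookie session-scoped rather than persistent.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One generic message for unknown user and wrong password, so the
            // login form does not reveal which account names exist.
            lblError.Text = "Invalid user name or password.";
        }
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        // Removes the ticket cookie and sends the user back to loginUrl.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Note that with requireSSL="false", as in the sample configuration, the ticket cookie is sent over plain HTTP and can be read on the network; a production site should serve the login page over HTTPS and set requireSSL="true" so the cookie is only ever sent over a protected connection.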

• Passport Authentication Provider is a wrapper around Microsoft's Passport authentication service. Users are authenticated against Microsoft's Passport database, so you can use the credentials already held there to perform authentication. To implement Passport Authentication in an ASP.NET application, you have to install Microsoft's Passport Software Development Kit and set the authentication mode in the web.config file as:
<authentication mode="Passport"></authentication>

To install the kit, however, you have to sign a license agreement with Microsoft and pay an annual usage fee.

Authorization: Authorization grants authenticated users certain privileges that determine which actions they can perform in your application. Authorization is provided in two different ways:

• URL Authorization is used to set security permissions for users or defined roles on specific files or directories. The permissions are set by defining declarative rules in the web.config file. A sample ASP.NET fragment with rules for users authenticated using Forms Authentication is given below:
<configuration>
    <location path="testPage.aspx">
        <system.web>
            <authorization>
                <allow users="User1,User2" />
                <allow roles="GuestRole,AdminRole" />
                <deny users="*" />
                <deny roles="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

As per this example, only User1, User2 and users mapped to the roles GuestRole and AdminRole are granted access to the resource; all other users and roles are denied. ASP.NET evaluates the rules in order and applies the first one that matches, so the allow rules must appear before the deny rules.

• File Authorization is available only if you are using Windows Authentication in your application. A user is granted access to a page if the user's Windows account has file-system (ACL) permissions on that file.

Other than these two predefined approaches, you can also write custom authorization code in your application. For this you use the HttpContext.Current.User object, an IPrincipal that exposes the authenticated Identity and an IsInRole method.
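As an added example (not code from the original article), the helper below performs the kind of custom check the paragraph describes. The role names come from the URL authorization sample above; the class name, the page it protects and the Demo method are assumptions. Taking an IPrincipal as a parameter rather than reading HttpContext.Current inside the decision keeps the rule testable offline with a GenericPrincipal, as Demo shows.

```csharp
// Added example (not from the original article): custom authorization based on
// HttpContext.Current.User. Class, method and page names are assumptions.
using System;
using System.Security.Principal;
using System.Web;

public static class ReportAuthorization
{
    // Returns true only when the principal is authenticated and in one of the
    // permitted roles. Returning false rather than throwing lets the caller choose
    // how to fail (403, redirect, or hiding a control).
    public static bool CanViewReport(IPrincipal user, params string[] permittedRoles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (string role in permittedRoles)
        {
            if (user.IsInRole(role))
                return true;
        }
        return false;
    }

    // Call from Page_Load (or an HttpModule) to enforce the decision server-side;
    // hiding a link in the UI is not authorization.
    public static void EnforceForCurrentRequest(params string[] permittedRoles)
    {
        HttpContext ctx = HttpContext.Current;
        if (!CanViewReport(ctx.User, permittedRoles))
        {
            // 403 rather than 404: the resource exists but this principal may not use it.
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Offline check with constructed principals (no IIS needed). An empty name makes
    // GenericIdentity.IsAuthenticated return false, modelling an anonymous request.
    public static bool Demo()
    {
        IPrincipal guest = new GenericPrincipal(new GenericIdentity("User3"), new[] { "GuestRole" });
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        return CanViewReport(guest, "AdminRole", "GuestRole")
            && !CanViewReport(guest, "AdminRole")
            && !CanViewReport(anon, "GuestRole");
    }
}
```

In the code-behind of a protected page, a single call in Page_Load, such as ReportAuthorization.EnforceForCurrentRequest("AdminRole", "GuestRole"), applies the same rule the declarative web.config fragment expresses, which is useful when the decision depends on data (for example, the owner of a record) that URL Authorization cannot see.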

Confidentiality and Integrity: Confidentiality means that data processed in your application is protected so that nobody else can view it, whether it is being transmitted over the network or stored in the database. Integrity means that data transmitted from one end to another is not altered in between by anonymous or unauthorized users. In .NET, both confidentiality and integrity are achieved using encryption. In addition, IIS also implements digital signatures to ensure integrity.

What is Encryption? Developers often record sensitive data in plain text in a server-side location. Security breaches can still occur when someone obtains a password and fetches the file from the server. To enforce security, the plain text is transformed into an unreadable format that can be read again only with the cipher algorithm and a secret key. Encryption is also used when data is transferred across networks. .NET supports encryption through its cryptography library. Cryptography encrypts data to ensure confidentiality and detects tampering by adding a hash code (a keyed hash, or MAC, when the check must not be forgeable). Refer to the System.Security.Cryptography namespace for performing encryption in your application.
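The following added example (not code from the original article) shows both halves of that sentence with System.Security.Cryptography: AES in CBC mode for confidentiality and an HMAC-SHA256 tag over the IV and ciphertext for tamper detection, in the encrypt-then-MAC order. The class name, the output layout and the constructed sample message are assumptions; the keys are generated per run for the demonstration, whereas a real application loads them from a protected key store rather than from source or a plain-text web.config.

```csharp
// Added example (not from the original article): AES-CBC + HMAC-SHA256 (encrypt-then-MAC).
// Output layout (an assumption of this example): IV (16 bytes) || ciphertext || tag (32 bytes).
using System;
using System.Security.Cryptography;
using System.Text;

public static class SealedData
{
    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                      // fresh random IV for every message
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] ivAndCipher = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, ivAndCipher, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, ivAndCipher, aes.IV.Length, cipher.Length);

            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(ivAndCipher);   // tag covers IV and ciphertext
                byte[] output = new byte[ivAndCipher.Length + tag.Length];
                Buffer.BlockCopy(ivAndCipher, 0, output, 0, ivAndCipher.Length);
                Buffer.BlockCopy(tag, 0, output, ivAndCipher.Length, tag.Length);
                return output;
            }
        }
    }

    // Returns null when the tag does not verify, so tampered input is rejected
    // before any decryption (and before the padding check) takes place.
    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] sealedData)
    {
        const int IvLen = 16, TagLen = 32;
        if (sealedData == null || sealedData.Length < IvLen + TagLen) return null;

        int bodyLen = sealedData.Length - TagLen;
        byte[] expectedTag;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expectedTag = hmac.ComputeHash(sealedData, 0, bodyLen);

        if (!FixedTimeEquals(expectedTag, sealedData, bodyLen)) return null;

        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(sealedData, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(sealedData, IvLen, bodyLen - IvLen);
        }
    }

    // Constant-time comparison so verification time does not reveal how many tag bytes matched.
    private static bool FixedTimeEquals(byte[] tag, byte[] buffer, int offset)
    {
        if (buffer.Length - offset != tag.Length) return false;
        int diff = 0;
        for (int i = 0; i < tag.Length; i++) diff |= tag[i] ^ buffer[offset + i];
        return diff == 0;
    }

    // Demonstration: the round trip succeeds and a single flipped ciphertext bit is detected.
    public static bool Demo()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(encKey);
            rng.GetBytes(macKey);
        }
        const string sample = "account=42;balance=100.00";     // constructed sample record
        byte[] sealedData = Seal(encKey, macKey, Encoding.UTF8.GetBytes(sample));

        bool roundTrip = Encoding.UTF8.GetString(Open(encKey, macKey, sealedData)) == sample;

        sealedData[16] ^= 0x01;                    // flip one bit in the first ciphertext byte
        bool tamperDetected = Open(encKey, macKey, sealedData) == null;
        return roundTrip && tamperDetected;
    }
}
```

Two separate keys are used on purpose: one for AES and one for the HMAC, so that neither primitive's output can be used to attack the other. Verifying the tag before decrypting is what turns "detects tampering" into a guarantee; decrypting first and checking afterwards would let a modified message reach the padding check and produce error behaviour that differs for valid and invalid padding.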


Copyright - © 2004 - 2024 - All Rights Reserved.