Understanding Different Levels of Security in .NET

Security is of vital importance in any application, and how well you can ensure it depends in part on the language and platform you use for coding. This article explains the security facilities that .NET provides for this purpose.

Authentication

Authentication is the process of validating a user's identity. If the credentials are valid, the user can access your application according to the authorization granted. .NET performs authentication using the following authentication providers.

Windows Authentication Provider

The Windows Authentication Provider can be used if the users of your application already have Windows user accounts. In this case, instead of creating a custom login screen and prompting users to register, you can use the credentials from their Windows user accounts directly. Windows Authentication is not built into .NET itself; this provider works in conjunction with IIS. To enable this provider in your application, include the following entry in the web.config file:

Windows Authentication doesn't require any login page. How is authentication performed then? When a user requests a page, the user's credentials are transmitted to IIS by the browser. In your program, place your block of code inside the following if block to ensure that it executes only for authenticated users:

Forms Authentication Provider

With the Forms Authentication Provider, the application's first page is a custom login screen where the user enters login credentials and submits the form. If the credentials are valid, the user is authenticated; if not, the user is redirected to another HTML form. You enable this provider by making an entry in the web.config file and specifying the configuration options of the login page. An example is given below:

However, if you are using Forms Authentication, then apart from creating your own login screen and performing the authentication validations, you also have to manage users and assign roles to them in order to perform authorization. This can be done using the Membership and Roles APIs.

Passport Authentication Provider

The Passport Authentication Provider provides a wrapper around Microsoft's Passport authentication service. Users are authenticated against Microsoft's Passport database, so you can use the user credentials that already exist in the Passport database to perform authentication. To implement Passport Authentication in an ASP.NET application, you have to install Microsoft's Passport Software Development Kit and set the authentication mode in the web.config file as:

To install the kit, however, you have to sign a license agreement with Microsoft and pay annual usage fees.

URL Authorization

URL Authorization is used to set security permissions for either users or defined roles on specific files or directories. The permissions are set by defining declarative rules in the web.config file. A sample code fragment in ASP.NET defining the rules for users authenticated with Forms Authentication is given below:

In this example, only User1, User2 and users mapped to the roles GuestRole and AdminRole are granted access to the resource; access for all other users and roles is denied.

Other than these two predefined approaches, you can also write custom code in your application to perform authorization. For writing custom code you can use the HttpContext.Current.User object.

What is Encryption?

Developers generally record sensitive data in plain text stored in a server-side location, but security breaches can still occur when someone retrieves the passwords by fetching that file from the server. To enforce security, the plain-text information is transformed into an unreadable form that can only be read back using a cipher algorithm and a secret key. Encryption is also used when data is transferred across networks. .NET supports encryption through cryptography: a technique that encrypts data to ensure confidentiality and detects tampering by adding a hash code. See the System.Security.Cryptography namespace for performing encryption in your application.
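For the Forms Authentication and URL Authorization sections above, the following web.config fragment is an added example, not one from the original article; the user names, role names and the Login.aspx path are assumptions chosen to match the rules described in the text. Authorization rules are evaluated top to bottom and the first match wins, so the closing deny is what keeps everyone not listed out.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to loginUrl.
         mode="Windows" would instead hand authentication to IIS. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             timeout="30"
             protection="All"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- Roles referenced in the allow/deny rules below are supplied by the Roles API
         (the configured role provider); without it a Forms-authenticated user has no roles. -->
    <roleManager enabled="true" />

    <!-- URL authorization for the whole application. Rules are checked top-down and
         the first matching rule decides. ASP.NET appends an inherited allow-all rule
         at the end, so the explicit deny is required to block everyone not listed. -->
    <authorization>
      <allow users="User1,User2" />
      <allow roles="GuestRole,AdminRole" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rules for one directory: only AdminRole may reach /Admin.
       "?" matches anonymous users, "*" matches all users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="AdminRole" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```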