Authentication and Authorization in ASP.NET

Note: This article was originally published on AspAlliance.
By: Joydip Kanjilal Spacer Date: October 28, 2007Spacer Printer Friendly Version

Authentication

Authentication is the process of determining the authenticity of a user based on the user's credentials. Whenever a user logs on to an application, the user is first authenticated and then authorized. The application's web.config file contains all of the configuration settings for an ASP.NET application. It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not. An authentication provider is used to prove the identity of the users in a system. ASP.NET provides three ways to authenticate a user:

Hence, ASP.NET contains the three respective authentication providers to support the above authentication modes.

Forms Authentication

This authentication mode is based on cookies where the user name and the password are stored either in a text file or the database. After a user is authenticated, the user's credentials are stored in a cookie for use in that session. When the user has not logged in and requests for a page that is insecure, he or she is redirected to the login page of the application. Forms authentication supports both session and persistent cookies. Authentication modes can be specified in the application's web.config file as shown below:

Listing 1

<configuration>
  <system.web>     
    <authentication mode="[Windows/Forms/Passport/None]">
    </authentication>
  </system.web>
</configuration>

The following needs to be specified in the application's web.config file for using Forms Based Authentication in ASP.NET:

Listing 2

<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <forms name="login"loginUrl="login.aspx" />
    <authorization>
        <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

Note: The statement <deny users="?"> in the web.config file as stated in Listing 2 implies that all permissions are granted only to the authenticated users. The users who are not authenticated are not granted any permission. The symbol "?" indicates all Non Authenticated and Anonymous users.

Generally the user's credentials are stored in the database and the entered credentials are verified using those that are stored in the database. Typically, the user enters the username and the password, clicks the login button and the form validates the values against values from the database. This is shown in the code snippet below:

Listing 3

if (Verify (txtUserName.Text, txtPassword.Text))
{
  FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);
    else
  lblMessage.Text = "Invalid login name orpassword specified...";
}
 
private Verify(string userName, string password)
{
      //Usual Code to connect to the DB 
      // and verify the user's credentials
}

The static method RedirectFromLoginPage creates an authentication ticket and is used to redirect an authenticated user back to the originally requested URL or the default URL. The authentication ticket creates a persistent cookie that becomes a part of the HttpResponse object. Later, when the user tries to access a page in a restricted folder, the ASP.NET framework uses the cookie to retrieve the ticket and determine whether the user has access to that particular resource. The first parameter to this method identifies the user while the second is used to specify whether the user's authentication cookie needs to be persisted across multiple site visits.

The user's credentials can be also be specified in the web.config file as shown below:

Listing 4

<configuration>
    <system.web>       
    <authentication mode="Forms">
    <forms loginUrl="login.aspx">
        <credentialspasswordFormat="Clear">
            <user name="Joydip"password="Joydip" />
        </credentials>
    </forms>
    </authentication>          
    <authorization>
    </system.web>
</configuration>

Windows Authentication

This is the default authentication mode in ASP.NET. Using this mode, a user is authenticated based on his/her Windows account. Windows Authentication can be used only in an intranet environment where the administrator has full control over the users in the network. The following should be set in the web.config file to use Windows Authentication:

Listing 5

<authentication mode="Windows"/>
<authorization>
<allow users ="*" /> 
</authorization> 

Note: The symbol "*" indicates all users inclusive of Authenticated and Anonymous users. Hence the statement <allow users = "*"> in the web.config file as stated in Listing 5 indicates that all permissions are granted to both the Anonymous and Authenticated users.

Windows authentication can be of the following types

Passport Authentication

Passport authentication is a centralized authentication service that uses Microsoft's Passport Service to authenticate the users of an application. It allows the users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. The following code shows how we can specify Passport Authentication in the web.config file:

Listing 6

<configuration> 
  <system.web>
    <authenticationmode="Passport">
      <passportredirectUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

ASP.NET also supports custom authentication. In such a case the authentication mode has to be specified as none in the web.config file as shown below: 

<authentication mode="none">

Then we need to write our own custom authentication provider.

Authorization

Authorization is the process of determining the accessibility to a resource for a previously authenticated user. Note that authorization can only work with authenticated users, hence ensuring that no un-authenticated user can access the application. The default authentication mode is anonymous authentication. There can be three types of authorization in ASP.NET. They are

Authorization like authentication is specified in the web.config file of the application. The following specification in the web.config file allows or grants access to the user Joydip but denies the same to Jini and all anonymous users.  Note that the <allow> and <deny> element ordering is important, since the first one that matches the request will be used.  Hence, if you were to add a <deny users="*" /> to the top of the list, it would always deny everyone, regardless of any <allow /> elements that followed it.

Listing 7

<authorization>
  <allow users="Joydip"/>
  <deny users="Jini"/>
  <deny users="?"/>
</authorization>
Impersonation

According to MSDN, "When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user and either pass an authenticated token to the ASP.NET application or, if unable to authenticate the user, pass an unauthenticated token. In either case, the ASP.NET application impersonates whichever token is received if impersonation is enabled. The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set.

Impersonation is disabled by default and allows the ASP.NET process to act as the authenticated user, or as an arbitrary specified user. Impersonation can be specified in the web.config file as shown below:

Listing VIII

<identity impersonate="true"/> or <identityimpersonate="false"/>

It is also possible to use a particular identity for all authenticated requests. This is possible by specifying the following in the application’s web.config file: 

<identity impersonate="true" username="username"password="password"/>

How Authentication and Authorization Works

The following section lists the sequence of events that take place in the authentication and authorization process when a new request arrives.

The IIS first checks the validity of the incoming request. If the authentication mode is anonymous (default) then the request is authenticated automatically. But if this authentication mode is overridden in the web.config file settings, the IIS performs the specified authentication check first before the request is passed on to ASP.NET.

Now ASP.NET checks whether Impersonation is enabled or not. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing executing the task. If impersonation is not enabled, the application runs with the identity of the IIS local machine's identity and the privileges of the ASP.NET user account. ASPNET or NETWORK SERVICE is the default ASP.NET unprivileged account on Windows XP and Windows Server 2003, respectively. Now, the identity that has already been authenticated and verified is used to request resources from the operating system. Then ASP.NET performs an authorization check on the requested resources and if the user is authorized, it returns the request through IIS.

Suggested Readings

http://aspnet.4guysfromrolla.com/articles/031204-1.aspx

http://www.c-sharpcorner.com/Code/2003/Sept/AuthenticationAndAuthorization.asp

http://www.aspfree.com/c/a/IIS/Authentication-and-Authorization/

Conclusion

Application security plays a major role in building robust applications. The application should be able to restrict or limit access to the resources based on the user's credentials and even disallow access to resources to unauthorized users of the system. This article just gave a basic idea about ASP.NET's in-built Authentication and Authorization support. Please post your comments and suggestions. Happy reading!