2. What is security
ASP.NET security is based on the concepts of user
accounts, roles, and access rules and lets you restrict
access to your Web application resources to only the
user accounts that you specify. Security settings are
established using a combination of configuration
settings and data stored in a database (or other data
store). User accounts and roles that you create are
stored in the database and access rules are stored in
the Web.config file.
• Security authentication:-
• Who are u.
• Server must authenticate client
• Client should authenticate server.
• Need a directory or data base to share user account.
3. Authentication vs Autharization
Authentication:- is the process of ensuring the user's identity and
authenticity. ASP.NET allows three types of authenticationstion
1. Form authentication.
2. Window authentication.
3. Passport authentication. (not yet use)
4. Form based authenticatin or (internet
authentication):- Forms-based authentication is used for
Web sites that are made available to the Internet. Forms-based
authentication uses the ASP.NET membership system to manage
individual user accounts and groups (roles). User account
information is stored in a local database or in a Microsoft SQL
Server database. You can use the ASP.NET logon controls to
create a logon page where users can enter their credentials
4. 2. Window based authentication (local
network authentication):- Windows
authentication interacts with Windows security, using the
logon credentials that users provide when they log on to
Windows. Therefore, Windows authentication is suited
for intranet scenarios, where users have logged on to a
Windows-based network. You do not have to create a
logon page, because users are automatically logged on to
your application with their Windows credentials.
• Use the Users section of the Security tab to complete the
following tasks:
• Create, edit, and delete registered user accounts for the
Web site.
• View a list of all registered user accounts for the Web
site.
• Change the authentication method that is used by the
Web site
5. Note:-
• You can create and manage user accounts, if you chose the From
the Internet option for your authentication type (if you are using
forms-based authentication). If you chose the From a local
network option as your authentication type (if you using integrated
Windows authentication), you cannot manage individual user
accounts. If you change the authentication type, any user
information that you have created will be lost. Additionally, access
rules might no longer work in the way that you configured them.
Generally, you should select an authentication type only when you
first configure the Web site.
• Use the Roles section of the Security tab to group user accounts,
which makes it easier to assign permissions (authorization).
• Use the Access Rules section of the Security tab to allow or deny
access for specified pages to specific user accounts or to all user
accounts that belong in a specified role. Typically, you use an access
rule to restrict pages for some user accounts
6. 2. Autherization
• What you allow to do autherized user
• Grant a permission
• Asp.net support autherization
• Rolls map users into logical group like, manager,
employee, teacher, chairman etc.
• For autherization and authentication we use
webconfig file. Contain authentication element
i.e <autherization>
<authentication> i.e element
<authentication mode=“form”/>
7. IIS (Internet Information Service
. Anonymous
– A single Windows account is used for all visitors
– It is also called guest user.
• Basic authentication
– It is Standard and commonly supported
– Password sent in clear text form
• Digest authentication
– It is Standard, but not yet common
• Password in encrypt form
• Confidentiality : It involves encrypting the channel between the
client browser and the web server.
• Integrity : It involves maintaining the integrity of data. For example,
implementing digital signature.
8. SSL (Source Socket Layer)
• The Secure Socket Layer or SSL is the protocol used to
ensure a secure connection. With SSL enabled, the browser
encrypts all data sent to the server and decrypts all data
coming from the server. At the same time, the server
encrypts and decrypts all data to and from browser.
• The URL for a secure connection starts with HTTPS instead
of HTTP. A small lock is displayed by a browser using a
secure connection. When a browser makes an initial
attempt to communicate with a server over a secure
connection using SSL, the server authenticates itself by
sending its digital certificate.
• To use the SSL, you need to buy a digital secure certificate
from a trusted Certification Authority (CA) and install it in
the web server. Following are some of the trusted and
reputed certification authorities:
• www.verisign.com