Authentication And Authorization Objectives Computer Science Essay


5.2 Security in Web Applications

Security is an important factor that you must consider when developing or maintaining a Web application. Each Web site has different security requirements. For example, consider a search engine, an online library, and an online shopping application. A typical search engine does not require security features. An online library with user registration stores user names, passwords, and personal information. Although the information is not highly sensitive, you require some security to protect user details.

For the shopping application, however, you require strong security to protect sensitive information, such as users' credit card details.

Web sites that are exposed to attack need a security mechanism that allows only authorized users to access important information. ASP.NET provides security features that help you do this, as well as implement other security measures.

5.3 Security Features in ASP.NET Applications

Three key security features for an ASP.NET application are authentication, authorization, and impersonation.

Authentication is used to verify the identity of a user before allowing or denying a request. For example, in an e-mail application, a user's name and password are validated against a database of registered users. After verification, no further authentication is required to send and receive messages unless the user logs off from the application.

Using authorization, only users with a valid identity can access specific resources in an application. For example, a student is not allowed to view examination records that a teacher or a Web administrator can access.

In impersonation, the ASP.NET application process acts on behalf of a user whose identity has been authenticated by Internet Information Services (IIS). IIS passes an authentication token to the ASP.NET application. ASP.NET then uses the token and operates under the identity of the authenticated user.

5.4 ASP.NET Authentication Methods

ASP.NET implements authentication by using authentication methods (providers). An authentication provider contains the code that authenticates the user's credentials.

Three types of authentication method are supported in ASP.NET. They are:

Windows-Based Authentication

Windows authentication is the default authentication method in ASP.NET. This type of authentication is based on users' Windows accounts. Windows authentication uses IIS, which can be configured to allow only users in a Windows domain to log on to the application.

Forms-Based Authentication

Forms-based authentication uses the Forms authentication provider. In forms-based authentication, Hypertext Markup Language (HTML) forms are used to collect authentication information, such as user names and passwords. The application must contain the code that verifies the supplied credentials against a database. After a user is authenticated, a ticket identifying the user (not the user's password) is stored in a cookie and used for the rest of the session.

Microsoft Passport Authentication

In Passport authentication, users are authenticated using the Passport service provided by Microsoft. To use this type of authentication, you must register with Microsoft's Passport service. The Passport server uses encrypted cookies to identify and validate users. (The Passport service has since been retired, and Passport authentication is obsolete in current versions of ASP.NET.)

5.5 Authorization in ASP.NET

Authorization specifies whether an identity can be granted access to a specific resource. The two types of authorization available in ASP.NET are:

File Authorization

This type of authorization uses NTFS file system permissions to check the access rights of the user account under which the ASP.NET application is running. For example, if a user wants to open a particular file, the user account that is used to access the ASP.NET application must have read permission on that file.

URL Authorization

In the web.config file, authorization rules for the various folders or files of an application can be specified. Using the <authorization> element, you can specify the names of users or roles that are allowed or denied access.

The following shows the syntax for URL authorization:

<authorization>
    <[allow|deny] users roles verbs />
</authorization>

Here, an allow or a deny element is specified. At least one of the users or roles attributes must be specified; you can include both. The verbs attribute is optional. Rules are evaluated in the order written, and the first rule that matches the request decides; a rule placed after one that already matches never takes effect.

The allow element grants access and the deny element revokes it.

Code Snippet 1 grants access to the John identity and to members of the Admin role, and denies access to the David identity (who is not in the Admin role) and to all anonymous users. Note that an authenticated user who matches none of these rules is still allowed, because the machine-level configuration ends every rule list with <allow users="*"/>; add <deny users="*"/> as the last rule if everyone else should be denied.

Code Snippet 1:

<authorization>
    <allow users="John" />
    <allow roles="Admin" />
    <deny users="David" />
    <deny users="?" />
</authorization>

5.6 ASP.NET Authentication Methods – Comparison

Each of the three authentication methods that ASP.NET supports (Windows-based, Forms-based, and Microsoft Passport) is best suited to specific situations. Each method has significant advantages and disadvantages.

Table 5.1 shows the advantages and disadvantages of Windows-based and Forms-based authentication.

Authentication method    Advantages                                        Disadvantages
Windows-based            Uses the existing Windows infrastructure;         Not suited to most Internet applications
                         controls access to sensitive information
Forms-based              Best suited to Internet applications;             Based on cookies
                         supports all client types

Table 5.1: Advantages and Disadvantages

Windows-Based Authentication

Windows-based authentication uses the existing Windows infrastructure. Therefore, it is best suited to situations in which you have a fixed number of users with existing Windows user accounts. Two example situations are as follows:

Developing an intranet for your organization. For example, your organization may already have Windows user accounts configured for each employee.

Controlling access to sensitive information. For example, you may want users in the Human Resources group to have access to directories that contain employee résumés and salary details. You can use Windows-based authentication to prevent employees in other Windows groups, such as the Developers group, from accessing these sensitive documents.

The disadvantage of Windows-based authentication is that it is not suited to most Internet applications. For example, if you build a public user registration and password system, Windows-based authentication is not a good option. With Windows-based authentication, a valid Windows user account must be configured for each user who accesses a restricted page, and you cannot easily automate the process of adding new user accounts.

Forms-Based Authentication

Forms-based authentication is an appropriate solution if you want to set up a custom user registration system for your Web site. The advantage of this type of authentication is that it lets you store user names and passwords in whatever storage mechanism you want. For example, you can store credentials in the web.config file (in the <credentials> element of the <forms> section), in an XML file, or in a database table. Whatever the store, keep salted password hashes rather than clear-text passwords; a configuration file that holds clear-text passwords is a single point of compromise.

Forms-based authentication relies on a cookie to determine the identity of the user. After Forms-based authentication is enabled, the user cannot access the requested page unless a specific cookie is found on the client. If this cookie is not found, or if the cookie is invalid, ASP.NET rejects the request and returns the logon page.

Microsoft Passport Authentication

Microsoft Passport authentication includes several advantages:

You can use the same user name and password to sign in to many Web sites; users are therefore less likely to forget their passwords. For example, both Microsoft Hotmail and Microsoft MSN used Microsoft Passport to authenticate users.

You do not have to set up and maintain a database to store user registration information. Microsoft performs all of this maintenance for you.

You can customize the appearance of the registration and sign-in pages by supplying templates.

There are two disadvantages of Microsoft Passport authentication. First, there is a subscription fee to use the Microsoft Passport service. Second, Microsoft Passport authentication is based on cookies.

5.7 Secure Sockets Layer

When you develop Web applications, certain parts of the application require extra security. For example, Web pages that send confidential data, such as login credentials or financial transaction details, require strong security. You can use Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), to add security to such pages.

SSL provides the following features:

SSL is supported by most Web servers and browsers.

Only a digital certificate issued by a trusted certification authority is needed to protect a Web application through SSL.

In client-server operations, the SSL protocol uses a third party, a Certificate Authority (CA), to identify one end, or both ends, of the communication.

SSL encrypts transmitted data and incorporates a mechanism (a message authentication code) that detects any modification of the data in transit. This helps prevent eavesdropping on or tampering with sensitive data during transmission.

5.7.1 SSL with Client Browser and Server

SSL uses a public key and a private key to protect data transmitted between a client and a Web server. The public key is known to everyone, and the private key is known only to its owner. A typical communication process between a client and a Web server (the RSA key-exchange form of the handshake) is shown in Figure 5.2.

Figure 5.2: Communication Procedure

Each step is explained as follows:

Step 1

The client browser contacts the Web server.

Step 2

The server sends back its certificate, which has been signed with the trusted third party's (the CA's) private key.

Step 3

The browser verifies the certificate's signature with the trusted third party's public key, and checks that the certificate is valid and was issued for the host it is contacting.

Step 4

The browser uses the server's public key, taken from the verified certificate, to encrypt a session secret. The encrypted secret is sent back to the server.

Step 5

The Web server receives the request and decrypts the session secret with its private key. The server and the browser derive the same session keys from that secret and use them to encrypt further transmissions.

Note that current TLS versions replace Step 4 with an ephemeral Diffie-Hellman exchange, so that a later compromise of the server's private key does not expose recorded sessions; the role of the certificate and the CA in Steps 2 and 3 is unchanged.

5.7.2 Configuring SSL in ASP.NET Pages

After configuring the server to use SSL, any page can be requested from the Web site by using a secure connection. SSL uses Hypertext Transfer Protocol Secure (HTTPS) to retrieve a Web page. For example, the secured page can be accessed with an address of the form https://www.mysite.com/login.aspx.

Note: The Request.IsSecureConnection property can be used to check whether the current request arrived over a secure HTTPS connection.

5.7.3 Obtaining an SSL Certificate

Consider a Web application in which you want to implement SSL for a login page. To use SSL, you need to obtain a certificate. To get an SSL certificate, a Certificate Signing Request (CSR) has to be submitted. A CSR is a data file that carries the details of the requesting party (and its public key) to a CA.

You can create a CSR using the Certificate wizard in IIS. The cert.txt file that is created must be submitted to a certificate-issuing authority. You save the certificate that is issued. Then, using the Certificate wizard in IIS, you process the pending request and install the certificate on the server.

After you install the SSL certificate, a user requesting the Home page is redirected to the SSL-secured login page. A padlock icon appears in the browser (in older browsers, in the lower-right corner of the status bar) to indicate the use of SSL. You can view the certificate by clicking the padlock icon.

The following code snippet is an example of how to redirect users from the Home page to a login page that uses SSL.

<script runat="server">
    // Runs on every request for Home.aspx and sends the browser to the
    // SSL-secured login page.
    protected void Page_Load(object sender, EventArgs e)
    {
        // An absolute https:// URL is required: a relative URL keeps the
        // scheme of the current request and would never switch to SSL.
        string url = "https://localhost/SSLexample/login.aspx";
        Response.Redirect(url);
    }
</script>

In the above code, the user is redirected from Home.aspx to login.aspx by the Response object's Redirect method. The application must explicitly switch to SSL when redirecting to an SSL-secured resource. This is done by using an absolute Uniform Resource Locator (URL) such as https://server/application/page.aspx; relative URLs such as ~/page.aspx will not work, because they keep the scheme of the current request.

Figure 5.3 shows the content of the cert.txt file.

Figure 5.3: Client Certificate Details

5.7 Windows-Based Authentication

You can use Windows-based authentication to secure Web applications when you know which users access your Web site.

You can secure Web applications using Windows-based authentication in a four-step process:

Configure IIS

Set up authentication in Web.config

Set up authorization in Web.config

IIS requests logon information from the users

Configure IIS

To secure a Web application with Windows-based authentication, you must configure IIS to use one or more of its authentication mechanisms:

Basic Authentication

Digest Authentication

Windows Integrated Security

Set up hallmark in Web.config

The second step is to set ASP.NET security to Windows-based authentication in Web.config. The <authentication>, <authorization>, and <identity> sections in Web.config can be used for the security settings.

Code Snippet 2 sets the authentication method for the application to Windows by using the <authentication> section in the Web.config file.

Code Snippet 2:

<system.web>
    <authentication mode="Windows" />
</system.web>

Set up mandate in Web.config

You can secure specific pages in a Web application by using the <location> section in the <configuration> section together with the <system.web> and <authorization> sections.

Code Snippet 3 demonstrates securing a page named LibraryRegister.aspx by denying access to all anonymous users.

Code Snippet 3:

<location path="LibraryRegister.aspx">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

Note: A Web Form or a folder can be specified in the <location> section. If you specify a folder name, all of the subfolders under it are secured as well. You can secure multiple Web Forms or folders by using multiple <location> sections.

Code Snippet 4 secures an entire Web application by creating an <authorization> section in the <system.web> section.

Code Snippet 4:

<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>
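As an added example (not code from the original page, and not ASP.NET's own implementation), the following Python script models how the URL authorization rules of Code Snippets 1, 3 and 4 are evaluated: the first matching rule wins, "?" means anonymous users and "*" means everyone, rules in a <location> whose path covers the request are checked before the application-wide rules, and the machine-level <allow users="*"/> closes the list. The web.config fragments are constructed sample input; the function names and the simplified prefix matching of location paths are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (sample input, not the original page's
# configuration): the <location> rule of Code Snippet 3 on top of the
# application-wide rules of Code Snippet 1.
WEB_CONFIG = """<configuration>
  <location path="LibraryRegister.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <allow users="John" />
      <allow roles="Admin" />
      <deny users="David" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# A mis-ordered variant: the deny comes after a catch-all allow, so it never fires.
MISORDERED_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
      <deny users="David" />
    </authorization>
  </system.web>
</configuration>"""

# machine.config ends every rule list with <allow users="*" />; it is appended
# here so that a request matching no explicit rule falls through to "allow".
DEFAULT_RULE = ("allow", {"*"}, set(), None)


def _names(attr):
    """Split a comma-separated users/roles/verbs attribute into a lower-cased set."""
    return {v.strip().lower() for v in attr.split(",") if v.strip()} if attr else set()


def parse_rules(config_xml):
    """Return {path: [(action, users, roles, verbs)]}; the key "" holds the
    application-wide <system.web> rules, other keys come from <location path>."""
    root = ET.fromstring(config_xml)
    scopes = {}
    sections = [(root, "")] + [(loc, loc.get("path", "")) for loc in root.findall("location")]
    for element, path in sections:
        rules = []
        for rule in element.findall("./system.web/authorization/*"):
            if rule.tag in ("allow", "deny"):
                verbs = _names(rule.get("verbs"))
                rules.append((rule.tag, _names(rule.get("users")), _names(rule.get("roles")), verbs or None))
        scopes[path] = rules
    return scopes


def _matches(rule, user, roles, verb):
    action, users, rule_roles, verbs = rule
    if verbs is not None and verb.lower() not in verbs:
        return False
    if "*" in users:
        return True
    if user is None:                      # anonymous request
        return "?" in users
    return user.lower() in users or bool(rule_roles & {r.lower() for r in roles})


def is_authorized(config_xml, request_path, user, roles=(), verb="GET"):
    """user=None means an anonymous request. Rules from the most specific
    <location> apply first, then the application-wide rules, then the machine
    default; the first matching rule decides."""
    scopes = parse_rules(config_xml)
    path = request_path.lstrip("/")
    specific = [p for p in scopes if p and (path == p or path.startswith(p.rstrip("/") + "/"))]
    ordered = []
    for p in sorted(specific, key=len, reverse=True):
        ordered += scopes[p]
    ordered += scopes.get("", []) + [DEFAULT_RULE]
    for rule in ordered:
        if _matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return False  # not reached: DEFAULT_RULE always matches


if __name__ == "__main__":
    for who in ("John", "David", "Alice", None):
        print(who, "->", is_authorized(WEB_CONFIG, "/Default.aspx", who))
    print("misordered David ->", is_authorized(MISORDERED_CONFIG, "/Default.aspx", "David"))
```

The two results worth noticing are "Alice" (an authenticated user named in no rule) being allowed by the machine default, and "David" being allowed by the mis-ordered configuration; both are ordering mistakes that a reviewer should look for in any web.config.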

Request of logon information from the users by IIS

The last step of enabling Windows-based authentication happens when users attempt to access a Web Form in your Web application and IIS requests logon information from them. The user must supply his or her user name and password. If the user's credentials are approved, IIS grants the user access to the secure Web page.

5.7.1 User Information

After Windows-based authentication completes, the Web server can read the user's identity from any Web page of the application. User.Identity.Name is used to read the identity of the user. The Web server can also use User.Identity.AuthenticationType to identify the IIS authentication mechanism that was used to authenticate the user. Additionally, it can test whether the user is authenticated by using User.Identity.IsAuthenticated.

Code Snippet 5 shows the code that allows the Web server to read the user identity.

Code Snippet 5:

userIdentity.Text = User.Identity.Name;
userTypeIdentity.Text = User.Identity.AuthenticationType;
// IsAuthenticated is a bool; the Text property expects a string
userAuthenticatedIdentity.Text = User.Identity.IsAuthenticated.ToString();

5.8 Forms-Based Authentication

The most common method of securing a Web application is Forms-based authentication.

Figure XXX shows the sequence of Forms-based authentication.

Figure XXX: Sequence of Forms-based authentication

Forms-based authentication provides a customized means of authentication and uses a cookie to maintain the authenticated session. When a user requests restricted resources in a Web application, user authentication is first performed by IIS. If anonymous access is enabled in IIS, or after successful IIS authentication, the request is forwarded to the ASP.NET application. ASP.NET examines the request for a valid authentication cookie and then performs the authorization check. If the user passes the authorization check, access to the resources is granted. Otherwise, access is denied.

If the user's request does not carry a valid authentication cookie, ASP.NET redirects the user to the login page. On the login page, the user's credentials are submitted and verified by the application code. On successful authentication, ASP.NET attaches an authentication cookie and redirects the user to the originally requested resource. The same cookie is then used to allow the user to revisit restricted resources during the session.
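The sequence just described, as an added example in Python (not code from the original page, and not the ASP.NET FormsAuthentication implementation): a login step that checks credentials against a constructed store of salted password hashes, issues a ticket carrying the user name and an expiry protected by an HMAC, and a request handler that either serves the resource under the ticket's identity or redirects to loginUrl. The key, the user store and the cookie format are this example's own assumptions; ASP.NET uses the machineKey and its own ticket encoding, but the security property is the same: without the key, the client can neither forge nor extend a ticket.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

COOKIE_NAME = ".ASPXAUTH"          # default forms cookie name, as in Code Snippet 6
LOGIN_URL = "login.aspx"
TICKET_LIFETIME = 30 * 60          # seconds; ASP.NET's default forms timeout is 30 minutes
TAG_LEN = 32                       # HMAC-SHA256 output size

# Stand-in for the ASP.NET machineKey that validates tickets (constructed demo
# secret, NOT a real key). The whole scheme rests on the client never learning it.
MACHINE_KEY = b"constructed-demo-key-replace-with-machineKey"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: salted PBKDF2 hashes rather than clear-text passwords.
_SALT = b"demo-salt-0001"
USER_STORE = {"alice": _hash_password("correct horse battery", _SALT)}


def check_credentials(username, password):
    """The application-supplied verification step of forms authentication."""
    stored = USER_STORE.get(username.lower())
    return stored is not None and hmac.compare_digest(stored, _hash_password(password, _SALT))


def issue_ticket(username, now):
    """Serialise (name, expiry) and append an HMAC tag so the client cannot
    change the name or extend the expiry without the tag failing to verify."""
    payload = json.dumps({"name": username, "exp": int(now) + TICKET_LIFETIME},
                         separators=(",", ":")).encode()
    tag = hmac.new(MACHINE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_ticket(ticket, now):
    """Return the user name carried by a valid, unexpired ticket, else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MACHINE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # tampered or foreign ticket
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:                # expired ticket
        return None
    return data.get("name")


def login(username, password, now):
    """Login page: on success return the cookie to set, otherwise None."""
    if not check_credentials(username, password):
        return None
    return {COOKIE_NAME: issue_ticket(username.lower(), now)}


def handle_request(cookies, path, now):
    """Restricted resource: serve it under the cookie's identity, or redirect
    to loginUrl with a ReturnUrl so the user comes back after signing in."""
    user = validate_ticket(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        return ("redirect", f"{LOGIN_URL}?ReturnUrl={quote(path, safe='')}")
    return ("ok", user)


def forge_name(ticket, new_name):
    """What an attacker without the key can do: rewrite the name inside the
    ticket while keeping the old tag. validate_ticket must reject the result."""
    raw = base64.urlsafe_b64decode(ticket.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    data = json.loads(payload)
    data["name"] = new_name
    forged = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged + tag).decode()


if __name__ == "__main__":
    now = 1_700_000_000
    print(handle_request({}, "/members.aspx", now))               # redirect to login
    cookies = login("alice", "correct horse battery", now)
    print(handle_request(cookies, "/members.aspx", now + 60))     # ('ok', 'alice')
    print(handle_request({COOKIE_NAME: forge_name(cookies[COOKIE_NAME], "admin")},
                         "/members.aspx", now + 60))              # redirect again
```

The ticket carries no password, only a name and an expiry, which is why the cookie itself must be protected in transit (HTTPS) and why a short lifetime limits the damage if it leaks.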

5.8.1: Enabling Forms-Based Authentication

The following four steps are required to enable Forms-based authentication:

Configure IIS to use Anonymous authentication

Configure authentication in Web.config

Configure authorization in Web.config

Create the login page

Configure IIS to use Anonymous authentication

The first step for Forms-based authentication is to configure IIS to use anonymous authentication so that the user is authenticated by ASP.NET and not by IIS.

Configure hallmark in Web.config

The second step is to set the authentication method for the application to Forms in the Web.config file.

Code Snippet 6 demonstrates enabling Forms-based authentication in Web.config by using the <authentication> sub-section of <system.web>.

Code Snippet 6:

<system.web>
    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="login.aspx" />
    </authentication>
</system.web>

In the code snippet, the name attribute specifies the name of the Hypertext Transfer Protocol (HTTP) cookie used for authentication. The default value is .ASPXAUTH. The loginUrl attribute specifies the URL to which the user is redirected if a valid authentication cookie is not found.

If the authentication mode is Forms, the <forms> element must be added to the <authentication> section.

The settings of the cookie can be configured in the <forms> element. You can set the name attribute to the name to be used for the cookie and the loginUrl attribute to the URL of the page to which unauthenticated requests are redirected. Because the cookie is the user's proof of identity for the rest of the session, also set requireSSL="true" so that the browser sends it only over HTTPS, and keep the timeout attribute (the ticket lifetime, 30 minutes by default) short.

Configure mandate in Web.config

The next step is to set up the <authorization> section in Web.config. In this section you can allow or deny access to users of the Web application.

Create the login page

The final step is to create a logon Web Form. The page can be created by using the ASP.NET login controls. The user enters a user name and password on the logon page to establish authentication and gain access to the Web application.

5.8.2 Making a Logon Page

Whenever a user visits a Web portal with facilities such as online shopping or money transactions, protecting the account and its data from other users is one of the most important requirements. For example, if a user has an account with paypal.com, the user's information must be protected from other users who might attempt to use the same account. To enable this, the user must be authenticated before being allowed to access the online account.

To address this need, ASP.NET provides a set of server controls that offer a complete login solution for Web applications. These controls let users enter and validate their login credentials. You can drag the relevant login controls from the Toolbox onto a page and then customize the properties of the added controls.

You can use the login controls in ASP.NET to authenticate a user. Used together with the ASP.NET membership system, these controls do not require any additional programming. Table 5.2 lists the ASP.NET login controls.

Control              Description
Login                Provides all the pre-built user interface elements that are required for user authentication
LoginView            Customizes the information displayed to anonymous and logged-in users of a Web site
LoginStatus          Provides a login link for users who are not authenticated and a logout link for authenticated users
LoginName            Displays the name of authenticated users who are logged on to a Web site
PasswordRecovery     Enables a user to recover a forgotten password. The password is sent to the e-mail address that was used when the account was created.
CreateUserWizard     Creates a new user account and adds it to the ASP.NET membership system
ChangePassword       Enables users to change their passwords

Table 5.2: ASP.NET Login Controls

5.9 IIS Authentication Mechanism

IIS must be configured before you can use Windows-based authentication. When the user requests a page that requires authorization, the user is authenticated by IIS.

IIS provides several mechanisms that you can use to establish authentication. The four options available in IIS are:

Anonymous Access

This mechanism allows any user to access the ASP.NET application. When a request from an anonymous user is received, IIS in turn makes the request to Windows using the default IUSR_machinename account.

Basic Authentication

This authentication requires a Windows user name and password to connect to the application. However, the password is transmitted as clear text (Base64-encoded, which is not encryption), so this mechanism is insecure unless it is used only over an SSL connection.

Digest Authentication

This authentication is similar to Basic Authentication. However, the password itself is never transmitted. If Anonymous access is disabled, users are prompted for their credentials (logon information). The browser combines this logon information with a nonce sent by the server and other details of the request, and sends the server an MD5 hash (a message digest) of the result. The server already has a copy of the same information; it recomputes the hash itself and authenticates the user if the two values match (a hash cannot be reversed, so the server never recovers the password from it). Because MD5 is weak and the exchange gives no confidentiality to the rest of the request, Digest is still best combined with SSL. At the time this was written, only Microsoft Internet Explorer 5 or later supported it, but it does pass through firewalls and proxy servers and works over the Internet.
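The Digest exchange described above, as an added example in Python (not code from the original page, and not IIS's implementation): the client-side response computation from RFC 2617 (qop=auth), and a server-side verifier that stores only HA1 per user, recomputes the expected response and compares it, rejecting unknown nonces and replayed nonce/nc pairs. The test values are the worked example from RFC 2617 section 3.5 ("Mufasa" / "Circle Of Life"); the class and function names, the nonce bookkeeping and the user store are this example's own.

```python
import hashlib
import hmac
import secrets


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth):
         HA1 = MD5(username:realm:password)
         HA2 = MD5(method:uri)
         response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    Only this hash leaves the client; the password itself is never sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side. It keeps HA1 per user (not the password), recomputes the
    expected response for each request and compares; there is nothing to
    decrypt, because a hash cannot be reversed."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {name: _md5(f"{name}:{realm}:{pwd}") for name, pwd in users.items()}
        self.outstanding = set()   # nonces this server issued and still accepts
        self.seen = set()          # (nonce, nc) pairs already used: replay detection

    def challenge(self, nonce=None):
        """Issue the nonce sent in WWW-Authenticate (a fixed value only for tests)."""
        nonce = nonce or secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        if username not in self.ha1 or nonce not in self.outstanding:
            return False
        if (nonce, nc) in self.seen:            # replayed Authorization header
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


if __name__ == "__main__":
    realm, uri = "testrealm@host.com", "/dir/index.html"
    server = DigestVerifier(realm, {"Mufasa": "Circle Of Life"})
    nonce = server.challenge()
    resp = digest_response("Mufasa", realm, "Circle Of Life", "GET", uri, nonce, "00000001", "0a4f113b")
    print("first use:", server.verify("Mufasa", "GET", uri, nonce, "00000001", "0a4f113b", resp))   # True
    print("replay:   ", server.verify("Mufasa", "GET", uri, nonce, "00000001", "0a4f113b", resp))   # False
```

Note what the verifier has to store: HA1 is equivalent to the password for this realm, so the server's user store is as sensitive as a clear-text password file, which is one reason Digest fell out of favour compared with salted password hashes behind a TLS-protected login form.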

Integrated Windows Security

The user's Windows logon credentials are used here to authenticate users. In a Windows-based network, if the user has already been authenticated, IIS can pass on the user's credentials when the user requests access to a resource. The user name and password are not included in the exchange; only a token (an NTLM challenge-response or a Kerberos ticket) that indicates the user's security status is sent.

However, Integrated Windows security is not practical for Web applications that must pass through firewalls or proxies. Therefore, it is best suited to a corporate intranet scenario.


Authentication, authorization, and impersonation are the security features in ASP.NET.

Authentication is used to verify the identity of a user before allowing or denying a request.

In authorization, only users with a valid identity can access specific resources in an application.

Authentication providers help you provide Windows-based, Forms-based, or Microsoft Passport authentication.

SSL-secured pages help you protect the parts of your Web site that process confidential information.

Check Your Progress

Which of the following statements about the security features in ASP.NET are true?

A) For forms-based authentication, you must supply the code to verify user credentials.

B) Impersonation does not work with anonymous user access.

C) Authentication is required before authorization.

D) File authorization makes use of authorization rules from the web.config file.

E) Impersonation requires the use of IIS to authenticate users.

Which of the following statements about forms-based authentication for an ASP.NET application are true?

A) Forms-based authentication requires the use of a Web page for user authentication.

B) ASP.NET provides an authentication cookie for a valid user.

C) IIS performs the authorization check for users.

D) User credentials can be stored in the web.config file.

E) The <authentication mode> attribute in the web.config file is set to Forms.

Which of the following options refer to securing Web sites?

A) Restrict specific domain names

B) Authorize only authenticated users

C) SSL encrypts trusted certificates

D) ASP.NET encrypts data transmission

E) SSL prevents data tampering

F) The SSL protocol uses a CA

G) Install certificates using IIS

Cite this essay

Authentication And Authorization Objectives Computer Science Essay. (2020, Jun 01). Retrieved from https://studymoose.com/authentication-and-authorization-objectives-computer-science-new-essay
