Maintain security
The process of identifying who a user is is called Authentication. Once a user has been authenticated, the application decides which permissions to grant that user; this second step is Authorization.
A website is a public place: thousands of users visit it. Some are casual visitors, some have a particular job to do on the site, and some have ill intent and are trying to break into the site or extract confidential data from it.
Consider a company website that displays the company's products. Millions of users visit it to browse the products. The company's sales staff, who do not come to the office regularly, upload their attendance and official documents through the same website. Hackers also visit the site regularly, trying to get at the company's confidential data.
The website has a login page where a username and password must be entered. The site identifies the proper user and lets employees into the employee portal. A salesman gets an interface and reports for his purposes, while the office staff get different reports and a different user interface from the same website.
Identifying the logged-in user is Authentication; giving the salesman his portal and the office staff theirs, which are different from each other, is Authorization.
There are three ways to authenticate a user in ASP.NET:
- Windows Authentication: the server keeps a list of the users who may operate it. That list of valid accounts is stored on the server (or in the Windows domain), and a user is granted or denied access according to it. The server also keeps an authorization list for each user; after authentication, the server authorizes what the user may do with files, folders and command execution.
- Forms Authentication: a user interface accepts a login name and password and verifies them against a database that holds the list of valid login names and password credentials (the database should store password hashes rather than the passwords themselves). When the login name and password are submitted from the user interface, the database is checked and an indicator of success or failure is returned to the application.
- Passport Authentication: a centralized login service that serves many client websites (the mode is named after Microsoft's Passport service; the social logins run by Facebook, Google, Microsoft and others work the same way). Each provider runs its own login service; after it verifies the credentials, an indicator and the corresponding user data are sent back to the client website. For example, your website has a login page and uses passport-style authentication. When a user tries to log in, your website redirects the user to the authentication provider; the provider verifies the credentials and redirects back to your website with information on whether the user is valid. If the user is valid, the user is allowed into your website.
These mechanisms live in the System.Web.Security namespace; the Windows, Forms and Passport authentication classes are all found there.
Windows Authentication
In a Windows system there is a list of users who can log in. A second list authorizes those users, granting add/edit/delete permissions on files and folders and read/write/delete/execute rights.
A website can use Windows authentication as well. The main advantage is that the website gets the same security features, accounts and permission model as the Windows operating system itself, instead of a second password store maintained by the application.
To enable Windows authentication for a website, you change the web.config file.
Below is the web.config for a website with Windows authentication applied.
<system.web>
  <authentication mode="Windows"/>
  <authorization/>
</system.web>
A simple example
A website is created in Windows Authentication mode and an ASP.NET page is added to it.
ASP.NET aspx page
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" EnableViewState="false" %>
<%-- No OutputCache directive on this page: it renders the caller's own identity,
     so a cached copy would be served to the next user who requests the page. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <table>
            <tr>
                <td>Authenticated User :</td>
                <td><asp:Label ID="id_auth_use" runat="server" Text="0"></asp:Label></td>
            </tr>
            <tr>
                <td>User Name :</td>
                <td><asp:Label ID="id_name_use" runat="server" Text="0"></asp:Label></td>
            </tr>
            <tr>
                <td>Authentication Type :</td>
                <td><asp:Label ID="id_authen_type" runat="server" Text="0"></asp:Label></td>
            </tr>
        </table>
    </div>
    </form>
</body>
</html>
C# Code
The C# code-behind retrieves the user information and displays it on the page.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With <authentication mode="Windows"/>, User is a WindowsPrincipal built from
        // the credentials IIS already validated; User.Identity is the WindowsIdentity.
        this.id_auth_use.Text = User.Identity.IsAuthenticated.ToString();  // "True" once IIS has validated the logon
        this.id_authen_type.Text = User.Identity.AuthenticationType;        // e.g. "Negotiate", "NTLM" or "Kerberos"
        this.id_name_use.Text = User.Identity.Name;                         // "DOMAIN\user"
    }
}
Web.config
<system.web>
  <authentication mode="Windows"/>
  <authorization/>
</system.web>
Now run the application (press F5). The browser shows a dialog box asking for your Windows credentials.
After you have entered your credentials, you will get the following output, with the three labels filled in.
Notice that Windows validated the credentials and allowed access to the website; the application itself contains no password check.
Windows authentication is best used for intranet systems on a network. Any network has a list of users who may log into it. If a valid user is already logged into the network and opens the website, the website does not ask for the credentials again; it relies on the network's Windows security to log the user into the site. It is best suited for a group of people at a small company, and it adds an extra layer of security to the website because the operating system, not the application, verifies the password. It is not suited to a public Internet site whose visitors have no Windows account to present.
Obviously not every user in the domain should be able to reach the website. web.config can be configured with allow and deny lists; each takes a comma-separated list of user names. Rules are evaluated from top to bottom and the first rule that matches the caller wins, so an allow list must be closed with a <deny users="*"/>; without it, users who are not listed fall through to the inherited default rule, which allows everyone. Below is an example that admits three named domain users and rejects everyone else.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="myCompany\John,myCompany\Micle,myCompany\Brock"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
web.config has some other options as well. The * sign tells web.config to allow all users, and the ? sign stands for anonymous (unauthenticated) users. Because the first matching rule wins, the deny for anonymous users must come before the allow for everyone: if <allow users="*"/> came first it would match every caller, anonymous ones included, and the deny would never be reached. The configuration below lets every authenticated user in and turns anonymous users away:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
web.config can also be configured on a role basis. For example, users who hold the Administrators role can do everything, while users who hold a data-entry role can do data entry only. With Windows authentication a role is a Windows group, written as DOMAIN\Group. The web.config below admits members of two groups and denies everyone else:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="myCompany\Administrators,myCompany\SupportStaff"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
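The three authorization fragments above (named users, the * and ? wildcards, and roles) all depend on the same first-match-wins rule, which is easy to get wrong. The evaluator below is an added example written for this page, not code from the original post or from ASP.NET itself; it applies the documented UrlAuthorizationModule semantics to the fragments so the ordering pitfall can be checked on sample callers. The configs, the caller accounts (John, Alice, Brock) and their group memberships are constructed for the example; only the myCompany domain and group names come from the page.

```python
"""Added example, not code from the original post: a small evaluator that applies
ASP.NET <authorization> rules the way the UrlAuthorizationModule does, so the
web.config fragments above can be checked against sample callers.

Semantics implemented:
  * rules are tested top to bottom and the FIRST matching rule decides;
  * users="*" matches every caller, users="?" matches only anonymous callers;
  * user and role names are compared case-insensitively;
  * if no rule matches, the inherited root default <allow users="*"/> applies.
The configs, the caller accounts and the group memberships below are constructed
for this example (the domain and group names are the ones used on the page).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str                       # "DOMAIN\\user"; empty for an anonymous caller
    authenticated: bool
    roles: frozenset = frozenset()  # Windows groups, "DOMAIN\\Group"


def _split(attr_value):
    return [v.strip().lower() for v in attr_value.split(",") if v.strip()]


def rule_matches(rule, caller):
    """True if one <allow> or <deny> element applies to the caller."""
    for user in _split(rule.get("users", "")):
        if user == "*" or (user == "?" and not caller.authenticated):
            return True
        if user not in ("*", "?") and caller.authenticated and user == caller.name.lower():
            return True
    caller_roles = {r.lower() for r in caller.roles}
    for role in _split(rule.get("roles", "")):
        if caller.authenticated and role in caller_roles:
            return True
    return False


def _rules(web_config):
    section = ET.fromstring(web_config.strip()).find("./system.web/authorization")
    return [r for r in section if r.tag in ("allow", "deny")] if section is not None else []


def is_allowed(web_config, caller):
    """Evaluate configuration/system.web/authorization for one caller."""
    for rule in _rules(web_config):
        if rule_matches(rule, caller):
            return rule.tag == "allow"
    return True  # nothing matched: the inherited <allow users="*"/> applies


def unreachable_rules(web_config):
    """Rules that can never fire because an earlier rule already matches everyone."""
    dead, catch_all_seen = [], False
    for rule in _rules(web_config):
        if catch_all_seen:
            dead.append(rule.tag + " " + " ".join(f'{k}="{v}"' for k, v in rule.attrib.items()))
        if "*" in _split(rule.get("users", "")):
            catch_all_seen = True
    return dead


def _config(rules_xml):
    return f"<configuration><system.web><authorization>{rules_xml}</authorization></system.web></configuration>"


# Allow-all first, so deny-anonymous is never reached: anonymous callers get in.
PAGE_ORDER = _config('<allow users="*"/><deny users="?"/>')
# Corrected order: turn away anonymous callers, then admit everyone else.
FIXED_ORDER = _config('<deny users="?"/><allow users="*"/>')
# Named allow list closed by deny-all; without the deny, unlisted users fall through.
NAMED_USERS = _config('<allow users="myCompany\\John,myCompany\\Micle,myCompany\\Brock"/>'
                      '<deny users="*"/>')
ROLE_BASED = _config('<allow roles="myCompany\\Administrators,myCompany\\SupportStaff"/>'
                     '<deny users="*"/>')

# Constructed callers: an anonymous visitor and three domain accounts.
ANON = Principal("", False)
JOHN = Principal("myCompany\\John", True, frozenset({"myCompany\\Domain Users"}))
ALICE = Principal("myCompany\\Alice", True, frozenset({"myCompany\\DataEntry"}))
BROCK = Principal("myCompany\\Brock", True, frozenset({"myCompany\\Administrators"}))

if __name__ == "__main__":
    for label, cfg in [("page order", PAGE_ORDER), ("fixed order", FIXED_ORDER),
                       ("named users", NAMED_USERS), ("role based", ROLE_BASED)]:
        verdicts = {p.name or "<anonymous>": is_allowed(cfg, p) for p in (ANON, JOHN, ALICE, BROCK)}
        print(label, verdicts, "unreachable:", unreachable_rules(cfg))
```

Running it shows that with the allow-all rule first the anonymous caller is admitted and the deny rule is reported as unreachable, while the corrected order blocks anonymous callers and still admits every authenticated account; the named-user and role-based configs admit only the listed accounts or group members because they end with a deny-all. The evaluator ignores the verbs attribute and location-based inheritance, which the page does not use.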
How to enable Windows Authentication to IIS
- Open Control Panel.
- Click Programs, then select Programs and Features.
- On the left, select "Turn Windows features on or off".
- Expand Internet Information Services, then World Wide Web Services, then Security.
- Tick Windows Authentication and click OK.
- Reset IIS (run iisreset). Then open the site in IIS Manager, go to its Authentication feature and enable Windows Authentication; if only domain users should reach the site, disable Anonymous Authentication there as well.