ASP.NET provides an extensive security model that makes it comparatively easy to protect your web applications. Although this model is powerful and flexible, it can appear confusing because of the many different layers it includes. In this article we sort out the tangled ASP.NET security model and look at the two main pillars of securing a web application: authentication and authorization.
Determining Security Requirements:
The first step in securing your application is deciding where you need security and what you need to protect. Security does not need to be complex, but it does need to be wide-ranging and multilayered: one check at the front door is not enough if a resource can be reached another way. You also need to hunt carefully for weaknesses in the code you have written, because the platform's checks cannot cover mistakes in your own logic.
The ASP.NET Security Model:
Web requests are fielded first by the IIS web server, which examines the requested file type. If the file type is registered to ASP.NET, the web server passes the request to ASP.NET; otherwise IIS serves it directly. For an ordinary static file the process is short:
Step 1: IIS attempts to authenticate the user.
Step 2: If IIS authenticates the user successfully, it sends the user the requested file.
An ASP.NET request requires several additional steps:
Step 1: IIS attempts to authenticate the user.
Step 2: If IIS authenticates the user successfully, it passes the request to ASP.NET with additional information about the authenticated user.
Step 3: If ASP.NET authenticates the user (using whichever authentication mode the application has configured, for example forms or Windows authentication), it allows the request to reach the .aspx page or .asmx web service.
Step 4: When the ASP.NET code requests resources, the operating system performs its own security checks. As your code performs various actions (reading files, opening database connections, writing to the event log), Windows checks that the account the code runs under has the required permissions.
Authentication and Authorization:
Authentication: This is the process of determining a user’s identity and forcing users to prove they are who they claim to be.
Authorization: Once a user is authenticated, authorization is the process of determining whether that user has sufficient permissions to perform a given action.
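The following HTTP module is an added example, not code from the original article or from ASP.NET itself, that makes the two concepts above and Step 3 of the pipeline concrete. ASP.NET's built-in FormsAuthenticationModule normally performs the authentication part; this module replaces it to show the split explicitly. It hooks the two pipeline events that correspond to the two questions: AuthenticateRequest establishes who the caller is from the forms-authentication cookie, and AuthorizeRequest decides whether that identity may reach the resource. The admin path "~/admin/", the role name "Admin", and storing a comma-separated role list in the ticket's UserData are assumptions of this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module written for this article (not part of ASP.NET).
// AuthenticateRequest: establish identity  ("who is this?").
// AuthorizeRequest:    check permission     ("may this identity do that?").
public class AuthDemoModule : IHttpModule
{
    // Assumed for this example: one protected area and one role that may enter it.
    private const string AdminPath = "~/admin/";
    private const string AdminRole = "Admin";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    // Called by the login page after the user's credentials have been verified
    // (e.g. with Membership.ValidateUser). This is the "prove who you are" step:
    // only a valid, non-expired ticket signed with the machine key is accepted later.
    public static void IssueTicket(HttpContext ctx, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join(",", roles)); // roles in UserData: an assumption of this example
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep the ticket away from page scripts
            Secure = FormsAuthentication.RequireSSL   // honour <forms requireSSL="true">
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Step 3 of the pipeline: ASP.NET authenticates the user. IIS has already run
    // its own (anonymous or Windows) authentication before this event fires.
    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return; // no ticket: the request stays anonymous

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // tampered or foreign cookie: treat as anonymous, never as an error page
        }
        if (ticket == null || ticket.Expired)
            return;

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Authorization runs only after identity has been established (or left anonymous).
    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

        if (!path.StartsWith(AdminPath, StringComparison.OrdinalIgnoreCase))
            return; // public resource: no authorization decision needed

        IPrincipal user = ctx.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not authenticated: 401, which forms authentication turns into a login redirect.
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
            return;
        }
        if (!user.IsInRole(AdminRole))
        {
            // Authenticated but not permitted: 403, not a redirect back to the login page.
            ctx.Response.StatusCode = 403;
            app.CompleteRequest();
        }
    }
}
```

The module is registered like any other: under system.webServer/modules for IIS 7 integrated mode, or under system.web/httpModules in classic mode. Two points are worth noticing. The authentication handler never throws on a bad cookie; a forged or stale ticket simply leaves the request anonymous, so the authorization handler makes the decision on the same footing as for a visitor with no cookie at all. And the authorization handler distinguishes 401 (you have not proven who you are) from 403 (we know who you are and the answer is no), which is exactly the difference between the two definitions above.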
