Authentication in .NET

Authentication is the process of accepting credentials from a user and validating those credentials against an authority. If the credentials are valid, the identity is said to be authenticated. Authorization is the process of determining whether that authenticated identity has access to a requested resource. Authentication can be accomplished by either system or business logic, and is exposed through a single application programming interface (API). The authentication API is fully extensible, so developers can plug in their own business logic as needed. Developers can code their authentication needs against this single API and later revise the underlying authentication methods without major changes to their code. In addition to Microsoft Windows identity authentication, other available authentication methods include Hypertext Transfer Protocol (HTTP) Basic, HTTP Digest, and Kerberos, as well as Microsoft Passport and ASP.NET forms-based authentication. These authentication methods are also fully integrated into ASP.NET.

For example, in ASP.NET forms authentication, the user provides credentials and submits the form using HTTP GET, POST, or PUT. If the application authenticates the requester, the system issues a cookie that contains either the credentials in some form or a key for reacquiring the identity. Subsequent requests carry the cookie in the request headers, and an ASP.NET handler authenticates and authorizes them using whatever validation method the application chooses.

If a request is not authenticated, HTTP client-side redirection is used to send that request to an authentication form, where the user can supply credentials. Forms authentication is sometimes used for personalization, that is, customizing content for a known user. In some of these cases identification rather than authentication is the issue, so a user's personalized information can be obtained simply by reading the user name.

ASP.NET offers two types of authorization services: file authorization and URL authorization. File authorization determines which access control lists (ACLs) are consulted, based on both the HTTP method being used and the identity making the request. URL authorization is a logical mapping between portions of the Uniform Resource Identifier (URI) namespace and particular users or roles.
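As an added example, not from the original article, the following web.config fragment shows how the pieces described above are wired together in ASP.NET: forms authentication with the login redirect and the cookie-hardening settings a defender would want, plus URL authorization rules for the whole site and for one sub-path. The login path, the Admin path, the role name and the timeout are assumed values.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: a request without a valid ticket cookie is
         redirected (HTTP 302) to loginUrl, where the user supplies credentials. -->
    <authentication mode="Forms">
      <!-- protection="All": the ticket in the cookie is encrypted and MAC-signed,
             so it can be neither read nor tampered with by the client.
           requireSSL="true": the cookie is marked Secure and only sent over HTTPS.
           slidingExpiration="false" + timeout: the ticket expires a fixed
             20 minutes after issue instead of being renewed on every request.
           cookieless="UseCookies": never fall back to carrying the ticket in the URL,
             where it would leak through logs and Referer headers. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             path="/" />
    </authentication>

    <!-- Mark all cookies HttpOnly so page script cannot read the auth ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- URL authorization for the whole application: "?" denotes anonymous
         (unauthenticated) users, who are denied; authenticated users pass. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- URL authorization for one part of the URI namespace: only members of the
       assumed "Admin" role may reach /Admin. Rules are evaluated top-down and
       the first match wins, so the allow must precede the catch-all deny ("*"). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```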
