Understanding Security Framework Model in ASP.NET 3.5

Why security is important: Security is an important part of any web application development which is necessary to protect assets from unauthorized actions. This encapsulates verifying users, granting or denying access to sensitive information, or protecting data stored on the server.

What ASP.NET has to offer: ASP.NET provides built-in functionality in the form of a security framework which includes classes for authentications and authorizations and sets of base classes for implementing confidentially and integrity. The ASP.NET security model is an extension of ASP.NET 2.0, or you can say it's the foundation of the ASP.NET 3.5 security model. ASP.NET 3.5 extends this Infrastructure with functionality for integration into Ajax.

How ASP.NET implement security model: Gatekeepers.

ASP.NET implements many components that enforce security for applications. Gatekeepers are conceptual patterns that apply a pipelining model to a security infrastructure. In this pipeline, a security mechanism is implemented by these individual components or gatekeepers. So this pipeline looks something like below.


You can in the above image see a pipeline of gatekeepers. At the end of the pipeline, you can see the protected resource which could be anything like custom page code. The protected resource will be accessed or executed only if every gatekeeper grants access. If just one gatekeeper denies access, the request processing is returned to the caller with a security exception.

What is this pipeline and gatekeeper in ASP.NET?
This pipeline is a HTTP pipeline and ASP.NET implements the concept of gatekeepers through HTTP modules.

These modules are just classes which are implementing the interface IHttpModule. Although a HTTP module is capable of multiple use, most of them are dedicated to a security level.

How ASP.NET HTTP Modules acts as security gatekeepers: We know that web applications communication is based on HTTP which is stateless, which is that no information is retained for the user between requests. So it becomes important and necessary to authenticate and authorize the user at the beginning of each request. What ASP.NET does is that it fires a global application event to handle events by the use of HTTP modules to perform these authentication and authorization jobs.

Let's see below what all these IHTTPModules classes are and how they act as gatekeeper.


What are levels of Security in ASP.NET: Level of security is implemented by a few security mechanisms, discussed below:

1. Authentication: Identifying user's identity and ensuring authenticity of this identity. There are 4 ways of implementing authentication, discussed below:

  • Windows Authentication:

    The FormsAuthenticationModule uses forms authentication, which allows you to design your own login pages, write your own authentication logic, but rely on ASP.NET to track user and role information using an encrypted cookie. The FormsAuthenticationModule is active when the <authentication> element is set as follows:

    <authentication mode="Forms" />
  • Forms Authentication:

    The WindowsAuthenticationModule works in conjunction with IIS to perform Windows authentication. This module is active when the <authentication> element in the web.config file is set as follows:

    <authentication mode="Windows" />
  • Passport Authentication

    PassportAuthenticationModule is active when the <authentication> element in the web.config file is set as follows:

    <authentication mode="Passport" />
    When using Passport, users are authenticated using the information in Microsoft's Passport database (the same technology that powers the free Hotmail e-mail system). The advantage of Passport is that you can use existing user credentials (such as an e-mail address and password), without forcing users to go through a separate registration process.
  • Custom authentication:

    What is Impersonation: It is the process of executing code in the context of another user identity. By default all ASP.NET code is executed using a fixed machine specific account which ASPNET on IIS for IIS5.x which is window XP and Network Service on IIS.60 and 7.0 which is Window Server 2003 and Window 7.

We can use Impersonation under two circumstances:
  • To give each web application a different set of permissions: while using IIS5.x, the default setting in the machine.config wil be applicable for all web applications, but there are scenarios when we want to give a different web application a different set of permissions; we can use impersonation to designate different window accounts for reach application. For example, a web application for user A does not access directories or a database from a web application of user B.
  • To use existing windows user permissions: lets' take a scenario where we want to access a file from another directory that already has specific permissions for a user of groups, so to access them we can use impersonation to assume the identity of the current user. That way, Windows will perform the authorization for you, checking permissions as soon as you attempt to access a file.

How ASP.NET works in absence of any Authentication:

ASP.NET uses the same underlying HTTP pipeline model to represent user and role information. Any user who logs into an application is granted two object principals and an identity object based on credentials provided at the time of login. Let us understand their purpose and their role.

Principal Object Identity Object


Represent the current security context of user. It combines user's identity with other information like Role, Priviledge etc and therefore allow to perform Roles based Authorization. Represent successfully authenticated user and therefore provides user information such as user name.
Interface: IPrincipal Interface IIdentity Interface
provides information about the current user The IIdentity interface defines the basic information needed to represent the current user
Property: 1. Identity: provides information about the current user 1. AuthenticationType: returns the type of authentication used as string, i.e. form, window
Methods: 1. IsInRole(): to test whether current user is member of a role say admin. 2.IsAuthenticated: Returns a boolean value which tell whether user has been authenticated or(true) is anonymous(false)

3.Name: return the name of current user as string

Example: if (HttpContext.Current.User.Identity.IsAuthenticated)
lblUserName.Text = HttpContext.Current.User.Identity.Name +
" is logged in";
Example: if (HttpContext.Current.User.IsInRole("Admin"))

2. Authorization:

It is the process of determining the rights and restrictions assigned to an authenticated user. After the user has been authenticated, the user's specific information like name and security context is automatically available to ASP.NET, which later we can access this information by use of the HttpContext.Current.User object. Using this we can implement authorization in our web application. ASP.NET has two ways to impermanent authorization.
  • URLAuthorization:

    This authorization module works based on the content of <authorization> configuration in the web.config files or a different directory of web applications. The purpose is to restrict a user's access to files and even directories based on the user's name or the roles assigned.
  • FileAuthorization:

    This module works with Windows authentication only - but without impersonation. So when used with Windows authentication, ASP.NET automatically uses it to authorize users against files accessed by ASP.Net.

We can also implement authorization by writing custom code and thereby refer to the HttpContext.Current.User object and make decisions based on role membership or the user's name directly.


The above picture is a summation of how an authentication and authorization stage takes place.
  1. The request is sent to the browser and the user's identity is unknown so the user is presented a login page.
  2. The user provides the login credentials. This is the authentication stage.
  3. The authenticated user's role and information is checked in the allowed list and the user is granted access if the user is present in the list.
  4. Users who get access denied are shown the login page again.

3. Confidentiality: It means to ensure that data cannot be viewed by unauthorized users while being transmitted over a network or stored in a data store such as a database. Therefore, you have to encrypt the channel between the client's browser and the web server and also encrypt data stored at the backend or in the form of a cookie.

4. Integrity: It means ensuring that nobody can change the data while it is transmitted over a network or stored in a data store. Both are based on encryption. Digital signatures provide you with a way to mitigate this type of threat.

What is encryption, and at what stage it can be used: encryption can be used in any stage in combination with authentication, authorization or impersonation or individually i.e. it is an altogether different concept than these.
It is a process of scrambling / encrypting user data so that it is not readable by other users.
It can used in two most popular contexts:
  1. To protect data communicated over the internet: while doing credit card transaction, here you can use SSL certificates to implement digital signatures for encryption.
  2. To protect information saved in a database: here we can use ASP.NET encryption classes to manually encrypt data before they are stored.

Hope you enjoyed reading.


Similar Articles