1. What is the difference between Authentication and Authorization?
Authentication is the process of identifying and verifying who the client accessing the server is. For example, if you use Windows authentication and are browsing an ASP.NET page from the server, ASP.NET/IIS would automatically use NTLM to authenticate you as, say, SYNCFUSION\user1. With Forms-based authentication, you would instead use an HTML form page to enter a username and password, which the application would then check against a database to authenticate you.
Authorization is the process of determining whether an authenticated user has access to run a particular page within an ASP.NET web application. Specifically, as an application author you decide whether to grant or deny the authenticated user "SYNCFUSION\user1" access to the admin.aspx page. This can be done either by explicitly granting/denying rights based on the username, or by using role-based mappings to map authenticated users into roles (for example, an administrator might map "SYNCFUSION\user1" into the "Power Users" role) and then granting/denying access based on role names, a degree of abstraction that separates your authorization policy from individual accounts.
2. How to implement Authentication via web.config?
Include the <authorization> element in web.config as below:
3. How to run a web application using the permission of an authenticated user?
Use the <identity> element in web.config as below:
4. Which are the different ASP.NET Authentication Modes?
ASP.NET supports the following authentication modes:
1) Windows: used in conjunction with IIS authentication. Authentication is performed by IIS in one of three ways: Basic, Digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.
2) Forms: the user provides credentials in an HTML form and submits it to the application for validation.
3) Passport: a centralized authentication service provided by Microsoft that offers single logon and core profile services for member sites.
4) None: no authentication is performed. This is the default authentication mode.
In the web.config file, you specify this setting as:
<authentication mode="[Windows | Forms | Passport | None]" />
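The following web.config is an added example (not from the original page) that ties together the three elements above: the <authorization> element from question 2, the <identity> element from question 3, and the <authentication mode> setting from question 4. It reuses the page's SYNCFUSION\user1 account, the "Power Users" role and the admin.aspx page; the login.aspx name in the Forms alternative is an assumption.

```xml
<?xml version="1.0"?>
<!-- Added example for a .NET Framework ASP.NET application, not the page's own config.
     SYNCFUSION\user1, "Power Users" and admin.aspx come from the page; login.aspx is assumed. -->
<configuration>
  <system.web>
    <!-- Question 4: pick one mode. Windows delegates the credential check to IIS
         (Basic, Digest or Integrated), so ASP.NET only receives the verified identity. -->
    <authentication mode="Windows" />

    <!-- Forms alternative: replace the line above with this block. Credentials are
         posted to login.aspx and validated by application code (e.g. against a database).
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="30" requireSSL="true" />
    </authentication>
    -->

    <!-- Question 3: run each request under the authenticated caller's Windows token
         instead of the worker-process account. This needs a Windows identity; with
         Forms authentication there is no Windows token to impersonate. -->
    <identity impersonate="true" />

    <!-- Question 2: site-wide authorization. Rules are evaluated top to bottom and the
         first match wins, so the catch-all deny goes last. "?" means anonymous users,
         "*" means everyone. -->
    <authorization>
      <allow users="SYNCFUSION\user1" />
      <allow roles="Power Users" />
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page rule for admin.aspx: only members of "Power Users" get through;
       every other authenticated or anonymous user is denied. -->
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <allow roles="Power Users" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking in any real deployment: the <allow>/<deny> order, because a <deny users="*"/> placed before an <allow> silently locks everyone out, and the source of the roles, which for Windows authentication are the user's Windows groups but for Forms authentication must come from a configured RoleProvider or a custom principal.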
5. What is Code Access Security (CAS)?
CAS is the part of the .NET security model that determines whether or not a piece of code is allowed to run, and what resources it can use when it is running. For example, it is CAS that will prevent a .NET web applet from formatting your hard disk.
6. Can we turn on/off the CAS?
Yes, as long as you are an administrator. Just run:
To turn it off: caspol -s off
To turn it on: caspol -s on
7. How does CAS work?
The CAS security policy revolves around two key concepts - code groups and permissions. Each .NET assembly is a member of a particular code group, and each code group is granted the permissions specified in a named permission set.
For example, using the default security policy, a control downloaded from a web site belongs to the 'Zone - Internet' code group, which adheres to the permissions defined by the 'Internet' named permission set. (Naturally the 'Internet' named permission set represents a very restrictive range of permissions.)
8. How do I change the permission set for a code group?
Use caspol. If you are the machine administrator, you can operate at the 'machine' level, which means not only that the changes you make become the default for the machine, but also that users cannot change the permissions to be more permissive. If you are a normal (non-admin) user you can still modify the permissions, but only to make them more restrictive. For example, to allow intranet code to do what it likes you might do this:
caspol -cg 1.2 FullTrust
Note that because this is more permissive than the default policy (on a standard system), you should only do this at the machine level; doing it at the user level will have no effect.
9. How to determine the Windows User from a Web Form Application?
Use the System.Security.Principal namespace. Note that WindowsIdentity.GetCurrent() returns the Windows identity the current thread is running under, which in a web application is the worker-process account unless impersonation is enabled (see question 3); the identity of the authenticated browser user is exposed through the request's User property.
// C#
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
' VB.NET
Dim wp As WindowsPrincipal = New WindowsPrincipal(WindowsIdentity.GetCurrent())