----------------------------------------------------------- New Message on BDOTNET
----------------------------------------------------------- From: Sitaraman Message 3 in Discussion

Hi Vaishali,

From your post I understand that the following will be involved:

1) Checking of user credentials
2) Allowing/denying pages based on credentials
3) (probably) Customising pages based on the user/role credential

Right!!

One thing that you have to note (and you are not the only one to use this approach): we sometimes mix the above three. Granted, the above three operations are closely inter-related and the common denominator is the logged-in user. But from a purely design perspective, the above-mentioned three tasks should be clearly delineated. Whereas checking of user credentials and granting entry to the application as a whole is the process of Authentication, the process of allowing/denying the various resources is called Authorization. When you design the ASP.Net security layer, you should clearly decouple this into different entities.

Authentication is defined as

<msdn_snip> Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource. </msdn_snip>

Authorization is defined as

<msdn_snip> The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource. There are two fundamental ways to authorize access to a given resource. </msdn_snip>

It is obvious that the credential is determined and authenticated in the Authentication phase, and this is typically done at an application level only once. Whereas Authorization is much more fine-grained: the established credential is checked every time a resource (a URL [web page] or a file, for e.g.) is accessed, after gaining access to the application, and it DOES make use of the credential established at the Authentication level.

Regarding authentication, from the information you have provided, the Forms-based approach looks the most suitable (here I assume that you cannot have IIS Integrated Windows authentication + ASP.Net Windows authentication, as your users could be in different domains and connected through the net, and Passport-based authentication is not something you are looking for).

Regarding Authorization/Customisation, you can have DB-based User-Role mapping to the resources, and grant access and customise.

You also need to know that security for such a web application is at IIS level + ASP.Net level.

Would suggest you go through the following URLs:

a) Security Features that ASP.Net offers: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetwebapplicationsecurity.asp
b) Security Considerations for ASP.NET Web Applications: has some overlapping topics, but also helps you with a security model.

Also attaching a zip which contains the various ASP.Net security-related MSDN articles (.mht files, opened using IE) which I have collected over time and use for quick reference. Most of them were downloaded from the MSDN links mentioned above. The zip file was quite heavy (1.6 MB :)), so I have broken it into five zips.

Hope this helps.

regards,
sr

View Attachment(s): http://groups.msn.com/BDotNet/_notifications.msnw?type=msg&parent=1&item=3064
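The split Sitaraman describes (Forms authentication done once at login, DB-backed role mapping checked on every request) as an added C# example; this is not code from the post or from the MSDN articles it links. The table names Users(UserName, PasswordHash, Salt) and UserRoles(UserName, RoleName), the "AppDb" connection string, the class name AppSecurity and the web.config fragment in the header comment are all assumptions, and it targets .NET 2.0 or later.

```csharp
// Added example, not from Sitaraman's post or the MSDN links. Assumed (hypothetical):
// .NET 2.0+; tables Users(UserName, PasswordHash, Salt), UserRoles(UserName, RoleName);
// a connection string named "AppDb"; and this web.config, which keeps the two concerns apart:
//   <authentication mode="Forms">                                 <!-- who you are -->
//     <forms name=".APPAUTH" loginUrl="Login.aspx" protection="All"
//            timeout="30" slidingExpiration="false" requireSSL="true" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>             <!-- per resource -->
//   <location path="admin"><system.web><authorization>
//     <allow roles="Admin" /><deny users="*" /></authorization></system.web></location>
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AppSecurity
{
    static readonly string ConnString =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // ---- AUTHENTICATION: runs once, on the login page ----

    // True only if the salted PBKDF2 hash of the supplied password matches the stored one.
    // The user name is a parameter, never concatenated into the SQL text.
    public static bool ValidateUser(string userName, string password)
    {
        using (SqlConnection cn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, Salt FROM Users WHERE UserName = @u", cn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            cn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                if (!rd.Read()) return false;
                byte[] computed = HashPassword(password, (byte[])rd["Salt"]);
                return FixedTimeEquals((byte[])rd["PasswordHash"], computed);
            }
        }
    }

    static byte[] HashPassword(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 10000))
            return kdf.GetBytes(32);
    }

    // Compare every byte so timing does not reveal how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Roles are read from the DB once, at login, and carried in the ticket.
    public static string[] GetRoles(string userName)
    {
        List<string> roles = new List<string>();
        using (SqlConnection cn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE UserName = @u", cn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            cn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
                while (rd.Read()) roles.Add(rd.GetString(0));
        }
        return roles.ToArray();
    }

    // Issue the Forms ticket by hand so the roles ride along in UserData.
    // protection="All" makes Encrypt() both sign and encrypt it.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false,
            String.Join(",", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // mirrors requireSSL="true"
        response.Cookies.Add(cookie);
    }

    // ReturnUrl is client-supplied: accept only a site-relative path, or the login
    // page becomes an open redirect to an attacker's host.
    public static string SafeReturnUrl(string returnUrl)
    {
        if (String.IsNullOrEmpty(returnUrl) || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
            return FormsAuthentication.DefaultUrl;
        return returnUrl;
    }

    // ---- AUTHORIZATION support: runs on every request ----
    // Wire from Global.asax Application_AuthenticateRequest: AppSecurity.AttachPrincipal(HttpContext.Current);
    // Rebuilds the principal with roles from the ticket so <authorization roles=".."> in
    // web.config and User.IsInRole("Admin") in pages decide access per resource.
    public static void AttachPrincipal(HttpContext ctx)
    {
        FormsIdentity id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;
        string[] roles = id.Ticket.UserData.Length == 0
            ? new string[0] : id.Ticket.UserData.Split(',');
        ctx.User = new GenericPrincipal(id, roles);
    }
}
// Login.aspx button click:
//   if (AppSecurity.ValidateUser(txtUser.Text, txtPass.Text)) {
//       AppSecurity.IssueTicket(Response, txtUser.Text, AppSecurity.GetRoles(txtUser.Text));
//       Response.Redirect(AppSecurity.SafeReturnUrl(Request.QueryString["ReturnUrl"]), true); }
```

Authentication happens exactly once (ValidateUser, then IssueTicket); authorization is then decided for every URL by the <authorization> rules and User.IsInRole(), which only work because AttachPrincipal puts the roles onto the request's principal. Carrying roles in the ticket means a role change takes effect only when the ticket expires, which is why slidingExpiration is off and the timeout short; if roles must change immediately, look them up in AttachPrincipal instead.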
