-----------------------------------------------------------

New Message on BDOTNET

-----------------------------------------------------------
From: Vaishali
Message 5 in Discussion






Hi,

Thanks for your reply.

Your info is really useful.

Regards,
Vaishali


 


-----Original Message-----
From: Sitaraman [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 11:41 AM
To: BDOTNET
Subject: Re: Regarding Authentication in vb.net project

 





 
  
  

  
  
  
Message 3 in Discussion

Hi Vaishali

From your post I understand that the following will be involved:

1) Checking of User Credentials
2) Allowing/Denying Pages based on credentials
3) (probably) Customising Pages based on the user/role credential

Right!!

One thing that you have to note (and you are not the only one to use this approach): we sometimes mix the above three. Granted, the above three operations are closely inter-related and the common denominator is the logged-in user.

But from a purely design perspective, the above-mentioned three tasks should be clearly delineated. Whereas checking of User Credentials and granting entry to the application as a whole is the process of Authentication, the process of allowing/denying the various resources is called Authorization. When you design the ASP.Net security layer, you should clearly decouple this into different entities.

Authentication is defined as

<msdn_snip>
Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource
</msdn_snip>

Authorization is defined as

<msdn_snip>
The purpose of authorization is to determine whether an identity should be granted the requested type of access to a given resource. There are two fundamental ways to authorize access to a given resource
</msdn_snip>

It is obvious that the credential is determined and authenticated in the Authentication Phase and is typically done at an application level only once. Whereas Authorisation is much more fine-grained, where the established credential is checked every time a resource (a URL [web page] or a file, for e.g.) is accessed, after gaining access to the application, and DOES make use of the credential established at the Authentication Level.

Regarding authentication, from the information you have provided, Forms based approach looks the most suitable (here I assume that you cannot have IIS Integrated Windows authentication + ASP.Net Windows authentication, as your users could be in different domains and connected through the net, and Passport based authentication is not something you are looking for).

Regarding Authorization/Customisation, you can have DB based User Role mapping to the resources and grant access and customise.

You also need to know that Security for such a web application is at IIS Level + ASP.Net level.

Would suggest you go through the following URLs:

a) Security Features that ASP.Net offers.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetwebapplicationsecurity.asp

b) Security Considerations for ASP.NET Web Applications: has some overlapped topics, but also helps you with a Security Model

Also attaching a Zip which contains the various ASP.Net Security related MSDN articles (.mht files, opened using IE) which I have collected over time and use for quick reference. Most of them downloaded from msdn links mentioned above. The zip file was quite heavy (1.6 MB :)), so I have broken it into five zips.

Hope this helps

regards,
sr
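
Added example (not part of the original message or of the MSDN articles it cites): a web.config sketch of the separation described above, with Forms authentication configured once for the application and authorization rules declared per resource. The cookie name, login page, paths and role names are assumptions, and the role checks only work if application code attaches the user's roles (for instance from the DB based User Role mapping) to the request principal, because Forms authentication on its own supplies no roles.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- AUTHENTICATION: declared once, at application level.
         Unauthenticated requests are redirected to the login page
         (Login.aspx and the cookie name are assumed values). -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- AUTHORIZATION, application default: "?" means anonymous users.
         Every page requires an authenticated identity unless a
         location element below says otherwise. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- AUTHORIZATION, per resource: evaluated on every request to the
       path. Rules are read top to bottom and the first match wins,
       so the final deny of "*" (all users) closes the rule set. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- A single page can carry its own rule (assumed path and roles). -->
  <location path="Reports/Monthly.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin,Manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules cover only requests that IIS hands to ASP.NET; files served directly by IIS need their own IIS or NTFS restrictions, which is the IIS level + ASP.Net level split mentioned in the message.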
    
    
   
  
  

  
 
 
  
  