13-04-2012, 02:28 PM
ASP.Net Security
ASP.Net Security.ppt (Size: 210 KB / Downloads: 35)
Web application security
Physical security,
Firewalls and DoS (port security),
SSL and HTTPS (protocol security),
IIS security,
ASP.Net security,
SQL Server security,
Windows security,
COM and others…
Authentication and Authorization
Authentication identifies a user (Who are you?)
Windows,
Forms,
Passport, and
None (Custom).
Authorization controls what they can see and do.
Authentication Modes
Windows
Best used in internal applications and intranets,
Can authenticate without prompting the user,
Must be Windows Domain user,
Can use either
Basic Authentication (clear-text passwords)
Simple Base64 encoding of the password may not be secure enough
Digest Authentication (encrypted passwords)
Internet Explorer only
Integrated Authentication (Kerberos)
Generally won’t work through a firewall or over the internet
Cannot be persistent.
Can be cookieless.
Web.Config
None Authentication
Mainly for anonymous sites.
Lets you handle authentication and authorization completely via ISAPI.
Just need to specify the mode:
GenericPrincipal
GenericIdentity
AuthenticationType property,
Name property, and
IsAuthenticated property.
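As an added illustration (not from the slides), the following Global.asax.cs shows the three GenericIdentity properties listed above in use: the site is assumed to run with Forms authentication configured in Web.config, and the handler wraps the validated Forms ticket in a GenericPrincipal so that role checks work in code and in Web.config authorization rules; the comma-separated role list in UserData is an assumed convention of the login code that issued the ticket.

```csharp
// Added example, not code from the original slides.
// Assumes Web.config contains <authentication mode="Forms" /> so that the
// FormsAuthenticationModule has already validated the encrypted ticket cookie
// before Application_AuthenticateRequest runs.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed convention: the login code stored the user's roles in the
    // ticket's UserData as a comma-separated list (e.g. "user,admin").
    static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (string.IsNullOrEmpty(ticket.UserData))
            return new string[0];
        return ticket.UserData.Split(new[] { ',' },
                                     StringSplitOptions.RemoveEmptyEntries);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Anonymous request, or the module rejected the cookie: leave the
        // principal alone so Identity.IsAuthenticated stays false.
        if (!Request.IsAuthenticated) return;

        FormsIdentity formsId = Context.User.Identity as FormsIdentity;
        if (formsId == null) return;

        FormsAuthenticationTicket ticket = formsId.Ticket;
        if (ticket.Expired)
        {
            // Defence in depth: the module normally drops expired tickets already.
            FormsAuthentication.SignOut();
            return;
        }

        // GenericIdentity exposes exactly the properties the slides list:
        // AuthenticationType ("Forms" here), Name, and IsAuthenticated,
        // which is true whenever Name is non-empty.
        GenericIdentity identity = new GenericIdentity(ticket.Name, "Forms");
        Context.User = new GenericPrincipal(identity, RolesFromTicket(ticket));
    }
}
```

After this runs, a page can call User.IsInRole("admin") and a Web.config rule such as <allow roles="admin"/> with <deny users="*"/> is enforced against the same principal, so authentication (the ticket) and authorization (the roles) stay separate decisions.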
PassportIdentity
Same as GenericIdentity plus many other things…
Separate topic.
Summary
Remember security is not just a username and password…
Authentication and Authorization, learn the difference…
Decide on your mode…
Learn about the Web.config file…
Have a look at MSDN…