Authentication in ASP.NET

Security is a major concern for both application architects and developers. Applications that store sensitive information need to be protected from malicious attacks and from competitors attempting to steal information or intellectual property. When designing a security model for your application, you need to be aware of security requirements from a business perspective and the implications that a chosen security model can have on performance, scalability, and deployment.

Relationship Between IIS and ASP.NET

You should understand the relationship between Internet Information Services (IIS) authentication and the Microsoft® ASP.NET security architecture when designing your application. This will allow you to authenticate your users appropriately and obtain the correct security context within your application. You should note that ASP.NET application security configuration and IIS security configuration are completely independent and can be used independently or in conjunction with each other.

IIS maintains security related configuration settings in the IIS metabase. However, ASP.NET maintains security (and other) configuration settings in XML configuration files. While this generally simplifies the deployment of your application from a security standpoint, the security model adopted by your application will necessitate the correct configuration of both the IIS metabase and your ASP.NET application via its configuration file (Web.config).

The security relationship between IIS and ASP.NET

ASP.NET Authentication Providers and IIS Security

ASP.NET implements authentication using authentication providers, which are code modules that verify credentials and implement other security functionality such as cookie generation. ASP.NET supports the following three authentication providers:

• Forms Authentication. Using this provider causes unauthenticated requests to be redirected to a specified HTML form using client side redirection. The user can then supply logon credentials, and post the form back to the server. If the application authenticates the request (using application-specific logic), ASP.NET issues a cookie that contains the credentials or a key for reacquiring the client identity. Subsequent requests are issued with the cookie in the request headers, which means that subsequent authentications are unnecessary.
• Passport Authentication. This is a centralized authentication service provided by Microsoft that offers a single logon facility and membership services for participating sites. ASP.NET, in conjunction with the Microsoft® Passport software development kit (SDK), provides similar functionality as Forms Authentication to Passport users.
• Windows Authentication. This provider utilizes the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity’s token to authorize access.

In addition to authentication, ASP.NET provides an impersonation mechanism to establish the application thread’s security token. Obtaining the correct token relies upon you configuring IIS authentication, ASP.NET authentication providers, and ASP.NET impersonation settings appropriately. This figure the most likely combinations between IIS authentication and ASP.NET providers.

ASP.NET and IIS security settings matrix

N-Tier Web Applications using ASP.NET 2.0

When .NET Framework was first introduced, it provided excellent features that made the construction of ASP.NET applications a breezy experience. Then the next version of .NET Framework (version 2.0) along with SQL Server 2005 builds on the foundation of the previous versions and introduces some new features that can greatly aid in the design and development of N-Tier ASP.NET 2.0 applications.

Introduction

Designing N-Tier client/server architecture is no less complex than developing two-tier architecture, however the N-Tier architecture, produces a far more flexible and scalable client/server environment. In two-tier architecture, the client and the server are the only layers. In this model, both the presentation layer and the middle layer are handled by the client. N-Tier architecture has a presentation layer and three separate layers – a business logic layer and a data access logic layer and a database layer. The next section discusses each of these layers in detail.

Different Layers of an N-Tier application

In a typical N-Tier environment, the client implements the presentation logic (thin client). The business logic and data access logic are implemented on an application server(s) and the data resides on database server(s). N-tier architecture is typically thus defined by the following layers:

• Presentation Layer: This is a front-end component, which is responsible for providing portable presentation logic. Since the client is freed of application layer tasks, which eliminates the need for powerful client technology. The presentation logic layer consists of standard ASP.NET web forms, ASP pages, documents, and Windows Forms, etc. This layer works with the results/output of the business logic layer and transforms the results into something usable and readable by the end user.
• Business Logic Layer: Allows users to share and control business logic by isolating it from the other layers of the application. The business layer functions between the presentation layer and data access logic layers, sending the client’s data requests to the database layer through the data access layer.
• Data Access Logic Layer: Provides access to the database by executing a set of SQL statements or stored procedures. This is where you will write generic methods to interface with your data. For example, you will write a method for creating and opening a SqlConnection object, create a SqlCommand object for executing a stored procedure, etc. As the name suggests, the data access logic layer contains no business rules or data manipulation/transformation logic. It is merely a reusable interface to the database.
• Database Layer: Made up of a RDBMS database component such as SQL Server that provides the mechanism to store and retrieve data.