Wednesday, 28 September 2011

What is the difference between Authorization and Authentication?

Both Authentication and Authorization are concepts of providing permission to users to maintain different levels of security, as per the application requirement.

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems depend on some unique bit of information known only to the individual being authenticated and the authentication system.

Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.

When a user logs on to an application/system, the user is first Authenticated, and then Authorized.

ASP.NET has 3 ways to Authenticate a user:
1) Forms Authentication
2) Windows Authentication
3) Passport Authentication (This is obsolete in .NET 2.0)
The 4th way is "None" (means no authentication)

The Authentication Provider performs the task of verifying the credentials of the user ans decides whether a user is authenticated or not. The authentication may be set using the web.config file.

Windows Authentication provider is the default authentication provider for ASP.NET applications. When a user using this authentication logs in to an application, the credentials are matched with the Windows domain through IIS.

There are 4 types of Windows Authentication methods:
1) Anonymous Authentication - IIS allows any user
2) Basic Authentication - A windows username and password has to be sent across the network (in plain text format, hence not very secure). 3) Digest Authentication - Same as Basic Authentication, but the credentials are encrypted. Works only on IE 5 or above
4) Integrated Windows Authentication - Relies on Kerberos technology, with strong credential encryption

Forms Authentication - This authentication relies on code written by a developer, where credentials are matched against a database. Credentials are entered on web forms, and are matched with the database table that contains the user information.

Authorization in .NET - There are two types:

FileAuthorization - this depends on the NTFS system for granting permission
UrlAuthorization - Authorization rules may be explicitly specified in web.config for different web URLs.

No comments:

Post a Comment