Posted: 7/24/2010
Hello Experts,
I want to study authentication and authorization in ASP.NET. Can anybody tell me where I should begin?
Thanks in advance.
Authentication
Authentication is the process of determining the authenticity of a user based on the user's credentials. Whenever a user logs on to an application, the user is first authenticated and then authorized. The application's web.config file contains all of the configuration settings for an ASP.NET application. It is the job of the authentication provider to verify the credentials of the user and to decide whether a particular request should be considered authenticated or not. An authentication provider is used to prove the identity of the users in a system.
Authorization
Authorization is the process of determining the accessibility to a resource for a previously authenticated user. Note that authorization can only work with authenticated users, hence ensuring that no un-authenticated user can access the application. The default authentication mode is anonymous authentication. There can be three types of authorization in ASP.NET
Source: http://www.dotnetjohn.com/articles.aspx?articleid=246
Or you can say:
Authorization: WHAT can you do?
Authentication: WHO are you?
I like the last two sentences that @Raghav has written in his post about Authorization/Authentication.
Actually, the first time I heard about Authentication/Authorization in general, these two statements explained almost everything to me regarding the logic behind both of these two concepts.
Authentication: WHO are you? (hajan, raghav, mohit, anonymous or someoneThatDoesntExists) - confirming your identity of who you are.
Authorization: WHAT can you do? (create posts/threads, manage/administer posts/threads) - which means what authorization access rights you have in the system to resources. It's like dealing with defining rules and policies to different authorization groups. Ex: Administrators can access the Admin pages (they are authorized to do so), Moderators can access the Mods pages (they are authorized to do so), Normal members are authorized to view the main page and do some normal stuff.
The previous two statements regarding Authorization & Authentication are completely defined by me :) so if you find something doubtful to you - just ask like what do I mean with this and that.
About Authentication & Authorization in ASP.NET - take a look at the following articles:
Security in ASP.NET - http://www.asp.net/web-forms/security
Authentication and Authorization in ASP.NET (c-sharpcorner.com) - http://www.c-sharpcorner.com/UploadFile/lmoningi/AuthenticationAndAuthorizatio11252005233533PM/AuthenticationAndAuthorizatio.aspx (very nice explanation!)
Authentication and Authorization in ASP.NET (aspalliance.com) - http://aspalliance.com/907
Hope this was helpful
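The WHO/WHAT split described in the posts above, shown as a web.config sketch. This is an added example, not part of the original thread or the linked articles. The folder names (Admin, Mods), the Login.aspx page and the role names are assumptions taken from the Administrators/Moderators illustration above.

```xml
<?xml version="1.0"?>
<!-- Added example: Admin, Mods, Login.aspx and the role names are assumed. -->
<configuration>
  <system.web>
    <!-- Authentication: WHO are you? Forms authentication issues an
         encrypted cookie once the user has logged in on Login.aspx. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" slidingExpiration="true"
             requireSSL="true" protection="All" />
    </authentication>

    <!-- The role manager supplies the role membership that the
         roles="..." rules below are checked against. -->
    <roleManager enabled="true" />

    <!-- Authorization: WHAT can you do? "?" means anonymous users and
         "*" means everyone. Site-wide, anonymous requests are sent to
         the login page; any logged-in member may view normal pages. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top-down and the first match wins. Without the
       closing deny users="*", a logged-in user who is not in the role
       would fall through to the inherited allow-everyone default. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Mods">
    <system.web>
      <authorization>
        <allow roles="Administrators,Moderators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" the authentication cookie is only sent over HTTPS, so the login page and the protected folders need to be served over HTTPS as well.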
Posted: 7/26/2010
raghav_khunger said:
Authorization: WHAT can you do?
Authentication: WHO are you?
Thank you Raghav Sir. These two sentences are too simple and understandable.
hajan said:
Authentication: WHO are you? (hajan, raghav, mohit, anonymous or someoneThatDoesntExists) - confirming your identity of who you are.
Authorization: WHAT can you do? (create posts/threads, manage/administer posts/threads) - which means what authorization access rights you have in the system to resources. It's like dealing with defining rules and policies to different authorization groups. Ex: Administrators can access the Admin pages (they are authorized to do so), Moderators can access the Mods pages (they are authorized to do so), Normal members are authorized to view the main page and do some normal stuff.
Thank you so much Hajan.
Posted: 7/27/2010
Can you please explain a bit more about authentication?
What are the things we need to configure in the web.config file for authentication?
Kannapiran,
Please post your query in a new thread.