
Authentication and Authorization

Securing a web application is an important task that cannot be taken lightly: it must be done to prevent stored information from being compromised. We need to ensure that security measures are in place to keep the web site working and in compliance with the expected level of service. Access to sensitive parts of the web site should also be restricted to certain users, such as administrators.

ASP.NET MVC is built on top of ASP.NET and has access to the security features of the framework. It supports different authentication methods and provides ways to implement security that avoids threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF). Authorized users can perform only the tasks they are authorized to do. We can use certain techniques to prevent SQL injection and HTML injection attacks. By applying security best practices we will be able to secure our application.

In web applications, authentication is the process of identifying who the user is, whereas authorization determines what the user is allowed to do. In addition to users, roles are another concept that is often implemented to identify groups of users. Instead of assigning permissions to individual users, we can assign permissions to a role, and all users in that role inherit the permissions.

ASP.NET MVC can work with different authentication schemes. The two most relevant are Windows Authentication and Forms Authentication. Windows Authentication is used in applications where all user accounts are stored in Windows Active Directory (AD). In this scenario the web application relies on Internet Information Services (IIS) to authenticate requests; if the request is valid, IIS passes it to ASP.NET for processing. This authentication method is very convenient for developers, as they do not have to deal with user management: everything is managed by the AD administrators.

Forms authentication is suitable for Internet-facing applications where users identify themselves with a user name and password. Alternatively, users can be authenticated using the OAuth protocol with their third-party accounts, such as Facebook, Twitter or Google.
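The following is an added example, not code from the original post, showing how the two ideas above fit together in an ASP.NET MVC 5 controller: forms authentication (a login action that validates credentials and issues the authentication cookie) and role-based authorization (an admin controller reachable only by members of a role). The LoginViewModel class, the "Administrators" role name and the use of the ASP.NET Membership provider for credential checks are assumptions made for the example.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for the login form (assumption, not from the original post).
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// [Authorize] on the class makes every action require an authenticated user;
// individual actions opt out with [AllowAnonymous].
[Authorize]
public class AccountController : Controller
{
    // The login form itself must be reachable before the user is authenticated.
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Forms authentication: validate credentials, then issue the auth cookie.
    // [ValidateAntiForgeryToken] pairs with @Html.AntiForgeryToken() in the view and
    // rejects cross-site POSTs that lack the matching token (the CSRF defence mentioned above).
    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Membership.ValidateUser is the ASP.NET Membership provider call (assumed here);
        // any credential store can replace it as long as it only answers yes/no.
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

            // Redirect only to local URLs: an unchecked returnUrl would be an open redirect
            // that sends a freshly authenticated user to an attacker-chosen page.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }

        // Deliberately generic message so the response does not reveal which user names exist.
        ModelState.AddModelError("", "Invalid user name or password.");
        return View(model);
    }

    // Sign-out is a state change, so it is a POST protected by the anti-forgery token too.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

// Role-based authorization: only authenticated users in the "Administrators" role
// (assumed role name) reach any action on this controller; everyone else gets
// redirected to the login page (or a 401/403 for already authenticated users).
[Authorize(Roles = "Administrators")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

For this to work the application's web.config must select forms authentication, i.e. an authentication element with mode="Forms" and a forms element whose loginUrl points at ~/Account/Login; with Windows Authentication the same [Authorize(Roles = "...")] attributes apply unchanged, except that the role names are then AD group names and IIS, not the Login action, establishes the identity.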
