Authentication and Authorization with ASP.net Webforms

When you hear someone knocking at your door, it is important to know who the person behind the door is. You will most likely open the door only to those you know and trust. Let's join Paul Cociuba as he explains how the same logic applies to ASP.net Webforms Authentication and Authorization.


The second video of the series aims at setting up authentication for the sample website. Just like most sites on the web, the sample website will be using Forms Based Authentication, a mechanism that was not invented by ASP.net but comes almost out of the box with the product.

The first part of the video deals with setting up authentication on the site to work with a database server like SQL 2008. The second part of the video looks at how different users can be granted or denied access to different parts of the site using the authorization rules from ASP.net.

Let us spend a few words on Authentication before we move on. Authentication is the process by which a website is able to recognize a user and then allow access to reserved content. Authentication actually consists of a two-stage process:

  • The actual user authentication, whereby the user sends some credentials to the webserver for verification. Normally these credentials consist of some username and password combination.
  • The authorization part – knowing who a given user is, the site has to implement some logic to make sure that the user can access parts of the site that are reserved only for authenticated users. Depending on who the user is or what group the user belongs to, the site has to grant or deny access to specific resources.
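
The two stages map onto two sections of web.config. The fragment below is an added example, not taken from the video or the sample site; the login page path, the Admin folder and the Administrators role name are assumptions, and requireSSL assumes the site is served over HTTPS.

```xml
<?xml version="1.0"?>
<!-- Added example: paths and role names are assumptions, not the sample site's. -->
<configuration>
  <system.web>
    <!-- Stage 1: authentication. Requests without a valid forms ticket
         are redirected to loginUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
      <!-- requireSSL: the ticket cookie is only sent over HTTPS.
           protection="All": the ticket is both encrypted and validated. -->
    </authentication>

    <!-- Stage 2: site-wide authorization. "?" means anonymous users,
         "*" means everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for one folder, granted by role (group) membership.
       Rules are evaluated top-down and the first match wins. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <!-- Without this trailing deny, an authenticated user who is not an
             Administrator matches no rule here, falls through to the
             site-wide rules above (which only deny anonymous users) and
             is let in by the default allow. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When reviewing an existing site, check every location block that uses allow for a closing deny, and check that no deny users="*" sits above the allow it was meant to follow.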

For your convenience, here’s the video timeline (note that it will launch a new browser window):

  • [1:49] General overview of the Universal Membership Provider that comes with ASP.net 4.5.
  • [4:30] We look at how you would configure a SQL Database to work with the ASP.net SQL Membership provider (legacy).
  • [7:00] Using the Server Explorer from Visual Studio, we can then connect to the new database instance created in SQL Server. Sensitive connection string information can be encrypted. Here are two articles (1 & 2) that show you how.
  • [11:23] The sample application uses a SQL Server 2008 database server that is configured to accept mixed mode SQL authentication.
  • [13:40] Setup of the authorization rules to grant access based on user and group membership.
  • [16:30] The ASP.net configuration tool is used to add authorization rules to the existing site configuration.
  • [21:10] Let's look at a neat time-saving feature in the Visual Studio HTML Editor.

The next video in the series will focus on the construction of the classes that will define the business layer objects the application will use to manipulate data. We will also start a quick dive into the usage of Entity Framework.

Thank you for watching!


Original content from Paul Cociuba; posted by MSPFE Editor Aydin Aslaner