Fundamental Security Mechanisms


In developing secure ASP.NET Web applications, you must consider the following three fundamental mechanisms.

  • Authentication

  • Authorization

  • Impersonation [4]

    [4] Impersonation is useful typically for further authentication or authorization against additional resources.

Authentication: Who Are You?

Authentication is the process of verifying the identity of the client application (principal) before permitting the user or application to access a resource. For example, the user or client application has to establish its identity by providing some form of credentials, such as a name/password pair, as evidence.

Authorization: Are You Allowed to Access This Resource?

Authorization asks what privilege you have to access this resource. After a user is authenticated, authorization is the process of granting access to the user based on that identity. It is the step that follows authentication and determines which resources the authenticated user or application is permitted to access. For example, authorization verifies whether the client application has full or limited access to the application.

Impersonation: Application Assumes Client's Identity

Impersonation is the process in which certain actions are performed under a different identity (i.e., assigning a user account to an otherwise unknown user). ASP.NET Web applications offer anonymous access to resources on the server by impersonation, where anonymous Web site users are authenticated under a default IIS_[ServerName] account. How far impersonation gets you depends heavily on what the other resource is. Local resources accessed on the same thread are no problem. Remote resources require delegation, which is an extension of impersonation and requires a delegatable authentication protocol, suitably configured (e.g., Kerberos).
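The following page code is an added example, not code from the book, showing how the three mechanisms line up in one ASP.NET Web Forms request: the runtime authenticates the caller, the page authorizes the request against a role, and the page then impersonates the caller only for the duration of a local file read so that the file's NTFS permissions are evaluated against the user rather than the ASP.NET process account. It assumes web.config contains `<authentication mode="Windows" />` and that anonymous access is disabled in IIS, so `Context.User` is a `WindowsPrincipal`; the role name `REPORTS\Viewers` and the path `C:\Reports\summary.txt` are hypothetical placeholders.

```csharp
// Added example (not from the book). Assumes: web.config has
// <authentication mode="Windows" /> and IIS anonymous access is disabled,
// so Context.User.Identity is a WindowsIdentity for the browser user.
// The role name and file path below are hypothetical.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class ReportPage : Page
{
    // Hypothetical Windows group and local file used for illustration.
    private const string RequiredRole = @"REPORTS\Viewers";
    private const string ReportPath   = @"C:\Reports\summary.txt";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // 1. Authentication: who are you? IIS and the ASP.NET runtime established
        //    the identity before this code ran; refuse to continue if they did not.
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // 2. Authorization: are you allowed? Check the specific resource, not
        //    merely "is logged in". IsInRole on a WindowsPrincipal consults
        //    the user's Windows group membership.
        if (!user.IsInRole(RequiredRole))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // 3. Impersonation: perform the local file access as the caller so the
        //    file's ACL is enforced for that user. The token IIS produced (e.g. via
        //    NTLM) is generally not delegatable, so this works for LOCAL resources;
        //    a remote file share would need delegation (Kerberos) as the text notes.
        WindowsIdentity caller = (WindowsIdentity)user.Identity;
        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            using (StreamReader reader = new StreamReader(ReportPath))
            {
                Response.ContentType = "text/plain";
                Response.Write(reader.ReadToEnd());
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The NTFS ACL denied THIS user; the process account's rights are irrelevant here.
            Response.StatusCode = 403;
        }
        finally
        {
            // Always revert, even on exception: otherwise the worker thread keeps
            // running later requests under the previous caller's token.
            impersonation.Undo();
        }
    }
}
```

The `finally` block is the part practitioners most often get wrong: an exception between `Impersonate()` and `Undo()` would leave the thread's security context set to the caller, which is a privilege-confusion bug rather than merely a resource leak. Putting the impersonated region around only the file read, rather than the whole page, keeps that window as small as possible.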



.NET Security and Cryptography
ISBN: 013100851X
Year: 2003
Pages: 126
