By default, ASP.NET executes in the security context of a restricted user account on the local machine. Sometimes you need to access network resources such as a file on a shared drive, which requires additional permissions. One way to overcome this restriction is to use impersonation. With impersonation, ASP.NET can execute the request using the identity of the client who is making the request, or ASP.NET can impersonate a specific account you specify in web.config.
Can you explain in brief how the ASP.NET authentication process works?
ASP.NET does not run by itself, it runs inside the process of IIS. so there are two authentication layers which exist in ASP.NET system. First authentication happens at the IIS level and then at the ASP.NET level depending on the WEB.CONFIG file.
Below is how the whole process works :
IIS first checks to make sure the incoming request comes from an IP address that is allowed access to the domain.If not it denies the request.
Next IIS performs its own user authentication if it is configured to do so. By default IIS allows anonymous access,so requests are automatically authenticated, but you can change this default on a per - application basis with in IIS.
If the request is passed to ASP.net with an authenticated user, ASP.net checks to see whether impersonation is enabled. If impersonation is enabled, ASP.net acts as though it were the authenticated user. If not ASP.net acts with its own configured account.
Finally the identity from step 3 is used to request resources from the operating system. If ASP.net authentication can obtain all the necessary resources it grants the users request otherwise it is denied. Resources can include much more than just the ASP.net page itself you can also use .Net's code access security features to extend this authorization step to disk files, Registry keys and other resources.
What are the various ways of authentication techniques in ASP.NET?
Following are the various authentication techniques :
Windows Authentication
If you select windows authentication for your ASP.NET application, you also have to configure authentication within IIS. This is because IIS provides Windows authentication. IIS gives you a choice for four different authentication methods:
Anonymous, basic, digest and windows integrated
If you select anonymous authentication, IIS does not perform any authentication, Any one is allowed to access the ASP.NET application.
If you select basic authentication,users must provide a windows username and password to connect. How ever this information is sent over the network in clear text, which makes basic authentication very much insecure over the internet.
If you select digest authentication, users must still provide a windows user name and password to connect. However the password is hashed before it is sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that windows accounts to stored in active directory.
If you select windows integrated authentication, passwords never cross the network. Users must still hava a username and password, but the application uses either the Kerberos or challenge/response protocols authenticate the user. Windows-integrated authentication requires that all users be running internet explorer 3.01 or later kerberos is a network authentication protocol. It is designed to provide strong authentication for client/ server applications by using secret-key cryptography. Kerberos is a solution to network security problems. It provides the tools of authentication and strong cryptography over the network to help to secure information in systems across entire enterprise.
Password Authentication
Passport authentication lets you to use Microsoft's passport service to authenticate users of your application. If your users have signed up with passport, and you configure the authentication mode of the application to the passport authentication, all authentication duties are off-loaded to the passport servers.
Passport uses an encrypted cookie mechanism to indicate authenticated users. If users have already signed into passport when they visit your site, they will be considered authenticated by ASP.NET. Otherwise they will be redirected to the passport servers to log in. when they are successfully log in, they will be redirected back to your site.
Forms Authentication
Forms authentication provides you with a way to handle authentication using your own custom logic with in an ASP.NET application. The following applies if you choose forms authentication
When a user requests a page for the application, ASP.NET checks for the presence of a special session cookie. If the cookie is present, ASP.NET assumes the user is authenticated and processes the request.
If the cookie is not present, ASP.NET redirects the user to a web form you provide.
you can carry out whatever authentication, it checks you like it checks your form. when the user is authenticated, you indicate this to ASP.NET by setting a property, which creates the special cookie to handle subsequent requests.
How does authorization work in ASP.NET?
ASP.NET impersonation is controlled by entries in the applications web.config file. The default setting is "no impersonation". You can explicitly specify that ASP.MET should not use impersonation by including the following code in the file.
<identity impersonate="false" / >
It means that ASP.NET will not perform any authentication and runs with its own privileges. By default ASP.NET runs as an unprivileged account named ASPNET. you can change this by making a setting in the processModel section of the machine.config file. When you make this setting, it automatically applies to every site on the server. To user a high-privileged system account instead of a low-priveleged set the userName attribute of the processModel element to SYSTEM. Using this setting is a definite security risk, as it elevates the privileges of the ASP.NET process to a point where it can do bad things to the operating system.
When you disable impersonation, all the request will run in the context of the account running ASP.NET: either the ASPNET account or the system account. This is true when you are using anonymous access or authenticating users in some fashion. After the user has been authenticated, ASP.NET uses its own identity to request access to resources.
The second possible setting is to turn on impersonation.
<identity impersonate="true" / >
In this case, ASP.NET takes on the identity IIS passes to it. If you are allowing anonymous access in IIS, this means ASP.NET will impersonate the IUSR_ComputerName account that IIS itself uses. If you are not allowing anonymous access, ASP.NET will take on the credentials of the authenticated user and make requests for resources as if it were that user. Thus by turning impersonation on and using a non-anonymous method of authentication in IIS, you can let users log on and use their identities within your ASP.NET application.
Finally, you can specify a particular identity to use for all authenticated requests
<identity impersonate="true" username="DOMAIN\username" password="password" / >
With this setting, all the requests are made as the specified user. So, for example you could designate a user for a single application, and use that users identity every time someone authenticates to the appliction. The drawback to this technique is that you must embed the users password in the web.config file in plain text. Although ASP.NET won't allow anyone to download this file, this is still a security risk if anyone can get the file by other means.
What is the difference between Datagrid, Datalist and repeater?
A Datagrid, Datalist and Repeater are all ASP.NET data web controls.
They have many things in common like DataSource Property, DataBind Method ItemDataBound and ItemCreated
When you assign the DataSource Property of a Datagrid to a DataSet then each DataRow present in the DataRow Collection of DataTable is assigned to a corresponding DataGridItem and this is same for the rest of the two controls also. But the HTML code generated for a Datagrid has an HTML TABLE <ROW > element created for the particular DataRow and its a Table form representation with Columns and Rows.
For a Datalist its an Array of Rows and based on the Template Selected and the RepeatColumn Property value we can specify how many DataSource records should appear per HTML <table > row. In short in datagrid we have one record per row, but in datalist we can have five or six rows per row.
For a Repeater Control, the DataRecords to be displayed depends upon the Templates specified and the only HTML generated is the due to the Templates.
In addition to these, Datagrid has a in-built support for Sort, Filter and paging the Data, which is not possible when using a DataList and for a Repeater Control we should require to write an explicit code to do paging.
From performance point of view how to rate DataGrid, Datalist and Repeater?
Repeater is fastest followed by Datalist and finally datagrid.
What is the method to customize columns in DataGrid?
Use the template column
How can we format data inside DataGrid?
Use the DataFormatString property.
How to decide on the design consideration to take a Datagrid, datalist or repeater?
many make a blind choice of choosing datagrid directly, but that is not the right way.
Datagrid provides ability to allow the end-user to sort, page and edit its data. But it comes at a cost of speed. Second the display format is simple that is in row and columns. Real life scenarios can be more demanding that.
With its templates, the DataList provides more control over the look and feel of the displayed data than the DataGrid. It offers better performance than datagrid
Repeater control allows for complete and total control. With the Repeater, the only HTML emitted are the values of the databinding statements in the templates along with the HTML markup specified in the templates-no "extra" HTML is emitted, as with the DataGrid and DataList. By requiring the developer to specify the complete generated HTML markup, the Repeater often requires the longest development time. But repeater does not provide editing features like datagrid so everything has to be coded by programmer. However, the Repeater does boast the best performance of the three data web controls. Repeater is fastest followed by Datalist and finally datagrid.
Difference between ASP and ASP.NET?
ASP.NET new feature supports are as follows :
Better Language Support
New ADO.NET concepts have been implemented.
ASP.NET supports full language (C#,VB.NET,C++) and not simple scripting like VBSCRIPT.
Better controls than ASP
ASP.NET covers large set's of HTML controls.
Better Display grid like Datagrid, Repeater and datalist. Many of the display grids have paging support.
Controls have events support
All ASP.NET controls support events.
Load,Click and Change events handled by code makes coding much simpler and much better organized.
Compiled code
The first request for an ASP.NET page on the server will compile the ASP.NET code and keep a cached copy in memory. The result of this is greatly increased performance.
Better Authentication Support
ASP.NET supports forms-based user authentication, including cookie management and automatic redirecting of unauthorized logins.
User Accounts and Roles
ASP.NET allows for user accounts and roles, to give each user access to different server code and executables.
High Scalability
Much has been done with ASP.NET to provide greater scalability.
Server to server communication has been greatly enhanced, making it possible to scale an application over several servers. One example of this is the ability to run XML parsers, XSL transformations and even resource hungry session objects on other servers.
Easy Configuration
Configuration of ASP.NET is done with plain text files.
Configuration files can be uploaded or changed while the application is running. No need to restart the server. No more metabase or registry puzzle.
Easy Deployment
No more server restart to deploy or replace compiled code. ASP.NET simply redirects all new requests to the new code.
Main Page
DotNet