Difference between Authentication and Authorization

Authentication

What is ASP.Net Authentication

Authentication is the process of verifying a user's identity by obtaining credentials and checking them. If the credentials are valid, the authorization process starts. The authentication process always comes before the authorization process.

ASP.Net Authentication

The ASP.NET authentication scheme is used to identify users who view an ASP.NET application. An ASP.NET application has two separate authentication levels because all requests pass through IIS before they are handled by ASP.NET. After the IIS authentication schemes, ASP.NET implements additional authentication schemes. They are:

  1. Windows Authentication
  2. Forms Authentication
  3. Passport Authentication

The mode attribute specifies the authentication scheme.

<authentication mode="[Windows|Forms|Passport|None]" >

None Authentication

You can specify "None" as the authentication provider when requests are not authenticated at all or if you plan to develop custom authentication code.

When you need "None" authentication, use the following Web.config configuration:

<system.web>
  <authentication mode="None" />
</system.web>

Authorization

What is ASP.Net Authorization

Authorization is the process of allowing an authenticated user to access resources by checking whether the user has access rights to the system. Authorization helps you control access rights by granting or denying specific permissions to an authenticated user.

ASP.Net Authorization

ASP.NET provides two ways to authorize access to a given resource: URL authorization and File authorization.

URL authorization

URL authorization maps users and roles to URLs in ASP.NET applications.

File authorization

File authorization validates the ACL (access control list) of the .aspx or .asmx handler file to determine whether a user should have access to the file.

How to implement Authorization?

The following example shows a sample implementation of authorization logic in the web.config file.

<authorization>
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>
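The order of the two rules above matters: ASP.NET URL authorization reads the rules top to bottom and applies the first one that matches the request. The Python sketch below is an added example (not ASP.NET code and not from the original page) that models this first-match evaluation; the function names and the reversed rule set are constructed for illustration, and the verbs attribute and configuration inheritance are left out.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the page's rule set, and the same rules in reverse order.
PAGE_RULES = ('<authorization><allow roles="Administrators" />'
              '<deny users="*" /></authorization>')
REVERSED_RULES = ('<authorization><deny users="*" />'
                  '<allow roles="Administrators" /></authorization>')


def _split(value):
    """Turn a comma-separated attribute value into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def rule_matches(rule, user, roles):
    """Return True if an <allow>/<deny> rule applies to this request.

    user is None for an anonymous (unauthenticated) request.
    """
    users = _split(rule.get("users"))
    if "*" in users:                      # "*" means every user
        return True
    if "?" in users and user is None:     # "?" means anonymous users
        return True
    if user is not None and user.lower() in users:
        return True
    # Role rules can only match a request that carries roles.
    return bool(_split(rule.get("roles")) & {r.lower() for r in roles})


def is_authorized(xml_text, user=None, roles=()):
    """First matching rule decides; later rules are never consulted."""
    for rule in ET.fromstring(xml_text):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag == "allow"
    # Assumption of this model: with no match, fall back to the
    # root-level default, which allows all users.
    return True


if __name__ == "__main__":
    cases = [("alice", ["Administrators"]), ("bob", ["Users"]), (None, [])]
    for name, rules in (("page", PAGE_RULES), ("reversed", REVERSED_RULES)):
        for user, roles in cases:
            print(name, user or "anonymous", is_authorized(rules, user, roles))
```

With the page's order only members of Administrators get through; with the rules reversed, the deny rule matches first and even administrators are locked out.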