Authentication and Authorization in MVC Framework

May 03, 2018

ASP .Net
In this article we will discuss the ASP.NET Roles and Membership API from an MVC perspective. We will see how the default Roles and Membership providers can be used for authentication and authorization in an MVC application, and how to implement custom forms authentication in an ASP.NET MVC application.

Authentication and Authorization

Authentication means validating users: in this step we verify the user's credentials to check whether the person trying to log in is who they claim to be. Authorization, on the other hand, is keeping track of what the current user is allowed to see and what should be hidden from him; it is like keeping a register of what to show and what not to show to the user.
Whenever a user logs in, he has to authenticate himself with his credentials. Once he is authenticated, he is authorized to see the resources/pages of the website he is entitled to. These two concepts mostly go together.
In developing most websites it is only a matter of time before you need a way of restricting access to parts of the site. In MVC, the 'Authorize' attribute handles both authentication and authorization.

Types of Authentication

Before moving ahead, let us first see the authentication options available to an ASP.NET application, and then the two main types that are used most: Windows and Forms.
  • No Authentication 
  • Individual User Accounts 
  • Organizational Accounts 
  • Windows Authentication

Windows based authentication:

In this mode, users are authenticated with their Windows username and password. This method is the least recommended in an internet scenario; there we should always use "Forms based authentication".

Forms based authentication:

In this type of authentication the user explicitly provides his credentials, and once the server has verified them the user is logged in.
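As an added example, not the article's own code, this is how the pieces described above fit together in an MVC controller: the default Membership provider validates the credentials, FormsAuthentication issues the ticket cookie, and [Authorize] (optionally with a role) protects the controllers and actions that need it. The LoginModel class and the controller names are assumptions, as is a web.config with authentication mode set to Forms and loginUrl pointing at Account/Login.

```csharp
// Added example, not the article's own code: login through the default Membership
// provider, a forms-authentication ticket cookie, and [Authorize] for authorization.
// Assumes web.config sets <authentication mode="Forms"> with loginUrl="~/Account/Login"
// and configured Membership/Roles providers; LoginModel is a hypothetical view model.
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [AllowAnonymous]                   // the login page must be reachable before login
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous]
    [ValidateAntiForgeryToken]         // rejects cross-site forged login posts
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Authentication: the Membership provider checks the credentials against its store.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); // issue ticket
            // Follow returnUrl only when it points back into this site (open-redirect guard).
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        // One generic message whether the user name or the password was wrong.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }
}

// Authorization: [Authorize] requires an authenticated user (anonymous callers are sent to
// loginUrl); Roles narrows an action to members of a role per the configured Roles provider.
[Authorize]
public class ReportsController : Controller
{
    public ActionResult Index() => View();                 // any signed-in user
    [Authorize(Roles = "Admin")]
    public ActionResult Delete(int id) => View();          // Admin role only
}
```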

Windows authentication

If your application is targeted for use inside an organization, and users accessing the application have existing user accounts within the local user database of the Web server or Active Directory, you should authenticate users with Windows authentication.

Forms authentication

By default, forms authentication is used. Forms-based authentication presents the user with an HTML-based web page that prompts for credentials.

Passport authentication

You can also authenticate users using a service from Microsoft called Passport. Passport is a centralized directory of user information that Web sites can use, in exchange for a fee, to authenticate users. Users can choose to allow the Web site access to personal information stored on Passport, such as the users' addresses, ages, and interests.

Anonymous access

You can explicitly disable authentication for your application if you know that it will be used only by anonymous users.