Monday, 21 April 2014

ASP.NET Interview Questions - Part 4

Part 4

Security is a huge area of concern, so this part of the ASP.NET Interview Questions series continues with security-related questions. In the previous ASP.NET tutorial (Part 3), we discussed authentication and authorization and the different authentication modes in ASP.NET.

What is Passport Authentication?

As discussed previously, there are three types of authentication in ASP.NET:
  • Windows Authentication
  • Forms Authentication
  • Passport Authentication
Windows and Forms Authentication have already been explained.
Passport Authentication validates credentials against a centralized authentication service, the Microsoft Passport Service. When we use the .NET Passport Single Sign-In (SSI) service, we don't need to implement our own custom authentication mechanism.

Can you briefly explain how Passport Authentication works?

As discussed above, Passport Authentication is a central service. It only authenticates (validates the credentials); it does not authorize (grant or deny access to a site). The implementing application checks for the Passport Authentication cookie. If the Passport cookie is not present, the user is redirected to the Passport Sign-In page. The user provides credentials on the Sign-In page; if they are validated, an authentication cookie is stored on the client machine and the user is redirected to the requested page.

What are the advantages of using Passport Authentication?

Advantages of Passport Authentication are:
  • We don't need to take care of the authentication mechanism ourselves; Passport SSI does this for us.
  • A single set of login credentials can be used to access multiple sites. The user doesn't need to remember separate credentials for each individual site.

What is Role-based Security?

We discussed authentication in the questions above, but a different yet related concept is authorization. Authorization is the process of granting privileges or permissions on resources to an authenticated user. So,
 "Role Based Security is a technique we use to implement authorization on the basis of a user's roles within an organization. It's a more granular approach to granting or revoking permissions on resources through the user's roles."

An example of granting or revoking permissions in the configuration file using Windows built-in groups is as follows (rules are evaluated top to bottom and the first match wins):
 <authorization>
     <allow roles="MyDomain1\Administrators" />   <!-- Allow Admins of this domain -->
     <deny users="*" />                            <!-- Deny anyone else. -->
 </authorization>
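As an added example (not code from the original post), the same rule enforced in C# code-behind rather than only in web.config: an imperative User.IsInRole check in Page_Load, and a declarative PrincipalPermission demand on a helper method so the rule travels with the code. The page class name, the ResetUserPassword method and its argument are assumed for illustration; the role name is the one from the configuration above.

```csharp
// Added example, not from the original post: programmatic role checks that
// complement the <authorization> section in web.config.
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;

public partial class AdminPage : Page
{
    // Same group as the config example; any other domain\group name works.
    private const string AdminRole = @"MyDomain1\Administrators";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Imperative check: HttpContext.User is the principal ASP.NET built for
        // this request (a WindowsPrincipal under Windows authentication, a
        // RolePrincipal under Forms authentication with the role manager).
        if (!User.Identity.IsAuthenticated || !User.IsInRole(AdminRole))
        {
            // Unauthorised callers get a 403 instead of the page content.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        try
        {
            ResetUserPassword("someuser");   // assumed privileged operation
        }
        catch (SecurityException)
        {
            // Reached only if Thread.CurrentPrincipal is not in the demanded
            // role; the check above normally prevents this.
            Response.StatusCode = 403;
            Response.End();
        }
    }

    // Declarative check: the CLR demands the role on Thread.CurrentPrincipal
    // (which ASP.NET keeps in sync with HttpContext.User) before the method
    // body runs, and throws SecurityException if the demand fails.
    [PrincipalPermission(SecurityAction.Demand, Role = AdminRole)]
    private void ResetUserPassword(string userName)
    {
        // ... privileged work goes here ...
    }
}
```

The web.config rule stops the request before the page executes; the in-code checks are the second layer that protects the operation itself, so the privileged method stays safe even if it is later called from a page the configuration does not cover.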

What are the different Security Controls in ASP.NET?

ASP.NET provides several security controls, which are actually Web Server controls. You can find them in the Visual Studio Toolbox.

Login Control:
In almost every application we need to collect user credentials on a typical login page. The Login control provides this standard functionality and reduces the effort of building it from scratch.

LoginName:
After a user has successfully logged in to an application, we normally display his/her username at the top right or some other place on the page. This functionality is provided by the LoginName control.

LoginView Control:
The LoginView control displays different views for different users. Using the AnonymousTemplate and LoggedInTemplate, different information can be presented to anonymous and logged-in users.

LoginStatus Control:
The LoginStatus control indicates whether a user is authenticated or not. For an unauthenticated user, it displays a link to the login page; for an authenticated user, a logout link is displayed.

PasswordRecovery Control:
Password recovery is another important piece of functionality, simplified through the PasswordRecovery control. It sends an email with the login credentials to the registered user's email address.

What is Code-Access Security (CAS)?

In one of the ASP.NET security-related interview questions above, we discussed Role Based Security, which restricts access to resources on the basis of the user's role. CAS (Code Access Security) is an entirely different concept. It is the .NET CLR's security system, which restricts code from performing unwanted actions by applying security policies. Using CAS, we can restrict what our code can do, and also what code can call our code.

What are the key functions of Code Access Security?

As per the documentation, the key functions of Code Access Security are (straight from MSDN):
  • Defines permissions and permission sets that represent the right to access various system resources.
  • Enables code to demand that its callers have specific permissions.
  • Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code.
  • Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have.
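As an added example (not code from the original post or from MSDN), a C# class that exercises three of the functions listed above: a declarative FileIOPermission demand, the same demand made imperatively for a path known only at run time, and a StrongNameIdentityPermission demand that lets through only callers signed with a given key. The class name, the log directory and the PUBLIC_KEY_BLOB placeholder are assumed. Demands only fail for partially trusted code (for example an ASP.NET application running under <trust level="Medium"/>); fully trusted code passes every demand.

```csharp
// Added example, not from the original post: demanding CAS permissions from
// callers. Every caller on the stack must have been granted the permission,
// otherwise the CLR throws SecurityException before the body runs.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class LogReader
{
    // Assumed directory for the example.
    private const string LogDir = @"C:\inetpub\logs\myapp\";

    // Declarative demand: read access to LogDir is checked against the
    // granted permissions of the whole call stack before this method starts.
    [FileIOPermission(SecurityAction.Demand, Read = LogDir)]
    public static string ReadLog(string fileName)
    {
        return File.ReadAllText(Path.Combine(LogDir, fileName));
    }

    // Imperative demand: same check, but for a path only known at run time.
    public static bool CanRead(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
            return true;
        }
        catch (SecurityException)
        {
            // Some caller on the stack lacks read permission for this path.
            return false;
        }
    }

    // Identity demand: only assemblies signed with the given strong-name key
    // (i.e. from our organisation) may call this method. PUBLIC_KEY_BLOB is a
    // placeholder for the real hex-encoded public key.
    [StrongNameIdentityPermission(SecurityAction.Demand, PublicKey = "PUBLIC_KEY_BLOB")]
    public static void InternalOnly()
    {
        // ... code that must not be reachable from third-party assemblies ...
    }
}
```

The demand walks the stack, so a fully trusted library cannot be used as a proxy by partially trusted code: if the partially trusted caller lacks the permission, the demand fails even though the library itself would have been allowed.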

What .NET Tool can be used to Enable/Disable CAS?

The Code Access Security Policy Tool (Caspol.exe) can be used to turn Code Access Security on or off as follows:
  • caspol -security on
  • caspol -security off
We can also list all code groups using the following command.
  • caspol -listgroups

What is Impersonation in ASP.NET?

Impersonation is the act of executing code under the identity of another user. By default, ASP.NET executes application code using the same user account as the ASP.NET worker process, i.e. Network Service. With impersonation enabled, it executes code with the Windows identity of the user making the request.
For example, suppose a user 'user1' is logged in and IIS is set up to run as Network Service. If 'user1' calls a piece of code on another computer (perhaps a web service call), the other computer sees the IIS account instead of 'user1'. If we enable impersonation, 'user1' accesses the web service using his own Windows identity instead of Network Service.

How to configure Impersonation in ASP.NET?

By default, impersonation is disabled in ASP.NET. Impersonation can be enabled or disabled as follows:
 <configuration>
      <system.web>
          <identity impersonate="true"/> <!-- To disable, set impersonate="false" -->
      </system.web>
 </configuration>

Impersonate a specific user account as follows (note that the credentials are stored in cleartext in web.config):
 <identity impersonate="true" userName="user" password="pwd" />
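As an added example (not code from the original post), a C# page that makes the effect of impersonation visible and shows the programmatic alternative to the web.config switch: WindowsIdentity.GetCurrent() reports the account the thread actually runs as, and WindowsIdentity.Impersonate() limits impersonation to one block of code instead of the whole application. The page class name is assumed; the reported accounts depend on the configured authentication mode and on the worker-process account.

```csharp
// Added example, not from the original post: observing and scoping
// impersonation in an ASP.NET page (Windows authentication assumed).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmIPage : Page
{
    // The Windows account the current thread is actually executing as.
    private static string ThreadAccount()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // With <identity impersonate="false"/> this is the worker-process
        // account (e.g. NT AUTHORITY\NETWORK SERVICE); with impersonate="true"
        // it already equals User.Identity.Name for a Windows-authenticated user.
        Response.Write("Thread account before: " + ThreadAccount() + "<br/>");
        Response.Write("Authenticated user: " + User.Identity.Name + "<br/>");

        var winIdentity = User.Identity as WindowsIdentity;
        if (winIdentity == null || !winIdentity.IsAuthenticated)
        {
            // Forms or anonymous users carry no Windows token to impersonate.
            Response.Write("No Windows identity available to impersonate.");
            return;
        }

        // Scoped impersonation: only this block runs as the caller, which is
        // narrower than switching the whole application in web.config.
        using (winIdentity.Impersonate())
        {
            Response.Write("During impersonation: " + ThreadAccount() + "<br/>");
            // A remote call made here (e.g. the web service from the example
            // above) sees the caller's account rather than Network Service.
        }   // Dispose() calls Undo(), reverting to the previous account.

        Response.Write("Thread account after: " + ThreadAccount());
    }
}
```

Keeping impersonation inside a using block means the rest of the request, including any work that should run with the application's own (usually less privileged) identity, is not affected by the caller's token.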

On completing Part 4 of this ASP.NET Interview Questions and Answers series, we have covered the major questions on ASP.NET security. Hopefully, this series will be beneficial in preparing for an ASP.NET interview.
