How do authentication, authorization, and impersonation work together in an ASP.NET web application

By default, anonymous users can access any ASP.NET web page. When a user requests a web page that doesn't permit anonymous access, the following steps take place:

1. The request is sent to the web server. At this point the user's identity is not known, so the user is asked to log in, either through a custom login web page or a browser-based dialog box. The specific details of the login process depend on the type of authentication you're using.

2. The user provides his/her credentials, which are then verified:

– by your application in the case of forms authentication

– automatically by IIS in the case of Windows authentication

3. If the user credentials are valid, the user is granted access to the web page. If his/her credentials are not valid, then the user is prompted to log in again, or he/she is redirected to a web page with an “Access denied” message.

Requesting a web page that requires authentication

When a user requests a secure web page that allows only specific users or users in specific roles, the process is similar, but it has an extra step.

1. The request is sent to the web server. At this point the user's identity is not known, so the user is asked to log in, either through a custom login web page or a browser-based dialog box. The specific details of the login process depend on the type of authentication you're using.

2. The user provides his or her credentials, which are then verified (by your application or by IIS, depending on the authentication type). This is the authentication stage.

3. The authenticated user's identity or roles are compared against the list of allowed users or roles for the resource. If the user is in the list, access is granted; otherwise, access is denied. This is the authorization stage.

4. Users who are denied access are either prompted to log in again, or they are redirected to a web page with an "Access denied" message.

Requesting a web page that requires authentication and authorization
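The authorization step above is driven by the `<authorization>` allow/deny rules in web.config, which ASP.NET evaluates in document order with `?` standing for anonymous users and `*` for everyone. The following Python model is an added illustration, not code from the original article or from ASP.NET itself; the web.config fragments, the `admin` path and the user and role names are constructed. It also shows the common ordering pitfall where an `<allow users="*"/>` placed before `<deny users="?"/>` lets anonymous users through.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (illustration only): the site denies anonymous
# users, and the "admin" folder additionally admits only the Admins role.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Same site-wide rules in the wrong order: the allow-all rule matches first,
# so the deny-anonymous rule below it is never reached.
BAD_ORDER = """<configuration><system.web><authorization>
  <allow users="*" /><deny users="?" />
</authorization></system.web></configuration>"""

def _names(attr):
    return {v.strip().lower() for v in attr.split(",") if v.strip()}

def load_rules(xml_text):
    """Return {path: [(action, users, roles), ...]} in document order; '' is the site root."""
    rules = {}
    root = ET.fromstring(xml_text)
    for scope in [root] + root.findall("location"):
        path = scope.get("path", "").lower()
        for rule in scope.findall("./system.web/authorization/*"):
            rules.setdefault(path, []).append(
                (rule.tag, _names(rule.get("users", "")), _names(rule.get("roles", ""))))
    return rules

def is_allowed(rules, path, user, authenticated, roles=()):
    """First matching rule wins. Rules from a matching <location> run before the
    site-wide ones; if nothing matches, the machine-level <allow users="*"/> applies."""
    user, roles = user.lower(), {r.lower() for r in roles}
    chain = rules.get(path.lower(), []) + (rules.get("", []) if path else [])
    for action, users, rule_roles in chain:
        if ("*" in users or (not authenticated and "?" in users)
                or (authenticated and user in users) or roles & rule_roles):
            return action == "allow"
    return True

if __name__ == "__main__":
    site = load_rules(WEB_CONFIG)
    print(is_allowed(site, "", "", False))                      # False: anonymous denied
    print(is_allowed(site, "admin", "alice", True, ["Users"]))  # False: not an Admin
    print(is_allowed(load_rules(BAD_ORDER), "", "", False))     # True: misordered rules
```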