It’s a continuation in series of ASP.NET Interview Questions and Answers for beginners as well as professional developers. If you haven’t gone through the previous ASP.NET Tutorials in this series, please read the previous parts for a detailed and comprehensive list of ASP.NET Interview Questions here.
- Top 10 ASP.NET Interview Questions for experienced
(Top Questions covering almost all ASP.NET technology area) - ASP.NET Interview Questions – Part 1
(ASP.NET State Management, View State, Session & Controls etc.) - ASP.NET Interview Questions – Part 2
(ASP.NET Interview Questions for Globalization and Localization, Culture & Controls etc.) - ASP.NET Interview Questions – Part 3
(ASP.NET Cache Management, Security) - ASP.NET Interview Questions – Part 4
- ASP.NET Interview Questions – Part 5
(Top 10 ASP.NET AJAX Interview Questions) - ASP.NET Interview Questions – Part 6
(Top 10 ASP.NET Web API Interview Questions)
For a comprehensive list of ASP.NET MVC Interview Questions, follow here.
Security is a huge area of concern, so this part of ASP.NET Interview Questions will continue with Security related Questions. In previous ASP.NET Tutorial i.e. Part 3, we discussed about Authentication and Authorization, different authentication modes in ASP.NET.
ASP.NET Interview Questions List – Part 4
- What is Passport Authentication?
- Can you briefly explain how Passport Authentication works?
- What are the advantages of using Passport Authentication?
- What is Role-based Security?
- What are the different Security Controls in ASP.NET?
- What is Code-Access Security (CAS)?
- What are the key functions of Code Access Security?
- What .NET Tool can be used to Enable/Disable CAS?
- What is Impersonation in ASP.NET?
- How to configure Impersonation in ASP.NET?
As we have discussed previously that there are three types of authentications in ASP.NET i.e.
- Windows Authentication
- Forms Authentication
- Passport Authentication
Windows and Forms Authentications are already explained.
Passport Authentication actually validates against a centralized authentication service i.e. Microsoft Passport Service. We don’t need to implement our own custom authentication mechanism if implementing .NET Passport Single Sign-In (SSI) service.
Can you briefly explain how Passport Authentication works?
As discussed above that Passport Authentication is a central service. It just authenticate (validate the credentials), no authorization (grant or deny access to a site). So, implementing application will check for the Passport Authentication Cookie. In case of unavailability of Passport Cookie, user is redirected to passport Sign-In page. User provides the credentials on Sign-In page, if validated, Authentication Cookie is stored on client machine and redirected to the requested page.
Below picture clearly explains step by step process of Passport authentication in ASP.NET.
What are the advantages of using Passport Authentication?
Advantages of Passport Authentication are:
- We don’t need to care of authentication mechanism our self, Passport SSI does this for us.
- Single login credentials can be used to access multiple sites. User don’t need to remember separate credentials for individual site.
We have discussed about authentication in above questions but another different but related concept is Authorization. Authorization is a process of granting privileges or permissions on resources to an authenticated user. So,
“Role Based Security is a technique we use to implement authorization on the basis of user’s roles within an organization. It’s more granular approach to grant or revoke permissions on resources through user’s roles.“
“Role Based Security is a technique we use to implement authorization on the basis of user’s roles within an organization. It’s more granular approach to grant or revoke permissions on resources through user’s roles.“
An example of granting or revoking permissions in configuration file using windows built-in groups as follows:
<authorization >
<allow roles=”MyDomain1Administrators” / > < !– Allow Admin of this domain — >
<deny users=”*” / > < !– Deny anyone else. — >
</authorization >
<allow roles=”MyDomain1Administrators” / > < !– Allow Admin of this domain — >
<deny users=”*” / > < !– Deny anyone else. — >
</authorization >
ASP.NET provides several security controls which are actually Web Server controls. You can find those in your Visual Studio Toolbox.
Login Control:
In almost every application we need to take user credentials on a typical login page. Login control provides the same standard functionality and reduces the effort for building it from scratch.
Login Control:
In almost every application we need to take user credentials on a typical login page. Login control provides the same standard functionality and reduces the effort for building it from scratch.
LoginName:
After a user successfully logged in to an application, we normally display his/her username to top right or some other place on the page. Now, this functionality is provided by LoginName control.
After a user successfully logged in to an application, we normally display his/her username to top right or some other place on the page. Now, this functionality is provided by LoginName control.
LoginView Control:
LoginView control displays different view for different users. Using AnonymousTemplate and LoggedInTemplate, different information can be presented to different users.
LoginView control displays different view for different users. Using AnonymousTemplate and LoggedInTemplate, different information can be presented to different users.
LoginStatus Control:
LoginStatus control implies whether a user is authenticated or not. For an unathenticated user, it displays a link to login page. On the other hand, for authenticated user, a logout link is displayed.
LoginStatus control implies whether a user is authenticated or not. For an unathenticated user, it displays a link to login page. On the other hand, for authenticated user, a logout link is displayed.
LoginRecovery Control:
Password recovery is another important functionality simplified through PasswordRecovery control. It sends an email with login credentials to registered user email.
Password recovery is another important functionality simplified through PasswordRecovery control. It sends an email with login credentials to registered user email.
In one of above ASP.NET security related interview questions, we discussed about Role Based Security that restrict access to resources on the basis of user’s role. CAS (Code Access Security) is entirely a different concept. It’s .NET CLR’s security system that restrict the code to perform an unwanted task by applying security policies. Using CAS (Code Access Security), we can restrict what our code can do? and also what code can call our code?
As per documentation, key functions of Code Access Security are (straight from MSDN):
- Defines permissions and permission sets that represent the right to access various system resources.
- Enables code to demand that its callers have specific permissions.
- Enables code to demand that its callers possess a digital signature, thus allowing only callers from a particular organization or site to call the protected code.
- Enforces restrictions on code at run time by comparing the granted permissions of every caller on the call stack to the permissions that callers must have.
Code Access Security Tool (Caspol.exe) can be used to turn Code Access Security ON or OFF as follows:
- caspol -security on
- caspol -security off
We can also list all code groups using following command.
Impersonation is an act of a user to pretend itself to be another user. By default, ASP.NET executes application code using the same user account as that of ASP.NET process i.e. Network Service. But with impersonation enabled, it executes code with the windows identity of the user making the request.
For example, if a user ‘user1’ logged in and IIS is setup to run as Network Service. If ‘user1’ call a piece of code on another computer (may be a web service call), the other computer will see the IIS user instead of ‘user1’. But we can enable impersonation to allow ‘user1’ to access the web service using its windows identity instead of Network Service.
By default, impersonation is disabled in ASP.NET. Impersonation can be Enabled/Disabled as follows:
</configuration>
<system.web>
<identity impersonate=”true”/> <! — To disable set impersonate=”false” –>
</system.web>
</configuration>
<system.web>
<identity impersonate=”true”/> <! — To disable set impersonate=”false” –>
</system.web>
</configuration>
Impersonate a specific user account as:
<identity impersonate=”true” userName=”user” password=”pwd” />
Back to top
On completing Part 4 of this ASP.NET Interview Questions and Answers series, we have completed major questions on ASP.NET Security. Hopefully, this series will be beneficial in terms of preparing an ASP.NET Interview.
<<<Previous – Part 3 | Next – Part 5>>>
Other Related Articles:
- MVC 3 Vs MVC 4 Vs MVC 5
- ASP.NET MVC Web API Service step by step
- Solution to browser back button event
- Difference between ASP.NET WebForms and ASP.NET MVC
- What’s new in WCF 4.5
- WCF Tutorial by Example
- Creating your first WCF REST Service
- Practical Guide to ASP.NET Web API
Top 10 Interview Questions and Answers Series:
- Top 10 ASP.NET AJAX Interview Questions
- Top 10 WCF Interview Questions
- Comprehensive Series of WCF Interview Questions
- Top 10 HTML5 Interview Questions
- Top 10 ASP.NET Interview Questions
- Comprehensive Series of ASP.NET Interview Questions
- Top 10 ASP.NET MVC Interview Questions
- Top 10 ASP.NET Web API Interview Questions
I really love reading and following your post as I find them extremely informative and interesting. This post is equally informative as well as interesting . Thank you for information you been putting on making your site such an interesting. I gave something for my information. Interview Preparation