Last modified on 1/27/2010 7:59 AM by User.

Authentication and Authorization

The following are the characteristics of both authentication and access control (authorization).

Authentication

  • Authentication is required before access is allowed.
  • Usernames are case-insensitive; passwords are case-sensitive.
  • A login failure does not indicate whether the username or the password was invalid.
  • A configurable number of failed authentication attempts locks the user out; an administrator must unlock the account.
  • Password strength and complexity rules can be changed by the administrator.
  • The administrator can enforce a password change at a regular interval.
  • Passwords are stored in an encrypted format in the database.
  • The client healthcare system is responsible for ensuring that the password is not transmitted in plain text, by using SSL.
  • All login attempts are recorded in a log with the event, time, description, and action taken.

Authorization (Access Control)

  • Only administrators can assign privileges or access.
  • The system allows changing or removing a user's permissions without deleting the user.
  • Only the permissions needed for a user to fulfil a role can be granted.
  • Admin, the only generic account, can be disabled.

Implementation

ASP.NET Forms Authentication is used for authentication and access control in DiaWEB. More information on this technology can be found here.

Each DiaWEB user has two accounts: one belongs to the DiaWEB application and one to ASP.NET Forms Authentication. The DiaWEB user account holds all of the historical information about the user's access, while the ASP.NET user is used for authentication and access control. The two accounts are programmatically associated with each other when the user is created. If for any reason a user is deleted, the ASP.NET user account and login are removed from the database and are free for reuse, but the DiaWEB user account remains in the system for historical purposes.

Access control using ASP.NET Forms Authentication is typically based on tracking the user's ticket through the site and restricting access according to the access rights assigned at the directory level. However, because this product is built with ASP.NET MVC, which maps all application functionality through a controllers directory, this model has been modified to restrict access to controllers rather than to directories. Using the ASP.NET Forms user ticket, the user's access rights are assigned to the appropriate controllers and controller functions. By restricting which controllers and controller functions a user is allowed to access, we limit the user's access to the application.
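As an added illustration (not DiaWEB's own code), the controller-level restriction described above expressed with ASP.NET MVC's built-in AuthorizeAttribute and the Membership API: the controller names, action names and role names are assumed, and a membership and role provider are assumed to be configured in web.config.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Issues the Forms ticket only after the membership provider has validated
// the credentials. The same error message is shown for a bad user name and a
// bad password, and the provider's lockout counter increments on each failure.
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View();
    }
}

// Controller-level rule: every action is reachable only by the listed roles.
// The action-level rule on Delete narrows that further; both filters must pass.
[Authorize(Roles = "Clinician,Administrator")]
public class PatientController : Controller
{
    public ActionResult Details(int id) { return View(); }

    [Authorize(Roles = "Administrator")]
    public ActionResult Delete(int id) { return RedirectToAction("Index"); }
}

// Administrator-only controller. Unlock clears a lockout caused by repeated
// failed logins, which the page states only an administrator may do.
[Authorize(Roles = "Administrator")]
public class UserAdminController : Controller
{
    public ActionResult Unlock(string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user != null && user.IsLockedOut)
        {
            user.UnlockUser();
        }
        return RedirectToAction("Index", "Home");
    }
}
```

An unauthenticated request to any attributed action is redirected to the login page configured in web.config, and an authenticated user outside the listed roles receives a 401 response.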