11.1. Authentication and authorization basics

ASP.NET has complete support for both authentication and authorization. We’re going to start by clarifying what authentication and authorization are in the ASP.NET infrastructure. A clear definition will help you understand how to change the default mechanisms to better suite your needs.

The terms authentication and authorization do not represent the same concept. Authentication is the action associated with determining the identity of the user. Authorization is the step necessary to grant a user (who could also be anonymous) access to a requested resource. Both these features are implemented in ASP.NET with HTTP modules (described in chapter 1), using the events AuthenticateRequest and AuthorizeRequest from HttpApplication. ASP.NET provides great flexibility and allows you to fully change the default behavior. You’ll find more information on extending ASP.NET in chapter 14, where we look at some more advanced scenarios.