Purpose of Windows Authentication

eramgarden

I was reading:

http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/default.aspx

And it has:
If your application requires no special protection—if all of its pages can be freely browsed by anyone and none are personalized for individual users—you needn't bother with application-level security. Just grant Everyone access to the application's files and be done with it.

We first wanted to use Forms Authentication, then decided on Windows authentication as users don't want to keep logging in. Users can access all the pages. No restrictions. This is an application for clients.

My question is: If users can access all pages and there's no restriction, then I don't need Windows Authentication OR any kind of authentication? Just have users double click on the link and enter the app?? Windows Authentication is used to not only authenticate BUT also to control access to resources?
 
When dealing with security and restricting access you have two main concepts - Authentication and Authorisation.

Windows Authentication and Forms Authentication are merely two ways of achieving the 1st part - authenticating a user. This is simply getting a user to prove their identity; regardless of the mechanism used, the end result is the same - we know who the user is.

When it comes to securing the content, a user needs to have been authenticated; however, we then Authorise the user against particular resources and decide who can access what.

If you have no security as such and the site can be accessed by anyone then there is no need to implement any security.

If you need to track users individually, e.g. for auditing purposes, but do not have any particular restrictions on what they can access, then you would only need to implement some form of Authentication and only allow access to users who have authenticated; however, once somebody has authenticated they can access anything on the site itself.
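
The split between authentication and authorisation described in the reply above, shown as an added ASP.NET web.config example that is not part of the original thread. The `Reports` folder and the `EXAMPLE\ReportViewers` group are hypothetical names used only for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example, constructed for illustration. -->
<configuration>
  <system.web>
    <!-- Authentication: establishes WHO the user is.
         With mode="Windows", IIS authenticates the caller and ASP.NET
         receives that Windows identity, so users are not prompted by a
         login form. For a fully public site this would be mode="None". -->
    <authentication mode="Windows" />

    <!-- Authorisation for the whole site: decides WHAT the user may access.
         "?" means anonymous users. Denying only them gives the
         "track users, but no restrictions" case: every request has a
         known identity for auditing, and any authenticated user can
         open any page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Only needed if some resources must later be restricted.
       Hypothetical folder and group: members of the group are allowed,
       everyone else ("*") is denied. Rules are evaluated top to bottom. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="EXAMPLE\ReportViewers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Removing the `<location>` element leaves a site that authenticates everyone but restricts nothing per resource, which is the auditing-only scenario from the reply.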
 