Elements of Enterprise-Grade Web Frameworks – Part 6: Integrated User Authentication

SecurityUser authentication is one aspect of enterprise-grade web apps that many frameworks get right.  From ASP.NET, to Node.js, to Rails, most well-developed application stacks have a solution for user authentication.

There are five primary components to a user module – user creation, user login, site security, profile management, and user management.  The process starts with the “Sign-Up” page, where users create their accounts, enter relevant information, and choose a password.  This can incorporate an email verification phase, where the user needs to click on a link from an email address to make sure that their email account is valid.

Next, the login page allows the user to enter the site, or recover their password if it has been lost.  Once logged in, site authentication makes sure that the rest of the website is secure, so that the user’s password is required to access all protected areas.  Profile management enables a user to change their email address, password, or other pertinent information, while user management allows a site administrator to delete the account or manually make changes to certain users.

There are various alternative scenarios for user authentication – from using Facebook to log in to a website, to using Windows NTLM or Kerberos to authenticate against a Windows Domain.  An authentication system must be flexible enough to allow users to work with a default configuration, or make customizations so that it can be tweaked to their specific needs.

Out of the web development frameworks, ASP.NET has the most mature user authentication stack.  In addition to automated user management, the platform leverages IIS to enable a variety of authentications methods, from ASP.NET forms, to Plain Authentication, to Domain Authentication.  The .NET framework also comes with a user management system that satisfies many of the above requirements, and can be easily customized using the Identity class.

Rails, Node.js, and Django also provide solid tools for authentication, enabling a variety of different authentication scenarios using Gems or Packages.  Although it’s theoretically easier to add support for external authentication such as Facebook, in practice it can be a challenge due to integration problems with the package managers.  Node.js is the most streamlined out of the three, although it can require maintenance to keep the system up-to-date.

Finally, PHP lacks authentication functionality altogether, and requires custom development to enable a user login.  If PHP is running on Apache, however, “.htaccess” files can be used to secure a folder using plain authentication.

By taking advantage of the pre-built modules for user authentication, developers can simplify project development.  Join us in the next article of this series, where we take user authentication to the next level, with roles and fine-grained access control.

Written by Andrew Palczewski

About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.
Google+

RSS Twitter LinkedIn Facebook Email

Leave a Reply

Your email address will not be published. Required fields are marked *