I have an ASP.Net application which renders sensitive information. The application needs users to log on before viewing the main page of the application. The authentication is done via a web service.
This is simple enough however the hardware design is multi-tiered. 1) Web Server for logon 2) Application server for main application 3) Database
Would one need to write a seperate ASP.net application on Tier 1 which handles the security or could the application stay as a whole somehow?
If a seperate application is needed how would one pass information that is gathered during authentication to Tier 2? I'm not sure session variables would work as the information is on another server?
The Tier 2 to Tier 3 communication is simple enough, its just the security model that I'm stuck on.
There obviously has to be some sort of packet detection so that when a user makes a request Tier 1 has to validate it and if validated pass it onto Tier 2. I'm not sure how that is done?
I decided on Web Server, Application Server with a Web Service and a Database Server. I also went with a security Web Service.