Validation of users and roles in asp.net

This article references the following Microsoft .NET Framework Class Library namespaces: System.Web.Security and System.Security.Principal.

Security event flow for a request
The following steps briefly describe the sequence of events that occurs when a client makes a request:
1. The client requests an .aspx page on the IIS server.
2. The client's credentials are passed to IIS.
3. IIS authenticates the client and then passes the authenticated token, together with the client's request, to the ASP.NET worker process.
4. Depending on the authenticated token that IIS sends and the configuration settings of the Web application, ASP.NET decides whether to impersonate the user on the thread that handles the request. A notable difference between Microsoft Active Server Pages (ASP) and ASP.NET is that ASP.NET no longer impersonates the authenticated user by default. To enable impersonation, set the impersonate attribute of the <identity> section to true in the Web.config file.
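The impersonation decision in step 4 can be confirmed at run time rather than inferred from Web.config. The following diagnostic is an added example written for this edit, not code from the original article: it compares the token IIS passed in (Request.LogonUserIdentity, available from ASP.NET 2.0 onward), the Windows account the request thread actually executes as, and the principal ASP.NET attached to the request. With impersonate set to true the first two names match; with it set to false the thread runs as the worker-process account. The class and method names are assumptions made for the example.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic (not from the original article): report which identity
// each layer sees, so the effect of <identity impersonate="..."/> is visible.
public static class ImpersonationCheck
{
    public sealed class Report
    {
        public string IisToken;        // user IIS authenticated and handed to ASP.NET
        public string ThreadIdentity;  // Windows account the request thread runs as
        public string UserIdentity;    // HttpContext.User.Identity.Name
        public bool Impersonating;     // true when the thread runs as the IIS user
    }

    public static Report Inspect(HttpContext ctx)
    {
        Report r = new Report();

        // Request.LogonUserIdentity wraps the token IIS passed in (ASP.NET 2.0+).
        WindowsIdentity iisUser = ctx.Request.LogonUserIdentity;
        r.IisToken = (iisUser != null) ? iisUser.Name : "(none)";

        // WindowsIdentity.GetCurrent() is the account the thread executes as:
        // the worker-process account unless impersonation is enabled.
        r.ThreadIdentity = WindowsIdentity.GetCurrent().Name;

        // The principal ASP.NET attached to the request; with Windows
        // authentication this is the same user as the IIS token.
        r.UserIdentity = (ctx.User != null) ? ctx.User.Identity.Name : "";

        r.Impersonating = iisUser != null &&
            string.Equals(iisUser.Name, r.ThreadIdentity, StringComparison.OrdinalIgnoreCase);
        return r;
    }

    // Convenience wrapper for rendering the report from a page.
    public static string Describe(HttpContext ctx)
    {
        Report r = Inspect(ctx);
        return string.Format(
            "IIS token: {0}; thread: {1}; User.Identity: {2}; impersonating: {3}",
            r.IisToken, r.ThreadIdentity, r.UserIdentity, r.Impersonating);
    }
}
```

Calling Response.Write(ImpersonationCheck.Describe(Context)) from Page_Load while toggling the impersonate attribute shows the difference directly; the thread identity is also the account whose NTFS permissions apply when the page touches the file system.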

Related configuration settings
IIS stores its security-related configuration settings in the IIS configuration database (the metabase), whereas ASP.NET stores its security (and other) configuration settings in an Extensible Markup Language (XML) configuration file. Although this generally simplifies application deployment from a security perspective, the security model an application uses requires that both the IIS configuration database and the ASP.NET application's own configuration file (Web.config) are configured correctly.

The following configuration sections are related to ASP.NET security:
<authentication> section
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthenticationsection.asp
<authorization> section
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthorizationsection.asp
<identity> section
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfidentitysection.asp
<machineKey> section
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfmachinekeysection.asp

Authentication
Authentication refers to the process of obtaining identity credentials, such as user names and passwords, and verifying those credentials against an authority.

ASP.NET provides four authentication providers:
• Forms authentication
• Windows authentication
• Passport authentication
• Default authentication

Forms authentication
Forms authentication refers to a system in which unauthenticated requests are redirected to a Hypertext Markup Language (HTML) form where the user types their credentials. After the user provides credentials and submits the form, the application authenticates the request, and the system then issues an authentication ticket in the form of a cookie. This cookie contains the credentials, or a key with which the identity can be re-established, and subsequent requests from the browser automatically include it.


Windows Authentication
In Windows authentication, IIS performs the authentication and passes the authenticated token to the ASP.NET worker process. The advantage of Windows authentication is that it requires the least amount of coding. If you want ASP.NET to impersonate the Windows user account that IIS authenticated before it passed the request to ASP.NET, you must use Windows authentication.


Passport Authentication
Passport authentication is a centralized authentication service provided by Microsoft, which provides a single sign-on and core profile service for member sites. Typically, Passport authentication is used when you need a single sign-on feature that spans multiple domains.


Default authentication
Default authentication is used when the Web application does not require any security features; this provider requires only anonymous access. Of all the authentication providers, default authentication gives the application the highest performance. You can also use this provider when you implement your own custom security module.


Authorization
Authorization is the process of verifying that an authenticated user can access a requested resource.

ASP.NET provides the following authorization providers:
• FileAuthorization
• UrlAuthorization

FileAuthorization
The FileAuthorizationModule class performs file authorization and is active when Windows authentication is used. FileAuthorizationModule is responsible for checking the Windows access control list (ACL) of the requested file to determine whether the user should have access.

UrlAuthorization
The UrlAuthorizationModule class performs Uniform Resource Locator (URL) authorization, which controls access based on the URI namespace. The URI namespace may differ greatly from the physical folder and file paths that NTFS permissions apply to.

UrlAuthorizationModule implements both positive and negative authorization assertions; that is, you can use this module to selectively allow or deny access to any part of the URI namespace for particular users, roles (such as manager, tester, and administrator), and HTTP verbs (such as GET and POST).


Role-based security
Role-based security in ASP.NET is similar to the role-based security used by Microsoft COM+ and Microsoft Transaction Server (MTS), but there are significant differences. Role-based security in ASP.NET is not limited to Windows accounts and groups. For example, if you enable Windows authentication and impersonation, the user's identity is the Windows identity (User.Identity.Name is "domain\username"). You can check whether that identity is a member of a particular role and restrict access accordingly. For example:

Visual C# .NET Code

    // With Windows authentication the request principal is a WindowsPrincipal,
    // so IsInRole checks the groups in the authenticated user's token.
    if (User.IsInRole("BUILTIN\\Administrators"))
        Response.Write("You are an Admin");
    else if (User.IsInRole("BUILTIN\\Users"))
        Response.Write("You are a User");
    else
        Response.Write("Invalid user");

If you are using forms authentication, roles are not assigned to authenticated users automatically; you must perform this task programmatically. To assign roles to an authenticated user, create a new GenericPrincipal object in the OnAuthenticate event of the authentication module (the forms authentication module in this example) and assign it to the User property of the HttpContext. The following code shows this:

Visual C# .NET Code

    // Global.asax: runs for every request, after the authentication module
    // has established the identity but before authorization is evaluated.
    public void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            // Only replace the principal for forms-authenticated users.
            if (HttpContext.Current.User.Identity.AuthenticationType == "Forms")
            {
                System.Web.Security.FormsIdentity id =
                    (System.Web.Security.FormsIdentity)HttpContext.Current.User.Identity;
                // For illustration every forms user receives the same three roles;
                // a real application looks up the roles that belong to id.Name.
                string[] myroles = new string[3];
                myroles[0] = "managers";
                myroles[1] = "Testers";
                myroles[2] = "Developers";
                HttpContext.Current.User =
                    new System.Security.Principal.GenericPrincipal(id, myroles);
            }
        }
    }

To check whether a user is in a specific role and limit their access accordingly, use the following code (or similar) in the .aspx page:

Visual C# .NET Code

    // GenericPrincipal.IsInRole compares role names case-insensitively,
    // so "testers" matches the "Testers" role assigned above.
    if (User.IsInRole("managers"))
        Response.Write("You are a Manager");
    else if (User.IsInRole("testers"))
        Response.Write("You are a Tester");
    else if (User.IsInRole("Developers"))
        Response.Write("You are a Developer");
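The two passages above, on assigning roles to forms-authenticated users and on URL authorization by role and verb, are served by the following added example (written for this edit; it is not code from the original article). Instead of giving every forms-authenticated user the same fixed role list, the roles are looked up once at login, carried in the UserData field of the forms authentication ticket, and restored into a GenericPrincipal in Application_AuthenticateRequest. Because FormsAuthentication.Encrypt signs and encrypts the ticket with the <machineKey> keys, the role list in the cookie cannot be altered by the client. The example assumes ASP.NET 2.0 or later (for UrlAuthorizationModule.CheckUrlAccessForPrincipal), a Web.config with <authentication mode="Forms"> and <authorization> rules, and that the caller has already validated the credentials and looked up the user's roles; the class and method names FormsRoles, IssueTicket, AttachRoles, ParseRoles and CanAccess are invented for the example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the original article). Roles travel inside the
// signed, encrypted forms ticket rather than being hard-coded per request.
public static class FormsRoles
{
    // Called at login after the application has validated the credentials
    // and looked up the user's roles (that lookup is outside this example).
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),      // expiry
            false,                            // not a persistent cookie
            string.Join(",", roles),          // UserData carries the role list
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <machineKey> validation and decryption keys, so
        // a client cannot edit the role list without invalidating the ticket.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep script from reading it
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL in Web.config
        response.Cookies.Add(cookie);
    }

    // Called from Application_AuthenticateRequest: rebuild the principal with
    // the roles stored in this user's ticket.
    public static void AttachRoles(HttpContext ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null)
            return; // not a forms ticket (e.g. Windows authentication)

        string[] roles = ParseRoles(id.Ticket.UserData);
        ctx.User = new GenericPrincipal(id, roles);
    }

    // UserData is a comma-separated role list; an empty field means no roles.
    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData))
            return new string[0];
        return userData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }

    // Evaluates the <authorization> rules from Web.config for a path and verb,
    // which is the same check UrlAuthorizationModule performs on each request.
    public static bool CanAccess(IPrincipal user, string virtualPath, string verb)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, verb);
    }
}

// Global.asax code-behind wiring the role restoration into the pipeline.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsRoles.AttachRoles(Context);
    }
}
```

After AttachRoles runs, User.IsInRole("managers") in a page works exactly as in the article's code, and FormsRoles.CanAccess(User, "~/admin/report.aspx", "POST") answers whether the <authorization> rules would let the current user POST to that path, which is useful for hiding links or for unit-testing the rules. Keep the role list short, since it is sent with every request inside the cookie.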



