ASP. NET Authentication Service

Authentication and authorization

ASP. NET and IIS are used together to support authentication, and basic, brief, and Windows authentication are used. ASP. NET supports the Microsoft Passport Authentication Service, which provides a single Logon Service and support for the user configuration file service. ASP. NET also provides reliable services for applications that require form-based authentication. Form-based authentication uses cookies to authenticate the user's identity and allows applications to perform their own creden.

It is important to realize that the ASP. NET authentication service depends on the Identity Authentication Service provided by IIS. For example, to use Basic Authentication in an IIS application, you must use the Internet service manager tool to configure the use of basic authentication for the application.

ASP. NET provides two types of authorization services:

Check based on ACL or resource permissions to determine whether authenticated user accounts can access resources.

URL Authorization, which authorizes the identity of each part of the Web space.

To illustrate the differences, consider this solution in which the application is configured to allow anonymous access using the IUSR_MYMACHINE account. When authorizing ASP. NET page, such as "/default. after the request, check the file according to the ACL, such as "c: \ inetpub \ wwwroot \ default. to determine whether the IUSR_MYMACHINE account has the permission to read the file. If yes, access is authorized. File authorization is automatically executed.

For URL Authorization, anonymous users are checked based on the configuration data calculated for ASP. NET applications. If the URL of the access request is allowed, the request is authorized. In this case, ASP. NET checks whether anonymous users have access to/Default. aspx Based on the URL itself rather than the final file parsed by the URL ).

It may seem very small, but it enables applications to use form-based or passport-based authentication where users do not correspond to computers or domain accounts) this authentication scheme. In addition, it enables virtual resource authorization, which does not have physical files as the basis. For example, an application can map all requests of a file ending with. stk to a processing program, which provides common quotation marks based on the variables in the query string. In this case, there is no physical. stk on which the ACL check is performed. Therefore, URL Authorization is used to control access to virtual resources.

The execution of file authorization is always based on an authenticated account provided by IIS. If anonymous access is allowed, the account is configured as an anonymous account. Otherwise, it uses an NT account. This is exactly the same as ASP.

On the "Resource Manager" property page, use the "Security" tab to set the File ACL for the specified file or directory. URL Authorization is configured as ASP.. NET Framework application, which has a complete description of authorized users and roles.

To activate the ASP. NET authentication service, you must configure the <authentication> element in the application configuration file. This element can have any value listed in the following table.

Value description

No ASP. NET authentication service is active. Note that the IIS Authentication Service can still exist.

The Windows ASP. NET authentication service attaches WindowsPrincipal System. Security. Principal. WindowsPrincipal) to the current request to enable authorization to NT users or groups.

Form ASP. NET Authentication Service manages cookies and redirects unauthenticated users to the logon page. It is usually used with the IIS option to allow anonymous access to the application.

The passport ASP. NET Authentication Service provides a convenient packaging for services provided by passport sdks that must be installed on computers.

For example, the following configuration file enables form-based Cookie authentication for the application:

 
 

  
  
<configuration> 
  
  
<system.web> 
  
  
<authentication mode="Forms"/> 
  
  
</system.web> 
  
  
</configuration> 
 
 

1. Analysis on ASP. NET Web Security
2. Session State of ASP. NET
3. Analysis on the attribute ASP. NET of IsPostBack
4. ASP. NET architecture and security mechanism
5. Overview ASP. NET Crystal Reports