How to perform asp.net Web security verification

Authentication and authorization

asp.net is used with IIS to support authentication and uses basic, concise, and Windows authentication. asp.net supports the Microsoft Passport Authentication Service, which provides a single sign-on service and support for user profile services. ASP.net also provides a reliable service for applications that want to use forms-based authentication. forms-based authentication uses cookies to authenticate the user and to allow the application to perform its own credential validation.

It is important to recognize that the ASP.net authentication service depends on the authentication service provided by IIS. For example, to use Basic authentication in an IIS application, you must use the Internet Services Manager tool to configure the use of Basic authentication for your application.

asp.net provides two types of licensing services:

Checks based on ACL or resource permissions to determine whether the authenticated user account can access the resource.

URL authorization, which authorizes the identification of parts of the Web space.

To illustrate the difference, consider a scenario in which the application is configured to allow anonymous access using the Iusr_mymachine account. After you authorize a request to an ASP.net page (such as "/default.aspx"), check the file against the ACL (for example, "c:inetpubwwwrootdefault.aspx") to determine if the Iusr_mymachine account has permission to read the file. If so, access is authorized. File authorization is automatically performed.

For URL authorization, anonymous users are checked against the configuration data that is computed for the ASP.net application. If the requested URL is allowed to be accessed, the request is authorized. In this case, ASP.net checks to see if the anonymous user has access to/default.aspx (that is, the file is based on the URL itself rather than the URL that the URLs ultimately resolve to).

may look small, but it enables an application to use authentication schemes such as forms-based authentication or Passport authentication (where users do not correspond to computer or domain accounts in this authentication). In addition, it enables authorization for virtual resources that are not based on physical files. For example, an application might choose to map all requests for files ending with. Stk to a handler that provides common quotes based on variables that exist in the query string. In this case, there is no physical. Stk on which the ACL check is performed, so URL authorization is used to control access to virtual resources.

File authorization execution is always based on an authenticated account provided by IIS. If anonymous access is allowed, the account is a configured anonymous account. Otherwise, it uses an NT account. This is exactly how the ASP works.

Use the Security tab in the Explorer property page to set file ACLs for a given file or directory. URL authorization is configured as part of the ASP.net framework application and is fully described in the authorized users and roles.

To activate the ASP.net authentication service, you must configure the <authentication> element in the application's configuration file. The element can have any of the values listed in the following table.

Value description

No ASP.net authentication service is active. Note that the IIS authentication service can still exist.

The Windows asp.net authentication Service attaches WindowsPrincipal (System.Security.Principal.WindowsPrincipal) to the current request to enable authorization for NT users or groups.

The form asp.net authentication Service manages cookies and redirects unauthenticated users to the login page. It is typically used with the IIS option to allow anonymous access to the application.

Passport ASP.net authentication Service provides a convenient package for the service provided by the Passport SDK (which must be installed on the computer).

For example, the following configuration file enables Forms-based (Cookie) authentication for an application:

<configuration>
<system.web>
<authentication mode= "Forms"/>
</system.web>
</configuration>