Securing Applications in ASP.NET 2.0

Source: Internet
Author: User

Membership and Role Manager providers: ASP.NET 2.0 now includes built-in membership and role management services. Because these services are provider-driven, you can easily change the provider or replace it with a custom implementation.

Login controls: The new login controls provide the building blocks for a site's authentication and authorization UI, such as a login form, a create-user form, password retrieval, and custom UI for logged-in users or roles. These controls work with the user and role information that the site defines through the built-in membership and role services in ASP.NET 2.0.

An important part of most Web applications is identifying users and controlling access to resources. Determining the identity of the requesting entity is called authentication. Typically, the user must present credentials, such as an account name and password, in order to be authenticated. Once the authenticated identity has been validated, the application must determine whether that identity may access the specified resource, which is called authorization. ASP.NET, together with IIS, provides authentication and authorization services for your applications.

An important feature of COM objects is the ability to control the identity under which the COM object code runs. When a COM object runs code with the identity of the requesting entity, this is called impersonation. ASP.NET applications can optionally choose to impersonate requests.

Some applications also want to customize content dynamically based on the identity of the requester or on the role that identity belongs to. ASP.NET applications can check at run time whether the identity of the current request belongs to a role. For example, an application might check whether the current user belongs to the Administrator role in order to conditionally generate content for administrators.

The membership feature in ASP.NET 2.0 makes it easier to create and manage users. Membership typically works with another new feature called the Role Manager. The Role Manager provides the underlying infrastructure for creating roles and assigning users to roles. When the membership feature, the Role Manager, and forms authentication work together, ASP.NET 2.0 provides end-to-end support for creating, authenticating, and authorizing users.

Both membership and the Role Manager are designed around a provider-based model. A provider abstracts the physical data store for a feature away from the classes and business logic that the feature exposes. Both the membership and Role Manager features come with a Microsoft SQL Server provider. The membership feature also comes with a provider that works with Active Directory and Active Directory Application Mode (ADAM). The Role Manager feature comes with a provider that uses the Windows Server 2003 Authorization Manager. You can create a custom provider and configure it to work with the membership and Role Manager features. When you use a custom provider, pages that rely on the membership and Role Manager features continue to work without change.
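The following web.config is an added example, not part of the original article, showing how forms authentication, the SQL Server membership provider and the SQL Server role provider are wired together. The provider names, connection string, `applicationName` and numeric limits are constructed placeholders.

```xml
<!-- Added example: web.config for forms authentication backed by the SQL Server providers.
     Provider names, the connection string and applicationName are constructed placeholders. -->
<configuration>
  <connectionStrings>
    <add name="AuthDb"
         connectionString="Data Source=.\SQLEXPRESS;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication issues the ticket cookie: send it over TLS only,
         encrypted and validated (protection="All"), and never in the URL. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             cookieless="UseCookies" timeout="20" slidingExpiration="true" />
    </authentication>

    <!-- Membership: store salted hashes, turn off password retrieval
         (a hashed password can only be reset), and lock out repeated guessing. -->
    <membership defaultProvider="AppSqlMembership">
      <providers>
        <clear />
        <add name="AppSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AuthDb"
             applicationName="/ExampleApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- The Role Manager is disabled by default; enable it and protect the role cache cookie. -->
    <roleManager enabled="true" defaultProvider="AppSqlRoles"
                 cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true">
      <providers>
        <clear />
        <add name="AppSqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AuthDb"
             applicationName="/ExampleApp" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Switching to a different or custom provider means changing the `type` attribute (and its provider-specific settings) in the `<add>` element; pages that call the membership and role APIs are unaffected.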

The login controls are a set of custom server controls that provide a common user interface for authentication and authorization tasks. The login controls build on the functionality of the membership, Role Manager, and forms authentication features.

Authentication and authorization

ASP.NET works with IIS to support Basic, Digest, and Windows authentication. ASP.NET supports the Microsoft Passport authentication service, which provides single sign-on and user profile services. ASP.NET also provides a robust service for applications that want to use forms-based authentication. Forms-based authentication uses cookies to authenticate users and lets the application perform its own credential verification.

It is important to realize that the ASP.NET authentication services are subject to the authentication services provided by IIS. For example, to use Basic authentication in an IIS application, you must configure the application to use Basic authentication with the Internet Services Manager tool.

ASP.NET provides two types of authorization services:

Checks against ACLs (access control lists) or resource permissions to determine whether an authenticated user account may access the resource.

URL authorization, which authorizes an identity for a given part of the Web space.

To illustrate the difference, consider an application that allows anonymous access through the IUSR_MYMACHINE account. When a request for an ASP.NET page (such as "/default.aspx") is authenticated, a check is made against the ACL of the file (for example, "c:\inetpub\wwwroot\default.aspx") to see whether the IUSR_MYMACHINE account has permission to read the file. If it does, access is authorized. If the Web content is on an NTFS volume and the virtual directory is configured to use Windows authentication, file authorization is performed automatically.
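URL authorization, in contrast to the file ACL check above, is declared in web.config. The following is an added example, not from the original article; the `admin` folder and the `Administrators` role name are assumptions, and an authentication mode is assumed to be configured elsewhere.

```xml
<!-- Added example: URL authorization rules. Folder and role names are placeholders. -->
<configuration>
  <system.web>
    <!-- Site-wide rule: "?" means the anonymous user, so every request
         must come from an authenticated identity. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top to bottom and the first match wins.
       The default rule inherited from machine.config allows everyone, so a
       restricted area needs an explicit final deny for "*" (all users). -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules apply only to requests that ASP.NET handles; on IIS 6 and earlier, static files that are not mapped to ASP.NET are governed by the NTFS ACL check alone.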
