Validation of users and roles in

Source: Internet
Author: User
Tags builtin config configuration settings httpcontext iis requires resource ntfs permissions This article references the following Microsoft. NET Framework Class Library namespace:

The requested security event stream
The following steps briefly describe the sequence of events that occurs when a request is made by the client: 1. The client requests an. aspx page on the IIS server.
2. Pass the client credentials to IIS.
3. IIS authenticates the client and then passes the authenticated token along with the client request to the worker process.
4. Depending on the authenticated markup that IIS sends and the configuration settings for the Web application, decides whether to impersonate the user on the thread that handles the request. The obvious difference between Microsoft Active Server Pages (ASP) and is that no longer impersonate an authenticated user by default. To enable impersonation, you must set the Impersonate property in the identity section to true in the Web.config file.

Related configuration settings
IIS saves security-related configuration settings in the IIS configuration database. However, saves security (and other) configuration settings in an Extensible Markup Language (XML) configuration file. Although this generally simplifies deployment of applications from a security perspective, the security model used by the application requires that the IIS configuration database and the application be properly configured through its configuration file (Web.config).

The following configuration section is related to the security: <authentication> section
<authorization> Part
<identity> Part
<machinekey> Part

Authentication refers to the process of obtaining identity credentials, such as user names and passwords, and verifying those credentials against an authority. provides four authentication providers: • Form authentication
Windows Authentication
Passport authentication
• Default Authentication

Form authentication
Form authentication refers to the following systems: Redirecting unauthenticated requests to a Hypertext Markup Language (HTML) form, allowing users to type their credentials. After the user provides credentials and submits the form, the application authenticates the request, and then the system issues the authentication ticket as a Cookie. This Cookie contains the credentials or the key used to regain the identity. Subsequent requests from the browser automatically contain this Cookie.

Windows Authentication
In Windows authentication, IIS performs authentication and passes the authenticated token to the worker process. The advantage of using Windows authentication is that it requires the least amount of coding. Before you can pass a request to, you may need to use Windows authentication to simulate a Windows user account that IIS authenticates.

Passport Authentication
Passport authentication is a centralized authentication service provided by Microsoft, which provides a single sign-on and core profile service for member sites. Typically, Passport authentication is used when you need a single sign-on feature that spans multiple domains.

Default authentication
Default authentication is used when the WEB application does not require any security features, and this security provider requires anonymous access. In all authentication providers, default authentication provides the highest performance for the application. You can also use this authentication provider when you use your own custom security module.

Authorization is the process of verifying that an authenticated user can access a requested resource. provides the following licensing provider: fileauthorization

The FileAuthorizationModule class is file-authorized and is active when using Windows authentication. FileAuthorizationModule is responsible for checking the Windows access Control List (ACL) to determine whether the user should have access rights.
The UrlAuthorizationModule class makes Uniform Resource Locator (URL) authorization, which controls authorization based on the URI namespace. The URI namespace may differ greatly from the physical folder and file path used by NTFS permissions.

UrlAuthorizationModule to implement affirmative and negative authorization assertions; that is, you can use this module to selectively allow or deny access to URIs of users, roles (such as manager, tester, and administrator) and predicates (such as Get and POST) Any part of the namespace.

Role-based security
role-based security in is similar to role-based security used by Microsoft COM + and Microsoft Transaction Server (MTS), but there are significant differences between them. role-based security in is not limited to Windows accounts and groups. For example, if you enable Windows authentication and impersonation, the user's identity is the Windows identity (User.Identity.Name = "domain\username"). You can check the identity of members in a particular role and restrict their access to them accordingly. For example:

Visual C #. NET Code
if (User.IsInRole ("BUILTIN\\Administrators"))
Response.Write ("You are a Admin");
else if (User.IsInRole ("Builtin\\users"))
Response.Write ("You are a User");
Response.Write ("Invalid user");

If you are using form authentication, you do not assign roles to authenticated users, and you must perform this task programmatically. To assign a role to an authenticated user, create a new GenericPrincipal object with the OnAuthenticate event for the authentication module (the form authentication module in this example) and assign it the HttpContext user property. This is described in the following code:

Visual C #. NET Code
public void Application_AuthenticateRequest (Object s, EventArgs e)
if (HttpContext.Current.User!= null)
if (HttpContext.Current.User.Identity.AuthenticationType = "Forms")
System.Web.Security.FormsIdentity id = HttpContext.Current.User.Identity;
string[] myroles = new String[3];
myroles[0]= "managers";
myroles[1]= "Testers";
myroles[2]= "Developers";
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal (id,myroles);

To check whether a user is in a specific role and limit its access rights, use the following code (or similar code) in the. aspx page:

Visual C #. NET Code
if (User.IsInRole ("managers"))
Response.Write ("You are a Manager");
else if (User.IsInRole ("testers"))
Response.Write ("You are a Tester");
else if (User.IsInRole ("Developers"))
Response.Write ("You are a Developer");

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.