Thursday, May 8, 2008

How ASP.NET Security Works

Essentially, securing an ASP.NET Web application entails controlling access to its resources.

The ASP.NET security framework accomplishes this by working in conjunction with the various security subsystems present on the machine where ASP.NET is installed. This includes security provided by the operating system (NTFS file access permissions) as well as security provided by IIS (host or IP address authorization).

And since ASP.NET is built on the Microsoft .NET Framework, the ASP.NET application developer also has access to all of the built-in security features of the .NET Framework, such as code access security and role-based user-access security.

To secure your ASP.NET application effectively, you must understand how these security subsystems interact.

Basically, to enable security for an ASP.NET application, you need to configure the application to implement, at the very least, the two fundamental functionalities described in the following table.

Security function: Authentication
Description: The process of obtaining identification credentials from a user (such as name and password) and validating those credentials against some authority.

Security function: Authorization
Description: The process of controlling access to resources based on the authenticated identification credentials (such as role).

ASP.NET implements authentication through authentication providers, the modules that contain the code to authenticate user credentials. ASP.NET includes the following authentication providers.

ASP.NET Authentication Provider: Windows Authentication Provider
Description: ASP.NET uses Windows authentication in conjunction with IIS authentication. Authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.

ASP.NET Authentication Provider: Forms Authentication Provider
Description: A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues a form that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the form in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method the application developer specifies.

ASP.NET Authentication Provider: Passport Authentication Provider
Description: Centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.

To enable authentication for an ASP.NET application, you need to create an authentication section entry in the application root configuration file. The general syntax for the authentication section is as follows:

    <authentication mode="[Windows|Forms|Passport|None]">
    </authentication>

The mode is set to one of the authentication methods: Windows, Forms, Passport, or None. The default is Windows.

The authentication mode cannot be set at a level below the application root directory. Like all other configuration settings, all subdirectories within the application boundary inherit the authentication mode, unless explicitly overridden in a child configuration file.
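As an added example that is not part of the original post, here is one way the authentication section above combines with an authorization section (the second fundamental function from the table) in an application-root web.config. Forms mode is used; the login page name, cookie name, timeout, role name and folder name are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original post): a minimal application-root
     web.config that enables forms authentication and restricts access.
     The login page, cookie name, timeout, role and folder are assumptions. -->
<configuration>
  <system.web>
    <!-- The authentication mode may only be set here, at the application root. -->
    <authentication mode="Forms">
      <!-- Assumed login page and cookie name. protection="All" both encrypts
           and signs the ticket; requireSSL keeps it off plain HTTP. -->
      <forms loginUrl="Login.aspx"
             name=".MYAPPAUTH"
             protection="All"
             timeout="20"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>
    <!-- Authorization: deny anonymous users ("?") everywhere by default. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Authorization, unlike the authentication mode, can be refined below the
       root. Here the (assumed) Admin folder is limited to the Admins role. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must remain reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated in order and the first match wins, so the root deny takes precedence over the allow-all rule inherited from machine-level configuration.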
