MORE INFORMATION
ASP.NET gives you more control to implement security for
your application.
ASP.NET security works in conjunction with Microsoft Internet Information Services
(IIS) security and includes authentication and authorization services to
implement the ASP.NET security model. ASP.NET also includes a role-based
security feature that you can implement for both Microsoft Windows and
non-Windows user accounts.
This article is divided into the following
sections:
Flow of Security with a Request
The following steps outline the sequence of events when a client
makes a request:
- A client requests an .aspx page that resides on an IIS
server.
- The client's credentials are passed to IIS.
- IIS authenticates the client and forwards the authenticated
token along with the client's request to the ASP.NET worker process.
- Based on the authenticated token from IIS and the
configuration settings for the Web application, ASP.NET decides whether to
impersonate a user on the thread that is processing the request. In a distinct
difference between Microsoft Active Server Pages (ASP) and ASP.NET, ASP.NET no
longer impersonates the authenticated user by default. To enable impersonation,
you must set the impersonate attribute of the identity section in the Web.config file to true.
For more information about the security flow, refer to the
following topic in the .NET Framework Software Development Kit (SDK)
documentation:
For additional information about
impersonating in ASP.NET, click the article number below to view the article in
the Microsoft Knowledge Base:
306158 INFO: Implementing Impersonation in an ASP.NET Application
Related Configuration Settings
IIS maintains security-related configuration settings in the IIS
metabase. However, ASP.NET maintains security (and other) configuration
settings in Extensible Markup Language (XML) configuration files. Although this
generally simplifies the deployment of your application from a security
standpoint, the security model that your application adopts necessitates the
correct configuration of both the IIS metabase and your ASP.NET application
through its configuration file (Web.config).
The following
configuration sections are related to ASP.NET security:
Authentication
Authentication is the process by which you obtain identification
credentials such as the user's name and password and validate those credentials
against some authority.
ASP.NET provides four authentication
providers:
Forms Authentication
Forms authentication refers to a system in which unauthenticated
requests are redirected to a Hypertext Markup Language (HTML) form in which
users type their credentials. After the user provides credentials and submits
the form, the application authenticates the request, and the system issues an
authorization ticket in the form of a cookie. This cookie contains the
credentials or a key to reacquire the identity. Subsequent requests from the
browser automatically include the cookie.
For more information about
Forms authentication, refer to the following topic in the .NET Framework SDK
documentation:
For additional information about Forms authentication in ASP.NET, click the article
number below to view the article in the Microsoft Knowledge Base:
301240 HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using C# .NET
Windows Authentication
In Windows authentication, IIS performs the authentication, and
the authenticated token is forwarded to the ASP.NET worker process.
The advantage of using Windows
authentication is that it requires minimal coding. You may want to use Windows
authentication to impersonate the Windows user account that IIS authenticates
before you hand off the request to ASP.NET.
For more information
about Windows authentication, refer to the following topic in the .NET
Framework SDK documentation:
Passport Authentication
Passport authentication is a centralized authentication service, provided by
Microsoft, that offers single logon and core profile services for member sites.
Typically, Passport authentication is used when you need single logon capability
across multiple domains.
For more
information about Passport authentication, refer to the following topic in the
.NET Framework SDK documentation:
Default Authentication
Default authentication is used when you do not want any security
on your Web application; anonymous access is required for this security
provider. Among all authentication providers, Default authentication provides
maximum performance for your application. This authentication provider is also
used when you use your own custom security module.
Authorization
Authorization is the process that verifies if the authenticated
user has access to the requested resources.
ASP.NET offers the
following authorization providers:
FileAuthorization
The FileAuthorizationModule class performs file authorization and is active when you use
Windows authentication.
FileAuthorizationModule is responsible for performing checks on Windows Access Control
Lists (ACLs) to determine whether a user should have access.
UrlAuthorization
The UrlAuthorizationModule class performs Uniform Resource Locator (URL) authorization,
which controls authorization based on the URI namespace. URI namespaces can be
quite different from the physical folder and file paths that NTFS permissions
use.
UrlAuthorizationModule implements both positive and negative authorization assertions;
that is, you can use the module to selectively allow or deny access to
arbitrary parts of the URI namespace for users, roles (such as managers,
testers, and administrators), and verbs (such as GET and POST).
For
more information about authorization in ASP.NET, refer to the following topic
in the .NET Framework SDK documentation:
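The following Web.config is an added example, not code from the original article. It combines the settings the sections above describe: the impersonate attribute of the identity section from the request-flow section, and UrlAuthorizationModule rules that allow or deny users, roles and verbs for parts of the URI namespace. The folder names and the group DOMAIN\Managers are assumed placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS authenticates the client; the token is forwarded to ASP.NET. -->
    <authentication mode="Windows" />
    <!-- Off by default in ASP.NET (unlike classic ASP). Set to true so the
         request thread runs as the Windows user IIS authenticated. -->
    <identity impersonate="true" />
    <!-- Application-wide UrlAuthorizationModule rules. Rules are evaluated
         top-down and the first match wins, so a catch-all deny must come
         last or it shadows every rule after it. "?" means anonymous users,
         "*" means all users. -->
    <authorization>
      <allow roles="BUILTIN\Administrators" />
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Narrower rules for one part of the URI namespace. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Verb-based rule: DOMAIN\Managers (assumed group) may only GET
       the reports folder; POST and other verbs fall through to the deny. -->
  <location path="reports">
    <system.web>
      <authorization>
        <allow verbs="GET" roles="DOMAIN\Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules only apply to requests that IIS hands to the ASP.NET worker process (extensions mapped to ASP.NET); files such as .htm or .gif served directly by IIS are protected by NTFS ACLs and IIS settings, not by this section.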
Role-Based Security
Role-based security in ASP.NET is similar to the role-based
security that Microsoft COM+ and Microsoft Transaction Server (MTS) use,
although there are important differences. Role-based security in ASP.NET is not
limited to Windows accounts and groups. For example, if Windows authentication
and impersonation is enabled, the identity of the user is a Windows identity
(User.Identity.Name = "Domain\username"). You can check identities for
membership in specific roles and restrict access accordingly. For
example:
Visual Basic .NET Code
If User.IsInRole("BUILTIN\Administrators") Then
    Response.Write("You are an Admin")
ElseIf User.IsInRole("BUILTIN\Users") Then
    Response.Write("You are a User")
Else
    Response.Write("Invalid user")
End If
Visual C# .NET Code
if (User.IsInRole("BUILTIN\\Administrators"))
    Response.Write("You are an Admin");
else if (User.IsInRole("BUILTIN\\Users"))
    Response.Write("You are a User");
else
    Response.Write("Invalid user");
If you are using Forms authentication, roles are not assigned to the
authenticated user; you must do this programmatically. To assign roles to the
authenticated user, use the
OnAuthenticate event of the authentication module (which is the Forms
authentication module in this example) to create a new
GenericPrincipal object and assign it to the
User property of the HttpContext. The following code illustrates
this:
Visual Basic .NET Code
Public Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
    If Not (HttpContext.Current.User Is Nothing) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            ' Identity is typed as IIdentity, so an explicit cast is required
            Dim id As System.Web.Security.FormsIdentity = _
                CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
            ' VB .NET array declarations give the upper bound: (2) holds three roles
            Dim myRoles(2) As String
            myRoles(0) = "managers"
            myRoles(1) = "testers"
            myRoles(2) = "developers"
            ' Replace the principal with one that carries the assigned roles
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, myRoles)
        End If
    End If
End Sub
Visual C# .NET Code
public void Application_AuthenticateRequest(Object s, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.AuthenticationType == "Forms")
        {
            // Identity is typed as IIdentity, so an explicit cast is required
            System.Web.Security.FormsIdentity id =
                (System.Web.Security.FormsIdentity)HttpContext.Current.User.Identity;
            string[] myRoles = new string[3];
            myRoles[0] = "managers";
            myRoles[1] = "testers";
            myRoles[2] = "developers";
            // Replace the principal with one that carries the assigned roles
            HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, myRoles);
        }
    }
}
To check if the user is in a specific role and restrict access
accordingly, use the following code (or similar) in your .aspx pages:
Visual Basic .NET Code
If User.IsInRole("managers") Then
    Response.Write("You are a Manager")
ElseIf User.IsInRole("testers") Then
    Response.Write("You are a Tester")
ElseIf User.IsInRole("developers") Then
    Response.Write("You are a Developer")
End If
Visual C# .NET Code
if (User.IsInRole("managers"))
    Response.Write("You are a Manager");
else if (User.IsInRole("testers"))
    Response.Write("You are a Tester");
else if (User.IsInRole("developers"))
    Response.Write("You are a Developer");
For additional information, click the article
number below to view the article in the Microsoft Knowledge Base:
306238 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
For more information on role-based security, refer
to the following topic in the .NET Framework SDK documentation: