This section provides an overview of the ASP.NET security infrastructure. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS authenticates the request if required and then locates the requested resource (such as an ASP.NET application). If the client is authorized, the resource is made available.
When an ASP.NET application is running, it can use built-in ASP.NET security features. In addition, an ASP.NET application can use the security features of the .NET Framework. For more information, see
Integrating ASP.NET Authentication with IIS
In addition to relying on the authentication capabilities of IIS, you can perform authentication in ASP.NET. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS assumes that a set of credentials maps to a Microsoft Windows NT account and that it should use those credentials to authenticate a user. There are three different kinds of authentication available in IIS 5.0 and IIS 6.0: basic, digest, and Windows Integrated Security (NTLM or Kerberos). You can select the type of authentication to use in IIS administrative services. For more information on IIS authentication, see the IIS documentation.
If users request a URL that maps to an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the additional types of authentication described in the following table.
- Forms authentication: A system by which unauthenticated requests are redirected to an ASP.NET Web page that you create. The user provides credentials and submits the page. If your application authenticates the request, the system issues an authentication ticket in a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests include an authentication ticket with the request.
  Note: ASP.NET membership and ASP.NET login controls implicitly work with forms authentication.
- Passport authentication: A centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.
ASP.NET Configuration File Security Settings
ASP.NET security settings are configured in the Machine.config and Web.config files. As with other configuration information, base settings and default settings are established in the Machine.config file in the Config subdirectory of the current .NET Framework installation. You can establish site-specific and application-specific settings (including overriding settings from the Machine.config file) in Web.config files in the Web site root and application root directories. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. To see an example of the way in which the hierarchical configuration system works for security, see
There are three major subsections to a Web.config file: the
Note: ASP.NET configuration applies only to ASP.NET resources, namely those registered to be handled in IIS by the Aspnet_isapi.dll extension. ASP.NET configuration cannot provide authorization for resources not processed by ASP.NET. Therefore, .txt, .htm, .html, .gif, .jpg, .jpeg, .asp, and other types of files are accessible by all users (subject to IIS permissions). For example, even though the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is turned on and no other restrictions are in place. You can put these types of files under ASP.NET security by explicitly mapping such file name extensions to the Aspnet_isapi.dll extension using the IIS administration tool. However, processing these types of files through ASP.NET can affect the performance of the Web site.
You can use the
The following example shows the syntax of the security sections of a configuration file:
```xml
<authentication mode="[Windows|Forms|Passport|None]">
  <forms name="name"
         loginUrl="url"
         protection="[All|None|Encryption|Validation]"
         path="path"
         timeout="minutes"
         requireSSL="[true|false]"
         slidingExpiration="[true|false]">
    <credentials passwordFormat="[Clear|MD5|SHA1]">
      <user name="username" password="password"/>
    </credentials>
  </forms>
  <passport redirectUrl="internal" />
</authentication>
<authorization>
  <allow users="comma-separated list of users"
         roles="comma-separated list of roles" />
  <deny users="comma-separated list of users"
        roles="comma-separated list of roles" />
</authorization>
<identity impersonate="[true|false]"
          userName="domain\username"
          password="password" />
<trust level="[Full|High|Medium|Low|Minimal]" originUrl=""/>
<securityPolicy>
  <trustLevel name="Full" policyFile="internal"/>
  <trustLevel name="High" policyFile="web_hightrust.config"/>
  <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
  <trustLevel name="Low" policyFile="web_lowtrust.config"/>
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
```
The default settings for these elements are shown in the following table.
Setting | Description |
---|---|
`<allow roles>` | An empty string indicating that all roles are allowed by default. |
`<allow users>` | An empty string indicating that all users are allowed access (no authentication is required). |
`<authentication mode>` | The authentication type that determines the source of the current |
`<credentials passwordFormat>` | The hashing algorithm used on passwords. The default is |
`<deny roles>` | An empty string indicating that no roles are denied by default. |
`<deny users>` | An empty string indicating that no users are denied by default. |
`<forms loginUrl>` | The URL to which the request is directed if you set the authentication mode to Forms and if the request does not have a valid authentication ticket. |
`<forms name>` | The name under which the forms authentication cookie is stored on the user's computer. |
`<forms path>` | The path to which forms authentication applies. The default is all paths from the application root down. |
`<forms protection>` | The security applied to the forms authentication ticket. Values include: All, None, Encryption, and Validation. |
`<forms timeout>` | The timeout in minutes before the forms authentication ticket expires and users must re-authenticate. |
`<forms requireSSL>` | A Boolean value indicating whether an SSL connection is required to transmit the authentication cookie. |
`<forms slidingExpiration>` | A Boolean value indicating whether sliding expiration is enabled. For more information, see the |
`<identity impersonate>` | A Boolean value indicating whether impersonation is disabled. For more information, see ASP.NET Impersonation. |
`<identity userName>` | An empty string indicating that no user identity is specified by default. |
`<identity password>` | An empty string indicating that no password for the user identity is specified by default. |
`<passport redirectUrl>` | The URL to which the request is directed if you set the authentication mode to Passport and if the requested page requires authentication (anonymous users are denied access) but the user has not logged on with Passport. |
`<trust level>` | The security policy that will be applied to the application. |
`<trustLevel name="Full" policyFile>` | The default policy file for Full trust level. |
`<trustLevel name="High" policyFile>` | The default policy file for High trust level. |
`<trustLevel name="Medium" policyFile>` | The default policy file for Medium trust level. |
`<trustLevel name="Low" policyFile>` | The default policy file for Low trust level. |
`<trustLevel name="Minimal" policyFile>` | The default policy file for Minimal trust level. |
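As an added example (not code from the original page or from Microsoft), the following Python script audits the security elements described above in a constructed Web.config and reports weak values: a forms ticket cookie that may be sent without SSL or without full protection, clear-text stored passwords, authorization rules that can never be reached, and an impersonation password kept in the configuration file. The function name and the sample configuration are assumptions for this example; the rule-ordering check relies on ASP.NET evaluating `<authorization>` rules top to bottom with the first matching rule winning.

```python
# Added example, not from the original page: audits the security sections of
# an ASP.NET Web.config. The sample configuration below is constructed.
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="auth" loginUrl="login.aspx" protection="Validation"
             timeout="600" requireSSL="false">
        <credentials passwordFormat="Clear">
          <user name="alice" password="hunter2"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*"/>
      <deny users="?"/>
    </authorization>
    <identity impersonate="true" userName="CORP\\svc" password="p@ss"/>
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for the <system.web> security sections."""
    web = ET.fromstring(xml_text).find("system.web")
    findings = []
    auth = web.find("authentication")
    forms = auth.find("forms") if auth is not None else None
    if forms is not None:
        if forms.get("requireSSL", "false").lower() != "true":
            findings.append("forms: requireSSL is not true; the ticket cookie may be sent over HTTP")
        if forms.get("protection", "All") != "All":
            findings.append("forms: protection is not All; ticket is not both encrypted and validated")
        creds = forms.find("credentials")
        if creds is not None and creds.get("passwordFormat", "SHA1") == "Clear":
            findings.append("credentials: passwordFormat is Clear; passwords are stored unhashed")
    # URL authorization rules are checked in order and the first match wins,
    # so any rule placed after <allow users="*"/> is never reached.
    authz = web.find("authorization")
    rules = list(authz) if authz is not None else []
    for i, rule in enumerate(rules):
        if rule.tag == "allow" and rule.get("users") == "*" and i < len(rules) - 1:
            findings.append("authorization: rules after <allow users=\"*\"/> are unreachable")
            break
    ident = web.find("identity")
    if ident is not None and ident.get("impersonate", "").lower() == "true" and ident.get("password"):
        findings.append("identity: impersonation account password is stored in Web.config")
    return findings
```

Running `audit_web_config(SAMPLE_WEB_CONFIG)` reports all five weaknesses in the sample; a configuration using only `<authentication mode="Windows"/>` produces no findings.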
See Also
Concepts
Passport Authentication Provider
Other Resources
ASP.NET Web Site Security
Forms Authentication Provider