Microsoft KB Archive/306590

= INFO: ASP.NET Security Overview =

Article ID: 306590

Article Last Modified on 10/29/2007


APPLIES TO


 * Microsoft ASP.NET 1.0
 * Microsoft ASP.NET 1.1




This article was previously published under Q306590



This article refers to the following Microsoft .NET Framework Class Library namespaces:
 * System.Web.Security
 * System.Web.Principal



SUMMARY
This article provides an introduction to ASP.NET security.

For additional ASP.NET overviews, refer to the following Microsoft Knowledge Base article:

305140 INFO: ASP.NET Roadmap



MORE INFORMATION
ASP.NET gives you more control to implement security for your application. ASP.NET security works in conjunction with Microsoft Internet Information Services (IIS) security and includes authentication and authorization services to implement the ASP.NET security model. ASP.NET also includes a role-based security feature that you can implement for both Microsoft Windows and non-Windows user accounts.

This article is divided into the following sections:
 * Flow of Security with a Request
 * Related Configuration Settings
 * Authentication
    * Forms Authentication
    * Windows Authentication
    * Passport Authentication
    * Default Authentication
 * Authorization
    * FileAuthorization
    * UrlAuthorization
 * Role-Based Security

Flow of Security with a Request
The following steps outline the sequence of events when a client makes a request:
 * 1) A client requests an .aspx page that resides on an IIS server.
 * 2) The client's credentials are passed to IIS.
 * 3) IIS authenticates the client and forwards the authenticated token along with the client's request to the ASP.NET worker process.
 * 4) Based on the authenticated token from IIS and the configuration settings for the Web application, ASP.NET decides whether to impersonate a user on the thread that is processing the request. In a distinct difference between Microsoft Active Server Pages (ASP) and ASP.NET, ASP.NET no longer impersonates the authenticated user by default. To enable impersonation, you must set the impersonate attribute of the identity section in the Web.config file to true.

For more information about the security flow, refer to the following topic in the .NET Framework Software Development Kit (SDK) documentation:

ASP.NET Data Flow

http://msdn2.microsoft.com/en-us/library/xa68twcb(vs.71).aspx

For additional information about impersonating in ASP.NET, click the article number below to view the article in the Microsoft Knowledge Base:

306158 INFO: Implementing Impersonation in an ASP.NET Application


Related Configuration Settings
IIS maintains security-related configuration settings in the IIS metabase. However, ASP.NET maintains security (and other) configuration settings in Extensible Markup Language (XML) configuration files. Although this generally simplifies the deployment of your application from a security standpoint, the security model that your application adopts necessitates the correct configuration of both the IIS metabase and your ASP.NET application through its configuration file (Web.config).

The following configuration sections are related to ASP.NET security:
 * Section

http://msdn2.microsoft.com/en-us/library/532aee0e(vs.71).aspx
 * Section

http://msdn2.microsoft.com/en-us/library/8d82143t(vs.71).aspx
 * Section

http://msdn2.microsoft.com/en-us/library/72wdk8cc(vs.71).aspx
 * <machineKey> Section

http://msdn2.microsoft.com/en-us/library/w8h3skw9(vs.71).aspx


Authentication
Authentication is the process by which you obtain identification credentials such as the user's name and password and validate those credentials against some authority.

ASP.NET provides four authentication providers:
 * Forms authentication
 * Windows authentication
 * Passport authentication
 * Default authentication

Forms Authentication
Forms authentication refers to a system in which unauthenticated requests are redirected to a Hypertext Markup Language (HTML) form in which users type their credentials. After the user provides credentials and submits the form, the application authenticates the request, and the system issues an authorization ticket in the form of a cookie. This cookie contains the credentials or a key to reacquire the identity. Subsequent requests from the browser automatically include the cookie.

For more information about Forms authentication, refer to the following topic in the .NET Framework SDK documentation:

The Forms Authentication Provider

http://msdn2.microsoft.com/en-us/library/907hb5w9(vs.71).aspx

For additional information about Forms authentication in ASP.NET, click the article number below to view the article in the Microsoft Knowledge Base:

301240 HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using C# .NET

Windows Authentication
In Windows authentication, IIS performs the authentication, and the authenticated token is forwarded to the ASP.NET worker process. The advantage of using Windows authentication is that it requires minimal coding. You may want to use Windows authentication to impersonate the Windows user account that IIS authenticates before you hand off the request to ASP.NET.

For more information about Windows authentication, refer to the following topic in the .NET Framework SDK documentation:

The WindowsAuthenticationModule Provider

http://msdn2.microsoft.com/en-us/library/907hb5w9(vs.71).aspx

Passport Authentication
Passport authentication is a centralized authentication service, which Microsoft provides, that offers a single log on and core profile services for member sites. Typically, Passport authentication is used when you need single log on capability across multiple domains.

For more information about Passport authentication, refer to the following topic in the .NET Framework SDK documentation:

The Passport Authentication Provider

http://msdn2.microsoft.com/en-us/library/f8e50t0f(vs.71).aspx

Default Authentication
Default authentication is used when you do not want any security on your Web application; anonymous access is required for this security provider. Among all authentication providers, Default authentication provides maximum performance for your application. This authentication provider is also used when you use your own custom security module.


Authorization
Authorization is the process that verifies if the authenticated user has access to the requested resources.

ASP.NET offers the following authorization providers:
 * FileAuthorization
 * UrlAuthorization

FileAuthorization
The FileAuthorizationModule class performs file authorization and is active when you use Windows authentication. FileAuthorizationModule is responsible for performing checks on Windows Access Control Lists (ACLs) to determine whether a user should have access.

UrlAuthorization
The UrlAuthorizationModule class performs Uniform Resource Locator (URL) authorization, which controls authorization based on the URI namespace. URI namespaces can be quite different from the physical folder and file paths that NTFS permissions use.

UrlAuthorizationModule implements both positive and negative authorization assertions; that is, you can use the module to selectively allow or deny access to arbitrary parts of the URI namespace for users, roles (such as manager, testers, and administrators), and verbs (such as GET and POST).
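
The allow and deny assertions described above, as a Web.config fragment. This is an added example, not part of the original article; the Reports folder and Login.aspx are assumed names, and the role names are the ones used later in this article.

```xml
<!-- Constructed example. Rules inside one <authorization> section are read
     top to bottom and the first rule that matches the request decides it. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: every page requires a logged-on user -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Applies to the URI namespace /Reports, whatever folder or ACL backs it -->
  <location path="Reports">
    <system.web>
      <authorization>
        <!-- Managers may use any verb -->
        <allow roles="managers" />
        <!-- Testers may read (GET) but not submit (POST) -->
        <allow verbs="GET" roles="testers" />
        <!-- "*" is every user: without this final deny, a request that
             matched no rule here would fall through to the parent rules
             and be allowed for any authenticated user -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With Forms authentication, the role rules match only if the application has attached roles to the principal during the authenticate step, as the Role-Based Security section describes.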

For more information about authorization in ASP.NET, refer to the following topic in the .NET Framework SDK documentation:

ASP.NET Authorization

http://msdn2.microsoft.com/en-us/library/wce3kxhd(vs.71).aspx


Role-Based Security
Role-based security in ASP.NET is similar to the role-based security that Microsoft COM+ and Microsoft Transaction Server (MTS) use, although there are important differences. Role-based security in ASP.NET is not limited to Windows accounts and groups. For example, if Windows authentication and impersonation are enabled, the identity of the user is a Windows identity (User.Identity.Name = "Domain\username"). You can check identities for membership in specific roles and restrict access accordingly. For example:

Visual Basic .NET Code

    ' BUILTIN\ names refer to built-in Windows groups
    If User.IsInRole("BUILTIN\Administrators") Then
        Response.Write("You are an Admin")
    ElseIf User.IsInRole("BUILTIN\Users") Then
        Response.Write("You are a User")
    Else
        Response.Write("Invalid user")
    End If

Visual C# .NET Code

    // BUILTIN\ names refer to built-in Windows groups
    if (User.IsInRole("BUILTIN\\Administrators"))
        Response.Write("You are an Admin");
    else if (User.IsInRole("BUILTIN\\Users"))
        Response.Write("You are a User");
    else
        Response.Write("Invalid user");

If you are using Forms authentication, roles are not assigned to the authenticated user; you must do this programmatically. To assign roles to the authenticated user, use the OnAuthenticate event of the authentication module (which is the Forms authentication module in this example) to create a new GenericPrincipal object and assign it to the User property of the HttpContext. The following code illustrates this:

Visual Basic .NET Code

    Public Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
        If Not (HttpContext.Current.User Is Nothing) Then
            If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
                ' User.Identity is typed as IIdentity, so cast it explicitly
                Dim id As System.Web.Security.FormsIdentity = _
                    CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
                ' An upper bound of 2 declares exactly three elements
                Dim myRoles(2) As String
                myRoles(0) = "managers"
                myRoles(1) = "testers"
                myRoles(2) = "developers"
                ' Replace the principal with one that carries the roles
                HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, myRoles)
            End If
        End If
    End Sub

Visual C# .NET Code

    public void Application_AuthenticateRequest(Object s, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.AuthenticationType == "Forms")
            {
                // User.Identity is typed as IIdentity, so cast it explicitly
                System.Web.Security.FormsIdentity id =
                    (System.Web.Security.FormsIdentity)HttpContext.Current.User.Identity;
                String[] myRoles = new String[3];
                myRoles[0] = "managers";
                myRoles[1] = "testers";
                myRoles[2] = "developers";
                // Replace the principal with one that carries the roles
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, myRoles);
            }
        }
    }

To check if the user is in a specific role and restrict access accordingly, use the following code (or similar) in your .aspx pages:

Visual Basic .NET Code

    If User.IsInRole("managers") Then
        Response.Write("You are a Manager")
    ElseIf User.IsInRole("testers") Then
        Response.Write("You are a Tester")
    ElseIf User.IsInRole("developers") Then
        Response.Write("You are a Developer")
    End If

Visual C# .NET Code

    if (User.IsInRole("managers"))
        Response.Write("You are a Manager");
    else if (User.IsInRole("testers"))
        Response.Write("You are a Tester");
    else if (User.IsInRole("developers"))
        Response.Write("You are a Developer");

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

306238 HOW TO: Implement Role-Based Security with Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET
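
The role-assignment code in this section gives every Forms-authenticated user the same three roles. The following added example (not code from the original article) goes one step further and carries per-user roles in the Forms authentication ticket; the RoleTicket class, the "|" separator and the 30-minute lifetime are assumptions made for illustration.

```csharp
// Added example, not from the original article.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleTicket
{
    // Call after the login form has validated the credentials.
    // 'roles' comes from your own user store (lookup not shown).
    public static void Issue(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                            // ticket version
            userName,
            DateTime.Now,                 // issue time
            DateTime.Now.AddMinutes(30),  // expiration (assumed lifetime)
            false,                        // not persisted across browser sessions
            String.Join("|", roles));     // roles travel in UserData

        // Encrypt() protects the ticket as set by <forms protection="...">
        // (default All: encrypted and validated) with the <machineKey> keys.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true;             // assumes the site is served over HTTPS
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax. By then the
    // Forms authentication module has already decrypted and checked the cookie.
    public static void Attach(HttpContext context)
    {
        if (context.User == null) return;              // anonymous request

        FormsIdentity id = context.User.Identity as FormsIdentity;
        if (id == null) return;                        // not Forms authentication

        string data = id.Ticket.UserData;
        string[] roles = (data.Length == 0) ? new string[0] : data.Split('|');

        // Same step as the article's code, with the user's own roles
        context.User = new GenericPrincipal(id, roles);
    }
}
```

Roles issued this way stay in force until the ticket expires, so a role removed from the user store takes effect only at the next logon.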

For more information on role-based security, refer to the following topic in the .NET Framework SDK documentation:

Role-Based Security

http://msdn2.microsoft.com/en-us/library/52kd59t0(vs.71).aspx

<div class="references_section">