Programming Microsoft ASP.NET 4 - Dino Esposito [412]

Windows authentication and reserve wider coverage for the most commonly used authentication method—Forms authentication.

Windows Authentication


When using Windows authentication, ASP.NET works in conjunction with IIS. The real authentication is performed by IIS, which uses one of its authentication methods: Basic or Integrated Windows. When IIS has authenticated the user, it passes the security token on to ASP.NET. When in Windows authentication mode, ASP.NET does not perform any further authentication steps and limits its use of the IIS token to authorizing access to the resources.

Typically, you use the Windows authentication method in intranet scenarios when the users of your application have Windows accounts that can be authenticated only by the Web server. Let’s assume that you configured the Web server to work with the Integrated Windows authentication mode and that you disabled anonymous access. The ASP.NET application works in Windows authentication mode. What happens when a user connects to the application? First, IIS authenticates the user (popping up a dialog box if the account of the local user doesn’t match any accounts on the Web server or in the trusted domain) and then hands the security token over to ASP.NET.

Using ACLs to Authorize Access


In most cases, Windows authentication is used in conjunction with file authorization—via the FileAuthorizationModule HTTP module. User-specific pages in the Web application can be protected from unauthorized access by using access control lists (ACLs) on the file. When ASP.NET is about to access a resource, the FileAuthorizationModule HTTP module is called into action. File authorization performs an ACL check on ASP.NET files using the caller’s identity. For example, it ensures that the user Joe will never be able to access an .aspx page whose ACL doesn’t include an entry for him.

Note, though, that file authorization does not require impersonation at the ASP.NET level and, more importantly, it works regardless of whether the impersonation flag is turned on. Once you’ve set an appropriately configured ACL on an ASP.NET resource, you’re pretty much done. Nobody will be able to access the resource without permission.

Note

Windows authentication also works with URL authorization implemented by the HTTP module named URLAuthorizationModule. This module allows or denies access to URL resources to certain users and roles. (I’ll talk more about URL authorization later while discussing Forms authentication.)
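As an added example (not from the book), the following web.config puts the settings discussed above together: Windows authentication with impersonation left off, a site-wide rule that rejects anonymous callers, and a URL authorization rule for an /Admin folder. The domain CONTOSO, the group WebAdmins and the user joe are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not the book's own code. Domain, group and user names
     (CONTOSO, WebAdmins, joe) are placeholders. -->
<configuration>
  <system.web>
    <!-- IIS performs the actual authentication (Integrated Windows, with
         anonymous access disabled in IIS); ASP.NET only consumes the token. -->
    <authentication mode="Windows" />

    <!-- File (ACL) authorization does not need impersonation, so it stays off.
         Impersonation only changes which identity the worker process uses
         when it touches resources itself. -->
    <identity impersonate="false" />

    <!-- Site-wide URL authorization: "?" is the anonymous user, "*" is everyone.
         Rules are evaluated top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-folder rule for /Admin: members of the domain group and one named
       user are allowed; the final deny must come last or it masks the allows.
       Windows roles are matched as DOMAIN\Group names. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" />
        <allow users="CONTOSO\joe" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

URL authorization decides on the request path before the page runs; an NTFS ACL on the .aspx file is an independent, second check performed by file authorization with the same caller identity.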

Windows CardSpace


The .NET Framework (starting with 3.0) contains a new technology that can be used with ASP.NET Web sites to authenticate users: Windows CardSpace. Any page that includes the Identity Selector object uses the identity cards of the connected user to send credentials to the server. Each user can manage her own cards by using the Windows CardSpace applet in Control Panel on any client machine equipped with the .NET Framework 3.0 or later.

The Identity Selector is an <object> tag of type application/x-informationcard. By requesting the value property of this object, you force an enabled browser to bring up the CardSpace applet. The user then picks the right card to send. The server-side login page will then access the content of the card and make any necessary checks to authorize the request. If it becomes widely accepted, Windows CardSpace could be the perfect tool for authentication over the Internet. For more information, you can start reading the following MSDN article: http://msdn.microsoft.com/en-us/magazine/cc163434.aspx.

Using Forms Authentication


Windows authentication is seldom practical for real-world Internet applications. Windows authentication is based on Windows accounts and NTFS ACL tokens and, as such, assumes that clients are connecting from Windows-equipped machines. Useful and effective in intranet and possibly in some extranet scenarios, Windows authentication is simply unrealistic in more common situations because the Web application users are required to have Windows accounts in the application’s
