MCAD/MCSD Self-Paced Training Kit: Developing Web Applications With Microsoft Visual Basic .NET and Microsoft V[...]0-315

Lesson 1: Authenticating and Authorizing Users

Authentication is the process of identifying users. Authorization is the process of granting access to those users based on their identity. Together, authentication and authorization provide the means of keeping your Web application secure from intruders.

In this lesson, you'll learn how ASP.NET handles anonymous users, and you'll get an overview of the different ways you can identify and authorize users. This information will help you choose an authentication strategy based on the type of application you are creating.

After this lesson, you will be able to

Estimated lesson time: 10 minutes

Access by Anonymous Users

Anonymous access is the way most public Web sites work: sites containing public information allow anyone to see that information, so they don't authenticate users. ASP.NET Web applications provide anonymous access to resources on the server by impersonation. Impersonation is the process of assigning a user account to an unknown user.

By default, the anonymous access account is named IUSR_machinename. You use that account to control anonymous users' access to resources on the server.

To see or change the access privileges to the anonymous access account, use the Windows Computer Management snap-in as described in the following steps:

  1. Log on to the server as the computer administrator.

  2. From the Start menu, choose Administrative Tools, and then choose Computer Management to run the Computer Management console, as shown in Figure 8-1.

    Figure 8-1. Viewing users

  3. From the list on the left, choose Local Users And Groups, and then select the Users folder to display the list of authorized users for this computer.

  4. From the user list on the right, double-click the anonymous user account named IUSR_computername. The Computer Management console displays the account's properties, as shown in Figure 8-2.

    Figure 8-2. Properties of the anonymous access account

  5. Click the Member Of tab to view the user groups the account belongs to. By default, anonymous users belong to the Guests group, which has limited privileges.

Under the default settings, ASP.NET uses the ASPNET account to run the Web application. This means that if the application attempts to perform any task that is not included in the ASPNET account's privileges, a security exception will occur and access will be denied. The account name will also show up in the security event log of the Event Viewer, as shown in Figure 8-3.

Figure 8-3. The security event log in the Computer Management console

You restrict the access of anonymous users by setting Windows file permissions. To be secure, your server must use the Microsoft Windows NT file system (NTFS). The earlier FAT or FAT32 file systems do not provide file-level security. For more information about setting Windows file permissions, see the Windows security Help topics.

Access by Authenticated Users

As stated earlier, anonymous access is fine for public information. But if your application contains private information or performs restricted tasks such as placing orders, you will want to authenticate and authorize individual users.

There are three major ways to authenticate and authorize users within an ASP.NET Web application: Windows authentication, Forms authentication, and Passport authentication.

Each of these approaches, along with anonymous access, has different advantages. These authentication methods are best suited for different types of Web applications, as summarized in Table 8-1.

Table 8-1. Web Application Types and Authentication Techniques

| Application type | Use this type of authentication | Description |
|---|---|---|
| Public Internet Web application | Anonymous | This is the common access method for most Web sites. No logon is required, and you secure restricted resources using NTFS file permissions. |
| Intranet Web application | Windows authentication | Windows authentication authenticates network users through the domain controller. Network users have access to Web application resources as determined by their user privileges on the server. |
| Private corporate Web application | Windows authentication | Corporate users can access the Web application using their corporate network user names and passwords. User accounts are administered using the Windows network security tools. |
| Commercial Web application | Forms | Applications that need to collect shipping and billing information should implement Forms authentication to gather and store customer information. |
| Multiple commercial Web applications | Passport | Passport authentication allows users to sign in once through a central authority. The user's identity is then available to any application using the Passport SDK. Customer information is maintained in a Passport profile, rather than in a local database. |

Windows, Forms, and Passport authentication use the classes found in the System.Web.Security namespace. To use these classes in your code, add an Imports statement (Visual Basic .NET) or a using statement (Visual C#) at the beginning of each module that performs authentication, as shown here:

Visual Basic .NET

Imports System.Web.Security

Visual C#

using System.Web.Security;

The following sections describe how to authenticate and authorize users using each of the three techniques.
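The authentication mode and the authorization rules are selected in the application's Web.config file. The following fragment is an added example (not code from the training kit) that applies the "Commercial Web application" row of Table 8-1: Forms authentication for the whole site, anonymous users denied everywhere except a Public folder. The login page name, cookie name, timeout, and folder name are assumed values for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- mode is one of Windows, Forms, Passport, or None (see Table 8-1) -->
    <authentication mode="Forms">
      <!-- Login.aspx, cookie name, and 30-minute timeout are assumed values;
           protection="All" both encrypts and validates the ticket cookie -->
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="30" protection="All" />
    </authentication>
    <!-- Application-wide rule: "?" is the anonymous user, so unauthenticated
         requests are redirected to loginUrl; authenticated users fall through
         to the inherited <allow users="*" /> in machine.config -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Per-folder override: rules in the more specific location are checked
       first, so the (assumed) Public folder stays open to anonymous visitors -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules apply only to requests that ASP.NET processes; plain .htm and .html pages are served by IIS and bypass them unless you map those extensions to aspnet_isapi.dll as described in the next section.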

Using Authentication with HTM and HTML Files

The three ASP.NET authentication modes apply to files that are part of the Web application. That includes Web forms (.aspx), modules (.asax), and other resources that are processed through the Web application's executable. It does not automatically include HTML pages (.htm or .html). Those pages are handled by Internet Information Services (IIS), rather than ASP.NET. If you want to authenticate users who access HTML pages from within your Web application using the Windows, Forms, or Passport authentication modes, you must map those files to the ASP.NET executable.

To map .htm and .html files to the ASP.NET executable using the IIS snap-in, follow these steps:

  1. In the IIS snap-in, select the folder containing your Web application, and then choose Properties from the Action menu. IIS displays the Properties dialog box.

  2. Click the Home Directory or Virtual Directory tab, and then click Configuration. IIS displays the Application Configuration dialog box, as shown in Figure 8-4.

    Figure 8-4. The Application Configuration dialog box

  3. Click Add. IIS displays the Add/Edit Application Extension Mapping dialog box, as shown in Figure 8-5.

    Figure 8-5. The Add/Edit Application Extension Mapping dialog box

  4. Click Browse, and select the aspnet_isapi.dll file. That file is stored in the Windows Microsoft .NET Framework directory; the path will be something like C:\Windows\Microsoft.NET\Framework\versionnumber\aspnet_isapi.dll.

  5. Type .htm in the File Extension box, and click OK.

  6. Repeat steps 3 through 5 for the .html file extension. Click OK to close the IIS dialog boxes when you've finished.
