MCAD(s)MCSD Self-Paced Training Kit(c) Developing Web Applications With Microsoft Visual Basic. Net and Microsoft V[. .. ]0-315
Lesson 1: Authenticating and Authorizing Users
Authentication is the process of identifying users. Authorization is the process of granting access to those users based on their identity. Together, authentication and authorization provide the means of keeping your Web application secure from intruders.
In this lesson, you'll learn how ASP.NET handles anonymous users, and you'll get an overview of the different ways you can identify and authorize users. This information will help you choose an authentication strategy based on the type of application you are creating.
After this lesson, you will be able to
- Describe how ASP.NET grants access to users who are not authenticated and how those users appear within Windows security tools
- Choose an authentication method based on your application's needs
- Add HTML pages to the list of file types that will be included with your application's authentication and authorization settings
Estimated lesson time: 10 minutes
Access by Anonymous Users
Anonymous access is the way most public Web sites work: sites containing public information allow anyone to see that information, so they don't authenticate users. ASP.NET Web applications provide anonymous access to resources on the server by impersonation. Impersonation is the process of assigning a user account to an unknown user.
By default, the anonymous access account is named IUSR_machinename. You use that account to control anonymous users' access to resources on the server.
To see or change the access privileges to the anonymous access account, use the Windows Computer Management snap-in as described in the following steps:
1. Log on to the server as the computer administrator.
2. From the Start menu, choose Administrative Tools, and then choose Computer Management to run the Computer Management console, as shown in Figure 8-1.
Figure 8-1. Viewing users
3. From the list on the left, choose Local Users And Groups, and then select the Users folder to display the list of authorized users for this computer.
4. From the user list on the right, double-click the anonymous user account named IUSR_computername. The Computer Management console displays the account's properties, as shown in Figure 8-2.
Figure 8-2. Properties of the anonymous access account
5. Click the Member Of tab to view the user groups the account belongs to. By default, anonymous users belong to the Guests group, which has limited privileges.
Under the default settings, ASP.NET uses the ASPNET account to run the Web application. This means that if the application attempts to perform any task that is not included in the ASPNET account's privileges, a security exception will occur and access will be denied. The account name will also show up in the security event log in Event Viewer, as shown in Figure 8-3.
Figure 8-3. The security event log in the Computer Management console
You restrict the access of anonymous users by setting Windows file permissions. To be secure, your server must use the Microsoft Windows NT file system (NTFS). The earlier FAT or FAT32 file systems do not provide file-level security. For more information about setting Windows file permissions, see the Windows security Help topics.
Access by Authenticated Users
As stated earlier, anonymous access is fine for public information. But if your application contains private information or performs restricted tasks such as placing orders, you will want to authenticate and authorize individual users.
There are three major ways to authenticate and authorize users within an ASP.NET Web application:
- Windows authentication
Identifies and authorizes users based on the server's user list. Access to resources on the server is then granted or denied based on the user account's privileges. This works the same way as regular Windows network security.
- Forms authentication
Directs users to a logon Web form that collects user name and password information, and then authenticates the user against a user list or database that the application maintains.
- Passport authentication
Directs new users to a site hosted by Microsoft so that they can register a single user name and password that will authorize their access to multiple Web sites. Existing users are prompted for their Microsoft Passport user name and password, which the application then authenticates against the Passport user list.
Each of these approaches, along with anonymous access, has different advantages. These authentication methods are best suited for different types of Web applications, as summarized in Table 8-1.
| Application type | Use this type of authentication | Description |
|---|---|---|
| Public Internet Web application | Anonymous | This is the common access method for most Web sites. No logon is required, and you secure restricted resources using NTFS file permissions. |
| Intranet Web application | Windows authentication | Windows authentication authenticates network users through the domain controller. Network users have access to Web application resources as determined by their user privileges on the server. |
| Private corporate Web application | Windows authentication | Corporate users can access the Web application using their corporate network user names and passwords. User accounts are administered using the Windows network security tools. |
| Commercial Web application | Forms | Applications that need to collect shipping and billing information should implement Forms authentication to gather and store customer information. |
| Multiple commercial Web applications | Passport | Passport authentication allows users to sign in once through a central authority. The user's identity is then available to any application using the Passport SDK. Customer information is maintained in a Passport profile, rather than in a local database. |
Windows, Forms, and Passport authentication use the classes found in the System.Web.Security namespace. To use these classes in your code, you should add an Imports statement (Visual Basic .NET) or a using statement (Visual C#) at the beginning of each module that performs authentication, as shown here:
Visual Basic .NET
Imports System.Web.Security
Visual C#
using System.Web.Security;
The following sections describe how to authenticate and authorize users using each of the three techniques.
Using Authentication with HTM and HTML Files
The three ASP.NET authentication modes apply to files that are part of the Web application. That includes Web forms (.aspx), modules (.asax), and other resources that are processed through the Web application's executable. It does not automatically include HTML pages (.htm or .html). Those pages are handled by Internet Information Services (IIS), rather than ASP.NET. If you want to authenticate users who access HTML pages from within your Web application using the Windows, Forms, or Passport authentication modes, you must map those files to the ASP.NET executable.
To map .htm and .html files to the ASP.NET executable using the IIS snap-in, follow these steps:
1. In the IIS snap-in, select the folder containing your Web application, and then choose Properties from the Action menu. IIS displays the Properties dialog box.
2. Click the Home Directory or Virtual Directory tab, and then click Configuration. IIS displays the Application Configuration dialog box, as shown in Figure 8-4.
Figure 8-4. The Application Configuration dialog box
3. Click Add. IIS displays the Add/Edit Application Extension Mapping dialog box, as shown in Figure 8-5.
Figure 8-5. The Add/Edit Application Extension Mapping dialog box
4. Click Browse, and select the aspnet_isapi.dll file. That file is stored in the Windows Microsoft .NET Framework directory; the path will be something like C:\Windows\Microsoft.NET\Framework\versionnumber\aspnet_isapi.dll.
5. Type .htm in the File Extension box, and click OK.
6. Repeat steps 3 through 5 for the .html file extension. Click OK to close the IIS dialog boxes when you've finished.
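As an added example that is not part of the training kit, the following Web.config puts both halves of this lesson into practice: it selects the Forms mode from Table 8-1 (the commercial-site case), denies anonymous users, and adds a per-file authorization rule for an .htm page that ASP.NET only enforces once .htm has been mapped to aspnet_isapi.dll as in the steps above. The file names Login.aspx and Reports.htm, the cookie name, and the user name "manager" are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed Web.config example; page names, cookie name and user are assumed. -->
<configuration>
  <system.web>
    <!-- mode is one of Windows, Forms, Passport or None.
         Windows covers the intranet/corporate rows of Table 8-1;
         Forms is shown here for the commercial-site row. -->
    <authentication mode="Forms">
      <!-- loginUrl: the Web form that collects user name and password.
           protection="All": the ticket cookie is both encrypted and signed.
           timeout: minutes of inactivity before the ticket expires. -->
      <forms name=".MYAPPAUTH" loginUrl="Login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- "?" means anonymous users. Without this rule, Forms mode still lets
         unauthenticated users reach every page; the loginUrl page itself is
         exempt so that users can sign in. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-file rule: only the user "manager" may open Reports.htm.
       ASP.NET evaluates this only after .htm is mapped to aspnet_isapi.dll;
       until then IIS serves the file subject to NTFS permissions alone. -->
  <location path="Reports.htm">
    <system.web>
      <authorization>
        <allow users="manager" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To confirm the mapping took effect, request Reports.htm while signed out: a redirect to Login.aspx shows ASP.NET is handling the file, whereas the raw page content shows IIS is still serving it.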