This section provides an overview of the ASP.NET infrastructure and subsystem relationships, as they relate to the subject of security. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS deciphers and optionally authenticates the request. If Allow Anonymous is set to true, no authentication occurs. IIS also finds the requested resource (such as an ASP.NET application), and, if the client is authorized, returns the appropriate resource.
In addition to the built-in ASP.NET security features, an ASP.NET application can use the low-level security features of the .NET Framework. For more information, see Key Security Concepts.
Integrating with IIS
When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS always assumes that a set of credentials maps to a Microsoft Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0 through 6.0: basic, digest, and ** Integrated Windows ** Authentication (NTLM or Kerberos). You can select the type of authentication to use in IIS administrative services. For more information on IIS authentication, see the IIS documentation.
If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the two additional types of authentication described in the following table.
|ASP.NET authentication provider||Description|
|Forms authentication||A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues an authentication ticket in a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method the application developer specifies.|
|Passport authentication||Centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.|
Using ASP.NET Configuration Files
ASP.NET configuration, of which security is a part, has a hierarchical architecture. All configuration information for ASP.NET is contained in files named Web.config and Machine.config. Web.config can be placed in the same directories as the application files. The Machine.config file is in the Config directory of the install root. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. In a Web.config file, there are sections for each major category of ASP.NET functionality. To see an example of the way in which the hierarchical configuration system works for security, see Hierarchical Configuration Architecture.
The security section of a Web.config file is organized as follows.
<authentication mode="[Windows|Forms|Passport|None]"> <forms name="[name]" loginUrl="[url]" protection="[All|None|Encryption|Validation]" path="[path]" timeout="[minutes]" requireSSL="[true|false]" slidingExpiration="[true|false]"> <credentials passwordFormat="[Clear|MD5|SHA1]"> <user name="[UserName]" password="[password]"/> </credentials> </forms> <passport redirectUrl="internal"/> </authentication> <authorization> <allow users="[comma separated list of users]" roles="[comma separated list of roles]"/> <deny users="[comma separated list of users]" roles="[comma separated list of roles]"/> </authorization> <identity impersonate ="[true|false]" userName="[domain\user_name]" password="[user_password]"/> <trust level="[Full|High|Medium|Low|Minimal]" originUrl=""/> <securityPolicy> <trustLevel name="Full" policyFile="internal"/> <trustLevel name="High" policyFile="web_hightrust.config"/> <trustLevel name="Medium" policyFile="web_mediumtrust.config"/> <trustLevel name="Low" policyFile="web_lowtrust.config"/> <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/> </securityPolicy>
The default settings for these elements are shown in the following table.
|<allow roles= >||No default value.|
|<authentication mode="Windows">||The authentication mode cannot be set at a level below the application root directory.|
|<credentials passwordFormat="SHA1">||The hashing algorithm to be used on passwords.|
|<forms loginUrl="logon.aspx">||If you set the mode to Forms, and if the request does not have a valid ticket (cookie), this is the URL to which the request is directed for a forms-based logon.|
|<forms name=".ASPXAUTH">||Default cookie name.|
|<forms timeout="30">||Time-out in minutes. 30 minutes is the default.|
|<forms requireSSL="false">||Specifies that an SSL connection is not required to transmit the authentication cookie.|
|<forms slidingExpiration="true">||Specifies that sliding expiration is enabled.|
|<identity impersonate="true" >||Impersonation is enabled by default.|
|<passport redirectUrl="internal">||If you set the mode to Passport, and if the requested page requires authentication (anonymous users are denied access) but the user has not logged on with Passport, then the user will be redirected to this URL.|
|<trust level="Full" originUrl="" />||Default level is Full.|
|<trustLevel name="Full" policyFile="internal"/>||Default policy file for Full trust level.|
|<trustLevel name="High" policyFile="web_hightrust.config"/>||Default policy file for High trust level.|
|<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>||Default policy file for Medium trust level.|
|<trustLevel name="Low" policyFile="web_lowtrust.config"/>||Default policy file for Low trust level.|
|<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>||Default policy file for Minimal trust level.|
There are three major subsections to a Web.config file: authentication, authorization, and identity. The values for each of the security elements are usually set by overriding a section of the computer-level configuration file with a similar section in an application configuration file placed in the application root directory. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override other settings.
Note ASP.NET configuration only applies to ASP.NET resources (those registered to be handled by Aspnet_isapi.dll). Unfortunately, ASP.NET configuration cannot provide authorization for non-Aspnet_isapi.dll resources, so TXT, HTML, GIF, JPEG, ASP, and other types of files are still accessible by all users, subject to IIS permissions. For example, even though the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is turned on and no other restrictions are in place.
You can avoid this situation by explicitly mapping such files, but not directories, to Aspnet_isapi.dll using the IIS administration tool. However, there could be a performance impact if you do this.
You can use the <location></location> tags to specify a particular file or directory to which settings should apply. For more information about how to use the <location> tag, see Hierarchical Configuration Architecture and Configuration <Location> Settings.
For more details about ASP.NET configuration in general, see ASP.NET Configuration.
ASP.NET Web Application Security | Key Security Concepts | FormsAuthentication Events | Passport Authentication Provider | Hierarchical Configuration Architecture | Configuration <Location> Settings | ASP.NET Configuration