ASP.NET Web Application Security
Most Web sites need to selectively restrict access to some portions of the site. You can think of a Web site as somewhat analogous to an art gallery. The gallery is open for the public to come in and browse, but there are certain parts of the facility, such as the business offices, that are accessible only to people with certain credentials, such as employees. When a Web site stores its customers' credit card information in a database, for example, access to the database must be restricted. ASP.NET security features help you address this and many other security issues.
ASP.NET, in conjunction with Microsoft Internet Information Services (IIS), can authenticate user credentials such as names and passwords using any of the following authentication methods:
- Windows: Basic, digest, or Integrated Windows Authentication (NTLM or Kerberos).
- Microsoft Passport authentication
- Forms authentication
- Client Certificate authentication
ASP.NET controls access to site information by comparing authenticated credentials, or representations of them, to NTFS file system permissions or to an XML file that lists authorized users, authorized roles (groups), or authorized HTTP verbs.
This section and the following sections describe the specifics of ASP.NET security. For more information about the types of security attacks Web sites experience and how you can help protect your site from attack, see Security Considerations for ASP.NET Web Applications.
In This Section
- How ASP.NET Security Works
Provides an overview of ASP.NET security.
- ASP.NET Architecture
Provides an overview of ASP.NET infrastructure and subsystem relationships, as related to security.
- ASP.NET Data Flow
Describes the security data flow for two common scenarios.
- ASP.NET Authentication
Describes ASP.NET authentication providers.
- ASP.NET Authorization
Describes two fundamental ways to authorize access to a resource.
- ASP.NET Impersonation
Describes how and when to use ASP.NET Impersonation.
- Designing Secure ASP.NET Applications
Describes how to create ASP.NET applications with incorporated security.
- ASP.NET Application Security in Hosted Environments
Describes ASP.NET security features for multi-application Web servers.
- System.Web.Security Namespace
Describes the classes you need for ASP.NET security features.
- Security Considerations for ASP.NET Web Applications
Describes common types of Web site security attacks and how to help prevent them.
- Securing Applications
Describes general .NET Framework security concepts, services, and best practices.