Chapter 14: Securing ASP.NET Applications

Overview

Most of the pages that you create for a public web site are designed to be accessible to any visitor, so the default settings for ASP.NET pages are ideal “ anyone can access the pages from anywhere on the network or the Internet. However, there will always be some pages that you don't want to be publicly available. For example, you might want to limit access to a complete site to users who have paid a subscription, or to limit access to administration pages to specific users only.

In previous versions of ASP, securing your pages was generally done in one of two ways. You could create a custom security system that allowed users to login to your site or application (or a specific part of it). Alternatively, you could rely on the security features of IIS and Windows itself to control which users could access specific pages, folders, or resources.

In ASP.NET, pages run under the .NET Framework, and this introduces new concepts in managing security, while still retaining existing security features. In this chapter, we'll overview all the features that control user access and then concentrate on the specific techniques designed for use with ASP.NET. The main topics in this chapter are:

• An overview of the security model within Windows and IIS.

• An overview of the new security features in ASP.NET.

• The different types of access control that you can implement with ASP.NET.

• A detailed look at how to apply the ASP.NET security and access control features.