Authorization


Unless a user has explicit permission to access a resource, such as a particular Web page, a resource file, a directory, and so on, the configuration should deny access by default. ASP.NET provides two configurable gatekeepers that you can use to control access to restricted resources. These are:

  • File Authorization. This gatekeeper is implemented by the ASP.NET FileAuthorizationModule HTTP module.

  • URL Authorization. This gatekeeper is implemented by the ASP.NET UrlAuthorizationModule HTTP module.

File Authorization

Only applications that use Windows authentication and have the following configuration can use this gatekeeper:

 <authentication mode="Windows"/> 

This gatekeeper is automatically effective when you use Windows authentication, and there is no need to impersonate. To configure the gatekeeper, configure Windows ACLs on files and folders. Note that the gatekeeper only controls access to the file types mapped by IIS to the following ASP.NET ISAPI extension: Aspnet_isapi.dll.

URL Authorization

Any application can use this gatekeeper. It is configured using <authorization> elements that control which users and groups of users should have access to the application. The default element from Machine.config is shown below:

 <authorization>
   <!-- allow/deny Attributes:
        users="[*?name]"
          * - All users
          ? - Anonymous users
          [name] - Named user
        roles="[name]" -->
   <allow users="*"/>
 </authorization>

URL Authorization Notes

Use the following to help you successfully configure URL Authorization:

  • Authorization settings in Web.config usually refer to all of the files in the current directory and all subdirectories, unless a subdirectory contains its own Web.config with an <authorization> element. In this case, the settings in the subdirectory override the parent directory settings.

  • URL authorization only applies to file types that are mapped by IIS to the ASP.NET ISAPI extension: Aspnet_isapi.dll.

  • When your application uses Windows authentication, you are authorizing access to Windows user and group accounts. User names take the form of "authority\WindowsUserName" and role names take the form of "authority\WindowsGroupName", where authority is either a domain name or the local machine name depending on the account type.

    A number of well known accounts are represented with "BUILTIN" strings. For example, the local administrators group is referred to as "BUILTIN\Administrators". The local users group is referred to as "BUILTIN\Users".

    Note: With .NET Framework version 1.0, the authority and the group name are case sensitive. The group name must match the group name that appears in Windows exactly.

  • When your application uses Forms authentication, you authorize the custom user and roles maintained in your custom user store. For example, if you use Forms to authenticate users against a database, you authorize against the roles retrieved from the database.

  • You can use the <location> tag to apply authorization settings to an individual file or directory. The following example shows how you can apply authorization to a specific file (page.aspx):

     <location path="page.aspx">
       <authorization>
         <allow users="DomainName\Bob, DomainName\Mary" />
         <deny users="*" />
       </authorization>
     </location>
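The following Python is an added example, not code from the book or from ASP.NET: it models how URL authorization rules like the ones above are evaluated, assuming (as this model does) that rules are checked top to bottom with the first matching rule deciding, that a subdirectory's rules are consulted before its parent's, and that the Machine.config default <allow users="*"/> sits behind every application's own rules. It shows why the trailing <deny users="*"/> is what actually makes the page deny by default.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the page): the <location> rules shown
# above, the same rules with the <deny users="*"/> line left out, and the
# Machine.config default that sits behind every application's own rules.
LOCATION_CONFIG = """<location path="page.aspx">
  <authorization>
    <allow users="DomainName\\Bob, DomainName\\Mary" />
    <deny users="*" />
  </authorization>
</location>"""
NO_DENY_CONFIG = """<authorization>
  <allow users="DomainName\\Bob, DomainName\\Mary" />
</authorization>"""
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'


def _names(attr):
    """Split a comma-separated users= or roles= attribute into a list."""
    return [p.strip() for p in (attr or "").split(",") if p.strip()]


def rule_matches(rule, user, roles):
    """True if one token of the rule applies to the caller.
    users: '*' = everyone, '?' = anonymous (user is None), else the exact name.
    roles: exact group/role name (exact matching, as the 1.0 note above describes)."""
    for token in _names(rule.get("users")):
        if token == "*" or (token == "?" and user is None) or token == user:
            return True
    return any(r in roles for r in _names(rule.get("roles")))


def is_authorized(configs, user, roles=()):
    """Assumed model of UrlAuthorizationModule: walk the <allow>/<deny> rules top
    to bottom, first match wins. configs is ordered most specific first:
    subdirectory Web.config, parent Web.config, ..., Machine.config last."""
    for cfg in configs:
        root = ET.fromstring(cfg)
        auth = root if root.tag == "authorization" else root.find("authorization")
        for rule in auth:
            if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                return rule.tag == "allow"
    return False  # nothing matched: deny (Machine.config's <allow users="*"/> normally matches first)


if __name__ == "__main__":
    for who in ("DomainName\\Bob", "DomainName\\Alice", None):
        print(who, "->", is_authorized([LOCATION_CONFIG, MACHINE_DEFAULT], who))
    # Without the trailing <deny users="*"/>, Alice falls through to Machine.config
    # and is allowed: the application has to state the deny-by-default rule itself.
    print("Alice, no deny ->", is_authorized([NO_DENY_CONFIG, MACHINE_DEFAULT], "DomainName\\Alice"))
```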



Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613