Configuring Security

When you're developing ASP.NET applications, the two aspects of security you need to configure are authentication and authorization. Authentication is the process of obtaining credentials from a user and verifying his identity. After an identity has been authenticated, it can be authorized to use various resources. Authorization refers to granting rights based on that identity.

Configuring Authentication

ASP.NET provides flexible alternatives for authentication. You can perform authentication yourself in code or delegate authentication to other authorities. Settings in the web.config file control the method of authentication used for any given request.

IIS and ASP.NET Authentication

An ASP.NET application has two separate authentication layers. All requests flow through IIS before they're handed to ASP.NET, and IIS can decide to deny access before the ASP.NET process even knows about the request. Here's how the process works:

  1. IIS first checks to ensure that the incoming request comes from an IP address that is allowed access to the domain. If it does not, the request is denied.

  2. Next, IIS performs its own user authentication, if it's configured to do so. By default, IIS allows anonymous access, so requests are automatically authenticated.

  3. If the request is passed to ASP.NET with an authenticated user, ASP.NET checks to see whether impersonation is enabled. If impersonation is enabled, ASP.NET acts as though it were the authenticated user. If not, ASP.NET acts with its own configured account.

  4. Finally, the identity from step 3 is used to request resources from the operating system. If all the necessary resources can be obtained, the user's request is granted; otherwise, it is denied.

Configuring Windows Authentication

The Windows authentication provider allows you to authenticate users based on their Windows accounts. To enable Windows authentication, you use the following entry in the web.config file for the application:

 <authentication mode="Windows" /> 

This provider uses IIS to perform the actual authentication and then passes the authenticated identity to your code. IIS offers four authentication methods:

  • Anonymous If you select anonymous authentication, IIS does not perform any authentication and anyone is allowed access to the ASP.NET application.

  • Basic If you select basic authentication, users must provide a Windows username and password to connect. However, this information is sent across the network in clear text, making basic authentication dangerously insecure on the Internet. One advantage of basic authentication is that it's supported by most Web servers, proxy servers, and Web browsers.

  • Digest If you select digest authentication, users must still provide a Windows username and password to connect. However, the password is hashed (scrambled) before being sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that Windows accounts be stored in Active Directory.

  • Integrated If you select Windows integrated authentication, passwords never cross the network. Users must still have a Windows username and password, but either the Kerberos or challenge/response protocols are used to authenticate the user. Windows integrated authentication requires that all users be running Internet Explorer 3.01 or later.

Passport Authentication

The Microsoft .NET Passport is an online service (www.passport.net) that enables users to use a single email address and a password to sign in to any .NET Passport-participating Web site or service. Users can create free Passport accounts by registering at any .NET Passport-participating Web site or by using the Windows XP/2003 .NET Passport Registration Wizard.

Passport uses an encrypted cookie mechanism to indicate authenticated users. If users have already signed in to Passport when they visit your site, they are considered authenticated by ASP.NET. Otherwise, they are redirected to the Passport servers to log in. To enable Passport authentication, you use the following entry in the web.config file for the application:

 <authentication mode="Passport" /> 

More information on using .NET Passport with your application can be found at www.microsoft.com/net/services/passport.

Forms Authentication

Forms authentication provides a way to handle authentication using your own custom logic in an ASP.NET application. With forms authentication, the logic of the application is as follows:

  1. When a user requests a page from the application, ASP.NET checks for the presence of a special session cookie.

  2. If the cookie is present, the request is processed. Otherwise, ASP.NET redirects the user to a Web form you provide.

  3. You can carry out whatever authentication checks you want in your form. When the user is authenticated, you indicate this to ASP.NET, which creates the special session cookie to handle subsequent requests.

The following steps show how to implement forms authentication in an ASP.NET Web application:

  1. Open Visual Studio .NET and create a new blank solution named 315C16 at c:\inetpub\wwwroot\ExamCram. (You might need to change the directory based on your configuration.)

  2. Add a new Visual C# ASP.NET Web Application project at the following location: http://localhost/ExamCram/315C16/Example16_1.

  3. Add a new Web form (frmLogin) to the application. Place a Label control that displays a message asking the user whether she wants to log in, two RadioButton controls (rbYes and rbNo, with a GroupName of LogIn), and a Button control (btnSubmit) on the form.

  4. Switch to Code view and add the following using directive:

     using System.Web.Security; 
  5. Add this code to handle the Button control's Click event:

     private void btnSubmit_Click(object sender, System.EventArgs e)
     {
         if(rbYes.Checked)
             FormsAuthentication.RedirectFromLoginPage("Admin", false);
     }
  6. Edit the web.config file to replace both the <authentication> and <authorization> elements as follows:

     <authentication mode="Forms">
         <forms loginUrl="frmLogin.aspx" name="315C16" timeout="1" />
     </authentication>
     <authorization>
         <deny users="?" />
     </authorization>
  7. Set WebForm1.aspx as the start page and run the application. Instead of WebForm1, the browser displays the custom login form. To proceed further, you must select the Yes radio button and click the Submit button.

Of course, in a real application, you'd likely implement a more sophisticated authentication scheme than just making users select a radio button. You might, for example, store usernames and IP addresses in a database and allow only users who connect from their registered IP addresses. Or you might develop a Web service that allows authenticating users over the Internet.

By default, in the web.config file, the <authorization> element contains <allow users="*" /> .

With that authorization setting, ASP.NET allows all users, even unauthenticated users, access to application resources. The * wildcard matches any user. For the previous example, I changed this to a deny element, like so:

 <deny users="?" /> 

The ? wildcard matches only unauthenticated users. The net effect is to allow authenticated users access to all resources, while denying unauthenticated users access to any resources.

The <forms> element contains the URL of the form to use for login authentication, the name of the cookie to use, and a timeout that controls how long a user can work with the application before being directed back to the login page. (The previous example sets this to the very low value of 1 minute for testing.)

When the user is authenticated, the form calls the RedirectFromLoginPage() method of the FormsAuthentication object. The two parameters to this method are the name of the authenticated user and a Boolean value that controls whether to save a permanent (cross-session) cookie. If the second parameter is false, the cookie is stored in memory and only for the length of the browser session.
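The paragraph after step 7 suggests a more sophisticated check than a radio button. The following code-behind is an added example, not from the book: it validates a username and password against a store of hashed passwords before calling RedirectFromLoginPage(), so the cookie is issued for the validated name rather than a hard-coded "Admin". The control names (txtUser, txtPassword, chkPersist, lblMessage) and the two sample accounts are assumptions for this example.

```csharp
using System;
using System.Collections;
using System.Web.Security;
using System.Web.UI.WebControls;

// Hashed-credential store, constructed for this example (a real application loads it
// from a database). The 1.x helper yields an unsalted SHA1 hex digest, the format that
// <credentials passwordFormat="SHA1"> expects; prefer a salted, slow hash where available.
public class LoginValidator
{
    private readonly Hashtable hashes = new Hashtable();
    public LoginValidator()
    {
        AddUser("Admin", "correct horse battery staple");   // sample accounts
        AddUser("Reader", "reader-password-1");
    }
    public void AddUser(string name, string password)
    {
        hashes[name.ToLower()] = Hash(password);
    }
    // True only when the account exists and the hash of the supplied password matches.
    public bool Validate(string name, string password)
    {
        if (name == null || password == null) return false;
        string stored = hashes[name.ToLower()] as string;
        return stored != null && stored == Hash(password);
    }
    private static string Hash(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }
}

// Code-behind for a login form with txtUser, txtPassword, chkPersist and lblMessage
// controls (assumed names) instead of the rbYes/rbNo radio buttons.
public class LoginPage : System.Web.UI.Page
{
    protected TextBox txtUser, txtPassword;
    protected CheckBox chkPersist;
    protected Label lblMessage;
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (new LoginValidator().Validate(txtUser.Text, txtPassword.Text))
            // Cookie for the validated name; second argument selects a persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersist.Checked);
        else
            lblMessage.Text = "Invalid username or password.";   // one generic message
    }
}
```

The same <authentication mode="Forms"> and <deny users="?" /> settings from step 6 apply unchanged; only the login form's own check differs.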


To disable authentication for an application, you add the following element to its configuration file:

  <authentication mode="None" />  

Configuring Authorization

After your application has authenticated users, you can authorize their access to resources.

Implementing Impersonation

ASP.NET impersonation is controlled by entries in the applicable web.config file. The default setting is no impersonation, but you can explicitly specify this setting by including this element in the file:

 <identity impersonate="false"/> 

With this setting, ASP.NET does not perform user impersonation. What does that mean? It means that ASP.NET always runs with its own privileges. By default, ASP.NET runs as an unprivileged account named machine, but you can change this by making a setting in the <processModel> element of machine.config. This setting can be changed only in machine.config, so any change applies to every site on the server when the ASP.NET worker process is restarted. To use a high-privilege system account instead of a low-privilege account, set the userName attribute of the <processModel> element to "SYSTEM".

The second possible setting is to turn on impersonation, like so:

 <identity impersonate="true"/> 

In this case, ASP.NET takes on the identity passed to it by IIS. If you're allowing anonymous access in IIS, ASP.NET impersonates the IUSR_ComputerName account that IIS itself uses. If you're not allowing anonymous access, ASP.NET takes on the credentials of the authenticated user and makes requests for resources as if it were that user.

Finally, you can specify a particular identity to use for all authenticated requests, as shown here:

 <identity impersonate="true" userName="DOMAIN\username" password="password"/> 

With this setting, all requests are made as the specified user (assuming that the password in the configuration file is correct).

Using Role-based Authorization

You can also use Windows's own security mechanisms to authorize access to resources after you've authenticated a user. For example, you can give a Windows account permissions to log on to a SQL Server or open a particular file. These permissions can be granted to the ASP.NET user (if you're not using impersonation) or to individual domain users or groups (if you are using impersonation).

But you can also control access to resources directly in your .NET code using role-based security. Role-based security revolves around two interfaces: IIdentity and IPrincipal . For applications that use Windows accounts in role-based security, these interfaces are implemented by the WindowsIdentity and WindowsPrincipal objects, respectively.

The WindowsIdentity object represents the Windows user who is running the current code. The properties of this object allow you to retrieve information such as the username and the user's authentication method.

One way to manage role-based security is to use the IsInRole() method of the WindowsPrincipal object to determine whether the current user is in a specific Windows group. The results of this method call can be used to modify your application's user interface or perform other tasks. For example, the following code segment verifies the role membership in the administrators group:

 // These directives belong at the top of the code-behind file
 using System.Security.Principal;
 using System.Threading;

 // Tell the CLR to use Windows security
 AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
 // Get the current principal object
 WindowsPrincipal prin = (WindowsPrincipal)Thread.CurrentPrincipal;
 // Determine whether the user is an admin
 Boolean admin = prin.IsInRole(WindowsBuiltInRole.Administrator);
 // Display the results on the UI
 if(admin)
    lblMembership.Text = "You are in the Administrators group";
 else
    lblMembership.Text = "You are not in the Administrators group";

The three available overloaded forms of the IsInRole() method are as follows:

  • IsInRole(WindowsBuiltInRole) Uses one of the WindowsBuiltInRole constants to check for membership in the standard Windows groups.

  • IsInRole(String) Checks for membership in a group with the specified name.

  • IsInRole(Integer) Checks for membership in a group by using the specified role identifier (RID). RIDs are assigned by the operating system and provide a language-independent way to identify groups.



MCAD Developing and Implementing Web Applications with Visual C#. NET and Visual Studio. NET (Exam [... ]am 2)
ISBN: 789729016
Year: 2005
Pages: 191