You learned about a lot of security topics today. In ASP.NET, security is implemented in three stages. First there is authentication, which ensures that users are who they say they are. Authorization controls access to resources. And impersonation allows ASP.NET to use Windows access control lists (ACLs) to control access.

Authentication is implemented in three different ways: Windows, Forms, and Passport. Windows authentication relies on IIS to authenticate users, and it can be accomplished using three separate methods: basic, digest, and integrated Windows (also known as NTLM). The basic method simply sends user credentials across the network unencrypted, whereas the digest method encrypts the credentials first. Integrated Windows authentication requires that both the server and the client run Windows; it sends the user's Windows logon information across the network without prompting the user for credentials. Forms authentication allows developers to build custom authentication mechanisms, with help from the built-in FormsAuthentication object. Passport authentication is a centralized authentication service provided by Microsoft that requires a subscription and a fee.

Authorization is implemented in two different ways: file authorization and URL authorization. The former relies on Windows access control lists to determine user permissions at the file and directory level. URL authorization maps users and roles to the directories specified in the requested URL. The deny and allow elements in web.config control which users have access to which resources, and the location element provides additional granularity in controlling access.

Impersonation allows ASP.NET to take on the identity of its users. This allows it to use Windows ACLs to control access, thereby letting you implement security with a minimal amount of coding.
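To make the URL authorization rules concrete, here is an added example (not code from the book) that evaluates allow/deny rules from a constructed web.config the way ASP.NET does: rules from a matching location element are checked before the site-wide rules, and the first matching rule wins. The template, the Admin location and the user and role names are all made up for this illustration, and the comparison shows why placing allow users="*" before deny users="?" leaves a site open to anonymous users.

```python
import xml.etree.ElementTree as ET

def sample_config(site_rules):
    """Constructed web.config (not from the book); site-wide rules are a parameter
    so the effect of rule ordering can be compared."""
    return f"""<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>{site_rules}</authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(node):
    """(verb, users, roles) from node's <system.web>/<authorization>, in document order.
    ASP.NET compares names case-insensitively, so everything is lower-cased."""
    auth = node.find("system.web/authorization")
    csv = lambda el, a: {s.strip().lower() for s in el.get(a, "").split(",") if s.strip()}
    return [(el.tag, csv(el, "users"), csv(el, "roles"))
            for el in (auth if auth is not None else []) if el.tag in ("allow", "deny")]

def effective_rules(root, path):
    """Rules from the most specific matching <location> first, then the site-wide
    rules: the merge order ASP.NET uses (child settings precede inherited ones)."""
    p, rules = path.lower(), []
    for loc in sorted(root.findall("location"), key=lambda l: -len(l.get("path", ""))):
        lp = loc.get("path", "").lower().rstrip("/")
        if p == lp or p.startswith(lp + "/"):
            rules.extend(_rules(loc))
    return rules + _rules(root)

def is_allowed(config_xml, path, user, roles=()):
    """First matching rule wins. '?' matches anonymous users, '*' matches everyone; if
    nothing matches, the implicit <allow users="*" /> inherited from machine.config applies."""
    root, anon, roles = ET.fromstring(config_xml), user is None, {r.lower() for r in roles}
    for verb, users, rroles in effective_rules(root, path):
        if ("*" in users or ("?" in users and anon)
                or (not anon and user.lower() in users) or (rroles & roles)):
            return verb == "allow"
    return True

SECURE = sample_config('<deny users="?" /><allow users="*" />')
MISORDERED = sample_config('<allow users="*" /><deny users="?" />')  # deny is never reached
```

The path matching here is a simplified prefix check; real ASP.NET resolves virtual paths and also honours per-directory web.config files, which this example does not model.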