Chapter 11. Forms-Based Security


Back in the primitive days of personal computing, when each user's computer stood alone and isolated, security was not such a big deal. Until computers became networked and viruses were let loose as a scourge on the Internet, security for most PCs meant screen-saver passwords and a lock on the office door.

All that has changed. Today's computers are interconnected in myriad ways, on local networks and over the Internet. The pipes of data that connect your machine to the rest of the world are tremendously beneficial, but at the same time potentially harmful, opening your machine to outsiders. Some of those outsiders are malicious or just plain unwelcome. In any case, it is the job of security to let the good stuff in and keep the bad stuff out.

As part of the .NET Framework, ASP.NET 2.0 has a robust security infrastructure. ASP.NET is designed to work with Microsoft Internet Information Server (IIS), Windows 2000/XP/2003, and the NTFS filesystem. Consequently, there is tight integration with the security provided inherently in those environments. If you are on an intranet and are certain that all your clients will be using Windows and Internet Explorer, there are features you can use to make your job as a software developer easier. Alternatively, you can implement your security system independent of Windows and NTFS using the new forms-based security controls.

The fundamental role of security in ASP.NET is to restrict access to portions of a web site. It does this through the following methods:

Authentication
    Verifying that a client is who he says he is.

Authorization
    Determining whether the client has permission to access the resource he is requesting.

Impersonation
    ASP.NET assumes the role of the user gaining access, limiting system access to that which is allowed to the user.

Delegation
    A more powerful form of impersonation that allows remote resources to be accessed by the web server while it is impersonating the client.

The decision to allow or deny access is made either by relying on Windows 2000/XP/2003 and NTFS security features in conjunction with IIS, or by verifying credentials against a security database. ASP.NET 2.0 makes creating a security database simple, setting up all the tables you need for authentication and authorization and for personalization and role-based access.

Security in ASP.NET is a two-layered process, as shown in Figure 11-1. All web requests are first handled by IIS. This gives IIS security a chance to accept or reject the request. If the request is accepted by IIS, it will be passed to ASP.NET, where it will be again subjected to a security decision and accepted or rejected. The security systems of IIS and ASP.NET are independent of each other. They can be used independently or in coordination, as will be described later in this chapter.

Figure 11-1. Security overview
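As an added illustration (not code from the book), the following web.config fragment shows where the authentication and authorization pieces described above are configured for ASP.NET 2.0 forms-based security; the Login.aspx page, the Admin folder and the Admin role are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for ASP.NET 2.0 forms-based security.
     Login.aspx, the Admin folder and the Admin role are assumed names. -->
<configuration>
  <system.web>
    <!-- Authentication: establishes who the client is. Forms mode sends
         unauthenticated requests to Login.aspx instead of relying on
         IIS/Windows accounts. The ticket is encrypted and signed
         (protection="All") and only sent over HTTPS (requireSSL="true"). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             timeout="30"
             slidingExpiration="false"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Authorization for the whole site: "?" means the anonymous user, so
         every page requires a successful login. Rules are evaluated top
         to bottom and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Role-based access draws on the security database ASP.NET 2.0
         sets up for you. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Authorization for one folder: only members of the Admin role get in;
       the closing deny="*" rejects everyone else, authenticated or not. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The IIS layer still runs first: IIS must permit anonymous access to the application so that the request reaches ASP.NET, where these forms rules are applied.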



Programming ASP.NET
Programming ASP.NET 3.5
ISBN: 0596529562
Year: 2003
Pages: 173
