CMS Authentication and Authorization Process

As we have already seen, CMS processing involves several layers, as follows:

  • Browser

  • IIS and ISAPI filters

  • Worker process (ASP.NET worker process aspnet_wp.exe in IIS 5/Windows 2000, or Web worker process w3wp.exe in IIS 6/Windows 2003)

  • CMS Web application and Publishing API objects

  • CMS content server and the Content Repository database

Figure 19-1 shows the logical architecture of CMS page processing.

Figure 19-1. Logical architecture of CMS page processing


NOTE: For a detailed discussion of CMS page processing in different modes, refer to Chapter 11.

As a CMS request passes through multiple layers on the server side, it is authenticated and authorized. Authenticating and authorizing a CMS request takes multiple steps and involves several technologies; it makes use of both IIS and ASP.NET security mechanisms. The logical sequence of steps involved in CMS authentication and authorization is shown in Figure 19-2.

Figure 19-2. IIS and ASP.NET security mechanisms used in CMS authentication and authorization


A browser has a role to play as well. Within the CMS Web application, the authentication state information is stored in a CMS authentication cookie; if cookies are disabled or not supported in the browser, the CMS application may not function properly.

We will look into each layer, starting with reviewing IIS security because the CMS application may rely on IIS for initial authentication of the user. We will then concentrate on the ASP.NET settings for authentication, impersonation, and authorization, and how their use affects the CMS Web application. Then, we will focus on CMS user authentication and authorization, and discuss the configuration required for Windows authentication and forms-based authentication in the CMS Web application.

Authentication and Authorization

Authentication is the process of discovering and verifying the identity of a user, that is, confirming that the user actually is who they claim to be. An authenticated user is typically assigned a token that contains the user's current identity. Authentication only indicates that the user's identity has been verified and does not provide any resource access.

Authorization is the process of determining a user's ability to access specific resources; an authorized user has permissions to a resource. When a user requests access to this resource, the identity of the user is checked against a list of allowed users. Authorization cannot take place without the identity of the user and must follow authentication.

Microsoft Content Management Server 2002. A Complete Guide
ISBN: 0321194446
EAN: 2147483647
Year: 2003
Pages: 298