Security Configuration


Together, the .NET Framework and IIS manage ASP.NET security. The ASP.NET configuration file, web.config, contains a hierarchical structure of global data, of which security information is a part (see Chapter 12, "XML and SOAP"). Listing 15.1 shows an example of the security section of the web.config file.

Listing 15.1 A Sample Security Section of web.config
01: <authentication mode="[Windows/Forms/Passport/None]">
02:  <forms name="[name]" loginUrl="[url]" >
03:   <credentials passwordFormat="[Clear, SHA1, MD5]">
04:    <user name="[UserName]" password="[password]"/>
05:   </credentials>
06:  </forms>
07:  <passport redirectUrl="internal" />
08: </authentication>
09:
10: <authorization>
11:  <allow users="[comma separated list of users]"
12:    roles="[comma separated list of roles]"/>
13:  <deny  users="[comma separated list of users]"
14:    roles="[comma separated list of roles]"/>
15: </authorization>
16:
17: <identity impersonate="[true/false]"/>

Listing 15.1 is not a usable security hierarchy, but it does demonstrate the possible values for security. Following is a description of each of the security settings.

  • Line 1: authentication mode

    This determines the type of authentication used for the ASP.NET application. Windows is the default value. Other values are Forms, Passport, and None.

  • Line 2: forms

    When the authentication mode is set to Forms, this element defines the cookie used by the client. The name is the identifier given to the cookie. ASP.NET will look for this cookie when authenticating a user. The loginUrl is the path to which unauthenticated users are redirected. This is a forms-based page where users can supply their credentials, such as their username and password.

  • Line 3: credentials passwordFormat

    Usernames and passwords can be listed in the <credentials> section of the web.config file. The passwordFormat attribute is used to define the hashing algorithm used on the passwords. Three passwordFormat values are available:

    MD5 Passwords are stored using an MD5 hash digest. When credentials are validated, the user password will be hashed using the MD5 algorithm and compared for equality with this value. The clear text password is never stored or compared when using this value. Use this algorithm for best speed as compared to SHA1.

    SHA1 Passwords are stored using the SHA1 hash digest. When credentials are validated, the user password will be hashed using the SHA1 algorithm and compared for equality with this value. The clear text password is never stored or compared when using this value. Use this algorithm for best security.

    Clear Passwords are stored in clear text. The user password is compared directly against this value without further transformation.

  • Line 4: username and password

    Usernames and passwords can be defined in the web.config file. Each user is defined with a new <user> child element of the <credentials> element. Users can also be defined in a separate data source, such as a database table.

  • Line 7: passport redirectUrl

    When the authentication mode is set to Passport, this element defines the redirect URL that an unauthenticated user is sent to when requesting a restricted resource.

  • Line 10: authorization

    The authorization element contains optional values for defining which users or roles are granted access to a resource.

  • Lines 11 and 12: allow users and roles

    The <allow> element defines which users may be granted access to a particular resource or set of resources. The default value is "*" (all users). You can also define a set of usernames, separated by commas, with the users attribute. The roles attribute enables you to define a set of roles, separated by commas, which may be given access to the requested resource.

  • Lines 13 and 14: deny users and roles

    The <deny> element works the same as the <allow> element. To deny all users, set the users attribute to "*". To deny only unauthenticated users, set the users attribute to "?".

  • Line 17: identity

    The <identity> element contains a boolean value for enabling impersonation. Impersonation enables the ASP.NET process to execute with the identity of a given user.
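To make the <credentials> check and the <allow>/<deny> semantics concrete, here is an added Python example (not code from the book or from ASP.NET) that loads a constructed, usable version of the security section, validates a Forms login the way passwordFormat prescribes, and evaluates the authorization rules in document order. The hash helper mirrors ASP.NET's FormsAuthentication.HashPasswordForStoringInConfigFile (UTF-8 bytes, upper-case hex); the user names, roles and password are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: a usable version of the section Listing 15.1 sketches; alice's stored value is the SHA1 of "password"
WEB_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx">
      <credentials passwordFormat="SHA1">
        <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
      </credentials>
    </forms>
  </authentication>
  <authorization>
    <allow roles="admins"/>
    <deny users="?"/>
    <allow users="alice,bob"/>
    <deny users="*"/>
  </authorization>
</system.web></configuration>"""
CONFIG = ET.fromstring(WEB_CONFIG)

def hash_for_config(password, password_format):
    """Mirror FormsAuthentication.HashPasswordForStoringInConfigFile (UTF-8 bytes, upper-case hex)."""
    if password_format.lower() == "clear":
        return password  # Clear: the password itself is the stored value
    digest = {"sha1": hashlib.sha1, "md5": hashlib.md5}[password_format.lower()]
    return digest(password.encode("utf-8")).hexdigest().upper()

def validate_credentials(config, name, password):
    """Check a Forms login against <credentials>, transforming the password per passwordFormat."""
    creds = config.find(".//authentication/forms/credentials")
    fmt = creds.get("passwordFormat", "SHA1")  # SHA1 is ASP.NET's default
    stored = {u.get("name").lower(): u.get("password") for u in creds.findall("user")}
    expected = stored.get(name.lower())
    if expected is not None and fmt.lower() != "clear":
        expected = expected.upper()  # a stored hex digest may be written in either case
    return expected is not None and hmac.compare_digest(expected, hash_for_config(password, fmt))

def is_authorized(config, user, roles):
    """Evaluate <allow>/<deny> top-down; the first matching rule decides. user=None is an anonymous request;
    '*' matches everyone, '?' only anonymous users. No match falls through to the machine-level default (allow)."""
    roles = {r.lower() for r in roles}
    for rule in config.find(".//authorization"):
        users = {x.strip().lower() for x in rule.get("users", "").split(",") if x.strip()}
        rule_roles = {x.strip().lower() for x in rule.get("roles", "").split(",") if x.strip()}
        if ("*" in users or ("?" in users and user is None)
                or (user is not None and user.lower() in users) or roles & rule_roles):
            return rule.tag == "allow"
    return True
```

Reordering the rules changes the outcome: with <deny users="*"/> placed first, even alice and the admins role would be refused, which is why the deny-all rule belongs last.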



Programming Data-Driven Web Applications with ASP.NET
ISBN: 0672321068
Year: 2000
Pages: 170
