Chapter 7. Security


IN THIS CHAPTER

  • Identity and Principal

  • Windows Authentication

  • Forms Authentication

  • Passport Authentication

  • File Authorization

  • URL Authorization

  • Custom Roles with Forms Authentication

  • Pulling It All Together

  • Impersonation

  • Class Reference

ASP.NET offers a number of ways to secure your Web application. Securing a Web application usually breaks down into two tasks: authentication and authorization.

Authentication is the process of determining who the user is. This is frequently done by requiring users to first indicate who they are by providing a name or e-mail address. Second, users are frequently required to provide some shared secret, which theoretically only they know. The most common example of a shared secret is a password. The combination of the name and shared secret is then compared against some store containing user information. This combination of a username and password is frequently referred to as a set of credentials. If the provided credentials match the information in the store, the user is deemed authentic and is allowed access to the application. If the information does not match, the user is typically given another chance to provide valid credentials. ASP.NET includes three implementations of authentication schemes: Windows, Forms, and Passport.

The other task, authorization, is the process of determining what resources users should have access to after they have been authenticated. This process is typically performed by comparing a list of roles applicable to the authenticated user against a list of roles that are required for access to a particular resource. These resources could be Web pages, graphics, or pieces of information from a database. ASP.NET includes two implementations of authorization schemes: file and URL.



C# Developer's Guide to ASP.NET, XML, and ADO.NET
ISBN: 672321556
EAN: N/A
Year: 2005
Pages: 103
