ASP.NET still relies on Internet Information Services (IIS) to receive Web requests. ASP.NET is layered on top of IIS as an ISAPI extension (aspnet_isapi.dll), much as ASP.old was, which means that ASP.NET participates in the IIS security model: IIS decides who the caller is before ASP.NET ever sees the request.
Before ASP.NET is called on to execute a page, IIS must be satisfied that the user has permission to request it. This check uses any of the standard mechanisms built into IIS: Basic authentication, Digest authentication, or Integrated Windows authentication (NTLM or Kerberos).
When a user first requests a page that requires authentication, IIS returns an HTTP 401 response (IIS labels it Access Denied; the HTTP/1.1 reason phrase is Unauthorized). The response carries one or more WWW-Authenticate headers naming the schemes IIS will accept, which tells the browser to collect credentials and send them in an Authorization header on the next request. With Integrated Windows authentication the handshake can take more than one round trip; with Basic authentication the browser sends the username and password base64-encoded, not encrypted, so Basic should only be enabled on sites served over SSL. After IIS receives the credentials it validates them against the local account database or the domain, and if they match, the request is handed to ASP.NET and the page is executed.
ASP.NET lets the developer work with the result of these built-in Windows authentication mechanisms through the WindowsPrincipal and WindowsIdentity classes mentioned earlier.
When you create a Web application using Visual Studio .NET or the Internet Services Manager, anonymous access is enabled for the site by default. To force IIS to authenticate all requests aimed at a directory, disable anonymous access on that directory and leave at least one authenticated method enabled. IIS will then validate the user against the Windows account database. If anonymous access is left enabled, IIS never challenges the browser, and ASP.NET sees every request as unauthenticated.
To make ASP.NET do its part, the authentication section of the application's web.config file must be set to Windows, as follows (Windows is also the default in machine.config, but stating it in web.config makes the intent explicit):
<authentication mode="Windows" />
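The authentication element on its own does not refuse anyone; it only tells ASP.NET to use the token IIS established. The following web.config is an added example, not one of the book's listings, showing the authorization rules that close the gap when anonymous access is still enabled in IIS: the UrlAuthorizationModule answers anonymous requests with a 401, and IIS then negotiates with the browser using whichever authenticated methods are enabled. The group name CORP\Web Admins is a placeholder.

```xml
<configuration>
  <system.web>
    <!-- Added example: consume the Windows token that IIS established -->
    <authentication mode="Windows" />

    <!-- Rules are evaluated top-down; the first match wins.
         "?" means anonymous users, "*" means all users. -->
    <authorization>
      <deny users="?" />
      <!-- Built-in groups use the BUILTIN\ prefix; domain or local groups use DOMAIN\ or MACHINE\.
           CORP\Web Admins is a placeholder name. -->
      <allow roles="BUILTIN\Administrators, CORP\Web Admins" />
      <deny users="*" />
    </authorization>

    <!-- Optional: run page code under the authenticated caller's token rather than the
         ASP.NET worker process account, so NTFS and registry ACLs apply to that user. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

Note that IsInRole() checks in page code and the roles attribute above consult the same group list, so a group renamed on the server silently stops matching; the BUILTIN\ form is also locale-dependent, which is why the WindowsBuiltInRole enumeration is preferable in code.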
With this setting in place, ASP.NET creates a WindowsPrincipal object for each authenticated request it receives and populates it with a WindowsIdentity. The groups the user belongs to are also loaded into the principal, allowing IsInRole() to test for role membership. The username placed into the WindowsIdentity has the form DOMAIN\UserName. The groups that IsInRole() checks for have the form DOMAIN\Group, with the exception of built-in groups such as Administrators: those have the form BUILTIN\Administrators, or alternatively you can use the WindowsBuiltInRole enumeration, which avoids hard-coding a group name that varies with the server's locale.
Listings 7.1 and 7.2 show a page that is executed after the user is authenticated. It uses the WindowsPrincipal object to
Check whether the user is authenticated
Get the username
Get the authentication method
Check whether the user is an administrator
Listing 7.1 The code-behind file (Default.aspx.cs)

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Security.Principal;

namespace Windows.Administrator
{
    /// <summary>
    /// Summary description for CDefault.
    /// </summary>
    public class CDefault : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Label lblIsAuthenticated;
        protected System.Web.UI.WebControls.Label lblAuthenticationType;
        protected System.Web.UI.WebControls.Label lblUserName;
        protected System.Web.UI.WebControls.Label lblAdministrator;

        public CDefault()
        {
            Page.Init += new System.EventHandler(Page_Init);
        }

        private void Page_Load(object sender, System.EventArgs e)
        {
            // The cast assumes <authentication mode="Windows" /> and an authenticated
            // request; for an anonymous request or another authentication mode
            // HttpContext.Current.User is a GenericPrincipal and the cast throws.
            WindowsPrincipal wp = (WindowsPrincipal) HttpContext.Current.User;

            // Check if the user is authenticated
            lblIsAuthenticated.Text = wp.Identity.IsAuthenticated.ToString();

            // Output the authentication type (for example NTLM, Kerberos, or Basic)
            lblAuthenticationType.Text = wp.Identity.AuthenticationType.ToString();

            // Output the user name, in DOMAIN\UserName form
            lblUserName.Text = wp.Identity.Name;

            // Is the user an administrator? Uses the enumeration rather than
            // the locale-dependent string BUILTIN\Administrators
            lblAdministrator.Text = wp.IsInRole(WindowsBuiltInRole.Administrator).ToString();
        }

        private void Page_Init(object sender, EventArgs e)
        {
            //
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            //
            InitializeComponent();
        }

        #region Web Form Designer generated code
        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion
    }
}
Listing 7.2 The page (Default.aspx)

<%@ Page language="c#" Codebehind="Default.aspx.cs" AutoEventWireup="false" Inherits="Windows.Administrator.CDefault" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
  <HEAD>
    <meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
    <meta name="CODE_LANGUAGE" Content="C#">
    <meta name="vs_defaultClientScript" content="JavaScript (ECMAScript)">
    <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
  </HEAD>
  <body>
    <form id="CDefault" method="post" runat="server">
      <P>
        I am an Administrator
      </P>
      <P>
        IsAuthenticated:
        <asp:Label id="lblIsAuthenticated" runat="server"></asp:Label>
      </P>
      <P>
        Authentication Type:
        <asp:Label id="lblAuthenticationType" runat="server"></asp:Label>
      </P>
      <P>
        User Name:
        <asp:Label id="lblUserName" runat="server"></asp:Label>
      </P>
      <P>
        Administrator?
        <asp:Label id="lblAdministrator" runat="server"></asp:Label>
      </P>
    </form>
  </body>
</HTML>
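Listing 7.1 casts HttpContext.Current.User directly, which is fine on a page that IIS only ever serves to authenticated users but throws an InvalidCastException for an anonymous request or under a different authentication mode. The helper below is an added example written for this page, not code from the book; it inspects the principal defensively, distinguishes the BUILTIN\ enumeration check from a DOMAIN\Group string check, records which token the worker thread is actually running under, and turns a failed role check into an explicit 403. The class names AuthSummary and WindowsAuthHelper and the group name CORP\Web Admins are assumptions.

```csharp
// Added example for this page; not one of the book's listings.
using System;
using System.Security.Principal;
using System.Web;

namespace Windows.Administrator
{
    // Snapshot of what ASP.NET knows about the caller (hypothetical class name).
    public sealed class AuthSummary
    {
        public bool IsWindowsPrincipal;
        public bool IsAuthenticated;
        public string UserName = "";
        public string AuthenticationType = "";
        public bool IsBuiltInAdministrator;
        public bool IsDomainGroupMember;
        public string ThreadIdentity = "";
    }

    public static class WindowsAuthHelper
    {
        // Inspect an IPrincipal (normally HttpContext.Current.User) without assuming
        // it is a WindowsPrincipal. domainGroup is a DOMAIN\Group or MACHINE\Group name.
        public static AuthSummary Describe(IPrincipal user, string domainGroup)
        {
            AuthSummary s = new AuthSummary();

            // WindowsIdentity.GetCurrent() is the token the page code runs under: the
            // worker process account, or the caller only when <identity impersonate="true" />.
            // It is NOT necessarily the HTTP user, so file ACLs may not match IsInRole() results.
            s.ThreadIdentity = WindowsIdentity.GetCurrent().Name;

            WindowsPrincipal wp = user as WindowsPrincipal;
            if (wp == null)
            {
                // Anonymous request or a non-Windows authentication mode: ASP.NET supplies
                // a GenericPrincipal (or null). Report what is there and stop.
                s.IsWindowsPrincipal = false;
                if (user != null && user.Identity != null)
                {
                    s.IsAuthenticated = user.Identity.IsAuthenticated;
                    s.UserName = user.Identity.Name;
                    s.AuthenticationType = user.Identity.AuthenticationType;
                }
                return s;
            }

            WindowsIdentity wi = (WindowsIdentity) wp.Identity;
            s.IsWindowsPrincipal = true;
            s.IsAuthenticated = wi.IsAuthenticated;        // false for an IIS anonymous (IUSR_*) request
            s.UserName = wi.Name;                          // DOMAIN\UserName
            s.AuthenticationType = wi.AuthenticationType;  // "NTLM", "Kerberos", "Basic", ...

            // Built-in group: the enumeration maps to the well-known SID, so it works
            // regardless of the server's locale, unlike the string "BUILTIN\Administrators".
            s.IsBuiltInAdministrator = wp.IsInRole(WindowsBuiltInRole.Administrator);

            // Domain or local group: checked by name in DOMAIN\Group form. A renamed or
            // missing group simply returns false rather than throwing.
            s.IsDomainGroupMember = wp.IsInRole(domainGroup);
            return s;
        }

        // Deny the request explicitly instead of trusting that IIS never served the page
        // to the wrong caller. Call from Page_Load before rendering anything sensitive.
        // Returns true when the caller is allowed, false after the response has been ended.
        public static bool RequireAdminOrGroup(HttpContext ctx, string domainGroup)
        {
            AuthSummary s = Describe(ctx.User, domainGroup);
            bool allowed = s.IsAuthenticated && (s.IsBuiltInAdministrator || s.IsDomainGroupMember);
            if (!allowed)
            {
                // 403 rather than 401: re-prompting for credentials will not help here.
                ctx.Response.StatusCode = 403;
                ctx.Response.End();
            }
            return allowed;
        }
    }
}

// Usage inside a page's Page_Load, with a placeholder group name:
//   if (!WindowsAuthHelper.RequireAdminOrGroup(HttpContext.Current, @"CORP\Web Admins")) return;
```

Response.End() stops the page by raising a ThreadAbortException, which is the conventional ASP.NET way to cut off output; the early return in the usage line is there so code after the check does not run if a caller swallows that exception.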