Authentication and Authorization


To secure the Website, authentication is used to verify that the user has a valid logon, while authorization checks whether the user who was authenticated is allowed to use the resource.

ASP.NET offers Windows and Forms authentication. The most commonly used authentication technique for Web applications is Forms authentication, which is covered here. ASP.NET 2.0 also adds several new features for Forms authentication. Windows authentication uses Windows accounts and IIS to authenticate the users.

ASP.NET 2.0 has many new classes for user authentication. Figure 18-12 shows the structure of the new architecture. With ASP.NET 2.0, new security controls such as Login and PasswordRecovery are available. These controls make use of the Membership API. With the Membership API, it is possible to create and delete users, validate logon information, or get information about currently logged-in users. The Membership API itself makes use of a membership provider. With ASP.NET 2.0, different providers exist to access users in an Access database, a SQL Server database, or Active Directory. It is also possible to create a custom provider that accesses an XML file or any other custom store.

Figure 18-12
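The following code-behind is an added example, not code from the book, showing the Membership API calls the paragraph lists (validating a logon, creating an account) together with Forms authentication. It assumes a login page whose markup declares TextBox controls named UserName and Password and a Label named Message; the method names are illustrative.

```csharp
// Added example (not from the book): login page code-behind using the ASP.NET 2.0
// Membership API and Forms authentication. Control names are assumptions; the
// designer-generated partial class is assumed to declare them.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Validates the logon against whichever membership provider web.config
    // selects (SQL Server Express, Access, Active Directory or a custom one)
    // and issues the Forms authentication ticket on success.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // Writes the authentication cookie and sends the user back to the
            // page that <deny users="?" /> blocked. A non-persistent cookie
            // (second argument false) expires with the browser session.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password, so the page
            // does not reveal which accounts exist.
            Message.Text = "Logon failed.";
        }
    }

    // Creates an account through the same provider the Security Setup Wizard
    // uses. The provider's status is returned so a caller can tell a duplicate
    // user name from a password that fails the provider's strength rules.
    // Passing null for question/answer only works when the provider's
    // requiresQuestionAndAnswer setting is false.
    public static MembershipCreateStatus CreateAccount(
        string userName, string password, string email)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email, null, null, true, out status);
        return status;
    }

    // Membership.GetUser() with no arguments returns the currently
    // authenticated user, or null for an anonymous request.
    public static bool IsCurrentUserApproved()
    {
        MembershipUser user = Membership.GetUser();
        return user != null && user.IsApproved;
    }
}
```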

Authentication Configuration

In this chapter Forms authentication with a Membership provider will be demonstrated. In the following Try It Out, you configure security for the Web application and assign different access lists to different folders.

Try It Out – Security Configuration

  1. Open the previously created Web application EventRegistrationWeb using Visual Studio 2005.

  2. Create a new folder named Intro by selecting the Web directory in the Solution Explorer and then selecting New Folder from the Website menu. This folder will be configured so that all users can access it, while the main folder is only accessible to authenticated users.

  3. Start the ASP.NET Web Application Administration tool by selecting ASP.NET Configuration from the Visual Studio 2005 Website menu.

  4. Select the Security tab, as shown in Figure 18-13.

    Figure 18-13

  5. Click the link to the Security Setup Wizard. In the Welcome Screen click the Next button. From step 2 of the wizard, select the access method From the Internet, as shown in Figure 18-14.

    Figure 18-14

  6. Clicking the Next button takes you to step 3, with information about the configured provider (see Figure 18-15). The default provider is SQL Server Express, where the user accounts are stored in a SQL Server database. This configuration cannot be changed in the Wizard mode, but you can change it afterward.

    Figure 18-15

  7. Click the Next button two times, which takes you to step 5, where you add new users. Create a new account, as shown in Figure 18-16.

    Figure 18-16

  8. After one user is successfully created, click the Next button for step 6 of the Wizard (see Figure 18-17). Here, you can configure which users are allowed or denied access to the Website or to specific directories. Add a rule to deny anonymous users. Next, select the directory Intro and add a rule to allow anonymous users. Then click the Next button and finally the Finish button. Figure 18-18 shows the Security tab after the Security Setup Wizard is finished.

    Figure 18-17

    Figure 18-18

How It Works

After you complete the security configuration, a new Access database is created. Having refreshed the files in the Solution Explorer, you can see a new directory named Application_Data, which contains the Access database AspNetDB.mdb. This database contains tables that are used by the Access Membership provider.

Now, along with the Web application, you will also see the configuration file web.config. This file contains the configuration for Forms authentication because authentication across the Internet was selected, and the <authorization> section denies access to anonymous users. If the Membership provider is changed, the new provider would be listed in the configuration file. Because the Access provider is the default provider that is already defined with the machine configuration file, there is no need for it to be listed here.

   <?xml version="1.0" encoding="utf-8"?>
   <configuration>
     <system.web>
       <authorization>
         <deny users="?" />
       </authorization>
       <authentication mode="Forms" />
     </system.web>
   </configuration>

Within the subfolder Intro, you can see another configuration file, web.config. The authentication section is missing from this configuration file, because the authentication configuration is taken from the parent directory. However, the authorization section is different. Here anonymous users are allowed with <allow users="?" />.

   <?xml version="1.0" encoding="utf-8"?>
   <configuration>
     <system.web>
       <authorization>
         <allow users="?" />
       </authorization>
     </system.web>
   </configuration>
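As an added example (not one of the book's files), the same policy can be written in the root web.config alone using a location element; the comments point out the rule-ordering behaviour that decides whether the deny rule ever applies. The loginUrl value is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the book's web.config: the two files above merged into
     the root configuration. The Intro path is the folder the chapter creates. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is an assumption here; Forms authentication redirects
           unauthenticated requests to this page. -->
      <forms loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins. ASP.NET
           appends an implicit <allow users="*" /> after the last rule, so a
           deny that is listed after an allow-all is never reached. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Equivalent of Intro/web.config: rules for the more specific path are
       checked before the parent's rules, so anonymous users get in here. -->
  <location path="Intro">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Shown only for contrast, kept commented out: with this ordering the
       allow-all matches every request first, and the whole site stays open.
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
  -->
</configuration>
```

When checking a deployed site, read the effective rules for each folder in this order (most specific folder first, then parents) rather than the root file alone.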
Beginning Visual C# 2005
ISBN: B000N7ETVG
Year: 2005
Pages: 278