An overview of authentication security features in ASP.NET
Narcisio Tumushabe, TAN Guan-zheng
Abstract: This article discusses the authentication features of ASP.NET that support security when designing a server application. Both Microsoft Internet Information Services (IIS) and ASP.NET provide security models that allow web developers to authenticate their users appropriately and obtain the correct security context within the application. The three forms of authentication covered are Forms-based, Passport and Windows authentication. The article is limited to these three areas.
Key words: Forms-based; Passport; Windows authentication
CLC number: TP 393108 Document code: A Article ID: 1000-1646(2003)03-0250-05
Security is one of the primary concerns for both developers and application architects. As there are lots of different types of websites with varying security needs, developers need to know how the security works and choose the appropriate security model for their applications. Some websites collect no information from their users and publish information that is available widely, such as a search engine. Other sites may need to collect sensitive information from their users, like credit card numbers. These websites need a much stronger security implementation to avoid malicious attacks from external entities.
1 Fundamental Operations of ASP.NET Security
Security in the context of an ASP.NET application involves three fundamental operations, namely Authentication, Authorization and Impersonation. Authentication is the process of validating the identity of a user in order to allow or deny a request. This involves accepting credentials (e.g. username and password) from the user and validating them against a designated authority. After the identity is verified and validated, the user is considered legitimate and the resource request is fulfilled. Future requests from the same user ideally are not subject to the authentication process until the user logs out of the web application. Authorization is the process of ensuring that users with a valid identity are allowed to access only specific resources. Impersonation is the process that enables an application to act under the identity of the user, and in turn make requests to other resources under that identity. Access to those resources is granted or denied based on the identity that is being impersonated.
2 Authentication in ASP.NET
Authentication is one of the foremost features of a web application's security. In ASP.NET, authentication is done at two levels. [2] First, Internet Information Server (IIS) performs the required authentication, then passes the request on to ASP.NET, as described in Figure 1. For an ASP.NET application, the underlying web server is IIS; therefore, every ASP.NET application can continue to leverage the security options provided by IIS. When the user requests a specific resource on the system, that request first reaches IIS. IIS authenticates the user requesting the resource and then hands off the request, together with the security token of the authenticated user, to the ASP.NET worker process. The ASP.NET worker process then decides whether or not to impersonate the authenticated user supplied by IIS. If impersonation is enabled in the configuration settings in the Web.config file, the ASP.NET worker process impersonates the authenticated user; otherwise, the thread runs under the ASP.NET worker process identity. Finally, ASP.NET checks whether the authenticated user is authorized to access the requested resource. If so, ASP.NET serves the request; otherwise it sends an "access denied" error message back to the user.
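The configuration settings referred to above live in the application's Web.config. The fragment below is an added example, not taken from the article: it selects Forms-based authentication, enables impersonation so the worker thread runs as the IIS-authenticated user, and denies anonymous users everywhere except the login page. The page name login.aspx and the cookie name are assumptions; the `requireSSL` attribute exists from ASP.NET 1.1 onwards.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Mode is one of: Windows (IIS supplies the identity), Forms,
         Passport or None. Here the application validates credentials
         itself and issues a ticket in an authentication cookie. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"        
             loginUrl="login.aspx"   
             protection="All"       
             timeout="30"           
             path="/"               
             requireSSL="true" />   
    </authentication>

    <!-- Impersonate the identity IIS authenticated; set to "false" to
         run requests under the worker process identity instead. -->
    <identity impersonate="true" />

    <!-- "?" is the anonymous user. Denying it here forces a redirect
         to loginUrl for any request without a valid ticket. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page itself must stay reachable by anonymous users,
       otherwise no one can ever obtain a ticket. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this configuration IIS should allow anonymous access to the virtual directory, since the application, not IIS, is the designated authority for credentials; switching `mode` to "Windows" and enabling Integrated Windows authentication in IIS hands that role back to IIS.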