
Authentication and Authorization


Authentication establishes who the caller is; authorization decides what that caller, once identified (or left anonymous), is allowed to do. Both are fundamental parts of the ASP.NET security model.

One thing to notice about the ASP.NET authentication mechanism is that ASP.NET only sees requests for resources whose extensions are mapped to the ASP.NET ISAPI DLL (aspnet_isapi.dll): .aspx, .asmx, .ashx, .axd, .ascx and so on. Requests for images (GIF, JPEG, etc.), CSS or JavaScript files are served by IIS directly and never reach ASP.NET, so neither ASP.NET authentication (Forms Authentication, Windows Authentication or Passport) nor the <authorization> rules in web.config are applied to them; only IIS's own authentication settings and the NTFS permissions on the files protect them. If you want these resources to be secured by ASP.NET as well, add their extensions to the list of ASP.NET ISAPI mappings. This can be done from the Internet Information Services Manager (IIS Manager) by following these steps:

  1. Open IIS Manager (Start/Run, type inetmgr and press Enter)
  2. In the left-hand tree view, select the web application whose mappings you want to change
  3. Right-click the web application and select Properties
  4. Switch to the Home Directory tab and click Configuration
  5. On the Mappings tab, click Add and enter the extension (.js, .css, .jpg or .jpeg, for example) and the path to the ASP.NET ISAPI DLL as the Executable. You can copy and paste the complete path to the ISAPI DLL from any other mapping, .aspx for example. Mappings are per extension and must match the files' actual extensions: a .jpeg mapping does not cover .jpg files.
  6. Repeat the above step for any other file extensions you need
  7. Click OK three times
Once this is done, requests for those non-ASP.NET resources go through the ASP.NET pipeline too, so the authentication module and the UrlAuthorizationModule (and, under Windows authentication, the FileAuthorizationModule, which checks the file's NTFS ACL against the authenticated user) apply to them exactly as they do to .aspx pages. Two caveats. First, performance: ASP.NET now has to authenticate and authorize every image, stylesheet and script request, not just page requests. Second, Forms authentication redirects any unauthenticated request for one of these files to the login page, and that includes the stylesheet and script referenced by the login page itself; grant anonymous access to those paths with a <location> element or the login page renders without them. The steps above are for IIS 5/6. IIS 6 also lets you add aspnet_isapi.dll as a wildcard application map (the Insert button on the same Mappings tab) so that every request, whatever its extension, is routed through ASP.NET, with the same performance cost. In IIS 7 integrated pipeline mode no mapping change is needed: the managed authentication and authorization modules can be applied to static files by registering them in the application's web.config without the managedHandler precondition.
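As an added example (not from the original page), here is a web.config for a Forms-authenticated application whose .css, .js and .jpg extensions have been mapped to aspnet_isapi.dll as described above. The page name Login.aspx and the folder names Styles and Scripts are assumed. The point is the <location> carve-out at the end: without it, the stylesheet and script the login page references are themselves redirected to the login page.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original page. A Forms-authenticated site
     whose .css, .js and .jpg extensions have been mapped to aspnet_isapi.dll,
     so those files now pass through ASP.NET authentication and authorization.
     Login.aspx, Styles/ and Scripts/ are assumed names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL marks the ticket cookie Secure, which assumes the site is
           served over HTTPS. protection="All" signs and encrypts the ticket. -->
      <forms loginUrl="Login.aspx"
             name=".ASPXAUTH"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true" />
    </authentication>

    <!-- Deny anonymous users everywhere. Because the mapped extensions now reach
         ASP.NET, this rule also covers stylesheets, scripts and images, which
         ASP.NET serves itself through its StaticFileHandler. ASP.NET 2.0 exempts
         the page named in loginUrl from URL authorization automatically, so
         Login.aspx itself needs no rule. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Carve-out: the stylesheet and script that Login.aspx references must be
       reachable anonymously, otherwise those requests are themselves redirected
       to Login.aspx and the login page renders unstyled with no script. Keep
       these folders limited to public assets; anything sensitive stays under
       the deny rule above. -->
  <location path="Styles">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Scripts">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the effect, request a file from a browser session that holds no authentication cookie: before the extension mapping IIS returns the file itself and the deny rule is never consulted; after it, a request for a protected image returns a 302 to Login.aspx (the UrlAuthorizationModule's 401 turned into a redirect by Forms authentication), while a request under Styles/ or Scripts/ still returns 200.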

Be sure to visit the subpages for more information on the specific kinds of authentication (Forms, Windows, Passport, Basic and custom) and on authorization. This is just the start!

Revision number 2, Monday, February 04, 2008 8:00:00 AM by siva_sm

Comments

Don't you think Forms Authentication, Windows Authentication, Passport Authentication etc. should be a subsection of this one?

Windows authentication and custom authorization

Great article, but I have a question: I authenticate the application users through Active Directory, but I still use application roles. So, for better understanding, let's say that I have these pages and these roles:

Pages: Login.aspx, Default.aspx, Page1.aspx, Page2.aspx
Roles: Rol1, Rol2

When a user enters the application, it is authenticated in the login page; if authentication goes through, the application redirects to Default.aspx. At this point the application has validated the user's role and displays a menu. For my example, if the user has Rol1 then the menu will display the Page1.aspx option. If the user has Rol2 then the menu will display the Page2.aspx option. That works perfectly for my real application. The problem is as follows: if a user with either Rol1 or Rol2 types the URL of the page they have no permission for, the application will not know and will redirect. How can I avoid this situation? Does anyone have any suggestions? Thanks
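One way to close the gap described in the comment above, as an added example that is not part of the original page or of the commenter's application: ASP.NET URL authorization. The UrlAuthorizationModule enforces these rules on the server for every request, whether the user reached the URL through the menu or typed it, so hiding a menu entry stops being the only control. The page names and the roles Rol1 and Rol2 are the ones in the comment; how the roles are populated (the role provider) is assumed.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original page. Per-page, role-based URL
     authorization for the pages and roles named in the comment. Hiding a menu
     entry is not a security control; these rules are enforced server-side. -->
<configuration>
  <system.web>
    <!-- Forms login page; validating the credentials against Active Directory
         is assumed to happen in Login.aspx (e.g. via a membership provider). -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- The roles used in <allow roles="..."> are whatever User.IsInRole sees:
         the default provider from machine.config or a custom one. -->
    <roleManager enabled="true" />

    <!-- Everything not overridden by a <location> below needs a logged-in user,
         so Default.aspx is reachable by any authenticated role. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top to bottom and the first match wins, so each page's
       list ends with an explicit deny for everyone else. A user who is logged in
       but lacks the role gets a 401 from the UrlAuthorizationModule, which Forms
       authentication turns into a redirect to Login.aspx with a ReturnUrl. -->
  <location path="Page1.aspx">
    <system.web>
      <authorization>
        <allow roles="Rol1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Page2.aspx">
    <system.web>
      <authorization>
        <allow roles="Rol2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because a role failure is signalled as a 401, an already authenticated user who types the wrong URL lands back on Login.aspx rather than on a "forbidden" page; if that is confusing for your users, have Login.aspx check Request.IsAuthenticated and show an access-denied message instead of the form. Keep the menu logic for usability, but the <location> rules are what actually decide access.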

Hi, check this article: http://www.codeproject.com/Tips/80141/Authentication-and-Authorization-in-ASP-NET.aspx You could talk about ASP.NET impersonation. Regards, Jamil

What is ASP.NET impersonation? Do you know anything about it?

Impersonation is a process by which the code is executed under another user's context. Suppose you are trying to access a network resource or copy a file to a location where the authenticated user does not have any access. Then how do you do that? We use impersonation, i.e. we use a user who has the proper rights so that the application can copy the file to the desired location. Hope this helps.....

Good one.. The link 'Samples and Quickstarts at GotDotNet' is broken.

In This Section

Forms Authentication

MSDN How To's How To: Create GenericPrincipal Objects with Forms Authentication - This How To shows you how to create and handle GenericPrincipal and FormsIdentity objects when using Forms authentication. How To: Protect Forms Authentication in ASP.NET

Windows Authentication

From MSDN: "The WindowsAuthenticationModule provider relies on Microsoft Internet Information Services (IIS) to provide authenticated users, using any of the mechanisms that IIS supports." For most of us, Windows Authentication means of authenticating

Membership and Roles

"ASP.NET Membership builds on the success of the Forms authentication model from ASP.NET 1.x. ASP.NET Forms authentication provides a convenient way to incorporate a login form into your ASP.NET application and validate users against a database or other

Role Providers

Here are a few good tutorial articles that provide a good conceptual overview of how the new membership and role management system works. Check out ScottGu's post on ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources Blogs Scott
