Home > ASP.NET Applications > ASP.NET Web Application Security > ASP.NET Architecture
ASP.NET Web Applications ASP.NET Web Application Security
This section provides an overview of the ASP.NET infrastructure and subsystemrelationships, as they relate to the subject of security. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through IIS. IIS deciphers and optionally authenticates the request. If Allow Anonymous is turned on, no authentication occurs. IIS also finds the requested resource ( such as an ASP.NET application ), and, if the client is authorized, returns the appropriate resource.
In addition to the built-in ASP.NET security features, an ASP.NET application can use the low-level security features of the .NET Framework. For more information, see Key Security Concepts.
This release of ASP.NET uses IIS 5.0 as the primary host environment. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS always assumes that a set of credentials maps to a Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0: basic, digest, and Integrated Windows Authentication ( NTLM or Kerberos ). You can select the type of authentication to use in the IIS administrative services. For more information on IIS authentication, see the IIS documentation.
If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the two additional types of authentication described in the following table.
| ASP.NET authentication provider |
Description |
| Forms authentication |
A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues a form that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the form in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method the application developer specifies. |
| Passport authentication |
Centralized authentication service provided by Microsoft that offers a single log on and core profile services for member sites. |
ASP.NET configuration, of which security is a part, has a hierarchical architecture. All configuration information for ASP.NET is contained in files named Web.config and Machine.config. Web.config can be placed in the same directories as the application files. The Machine.config file is in the Config directory of the install root. Subdirectories inherit a directory’s settings unless overridden by a Web.config file in the subdirectory. In a Web.config file, there are sections for each major category of ASP.NET functionality. To see an example of the way in which the hierarchical configuration system works for security see Hierarchical Configuration Architecture.
The security section of a Web.config file is organized as follows:
<authentication mode = " [ Windows/Forms/Passport/None ] ">
<forms name = " [ name ] " loginUrl = " [ url ] " >
<credentials passwordFormat = " [ Clear, SHA1, MD5 ] ">
<user name = " [ UserName ] " password = " [ password ] " />
</credentials>
</forms>
<passport redirectUrl = "internal" />
</authentication>
<authorization>
<allow users = " [ comma separated list of users ] "
roles = " [ comma separated list of roles ] " />
<deny users = " [ comma separated list of users ] "
roles = " [ comma separated list of roles ] " />
</authorization>
<identity impersonate = " [ true/false ] " />
The default settings for these elements are shown in the following table.
| Default Value |
Comment |
| <allow roles= > |
No default value |
| <allow users = "*"> |
All |
| <authentication mode = "Windows"> |
The authentication mode cannot be set at a level below the application root directory. |
| <credentials passwordFormat = "SHA1"> |
The hashing algorithm to be used on passwords. |
| <deny roles = ""> |
Empty |
| <deny users = ""> |
Empty |
| <forms loginUrl = "login.aspx"> |
If you set the mode to forms, and if the request does not have a valid form, this is the URL to which the request is directed for a forms-based logon. |
| <forms name = ".ASPXAUTH"> |
Forms name. |
| <forms path = "/"> |
Path. |
| <forms protection = "type"> |
Type= [ All|None|Encryption|Validation ] |
| <forms timeout = "30"> |
Timeout in seconds. |
| <forms validation = "?"> |
True or false. |
| <identity impersonate = "false"> |
Impersonation is disabled by default. |
| <passport redirectUrl = "internal" |
If you set the mode to passport, and if the requested page requires authentication but the user has not logged on with Passport, then the user will be redirected to this URL. |
| <user name = ""> |
Empty |
| <user password = ""> |
Empty |
There are three major subsections: authentication, authorization, and identity. The values for each of the elements are usually set by overriding this section of the computer-level configuration file with a similar section in an application configuration file placed in the application root. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override other settings.
NOTE: ASP.NET configuration only applies to ASP.NET resources ( those registered to be handled by Aspnet_isapi.dll ). Unfortunately, ASP.NET configuration cannot provide authorization for non-Aspnet_isapi.dll resources, so TXT, HTML, GIF, JPEG, ASP, and other types of files are still accessible by all users, subject to IIS permissions. For example, even though the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is on and no other restrictions are in place.
You can avoid this situation by explicitly mapping such files, but not directories, to Aspnet_isapi.dll using the IIS administration tool. However, there could be a performance impact if you do this.
You can use the <location></location> tags to specify a particular file or directory to which settings should apply. For more information about how to use the <location> tag, see Hierarchical Configuration Architecture and Configuration <location> Settings.
For more details about ASP.NET configuration in general, see ASP.NET Configuration. The topics that follow provide the data flow details that show how security is handled by ASP.NET, and how the data flows through the security subsystems.
Key Security Concepts FormsAuthentication Events The Passport Authentication Provider Hierarchical Configuration Architecture Configuration <location> Settings ASP.NET Configuration