Web Site Security, Authentication
Good MSDN overview topic: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconaspnetauthentication.asp
Use System.Threading.Thread.CurrentPrincipal to obtain an IPrincipal interface, then its Identity property for an IIdentity interface, which has the properties Name, IsAuthenticated and AuthenticationType. In an ASP.NET page the same principal is also available as HttpContext.Current.User (Page.User); the pipeline sets both to the user it authenticated for the request.
// IPrincipal for the current request; Identity describes who (if anyone) was authenticated.
System.Security.Principal.IIdentity i = System.Threading.Thread.CurrentPrincipal.Identity;
// Page.Trace output only appears when tracing is enabled (Trace="true" in the @Page directive or <trace enabled="true"/> in web.config).
Trace.Write("Authentication", string.Format("Name={0} Is={1} Type={2}", i.Name, i.IsAuthenticated, i.AuthenticationType));
The web.config file defines which authentication modules will be activated for an ASP.NET application.
Windows is the default mode (machine.config ships with <authentication mode="Windows" />).
Windows authentication is secure and easy in terms of coding, a bit tricky to configure so that it behaves correctly, and is only supported by Internet Explorer (Kerberos/Negotiate needs IE 5.x or later); because the NTLM handshake is tied to the TCP connection it also does not work through most HTTP proxies. IIS uses Kerberos when the server is a member of an Active Directory domain and the client can reach a domain controller; otherwise it falls back to NTLM.
Passport is a commercial solution. Licensing is $10k per year per company + $1.5k per year per URL. Coding is required. Start by downloading the SDK.
Forms is the most flexible and requires the most work to make secure. SSL is required for any real security: without it the password crosses the wire in clear text at login, and the forms authentication cookie issued afterwards can be captured and replayed by anyone on the path. It also requires clients to trust each web site with their unencrypted password.
Windows Authentication Details
Add the following to web.config as children of the system.web element. With impersonate="true" the request thread runs as the authenticated Windows user (or as the IIS anonymous account for anonymous requests) instead of the ASP.NET worker process account, so file system ACLs are checked against the caller's account:
<authentication mode="Windows" />
<identity impersonate="true"/>
I still haven’t experimentally confirmed the behavior of identity impersonation.
The authorization element holds allow and deny elements. ASP.NET evaluates them top to bottom and the first rule that matches the caller decides; machine.config supplies a trailing <allow users="*" />, so any request no rule matches is allowed. "*" means all users. "?" means the anonymous user. Both attributes take comma separated lists of users. I haven't determined the required syntax yet. E.g. with or without domain or machine prefix, fully qualified or not, etc.
Order matters: the deny must come first. If <allow users="*" /> is listed first it matches every caller, anonymous ones included, and the deny is never reached.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
You can also put a block like the following at the configuration element child level to put constraints on a specific path; because its rules are evaluated before the directory's own rules, this is the usual way to leave one page (a login or public page) reachable when the directory denies anonymous users. If the path is omitted, the constraint is applied to the folder containing the web.config file.
<location path="consulting.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
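The two configuration fragments above only make sense once the evaluation order is clear, so here is an added example (my own, not code from the page or from ASP.NET) that models how the UrlAuthorizationModule walks <allow>/<deny> rules: first match wins, a <location> block's rules come before its directory's rules, and an unmatched request falls through to the implicit <allow users="*" /> inherited from machine.config. Windows account and group names are written in the DOMAIN\name form the users= and roles= attributes expect; the CORP domain, the WebDevs group and the users alice and bob are constructed for the demonstration.

```python
# Added example: a model of ASP.NET's <authorization> rule evaluation.
# Not code from the page or from ASP.NET; the domain, group and user
# names below are constructed for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Caller:
    """The request's IPrincipal; an empty name means the anonymous user."""
    name: str = ""
    roles: set = field(default_factory=set)

    @property
    def is_authenticated(self) -> bool:
        return self.name != ""


def _csv(value):
    """Split a comma-separated users= or roles= attribute value."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def rule_matches(rule, caller):
    """True if one <allow>/<deny> element applies to this caller.
    '*' is everyone, '?' is the anonymous user; account and group names
    (DOMAIN\\name or MACHINE\\name) are compared case-insensitively."""
    for user in _csv(rule.get("users")):
        if user == "*":
            return True
        if user == "?" and not caller.is_authenticated:
            return True
        if caller.is_authenticated and user.lower() == caller.name.lower():
            return True
    caller_roles = {role.lower() for role in caller.roles}
    return any(role.lower() in caller_roles for role in _csv(rule.get("roles")))


def is_allowed(caller, *authorization_fragments):
    """Evaluate one or more <authorization> fragments, most specific first
    (a <location> block's rules precede its directory's rules).
    The first matching rule decides; if nothing matches, the implicit
    <allow users="*"/> from machine.config lets the request through."""
    for fragment in authorization_fragments:
        for rule in ET.fromstring(fragment):
            if rule.tag in ("allow", "deny") and rule_matches(rule, caller):
                return rule.tag == "allow"
    return True


# Constructed fragments: the allow-first ordering, the corrected ordering,
# a group-only directory, and the <location> override for one public page.
ALLOW_FIRST = '<authorization><allow users="*" /><deny users="?" /></authorization>'
DENY_FIRST = '<authorization><deny users="?" /><allow users="*" /></authorization>'
GROUP_ONLY = ('<authorization><allow roles="CORP\\WebDevs" />'
              '<deny users="*" /></authorization>')
PUBLIC_PAGE = '<authorization><allow users="*" /></authorization>'

anonymous = Caller()
alice = Caller("CORP\\alice", {"CORP\\WebDevs"})   # group member
bob = Caller("CORP\\bob")                           # authenticated, not a member

if __name__ == "__main__":
    print("allow-first lets anonymous in:", is_allowed(anonymous, ALLOW_FIRST))
    print("deny-first blocks anonymous:", not is_allowed(anonymous, DENY_FIRST))
    print("group-only admits alice:", is_allowed(alice, GROUP_ONLY))
    print("group-only rejects bob:", not is_allowed(bob, GROUP_ONLY))
    print("location opens the page to anonymous:",
          is_allowed(anonymous, PUBLIC_PAGE, DENY_FIRST))
```

The model leaves out the verbs= attribute and the IIS and NTFS layers; it only shows what the web.config rules alone decide, which is the part that is easy to get backwards.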
Access control is a combination of file system ACLs, IIS security settings, and web.config authorization elements. The table below records the settings tried and their observed effect.

| | ACL | IIS Directory Security -> Authentication & Access Control | web.config |
|---|---|---|---|
| Baseline Settings | Everyone: full control; INTERACTIVE: Read & Execute (folders only); NETWORK: Read & Execute (folders only); SYSTEM: Read & Execute (folders only) | Anonymous access enabled. Integrated Windows authentication. | No authorization elements: access allowed. <deny users="?" />: forces authentication, then allows access. |
| Access Restricted to Group | Group: full control; Administrators: full control; SYSTEM: Read & Execute (folders only) | Anonymous access DISABLED. Integrated Windows authentication. | No authorization elements: access is allowed only after login by a group member. Could not simply add the Administrator account to the Group; for some reason this doesn't work. <allow users="*" />: BOGUS, can't give privileges the ACL doesn't allow. <deny users="*" />: denies access to everyone. (UNSURE THIS ALWAYS WORKS) |