Requires Free Membership to View
Security is big subject. I would like to refer you to Professional ASP .NET (Wrox Press). This subject is discussed rather well in Chapter 14,
"Securing ASP.NET Applications". One thing to keep in mind before we
proceed is that you will have to create and manage a Windows login for
each user who will connect to your site if you use their NT account for
authentication. If you have many users or if the users are added and
deleted frequently, that can be a nightmare to manage.In some cases, it makes sense to use Windows Authentication. Here is a brief discussion of the basic steps to set this up. For a more in-depth, but easy to follow treatment, check out the book I mentioned above.
1. Set the authentication mode and turn on impersonation in web.config. Here's an example of part of web.config:
<configuration> <system.web> <authentication mode="Windows" /> <identity impersonate="true" /> </system.web> </configuration>2. You can also specify a list of groups and users that are allowed access through allow and deny elements in the <authorization> element like so:
<allow roles="comma-separated list of Windows account groups" users="comma-separated list of Windows user accounts" verb="GET|POST|HEAD" />The verb attribute is optional and at least either roles or users (or both) must be present. This is a very basic discussion of this topic. There are many other options available. For example, if you set up this information in the machine.config file, it controls access for all .NET apps on that particular server. Another option to consider is using Passport authentication, details can be found at www.passport.com. Still another option is to use Forms-based authentication. This is an improvement on how we have done authentication in ASP applications in the past. It makes it very easy to implement. Once a user is authenticated, you can find out information on the current user programmatically through the User object. The User object is property of the HttpContext object and provides information about the user including if they belong to a particular group or not, how they were authenticated (Forms, MTLM, Basic, Passport), what their user name is, etc.
This was first published in April 2002
Join the conversationComment
Share
Comments
Results
Contribute to the conversation