What: Discussion Day in Best Practices Forums
Who: Lonnie Wall and Andrew Lader, Co-Authors of " Building Web Services and .NET Applications"
Date: June 27, 2002
Time: 10:00 to 2:00 p.m. ET
ABSTRACT: Web security means many different things to different people and it can often be misinterpreted. The term is normally used as an umbrella that encompasses three issues: encryption of data transmitted between Web client and server, authentication, and authorization. In our discussion, we will focus on authentication and authorization. To avoid confusion, we will agree on terms. Authentication refers to the portion of the application that serves as gatekeeper. It determines who the user is that's accessing the Web application or service, and then either allows or denies that individual access to the site. When a user visits a Web site, there's always some form of authentication. This is done through the exchange of credentials, typically, a user ID and password. In open, public Web sites, the authentication is minimal, allowing all users to visit the site through the use of some sort of anonymous user. This is usually the default. But, for secure Web sites, authentication limits who can visit the site, allowing only specific users through and rejecting everyone else.
Once through, authorization takes over. Getting access to the site is one thing, but actually viewing and interacting with the site falls under the domain of authorization. Here, issues of permissions and roles define what an authenticated user is allowed to do with a particular Web site. Can the users see this menu item? Can they click that button? Are they allowed to navigate from this page to that page? Controlling what they can and can't do is what authorization is all about.
We will be focusing on the following items:
- The various types of authentication
- Windows authentication
- Passport Authentication
- Forms Authentication
- Securing a Web service with Forms authentication in the web.config file
- Allowing and deny specific users
- Authorization using the web.config file
- Code Access Security
- Declarative access using the PrincipalPermissionAttribute
- Imperative access using the IsInRole() method
BIO: Lonnie Wall is a Principal Architect for RDA with more than 16 years of software development experience. His primary area of expertise is designing and implementing large distributed applications using XML on various platforms. Qualifications include Microsoft Certified Systems Engineer, Microsoft Certified Solution Developer and Sun Certified Java 2 Programmer. Recently, Lonnie has been responsible for the design and implementation of several large Web-based business applications, which included a large .NET solution.
Andrew Lader has been in the software industry for over 12 years and is also a Principal Architect for RDA. His wide background of experience in software development includes expertise in C#, C++, C, XML, XSLT, XPath, Java, Visual Basic, SQL Server, MTS/COM+, ADO, and MSMQ. Most recently, Andrew has been working on projects for two clients, implementing Web applications and Web services using Microsoft's .NET Technology.
For More Information:
- For insightful opinion and commentary, read our Guest Commentary columns.
- Tired of technospeak? The Web Services Advisor column provides a clear understanding of Web services.
- Looking for shortcuts and helpful developer tips? Visit our Tip Exchange for time-saving XML and .NET tips.
- Visit our huge Best Web Links for Web Services for hand-picked resources by our editors.
- Discuss this article, voice your opinion or talk with your peers in our Discussion Forums.
- Visit Ask the Experts for Web services, SOAP, WSDL, XML, .NET, Java and EAI answers.