This section provides an overview of the ASP.NET infrastructure and subsystem relationships as they relate to security. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through IIS. IIS deciphers and optionally authenticates the request. If Allow Anonymous is turned on, no authentication occurs. IIS also finds the requested resource (such as an ASP.NET application) and, if the client is authorized, returns the appropriate resource.
In addition to the built-in ASP.NET security features, an ASP.NET application can use the low-level security features of the .NET Framework. For more information, see Key Security Concepts.
Integrating with IIS
This release of ASP.NET uses IIS 5.0 as the primary host environment. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS always assumes that a set of credentials maps to a Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0: basic, digest, and Integrated Windows Authentication (NTLM or Kerberos). You select the type of authentication to use in the IIS administrative services. For more information on IIS authentication, see the IIS documentation.
If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the two additional types of authentication described in the following table.

Using ASP.NET Configuration Files
ASP.NET configuration, of which security is a part, has a hierarchical architecture. All configuration information for ASP.NET is contained in files named Web.config and Machine.config. Web.config can be placed in the same directories as the application files. The Machine.config file is in the Config directory of the install root. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. In a Web.config file, there are sections for each major category of ASP.NET functionality. To see an example of the way in which the hierarchical configuration system works for security see Hierarchical Configuration Architecture.
The security section of a Web.config file is organized as follows:

The default settings for these elements are shown in the following table.
There are three major subsections: authentication, authorization, and identity. The values for each of these elements are usually set by overriding this section of the computer-level configuration file (Machine.config) with a similar section in an application configuration file (Web.config) placed in the application root. All subdirectories automatically inherit those settings. However, a subdirectory can have its own Web.config file that overrides the inherited settings.
You can avoid this situation by explicitly mapping such files, but not directories, to Aspnet_isapi.dll using the IIS administration tool. However, there may be a performance impact if you do this.
You can use the <location> tags to specify a particular file or directory to which settings should apply. For more information about how to use the <location> tag, see Hierarchical Configuration Architecture and Configuration Settings.
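The following Web.config is an added example, not a file from the original page or from the ASP.NET documentation it reproduces. It shows the three security subsections described above with the values ASP.NET ships in Machine.config (Windows authentication, allow all users, no impersonation), and a <location> block that tightens authorization for a subdirectory. The directory name Admin and the Windows group are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- authentication: mode is Windows, Forms, Passport or None.
         Windows means ASP.NET trusts the identity IIS already authenticated. -->
    <authentication mode="Windows" />

    <!-- authorization: rules are evaluated top to bottom, first match wins.
         "*" is every user, "?" is the anonymous user. -->
    <authorization>
      <allow users="*" />
    </authorization>

    <!-- identity: impersonate="false" runs code as the ASP.NET process account
         rather than as the authenticated (or anonymous IIS) user. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Override inherited settings for one subdirectory (path "Admin" is assumed).
       Only the named Windows group gets through; the trailing deny catches
       everyone else, including anonymous users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the first matching rule wins, the deny rule must come after the allow rule; reversing them would lock the administrators out as well. Note also that these authorization rules are only applied to requests that IIS hands to Aspnet_isapi.dll, which is why the text above suggests mapping additional file types to it when they must be protected by ASP.NET authorization.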
For more details about ASP.NET configuration in general, see ASP.NET Configuration. The topics that follow provide the data flow details that show how security is handled by ASP.NET, and how the data flows through the security subsystems.
Source : http://authors.aspalliance.com