ASP.NET Security Architecture
This section provides an overview of the ASP.NET security infrastructure. The following illustration shows the relationships among the security systems in ASP.NET.
As the illustration shows, all Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS authenticates the request if required and then locates the requested resource (such as an ASP.NET application). If the client is authorized, the resource is made available.
When an ASP.NET application is running, it can use built-in ASP.NET security features. In addition, an ASP.NET application can use the security features of the .NET Framework. For more information, see Key Security Concepts.
In addition to relying on the authentication capabilities of IIS, you can perform authentication in ASP.NET. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS assumes that a set of credentials maps to a Microsoft Windows NT account and that it should use those credentials to authenticate a user. The authentication methods used in IIS 7 are the following: anonymous, ASP.NET impersonation, basic, client certificate mapping, digest, forms, and Windows Integrated Security (NTLM or Kerberos). You can select the type of authentication by using IIS administrative services. For information, see Configuring Authentication in IIS 7.
If users request a URL that maps to an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides forms authentication. Forms authentication is a system by which unauthenticated requests are redirected to an ASP.NET Web page that you create. The user provides credentials and submits the page. If your application authenticates the request, the system issues an authentication ticket in a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests carry that ticket, and ASP.NET uses it to re-establish the user's identity without prompting for credentials again, so the ticket must be protected (encrypted and signed, and sent only over SSL) as carefully as the credentials themselves.
ASP.NET membership and ASP.NET login controls implicitly work with forms authentication.
ASP.NET security settings are configured in the Machine.config and Web.config files. As with other configuration information, base settings and default settings are established in the Machine.config file in the Config subdirectory of the current .NET Framework installation. You can establish site-specific and application-specific settings (including overriding settings from the Machine.config file) in Web.config files in the Web site root and application root directories. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. To see an example of the way in which the hierarchical configuration system works for security, see configSections Element (General Settings Schema).
There are three major security subsections in a Web.config file: the authentication, authorization, and identity sections. The values for each security element are usually set in the Machine.config file and overridden as required in the application-level Web.config file. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override inherited settings.
ASP.NET configuration applies only to ASP.NET resources, namely those registered to be handled in IIS by the Aspnet_isapi.dll extension. ASP.NET configuration cannot provide authorization for resources not processed by ASP.NET. Therefore, .txt, .htm, .html, .gif, .jpg, .jpeg, .asp, and other types of files are accessible by all users (subject to IIS permissions). For example, even though the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the other files located in that directory if directory browsing is turned on and no other restrictions are in place. You can put these types of files under ASP.NET security by explicitly mapping such file name extensions to the Aspnet_isapi.dll extension using the IIS administration tool. In IIS 7 integrated mode the same effect can be had without extension mapping, either by running the managed modules for every request (runAllManagedModulesForAllRequests="true" on the modules element in the system.webServer section) or by using the IIS URL authorization feature, which applies to all content types. Either way, processing these types of files through ASP.NET can affect the performance of the Web site. For more information about how to secure files in a folder, see How to: Configure Specific Directories Using Location Settings.
You can use the location configuration element to specify a particular file or directory to which settings should apply. For more information, see configSections Element (General Settings Schema) and Configuring Specific Files and Subdirectories. For more details about ASP.NET configuration in general, see ASP.NET Configuration Overview.
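The hierarchy and location rules above are easiest to verify by working an example. The following Python script is an added example, not code from the original page or from ASP.NET itself: it parses two constructed Web.config fragments (a root file with a location element for the Admin directory, and a Reports subdirectory file), merges their authorization rules most-specific-first the way the configuration system does, and applies the first-match semantics of ASP.NET URL authorization (`*` for all users, `?` for anonymous users, comma-separated users, roles and verbs, access granted when no rule matches). The directory names, user names and roles are assumptions made for the example.

```python
"""Model of ASP.NET URL authorization over a configuration hierarchy.

Added example, not the ASP.NET implementation: it re-creates the first-match
rule evaluation applied to <authorization> sections so that the effect of
inherited and location-scoped rules can be checked offline.
"""
import xml.etree.ElementTree as ET

# Constructed root Web.config (example only): deny anonymous users everywhere,
# and restrict the Admin directory to the Administrators role.
ROOT_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

# Constructed Web.config in the Reports subdirectory (example only): Auditors
# may read, nobody else gets in; root rules follow after these.
REPORTS_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Auditors" verbs="GET,HEAD" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

def _child(el, tag):
    """First direct child element with the given tag, or None."""
    for c in el:
        if c.tag == tag:
            return c
    return None

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def parse_rules(config_xml, location_path=None):
    """Rules as (action, users, roles, verbs) from configuration/system.web/
    authorization, or from the <location> whose path equals location_path."""
    root = ET.fromstring(config_xml)
    scope = root
    if location_path is not None:
        scope = next((loc for loc in root.findall("location")
                      if loc.get("path", "").strip("/").lower() == location_path.lower()), None)
    web = _child(scope, "system.web") if scope is not None else None
    section = _child(web, "authorization") if web is not None else None
    rules = []
    for el in (section if section is not None else []):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _split(el.get("users", "")),
                          _split(el.get("roles", "")), _split(el.get("verbs", ""))))
    return rules

def rule_matches(rule, user, roles, verb):
    """user is None for an anonymous request; roles is the user's role list."""
    _action, users, rule_roles, verbs = rule
    if verbs and verb.lower() not in verbs:      # verbs="" means every verb
        return False
    anonymous = user is None
    for u in users:
        if u == "*" or (u == "?" and anonymous) or (not anonymous and u == user.lower()):
            return True
    user_roles = {r.lower() for r in roles}
    return any(r in user_roles for r in rule_roles)

def is_authorized(rules, user, roles=(), verb="GET"):
    """First matching rule wins. With no match access is granted, which is
    what the machine-level default <allow users="*"/> produces."""
    for rule in rules:
        if rule_matches(rule, user, roles, verb):
            return rule[0] == "allow"
    return True

# Effective rule lists, most specific first, as the hierarchy merges them.
ROOT_RULES = parse_rules(ROOT_WEB_CONFIG)
ADMIN_RULES = parse_rules(ROOT_WEB_CONFIG, location_path="Admin") + ROOT_RULES
REPORTS_RULES = parse_rules(REPORTS_WEB_CONFIG) + ROOT_RULES

def effective_rules(path):
    p = path.strip("/").lower()
    if p == "admin" or p.startswith("admin/"):
        return ADMIN_RULES
    if p == "reports" or p.startswith("reports/"):
        return REPORTS_RULES
    return ROOT_RULES

def check(path, user, roles=(), verb="GET"):
    return is_authorized(effective_rules(path), user, roles, verb)

if __name__ == "__main__":
    for args in [("/Default.aspx", None), ("/Default.aspx", "alice"),
                 ("/Admin/Users.aspx", "alice"),
                 ("/Admin/Users.aspx", "bob", ("Administrators",)),
                 ("/Reports/q1.aspx", "carol", ("Auditors",), "GET"),
                 ("/Reports/q1.aspx", "carol", ("Auditors",), "POST")]:
        print(args, "->", "allow" if check(*args) else "deny")
```

Note that the order inside each section matters as much as the inheritance order: swapping the two rules under the Admin location would let `<deny users="*"/>` match first and lock out administrators too, and a subdirectory that ends with `<allow users="*"/>` silently stops the parent's deny rules from ever being reached.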
The following example shows the syntax of the security sections of a configuration file:
<authentication mode="[Windows|Forms|None]">
  <forms name="name"
         loginUrl="url"
         protection="[All|None|Encryption|Validation]"
         timeout="minutes"
         path="path"
         requireSSL="[true|false]"
         slidingExpiration="[true|false]"
         defaultUrl="string"
         cookieless="[UseCookies|UseUri|AutoDetect|UseDeviceProfile]"
         domain="string">
    <credentials passwordFormat="[Clear|MD5|SHA1]">
      <user name="********" password="********"/>
    </credentials>
  </forms>
</authentication>
<authorization>
  <allow users="comma-separated list of users"
         roles="comma-separated list of roles"
         verbs="comma-separated list of verbs" />
  <deny users="comma-separated list of users"
        roles="comma-separated list of roles"
        verbs="comma-separated list of verbs" />
</authorization>
<identity impersonate="[true|false]"
          userName="domain\username"
          password="password" />
<trust level="[Full|High|Medium|Low|Minimal]" originUrl="" />
<securityPolicy>
  <trustLevel name="Full" policyFile="internal" />
  <trustLevel name="High" policyFile="web_hightrust.config" />
  <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
  <trustLevel name="Low" policyFile="web_lowtrust.config" />
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
</securityPolicy>
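Most of the forms authentication attributes above default to the convenient rather than the safe value, so a configuration review should check them explicitly. The following Python script is an added example, not code from the original page or from ASP.NET: it reads the authentication, forms, credentials and identity elements from two constructed Web.config fragments, fills in the documented defaults for attributes that are absent, and reports the settings a reviewer would flag, with the weak configuration beside the corrected one. The account names, passwords and the 30-minute ticket lifetime ceiling are assumptions made for the example, not ASP.NET rules.

```python
"""Review of forms authentication settings in a Web.config.

Added example, not part of ASP.NET: audits <authentication>, <forms>,
<credentials> and <identity> against the defaults documented for them.
"""
import xml.etree.ElementTree as ET

# Constructed Web.config with the weak settings (example only).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="logon.aspx" protection="Validation"
             timeout="480" requireSSL="false" slidingExpiration="true"
             cookieless="UseUri">
        <credentials passwordFormat="Clear">
          <user name="admin" password="P@ssw0rd" />
        </credentials>
      </forms>
    </authentication>
    <identity impersonate="true" userName="CORP\\svc-web" password="Summer2012" />
  </system.web>
</configuration>
"""

# Constructed Web.config with the corrected settings (example only).
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Account/Logon.aspx" protection="All"
             timeout="20" requireSSL="true" slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>
    <identity impersonate="false" />
  </system.web>
</configuration>
"""

def _child(el, tag):
    """First direct child element with the given tag, or None."""
    if el is None:
        return None
    for c in el:
        if c.tag == tag:
            return c
    return None

def audit_forms_auth(config_xml, max_timeout_minutes=30):
    """Return (setting, problem) pairs, in document order, for a Web.config."""
    findings = []
    web = _child(ET.fromstring(config_xml), "system.web")
    auth = _child(web, "authentication")
    if auth is None or auth.get("mode", "Windows") != "Forms":
        return findings                      # not forms authentication; nothing to review here
    forms = _child(auth, "forms")
    a = forms.attrib if forms is not None else {}
    # Defaults below are the documented ones: protection="All", requireSSL="false",
    # cookieless="UseDeviceProfile", timeout="30", slidingExpiration="true".
    if a.get("protection", "All") != "All":
        findings.append(("forms.protection",
                         "ticket is not both encrypted and signed; use protection=\"All\""))
    if a.get("requireSSL", "false").lower() != "true":
        findings.append(("forms.requireSSL",
                         "ticket cookie may be sent over plain HTTP; set requireSSL=\"true\""))
    if a.get("cookieless", "UseDeviceProfile") != "UseCookies":
        findings.append(("forms.cookieless",
                         "ticket may travel in the URL, where it is logged and shared; use cookieless=\"UseCookies\""))
    timeout = int(a.get("timeout", "30"))
    sliding = a.get("slidingExpiration", "true").lower() == "true"
    if timeout > max_timeout_minutes:
        renew = " and is renewed on every request" if sliding else ""
        findings.append(("forms.timeout",
                         "ticket lives %d minutes%s; limit to %d" % (timeout, renew, max_timeout_minutes)))
    creds = _child(forms, "credentials")
    if creds is not None:
        fmt = creds.get("passwordFormat", "SHA1")
        how = "clear-text" if fmt == "Clear" else "unsalted %s-hashed" % fmt
        findings.append(("credentials.passwordFormat",
                         "%s passwords stored in Web.config; use a membership provider instead" % how))
    ident = _child(web, "identity")
    if (ident is not None and ident.get("impersonate", "false").lower() == "true"
            and ident.get("password")):
        findings.append(("identity.password",
                         "fixed impersonation account password stored in Web.config"))
    return findings

if __name__ == "__main__":
    for setting, problem in audit_forms_auth(WEAK_WEB_CONFIG):
        print("%-28s %s" % (setting, problem))
    print("hardened:", audit_forms_auth(HARDENED_WEB_CONFIG))
```

Run against the weak fragment the audit reports six findings; against the hardened one it reports none. A Windows-authentication configuration is skipped entirely, since none of the forms settings apply to it.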
The default settings for these elements are shown in the following table.
<allow roles="" />
An empty string indicating that all roles are allowed by default.
<allow users="*" />
An asterisk (*) indicating that all users, including anonymous (unauthenticated) users, are allowed access by default; no authentication is required.
<allow verbs="" />
An empty string indicating that the rule is not restricted to particular HTTP verbs and applies to all of them.
<authentication mode="Windows" />
The authentication type that determines the source of the current User value. The default is Windows.
<credentials passwordFormat="SHA1" />
The hashing algorithm used on passwords stored in the credentials section. The default is SHA1. These hashes are unsalted and the credentials section holds a static list in Web.config, so it suits only small test or administrative scenarios; production applications should store accounts in the membership system or another credential store.
<deny roles="" />
An empty string indicating that no roles are denied by default.
<deny users="" />
An empty string indicating that no users are denied by default.
<deny verbs="" />
An empty string indicating that the rule is not restricted to particular HTTP verbs and applies to all of them.
<forms cookieless="UseDeviceProfile" />
The method to use to store the forms authentication ticket on the client. Valid values are UseCookies, UseUri, AutoDetect, UseDeviceProfile (default).
<forms defaultUrl="default.aspx" />
A string that indicates the URL of the page to redirect to after login.
<forms domain="" />
An empty string that indicates that no domain has been specified for the cookie.
<forms loginUrl="logon.aspx" />
The URL to which the request is directed if you set the authentication mode to Forms and if the request does not have a valid authentication ticket.
<forms name=".ASPXAUTH" />
The name under which the forms authentication cookie is stored on the user's computer.
<forms path="/" />
The path to which forms authentication applies. The default is all paths from the application root down.
<forms protection="All" />
The protection applied to the forms authentication ticket. Values include: All, None, Encryption, and Validation. All, the default, both encrypts and signs the ticket; Encryption alone leaves it unsigned, Validation alone leaves the contents readable, and None leaves it forgeable, so All is the value to keep.
<forms timeout="30" />
The timeout in minutes before the forms authentication ticket expires and users must re-authenticate.
<forms requireSSL="false" />
A Boolean value indicating whether an SSL connection is required to transmit the authentication cookie. When true, the cookie is issued with the Secure attribute and a ticket presented over a non-SSL connection is not honored. The default, false, allows the ticket to be sent over plain HTTP.
<forms slidingExpiration="true" />
A Boolean value indicating whether sliding expiration is enabled. For more information, see the SlidingExpiration property.
<identity impersonate="false" />
A Boolean value indicating whether impersonation is enabled. The default, false, means ASP.NET runs under the process or application pool identity rather than the identity of the authenticated client. For more information, see ASP.NET Impersonation.
<identity userName="" />
An empty string indicating that no user identity is specified by default.
<identity password="" />
An empty string indicating that no password for the user identity is specified by default.
<trust level="Full" originUrl="" />
The security policy that will be applied to the application.
<trustLevel name="Full" policyFile="internal"/>
The default policy file for Full trust level.
<trustLevel name="High" policyFile="web_hightrust.config"/>
The default policy file for High trust level.
<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
The default policy file for Medium trust level.
<trustLevel name="Low" policyFile="web_lowtrust.config"/>
The default policy file for Low trust level.
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
The default policy file for Minimal trust level.