Page 242 - DCAP312_WEB_TECHNOLOGIES_II
Web Technologies-II
Notes: The ASP.NET 3.5 membership feature provides secure credential storage for application
users. It also provides a membership API that simplifies the task of validating user credentials
when used with forms authentication. Membership providers abstract the underlying store used
to maintain user credentials. ASP.NET 3.5 includes the following providers:
• ActiveDirectoryMembershipProvider. This uses either an Active Directory or Active
Directory Application Mode (ADAM) user store.
• SqlMembershipProvider. This uses a SQL Server user store.
With the pluggable membership architecture, we can also add support for our own user stores. For
example, we can add support for other Lightweight Directory Access Protocol (LDAP) directories
or other existing corporate identity stores. To do so, we create a custom provider that derives from
the MembershipProvider abstract class and register it in the <membership> section of Web.config.
In most cases, the user store contains user credentials such as user names and passwords, and
in some cases, personalization information. Avoid mixing personalization with authentication.
If we only need to identify users for personalization reasons, a simple user name inside a cookie
is sufficient; such a cookie can be freely edited by the client, so it must never be used to make
access-control decisions. However, if we want to restrict and control access to different areas and
functions of the Web site, or if we need to audit operations attributed to different users, then we
must use authenticated access (for example, forms authentication backed by the membership store).
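The following is an added example, not code from the textbook, showing how a login page validates credentials through the membership API and then issues a forms-authentication ticket rather than a plain user-name cookie. It assumes a Login.aspx page with controls named UserName, Password, RememberMe and Message, and a Web.config that enables forms authentication with SqlMembershipProvider; those names are assumptions.

```csharp
// Added example (not from the textbook): Login.aspx code-behind that validates
// credentials via the Membership API and issues a forms-authentication ticket.
// Control names (UserName, Password, RememberMe, Message) are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserName.Text.Trim();
        string password = Password.Text;

        // The provider hashes the supplied password with the stored salt
        // (passwordFormat="Hashed") and compares it, so page code never handles
        // stored credentials. It also counts failed attempts and locks the account
        // after maxInvalidPasswordAttempts, so no lockout logic is needed here.
        if (Membership.ValidateUser(userName, password))
        {
            // Issues the encrypted and signed forms-authentication cookie
            // (.ASPXAUTH by default). Unlike a bare "username" cookie, the client
            // cannot forge it because it is protected with the server's machineKey.
            FormsAuthentication.SetAuthCookie(userName, RememberMe.Checked);
            Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]));
        }
        else
        {
            // Same message whether the user is unknown, the password is wrong or
            // the account is locked out, so the response does not reveal which.
            Message.Text = "Invalid user name or password.";
        }
    }

    // Only follow ReturnUrl when it is a path inside this application; an absolute
    // or protocol-relative URL would turn the login page into an open redirector.
    private static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)
            || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//")
            || returnUrl.StartsWith("/\\"))
        {
            return FormsAuthentication.DefaultUrl;
        }
        return returnUrl;
    }
}
```

FormsAuthentication.RedirectFromLoginPage would combine the two calls, but separating SetAuthCookie from the redirect makes the ReturnUrl check explicit.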
We use the SqlMembershipProvider with forms authentication if user information is stored
in SQL Server. In most cases, this occurs when we have an intranet and user information is
application-specific, or when the application is Internet facing and the users do not have Active
Directory accounts.
When we install ASP.NET, the Machine.config file for our server includes configuration elements
that specify the SQL Server membership provider (AspNetSqlMembershipProvider). By default, this
provider is configured, through the LocalSqlServer connection string, to connect to the local
instance of SQL Server Express; an application that uses a different database overrides that
connection string in its own Web.config.
12.1 ASP.NET IIS Security
Most Web sites need to selectively restrict access to some portions of the site. We can think of a
Web site as roughly equivalent to an art gallery. The gallery is open for the public to come
in and browse, but there are certain parts of the facility, such as the business offices, that are
accessible only to people with certain credentials, such as employees. When a Web site stores
its customers' credit card information in a database, for example, ASP.NET helps defend the
database from public access. ASP.NET security addresses this and many other security issues.
ASP.NET, in conjunction with Internet Information Services (IIS), can authenticate user credentials
such as names and passwords using any of the following authentication methods:
• Windows: Basic, digest, or Integrated Windows Authentication (NTLM or Kerberos).
• Microsoft Passport authentication (no longer supported in later .NET Framework versions)
• Forms authentication
• Client Certificate authentication.
ASP.NET helps control access to site information by comparing authenticated credentials, or
representations of them, to NTFS file system permissions or to an XML configuration file (the
<authorization> section of Web.config) that lists authorized users, authorized roles (groups), or
authorized HTTP verbs.
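The following Web.config is an added example, not configuration from the textbook, that ties together the points above: it overrides the Machine.config SQL provider with an explicit SqlMembershipProvider, enables forms authentication, and uses the XML <authorization> rules to restrict users, roles and HTTP verbs. The server name, database name, login page path and the "Administrators" role are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the textbook): Web.config for an Internet-facing
     ASP.NET 3.5 site using forms authentication with SqlMembershipProvider.
     Server, database, login path and role names are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Replace the LocalSqlServer entry inherited from Machine.config (which points
         at the local SQL Server Express instance). Windows authentication means no
         database password is stored in this file. -->
    <remove name="LocalSqlServer" />
    <add name="MembershipDb"
         connectionString="Server=dbserver;Database=AspNetMembership;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- The ticket is encrypted and signed (protection="All"), sent only over
         HTTPS, and expires after 20 idle minutes. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" name=".ASPXAUTH" protection="All"
             requireSSL="true" timeout="20" slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- <clear/> drops the Machine.config provider so only these settings apply:
         salted hashes, no password retrieval, lockout after 5 failures in 10 minutes. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="MembershipDb" applicationName="/" />
      </providers>
    </roleManager>
    <!-- Site-wide default: anonymous users ("?") are denied everywhere. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- The login page itself must remain reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Admin area: only the Administrators role, and only GET and POST. Rules are
       evaluated in order and the first match wins, so the deny-all comes last. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" verbs="GET,POST" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because rules in a <location> element are evaluated before the site-wide ones, the Admin block is self-contained: any request that does not match the allow line is denied there, regardless of what the root <authorization> says.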
12.1.1 Overview of ASP.NET Security
Securing Web sites against unauthorized access is a critical, complex issue for Web developers.
A successful system requires careful planning, and Web site administrators and programmers
must have a clear understanding of the options for securing their site.
236 LOVELY PROFESSIONAL UNIVERSITY