Page 245 - DCAP312_WEB_TECHNOLOGIES_II

Unit 12: Security and Membership



                 needs only to verify that in the ASP.NET configuration file (web.config) the identity
                 element's impersonate attribute is set to true; no ASP.NET security code needs to be
                 written, because the request then executes under the Windows account that IIS
                 authenticated and NTFS permissions are checked against that account.
                 Notice that if impersonation is not enabled, the application runs with the identity of the
                 ASP.NET worker process rather than with the identity of the caller. For Microsoft Windows
                 2000 Server and Windows XP, the default identity is a local user account named ASPNET
                 that is created automatically when ASP.NET is installed. For products in the Microsoft
                 Windows Server 2003 family, the default identity is the Network Service account. Because
                 NTFS permissions are then evaluated against that one process account for every request,
                 they cannot restrict access per user; if we want to restrict access, we must use some other
                 means of authorization, such as URL authorization.
                 For more details about using impersonation in ASP.NET applications, see Impersonation
                 in ASP.NET and Using IIS Authentication with ASP.NET Impersonation.
               5.  If access is granted, the ASP.NET application returns the requested page through IIS.
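             To check which of the two cases above a running application is in, here is an added example
             (not code from the textbook): a small diagnostic handler that prints the account IIS
             authenticated alongside the Windows account the request thread actually runs as. The handler
             name IdentityCheck and the file name identity.ashx are assumptions made for illustration.

```csharp
// Added example (not from the textbook): a diagnostic HTTP handler showing which
// Windows identity an ASP.NET request executes under, so impersonation can be
// verified rather than assumed. Hypothetical names: IdentityCheck, identity.ashx.
//
// Impersonation is the web.config directive the text refers to:
//   <system.web>
//     <identity impersonate="true" />
//   </system.web>
// With it off, WindowsIdentity.GetCurrent() reports the worker-process account
// (ASPNET on Windows 2000/XP, NETWORK SERVICE on Windows Server 2003) even when
// IIS authenticated the caller; with it on, the two names coincide.
using System;
using System.Security.Principal;
using System.Web;

public class IdentityCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The caller IIS authenticated (empty when the request came in anonymously).
        string caller = context.User != null ? context.User.Identity.Name : "";
        // The Windows account the current thread really runs as.
        string thread = WindowsIdentity.GetCurrent().Name;

        context.Response.ContentType = "text/plain";
        context.Response.Write("Authenticated caller : " + caller + Environment.NewLine);
        context.Response.Write("Thread identity      : " + thread + Environment.NewLine);
        context.Response.Write("Impersonating caller : " + (IsImpersonating(caller, thread) ? "yes" : "no"));
    }

    // Impersonation is effective only if the thread runs as the authenticated caller.
    // Otherwise NTFS ACLs are evaluated against the process account, and per-user
    // restriction has to come from URL authorization (<authorization> in web.config).
    public static bool IsImpersonating(string caller, string thread)
    {
        return caller.Length > 0
            && string.Equals(caller, thread, StringComparison.OrdinalIgnoreCase);
    }
}
```

             Save it as identity.ashx with the directive <%@ WebHandler Language="C#" Class="IdentityCheck" %>
             at the top, request it once with impersonation off and once with it on, and compare the two
             lines: only when they match are file ACLs being applied to the real user.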
            Scenario 2 - Forms Authentication
             In this scenario the application uses ASP.NET forms authentication, a process in which the
             application collects credentials such as a user name and password directly from the client
             and makes its own determination of their authenticity. The application does not rely on IIS
             authentication, but the IIS authentication settings still matter to the forms authentication
             process: unless we want IIS to reject every request that does not satisfy the enabled IIS
             authentication method, we must enable the IIS Anonymous Access setting, so that
             unauthenticated requests reach ASP.NET and can be redirected to the logon form.

             If we do not enable anonymous access in IIS, requests that fail IIS authentication are rejected
             by IIS itself and never reach the ASP.NET application, so the logon form is never shown.

            The data flow in this scenario is shown in the following Figure 12.3.

                                     Figure 12.3: Forms Authentication

             (Flowchart, reconstructed as text.)
             1.  The client request arrives at IIS. If the IIS authentication settings are set properly
                 (Anonymous Access enabled), the request is passed to ASP.NET.
             2.  ASP.NET checks whether an authentication cookie is attached.
                 No: the logon form collects the user's credentials and the application authenticates
                 them. Authenticated? Yes: attach the cookie and continue with step 3. No: deny access.
                 Yes: continue with step 3.
             3.  Test authorization for the requested resource. Authorized? Yes: allow access to the
                 protected resource. No: deny access.
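             The logon-form branch of Figure 12.3, as an added example that is not part of the textbook:
             a Web Forms code-behind for the logon page. The page name Login.aspx, the control IDs
             UserName, Password and ErrorLabel, and the use of Membership.ValidateUser to check the
             credentials are assumptions; the figure does not say how credentials are authenticated. The
             web.config settings the code depends on are listed in its leading comment.

```csharp
// Added example (not from the textbook): the "logon form collects credentials ->
// authenticate -> attach cookie" path of Figure 12.3 as an ASP.NET Web Forms
// code-behind. Hypothetical names: Login.aspx, UserName, Password, ErrorLabel,
// LoginButton_Click. Credential checking is delegated to the configured
// Membership provider (Membership.ValidateUser), an assumption the figure leaves open.
//
// Assumed web.config (IIS must also allow Anonymous Access, or the request
// never reaches this page):
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="20" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- "Authorized?" test: no cookie => redirect to Login.aspx -->
//     </authorization>
//   </system.web>
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// UserName, Password (TextBox) and ErrorLabel (Label) are the server controls
// declared on Login.aspx; the page framework supplies their fields.
public partial class Login : Page
{
    // "Logon form collects user credentials" -> "Authenticate credentials"
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        if (!Membership.ValidateUser(user, Password.Text))
        {
            // "Authenticated? No": no cookie is issued, so the next request to a
            // protected page is sent straight back here by the authorization test.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // "Authenticated? Yes" -> "Attach cookie": issues the forms ticket as the
        // .ASPXAUTH cookie and sends the browser back to the page it originally
        // requested (the ReturnUrl), where <deny users="?"/> now lets it through.
        FormsAuthentication.RedirectFromLoginPage(user, false /* session cookie only */);
    }

    // Same step split into its parts, for when the redirect target must be controlled:
    // SetAuthCookie attaches the cookie, GetRedirectUrl reads the ReturnUrl parameter.
    protected void IssueTicketAndReturn(string user)
    {
        FormsAuthentication.SetAuthCookie(user, false);
        string target = FormsAuthentication.GetRedirectUrl(user, false);
        Response.Redirect(target, true);
    }
}
```

             The "Authentication cookie attached?" decision at the top of the figure is not page code at
             all: FormsAuthenticationModule evaluates the cookie on every request before any page runs,
             and UrlAuthorizationModule then applies the authorization test, which is why a valid cookie
             is all a later request needs.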


                                             LOVELY PROFESSIONAL UNIVERSITY                                   239