
Implementing and Configuring Security

When deploying Web Services, you can make use of the built-in authentication functionality of ASP.NET. This is configured in the Web.Config file. The key points to remember for the exam are what authentication options are available, and how to configure them in .NET and IIS.

Authentication, Authorization, and Impersonation

These three terms come up constantly in any discussion of security, and all three are covered on the exam. For readers unfamiliar with the differences between them, we include definitions here.
Authentication: The process of verifying that the user is who they claim to be, usually through some username/password verification scheme.
Authorization: The process of determining which resources an authenticated user is permitted to access.
Impersonation: The process of having the ASP.NET worker process run as an authenticated or anonymous user so that authorization checks can be performed under that user's identity.

Configuring Authentication

Authentication refers to how a user's identity is verified. There are 4 different authentication options:
Windows: Users are authenticated using their Windows domain accounts. This works in conjunction with IIS security.
Forms: Users are redirected to an HTML form for entering their username and password.
Passport: Users are authenticated using the Microsoft Passport service.
None: Users are not authenticated.
Authentication is configured in the web.config file for the application. The <authentication> section of the web.config file looks like this:
<authentication mode="[Windows|Forms|Passport|None]">
    <forms name="[name]" loginUrl="[url]">
        <credentials passwordFormat="[Clear|SHA1|MD5]">
            <user name="[UserName]" password="[password]"/>
        </credentials>
    </forms>
    <passport redirectUrl="internal" />
</authentication>
For forms authentication, the <forms> tag provides settings for the name of the cookie given to the user (.ASPXAUTH is the default) and the path to the login form to which non-authenticated users are redirected. For passport authentication, the <passport> tag allows you to indicate a redirect page after the user is authenticated. Otherwise, the passport service redirects the user to the page they originally requested.

Web.config Examples

Windows Authentication

<authentication mode="Windows">
</authentication>
Forms Authentication
<authentication mode="Forms">
    <forms name="MyApp" loginUrl="/login.aspx" decryptionkey="1!#$$*13^">
        <credentials passwordFormat="SHA1">
            <user name="Bill" password="9611E4F94EC4972D5A537EA28C69F89AD28E5B36"/>
            <user name="Steve" password="BA7157A99DFE9DD70A94D89844A4B4993B10168F"/>
        </credentials>
    </forms>
</authentication>
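The Forms example above only declares the users; the login page still has to check the posted credentials against them and issue the authentication cookie. The following code-behind is an added example, not code from the original page: it uses the ASP.NET FormsAuthentication class, whose Authenticate method hashes the submitted password with the configured passwordFormat and compares it with the <credentials> entries, and whose RedirectFromLoginPage method issues the cookie. The control names (txtUser, txtPassword, lblError) and the button handler name are assumptions for illustration. The HashForConfig helper shows how the hex digests stored in the password attribute are produced, so that clear-text passwords never have to appear in web.config.

```csharp
// Added example: minimal login page code-behind for a <credentials>-based
// Forms authentication setup. Control names are assumed, not from the page.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox txtUser;      // assumed control on login.aspx
    protected TextBox txtPassword;  // assumed control on login.aspx
    protected Label lblError;       // assumed control on login.aspx

    // Wired to the login button's Click event in the .aspx markup (assumed).
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Authenticate() looks the user up in <credentials> and compares the
        // hashed password. It returns false for an unknown user or a wrong
        // password alike, so the error message below cannot leak which it was.
        if (FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text))
        {
            // Issues the forms authentication ticket cookie (.ASPXAUTH by
            // default) and redirects to the page the user originally asked for
            // (the ReturnUrl query string parameter), or to default.aspx.
            // false = session cookie only, not a persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            lblError.Text = "Invalid username or password.";
        }
    }

    // Produces the hex digest to store in <user password="..."/> for the chosen
    // passwordFormat ("SHA1" or "MD5"). The SHA1 values in the example above are
    // digests of this form.
    public static string HashForConfig(string clearTextPassword, string passwordFormat)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(
            clearTextPassword, passwordFormat);
    }
}
```

The <credentials> section is a convenience for a handful of fixed accounts. When users live in a database, the only line that changes is the Authenticate call, which you replace with your own lookup; RedirectFromLoginPage is still what turns a successful check into a ticket that the <authorization> rules can act on.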
Passport Authentication
<authentication mode="Passport">
</authentication>

Configuring Authorization

Authorization is the next stage after authentication. Once you have confirmed the identity of the user, you need to find out what they are permitted to see. Like authentication, there are web.config sections dealing with authorization, or you can use custom code to authorize users.

Authorization in Web.Config

Authorization is controlled in an <authorization> tag, via <allow> and <deny> elements. For example, the following authorization configuration allows Steve and members of the Administrators role to access the web application, but denies everyone else.

<authorization>
  <allow users="Steve" />
  <allow roles="Administrators" />
  <deny users="*" />
</authorization>
The asterisk (*) wildcard is used to denote all users. The question mark (?) is used to denote all non-authenticated users. The users attribute allows you to list users who should be allowed or denied access. Likewise, the roles attribute is used for role-based authorization and can be used to allow or deny users in those roles.

Location tag

Using a <location> tag, you can specify authorization settings for subdirectories in your web application. For example, your site may be public, but you use forms authentication to authenticate members and allow only them access to a MembersOnly directory. The following web.config file (note that <location> sits outside the <system.web> tag) shows how to specify authorization settings for the MembersOnly directory.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
    <authentication mode="Forms">
        <forms loginUrl="Registration/login.aspx" name="OurInternetApp" timeout="30" path="/"></forms>
    </authentication>
    <authorization>
        <allow users="?" />
    </authorization>
</system.web>
<location path="MembersOnly">
    <system.web>
        <authorization>
            <deny users="?"></deny>
        </authorization>
    </system.web>
</location>
</configuration>
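To make the rule semantics above concrete (top-down evaluation, first match wins, * for everyone, ? for anonymous users, roles checked through the principal, and a <location> block's rules taking precedence over those inherited from the parent), here is an added example that re-implements that evaluation in a small console program and runs it against both configurations shown on this page. This is illustrative code of my own, not the page's and not ASP.NET's internal UrlAuthorizationModule; the class and method names (AuthzRule, UrlAuthz, Parse, IsAllowed, Merge) are assumptions. It goes slightly beyond the text by handling comma-separated user lists and by showing the default that applies when no rule matches.

```csharp
// Added example: evaluates <allow>/<deny> rules the way the text describes.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Xml;

public class AuthzRule
{
    public bool Allow;
    public string[] Users;
    public string[] Roles;
}

public static class UrlAuthz
{
    // Parses an <authorization> element into an ordered rule list.
    public static List<AuthzRule> Parse(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        var rules = new List<AuthzRule>();
        foreach (XmlNode node in doc.DocumentElement.ChildNodes)
        {
            if (node.NodeType != XmlNodeType.Element) continue;
            var r = new AuthzRule { Allow = node.Name == "allow" };
            r.Users = Split(node.Attributes["users"]);
            r.Roles = Split(node.Attributes["roles"]);
            rules.Add(r);
        }
        return rules;
    }

    static string[] Split(XmlAttribute a)
    {
        return a == null
            ? new string[0]
            : a.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }

    // Rules are evaluated top-down and the first match decides. If nothing
    // matches, access is allowed: machine.config contributes a trailing
    // <allow users="*"/>, which is why a site that lists only <allow> rules
    // without a closing <deny users="*"/> lets everyone in.
    public static bool IsAllowed(List<AuthzRule> rules, IPrincipal user)
    {
        foreach (var r in rules)
            if (Matches(r, user)) return r.Allow;
        return true;
    }

    static bool Matches(AuthzRule r, IPrincipal user)
    {
        bool authenticated = user.Identity.IsAuthenticated;
        foreach (string u in r.Users)
        {
            string name = u.Trim();
            if (name == "*") return true;                   // everyone
            if (name == "?" && !authenticated) return true; // anonymous only
            if (authenticated && string.Equals(name, user.Identity.Name,
                                               StringComparison.OrdinalIgnoreCase))
                return true;
        }
        foreach (string role in r.Roles)
            if (user.IsInRole(role.Trim())) return true;
        return false;
    }

    // A <location> block's rules are evaluated before the parent's rules.
    public static List<AuthzRule> Merge(List<AuthzRule> location, List<AuthzRule> parent)
    {
        var merged = new List<AuthzRule>(location);
        merged.AddRange(parent);
        return merged;
    }

    public static void Main()
    {
        // Constructed principals: an empty name makes GenericIdentity anonymous.
        var steve = new GenericPrincipal(new GenericIdentity("Steve"), new string[0]);
        var alice = new GenericPrincipal(new GenericIdentity("Alice"), new[] { "Administrators" });
        var bob   = new GenericPrincipal(new GenericIdentity("Bob"), new string[0]);
        var anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        // First configuration on the page: Steve and Administrators in, everyone else out.
        var site = Parse("<authorization><allow users=\"Steve\"/>" +
                         "<allow roles=\"Administrators\"/><deny users=\"*\"/></authorization>");
        Console.WriteLine("Steve: {0}, Alice (admin): {1}, Bob: {2}, anonymous: {3}",
            IsAllowed(site, steve), IsAllowed(site, alice), IsAllowed(site, bob), IsAllowed(site, anon));

        // Second configuration: public root, <location path="MembersOnly"> denies "?".
        var root = Parse("<authorization><allow users=\"?\"/></authorization>");
        var members = Merge(Parse("<authorization><deny users=\"?\"/></authorization>"), root);
        Console.WriteLine("anonymous at /: {0}, at /MembersOnly: {1}, Bob at /MembersOnly: {2}",
            IsAllowed(root, anon), IsAllowed(members, anon), IsAllowed(members, bob));
    }
}
```

Running it prints True for Steve and Alice and False for Bob and the anonymous user under the first configuration; under the second, the anonymous user is allowed at the root but denied in MembersOnly, while authenticated Bob reaches MembersOnly because neither ? rule matches him and the default allow applies. The same default is the check to make when reviewing a real web.config: every <authorization> section that is meant to restrict access needs an explicit <deny> as its final rule.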

Impersonation

Impersonation allows you to run an ASP.NET application as a specified user. Normally, the ASP.NET worker process runs as IUSR_[MACHINENAME]. Using an <identity> tag with the impersonate attribute in the web.config file, you can configure impersonation as follows:

<identity impersonate="true" userName="CompanyDomain\Steve" password="password" />

Additional Resources

  • ASP.NET Authentication