
Security

ASP.NET works together with IIS and Windows to provide several different security options for your web application. The key points to remember for the exam are what authentication options are available, and how to configure them in .NET and IIS.

Authentication, Authorization, and Impersonation

These three terms are used throughout any discussion of security in general, and are covered on the exam. For the benefit of readers unfamiliar with the differences between them, we include definitions here.
Authentication: The process of verifying that a user is who they claim to be, usually through a username/password verification scheme.
Authorization: The process of determining which resources an authenticated user is allowed to access.
Impersonation: The process of having the ASP.NET worker process run as the authenticated (or anonymous) user, so that authorization checks are performed against that user's identity rather than the worker process account.

Configuring Authentication

Authentication refers to how a user's identity is verified. There are 4 different authentication options:
Windows: Users are authenticated using their Windows domain accounts. This works in conjunction with IIS security.
Forms: Users are redirected to an HTML form for entering their username and password.
Passport: Users are authenticated using the Microsoft Passport service.
None: Users are not authenticated.
Authentication is configured in the web.config file for the application. The <authentication> section of the web.config file looks like this:
<authentication mode="[Windows|Forms|Passport|None]">
    <forms name="[name]" loginUrl="[url]">
        <credentials passwordFormat="[Clear|SHA1|MD5]">
            <user name="[UserName]" password="[password]"/>
        </credentials>
    </forms>
    <passport redirectUrl="internal" />
</authentication>
For forms authentication, the <forms> tag provides settings for the name of the cookie given to the user (.ASPXAUTH is the default) and the path to the login form to which non-authenticated users are redirected. For passport authentication, the <passport> tag allows you to indicate a redirect page after the user is authenticated. Otherwise, the Passport service redirects the user to the page he/she originally requested.

Web.config Examples

Windows Authentication

<authentication mode="Windows">
</authentication>
Forms Authentication

<authentication mode="Forms">
    <forms name="MyApp" loginUrl="/login.aspx">
        <credentials passwordFormat="SHA1">
            <user name="Bill" password="9611E4F94EC4972D5A537EA28C69F89AD28E5B36"/>
            <user name="Steve" password="BA7157A99DFE9DD70A94D89844A4B4993B10168F"/>
        </credentials>
    </forms>
</authentication>
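As an added example (not from this page or from ASP.NET itself), the following Python script shows what the <credentials> check above amounts to: the stored value is an unsalted uppercase hex SHA1 or MD5 digest of the UTF-8 password (or the plaintext for Clear), looked up by user name. The config fragment, the user and the password "password" are constructed for this example; the case handling (user names and hex digests compared case-insensitively, Clear passwords exactly) is my understanding of the .NET behaviour.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment in the format shown above.
# The stored digest is SHA1("password") for the constructed user "Bill".
SAMPLE_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="MyApp" loginUrl="/login.aspx">
        <credentials passwordFormat="SHA1">
          <user name="Bill" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
"""


def hash_for_config(password: str, password_format: str) -> str:
    """Digest a password the way the <credentials> element stores it.

    The digest is unsalted, so equal passwords give equal stored values;
    treat web.config with this section as sensitive as a password file.
    """
    fmt = password_format.lower()
    if fmt == "clear":
        return password
    if fmt in ("sha1", "md5"):
        return hashlib.new(fmt, password.encode("utf-8")).hexdigest().upper()
    raise ValueError(f"unsupported passwordFormat: {password_format}")


def load_credentials(config_xml: str):
    """Return (passwordFormat, {lowercased user name: stored value})."""
    root = ET.fromstring(config_xml)
    creds = root.find("./system.web/authentication/forms/credentials")
    if creds is None:
        raise ValueError("no <credentials> element found")
    users = {u.get("name").lower(): u.get("password") for u in creds.findall("user")}
    return creds.get("passwordFormat", "SHA1"), users  # SHA1 is the .NET default


def authenticate(config_xml: str, user: str, password: str) -> bool:
    """Check a login against <credentials>: name lookup, then constant-time compare."""
    password_format, users = load_credentials(config_xml)
    stored = users.get(user.lower())
    if stored is None:
        return False
    candidate = hash_for_config(password, password_format)
    if password_format.lower() == "clear":
        return hmac.compare_digest(candidate.encode(), stored.encode())
    return hmac.compare_digest(candidate.encode(), stored.upper().encode())
```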
Passport Authentication

<authentication mode="Passport">
</authentication>
