Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com
Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication
Windows Authentication
As the name suggests, this method relies on Windows identities. It is advisable to use it when you are developing a local network application and all current identities and groups are stored in a pre-defined domain. Be very careful when assigning access rights to users, because you are assigning them Windows access rights at the same time. To enable Windows authentication in an ASP.NET application, change your Web project's configuration file (Web.config) or, if needed, the server-wide configuration file located at WINDOWS_FOLDER\Microsoft.NET\Framework\.NET version\CONFIG\Machine.config. In our example we will work only with the project file, Web.config, where you need to find the authentication section and set its mode attribute to Windows:
<authentication mode="Windows"></authentication>
Now we can start programming and implementing Windows-based authentication. We will do it with the help of the WindowsIdentity class, which is designed to work with Windows authentication. Generally, there are two basic identity classes in the .NET Framework:
GenericIdentity - implements the IIdentity interface and is not tied to any particular authentication type.
WindowsIdentity - also implements IIdentity, and adds members that are specific to Windows-based authentication.
The user name and group name are stored in a WindowsIdentity object in the following format: DOMAIN\UserName and DOMAIN\Group respectively. The only exception is built-in groups. For example, the Administrators group is referred to by the string BUILTIN\Administrators, or you can specify a built-in group with the enumeration System.Security.Principal.WindowsBuiltInRole.
As Fig. 1 shows, the WindowsIdentity object lets you get the user name, determine the authentication type, find out whether the request was anonymous, and find out whether the user passed authentication and whether he is a guest or a system user.

In ASP.NET applications you reach the WindowsIdentity object through the following chain: HttpContext.Current.User.Identity. The same chain lets you check the current user's role, because the User property implements the IPrincipal interface, and its IsInRole function has the following syntax:
Public Overridable Function IsInRole(ByVal role As String) As Boolean
Member of: System.Security.Principal.IPrincipal
But let's put the bare theory aside for a while and look at a practical example. Create a new ASP.NET Web Application project and enter the following code:
Default.aspx:
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="default.aspx.vb" Inherits="AuthSample.WebForm1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Authentication Sample</title>
<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
<meta name=vs_defaultClientScript content="JavaScript">
<meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout">
<form id="Form1" method="post" runat="server">
</form>
</body>
</html>
Default.aspx.vb:
Public Class WebForm1
    Inherits System.Web.UI.Page

#Region " Web Form Designer Generated Code "
    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
    End Sub

    'NOTE: The following placeholder declaration is required by the Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it using the code editor.
        InitializeComponent()
    End Sub
#End Region

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim s As String
        'The user name is HTML-encoded before it is written into the page.
        'Built-in groups use the BUILTIN\ prefix, so the role is BUILTIN\Administrators.
        s = "<p><b>Name:</b> " & Server.HtmlEncode(HttpContext.Current.User.Identity.Name) & "</p>" & _
            "<p><b>Authentication type:</b> " & HttpContext.Current.User.Identity.AuthenticationType.ToString & "</p>" & _
            "<p><b>Is authenticated:</b> " & HttpContext.Current.User.Identity.IsAuthenticated.ToString & "</p>" & _
            "<p><b>Is admin:</b> " & HttpContext.Current.User.IsInRole("BUILTIN\Administrators").ToString & "</p>"
        Response.Write(s)
    End Sub
End Class
If Windows authentication has been chosen and the IIS settings do not conflict with it, you will get the appropriate information about your current user. If the username and authentication type fields are still empty, you need to configure IIS. Here are the steps to follow:
1. Open IIS and find the virtual directory that holds this application.
2. Click Properties and select the Directory security tab. Under Anonymous access and authentication control, click the Edit... button.
3. Clear the Anonymous access check box in the pop-up window (see fig.).
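The role check from Page_Load can also be written with the WindowsBuiltInRole enumeration mentioned earlier, with the anonymous case (the empty name that appears while IIS still allows anonymous access) handled explicitly. This is an added example, not code from the original article; the module and function names (WindowsAuthReport, IsLocalAdmin, Describe) are hypothetical.

```vb
Imports System.Security.Principal
Imports System.Text
Imports System.Web

' Added example. WindowsAuthReport, IsLocalAdmin and Describe are
' hypothetical names, not part of the article's AuthSample project.
Public Module WindowsAuthReport

    ' True only for an authenticated Windows account that is a member of
    ' the built-in Administrators group on the web server.
    Public Function IsLocalAdmin(ByVal user As IPrincipal) As Boolean
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Return False
        End If
        If TypeOf user Is WindowsPrincipal Then
            ' The enumeration overload avoids typing the group name by hand.
            Return DirectCast(user, WindowsPrincipal).IsInRole( _
                WindowsBuiltInRole.Administrator)
        End If
        ' Any other IPrincipal: fall back to the string form.
        Return user.IsInRole("BUILTIN\Administrators")
    End Function

    ' Builds the HTML fragment the sample page writes, encoding every
    ' string value that originates from the identity.
    Public Function Describe(ByVal user As IPrincipal) As String
        Dim sb As New StringBuilder
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            ' Empty name: IIS still allows anonymous access.
            sb.Append("<p>Anonymous request: no Windows identity was supplied.</p>")
            Return sb.ToString()
        End If
        sb.Append("<p><b>Name:</b> " & HttpUtility.HtmlEncode(user.Identity.Name) & "</p>")
        sb.Append("<p><b>Authentication type:</b> " & _
            HttpUtility.HtmlEncode(user.Identity.AuthenticationType) & "</p>")
        If TypeOf user.Identity Is WindowsIdentity Then
            Dim wi As WindowsIdentity = DirectCast(user.Identity, WindowsIdentity)
            sb.Append("<p><b>Is guest:</b> " & wi.IsGuest.ToString() & "</p>")
            sb.Append("<p><b>Is system:</b> " & wi.IsSystem.ToString() & "</p>")
        End If
        sb.Append("<p><b>Is admin:</b> " & IsLocalAdmin(user).ToString() & "</p>")
        Return sb.ToString()
    End Function

End Module
```

From Page_Load, the fragment is written with Response.Write(WindowsAuthReport.Describe(HttpContext.Current.User)).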

With this, let us finish Windows-based authentication review and go on to forms authentication.