Establish security settings in Web.config

In this post (which is the 100th one in the life of the blog), we’ll review three important security-related settings that you can define in your application’s web.config file, namely: authentication, authorization and impersonation. You’ll find a very thorough article about the topic here.

First a little terminology: authentication is the process of identifying, authorization is of checking rights. A common example: when you check-in to a plane, you show your ID, passport, etc. to identify yourself. Then you show your ticket for the given plane, to show that you are authorized to be there. It’s that simple. And impersonation is the process of taking someone else’s personality, which is a bad, bad thing. So long for terminology.

There are some a few authentication types in ASP.NET.  Windows authentication uses the Kerberos protocol (or NTLM) to identify itself. Let’s consider it using with and without impersonation. You’d use Windows authentication with impersonation when:

  • The application users’ Windows accounts can be authenticated at the server.
  • You’d like to flow the original caller’s identity to the middle-tier of your application.
  • You’d like to flow the original caller’s identity to a low level (to the OS).

When you use this method, you are able to work with ACLs, and use URL authorization, too.

The other approach is to use Windows authentication without impersonation.  This is a good solution when:

  • The application users’ Windows accounts can be authenticated at the server.
  • You’d like to show fixed credentials for example to a database server, thus enhancing connection pooling.

Forms authentication is a great approach when you’d like to authenticate your users against a custom user store (a database or Windows Active Directory). Yes, when you want to use Windows AD, you shouldn’t use Windows authentication, instead, you should use Forms authentication. Use it in conjunction with the ActiveDirectoryMembershipProvider, and an appropriate connection string, that connects to the AD.

When you use Forms authentication, you should consider using SSL, since it’s a bad thing to pass authentication data between the client and the server as clear text. Guess you could imagine why.

Now a little authorization. You can specify URL authorization settings in your root web.config file, or in subfolder’s web.config files. Be aware of that ASP.NET seeks for the first matching rule, so you should write the following code:

<allow users=”John” />
<deny users=”*”/>

You can even filter for HTTP methods, like POST, GET or the rest. Authorization can be controlled by ACLs, too. In this case, we are talking about resource-based authorization. As you can guess, the former method was role-based authorization.

Further Readings

Authentication and authorization

ASP.NET Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s