Software QA (13)
SQL Server (1)
How does authorization work in ASP.NET
How does authorization work in ASP.NET?
ASP.NET impersonation is controlled by entries in the applications web.config file. The
default setting is “no impersonation”. You can explicitly specify that ASP.NET shouldn’t
use impersonation by including the following code in the file
It means that ASP.NET will not perform any authentication and runs with its own privileges. By default ASP.NET runs as an unprivileged account named ASPNET. You can change this by making a setting in the processModel section of the machine.config file. When you make this setting, it automatically applies to every site on the server. To user a high-privileged system account instead of a low-privileged set the userName attribute of the processModel element to SYSTEM. Using this setting is a definite security risk, as it elevates the privileges of the ASP.NET process to a point where it can do bad things to the operating system.
When you disable impersonation, all the request will run in the context of the account running ASP.NET: either the ASPNET account or the system account. This is true when you are using anonymous access or authenticating users in some fashion. After the user has been authenticated, ASP.NET uses its own identity to request access to resources.
The second possible setting is to turn on impersonation.
<identity impersonate =”true”/> access in IIS, this means ASP.NET will impersonate the IUSR_ComputerName account that IIS itself uses. If you aren’t allowing anonymous access,ASP.NET will take on the credentials of the authenticated user and make requests for resources as if it were that user. Thus by turning impersonation on and using a non-anonymous method of authentication in IIS, you can let users log on and use their identities within your ASP.NET application.
Finally, you can specify a particular identity to use for all authenticated requests
<identity impersonate=”true” username=”DOMAIN\username” password=”password”/ >
it correct in the configuration file). So, for example you could designate a user for a single application, and use that user’s identity every time someone authenticates to the application. The drawback to this technique is that you must embed the user’s password in the web.config file in plain text. Although ASP.NET won’t allow anyone to download this file, this is still a security risk if anyone can get the file by other means.
2007-10-24, 5449👍, 0💬
How To Blend a Color Layer to a Image? - PSP Tutorials - Fading Images to Background Colors with PSP...
What Happens to Your Transactions When ERROR 1213 Occurred? - MySQL FAQs - Transaction Management: C...
How do you handle change request? Normally change request are handled by preparing an Impact analysi...
What is more advisable to create a thread, by implementing a Runnable interface or by extending Thre...
Can two catch blocks be executed? No, once the proper catch section is executed the control goes fin...