Categories:
.NET (357)
C (330)
C++ (183)
CSS (84)
DBA (2)
General (7)
HTML (4)
Java (574)
JavaScript (106)
JSP (66)
Oracle (114)
Perl (46)
Perl (1)
PHP (1)
PL/SQL (1)
RSS (51)
Software QA (13)
SQL Server (1)
Windows (1)
XHTML (173)
Other Resources:
How does authorization work in ASP.NET
How does authorization work in ASP.NET?
✍: Guest
ASP.NET impersonation is controlled by entries in the applications web.config file. The
default setting is “no impersonation”. You can explicitly specify that ASP.NET shouldn’t
use impersonation by including the following code in the file
<identity impersonate=”false”/>
It means that ASP.NET will not perform any authentication and runs with its own
privileges. By default ASP.NET runs as an unprivileged account named ASPNET. You
can change this by making a setting in the processModel section of the machine.config
file. When you make this setting, it automatically applies to every site on the server. To
user a high-privileged system account instead of a low-privileged set the userName attribute
of the processModel element to SYSTEM. Using this setting is a definite security risk, as
it elevates the privileges of the ASP.NET process to a point where it can do bad things to
the operating system.
When you disable impersonation, all the request will run in the context of the account
running ASP.NET: either the ASPNET account or the system account. This is true when
you are using anonymous access or authenticating users in some fashion. After the user
has been authenticated, ASP.NET uses its own identity to request access to resources.
The second possible setting is to turn on impersonation.
<identity impersonate =”true”/>
access in IIS, this means ASP.NET will impersonate the IUSR_ComputerName account
that IIS itself uses. If you aren’t allowing anonymous access,ASP.NET will take on the
credentials of the authenticated user and make requests for resources as if it were that
user. Thus by turning impersonation on and using a non-anonymous method of
authentication in IIS, you can let users log on and use their identities within your ASP.NET
application.
Finally, you can specify a particular identity to use for all authenticated requests
<identity impersonate=”true” username=”DOMAIN\username” password=”password”/
>
it correct in the configuration file). So, for example you could designate a user for a single
application, and use that user’s identity every time someone authenticates to the
application. The drawback to this technique is that you must embed the user’s password
in the web.config file in plain text. Although ASP.NET won’t allow anyone to download
this file, this is still a security risk if anyone can get the file by other means.
2007-10-24, 5626👍, 0💬
Popular Posts:
What Does a HTML Document Look Like? A HTML document is a normal text file with predefined tags mixe...
How To Calculate Expressions with SQL Statements? - MySQL FAQs - Introduction to SQL Basics There is...
How To Display a Past Time in Days, Hours and Minutes? - MySQL FAQs - Managing Tables and Running Qu...
How can we know the number of days between two given dates in PHP? Simple arithmetic: <?php $...
How can JavaScript make a Web site easier to use? That is, are there certain JavaScript techniques t...