Lately at SCS I have been assigned to build up the security module and related tasks in the Real Estate Management System we are building. So I decided to share what I have learned in this past period and of course to hear from the community to find optimal solutions for the scenarios I worked with, all what I write here might be repeated but I will share it anyway. [more]
In this part, I will show some important basic points that should be clear to everyone before implementing asp.net security tasks.
Looking at any web application, the security is a matter of users/passwords/roles/groups… etc. While ASP.NET provides more mechanisms for authentication and authorization that work with the Operating system,IIS and .NET framework classes. So the ASP.NET application runs through these 3 levels.
- IIS Level
- ASP.NET worker process level
- ASP.NET pipeline level
So, the Big Question, What is the Identity that runs my application ?
First, When an IIS web server machine receives an ASP.NET request, the IIS assigns it to one of the threads pooled in it, IIS runs under the SYSTEM account which has all the powers in a Microsoft Windows operating system. You can read extra information in the ASP.NET Application Life Cycle Overview article on the msdn.
Next, the 3 security levels run on the request one after the other.
1- The IIS thread context : the identity of this thread is determined according to the settings of the website in the IIS which has one of the following settings:
- Basic authentication prompts the user for a user name and a password, also called credentials, which are sent unencrypted over the network.
- Integrated Windows authentication uses hashing technology to scramble user names and password before sending them over the network.
- Digest authentication operates much like Basic authentication, except that passwords are sent across the network as a hash value. Digest authentication is only available on domains with domain controllers running Windows Server operating systems.
- Anonymous authentication allows everyone access to the public areas of the Web sites, without asking for a user name or password. When this is set, the identity impersonates the identity set in the textboxes, with the default user name IUSR_MACHINENAME. Like shown in the figure down below.
Further more, IIS provides SSL (Secure Socket Layer) authentication mode that is based on certificates, to authenticate users requesting/providing secret information on the server, two trusted certificate providers (which I know but never used) are http://www.thawte.com/ and http://www.verisign.com/.
After authentication, the thread sends the request to the appropriate external module.
Next part I will talk about the 2 next security level contexts.