124 |
Saturday Afternoon |
super user, power user, administrator or anonymous is defined by the application and given access to execute certain files, run certain functions or add/update/delete certain data.
Impersonation is when an application assumes the user’s identity as the request is passed to the application from IIS. Then, access is granted or denied based on the impersonated identity. So, we could establish two accounts in the application called genericUser and superUser, we could then selectively have incoming Web clients run as one of these accounts depending upon the rules established during authorization for each specific user.
Web.config and Security
There are two types of XML configuration files used by ASP.NET, they are called machine.config and Web.config. The format of these files and elements that they can contain are the same, however the machine.config file provides the default configuration for all applications and directories, while the Web.config file allows you to modify these defaults for a specific application or virtual directory. The machine.config is a located at:
[install drive]:\WINNT\Microsoft.NET\Framework\[ASP.NET Version Number]\CONFIG
and there is only one copy of this file per Webserver, whereas there may be dozens of Web.config files for various applications and subdirectories.
You can establish the conditions for access to a particular directory or application, by modifying the <system.Web> section in your application’s Web.config file. The conditions you set in the Web.config file will apply to the directory, which contains it, as well as all of its associated sub directories.
Within the Web.config file the <system.Web> section establishes the security profile for the application or directories overseen by it. The general syntax for the security section of the Web.config file is illustrated in Listing 13-1:
Listing 13-1 General syntax for the security section of the Web.config file
<?xml version=”1.0” encoding=”utf-8” ?> <configuration>
<location path=”[Path of specific file to which system.Web applies]”> <system.Web>
<authentication mode=”[Windows/Forms/Passport/None]”>
<forms name=”[name]” loginUrl=”[url]” protection=”[All, None, Encryption, Validation]” timeout=”[time in minutes]” path=”[path]” >
<credentials passwordFormat=”[Clear, SHA1, MD5]”> <user name=”[UserName]” password=”[password]”/>
</credentials>
</forms>
<Passport redirecturl=”internal” /> </authentication>
<authorization>
<allow users=”[comma separated list of users]” roles=”[comma separated list of roles]” verb=”[GET, POST, HEAD]”/>
<deny users=”[comma separated list of users]” roles=”[comma separated list of roles]” verb=”[GET, POST, HEAD]”/>
</authorization>
<identity impersonate=”[true/false]” name=”[Domain\Username to operate under]” password=”[password of Domain\UserName]”/>
Session 13—Authentication and Authorization |
125 |
</identity>
<system.Web>
</location>
</configuration>
Note
Note the use of camel-casing throughout the Web.config and machine. config file where the first letter of the first word is always lower-case and the first letter of the subsequent word is upper-case, as in “configSections”. This is important because the entire file is case sensitive, and errors in case will create application errors.
The default and optional values for these elements are shown in Table 13-1.
Table 13-1 Default and Optional Values for Security Section of Web.config
Element and Default Value |
Optional Values |
Comment |
<location path=””> |
Any string that represents |
If you include a location tag in |
|
a valid path to a file |
then the settings contained in |
|
|
the <system.Web> section fol- |
|
|
lowing this tag will only apply to |
|
|
the specific file path named in |
|
|
the path property. This tag is |
|
|
optional and should typically |
|
|
only be used for files not sup- |
|
|
ported by ASP.NET. |
|
|
|
<authentication mode= |
Forms, Passport, None |
The authentication mode cannot |
”Windows”> |
|
be set at a level below the |
|
|
application root directory. |
|
|
|
<forms name=”.ASPXAUTH”> |
Any string for storing |
You can use any string you like |
|
the cookie |
for the cookie name. |
|
|
|
<forms login Url= |
Any valid absolute or |
If the mode is set to Forms, and |
”login.aspx”> |
relative URL |
if the request does not have a |
|
|
valid cookie, this is the URL to |
|
|
which the request is directed for |
|
|
a forms-based login. |
|
|
|
<forms protection= |
All, None, Encryption |
The value within the cookie can |
”None”> |
and Validation |
by encrypted or sent in plain |
|
|
text. For sites that only use |
|
|
forms authentication to identify |
|
|
a user and not for security pur- |
|
|
poses, then the default None is |
|
|
just fine. |
|
|
|
Continued
126 |
Saturday Afternoon |
Table 13-1 |
|
Continued |
Element and Default Value |
Optional Values |
Comment |
<forms path=”/”> |
Any valid string |
Specifies the path value of the |
|
|
cookie. Cookies are only visible |
|
|
to the path and server that sets |
|
|
the cookie. |
|
|
|
<credentials |
Clear, MD5 |
Tells ASP.NET the password |
passwordFormat=”sha1”> |
|
format used to decrypt the pass- |
|
|
word value of the user attribute. |
|
|
Note that just setting this value |
|
|
does not automatically encrypt |
|
|
the password value, instead it is |
|
|
the developers responsibility to |
|
|
add the password value in an |
|
|
encrypted format. |
|
|
|
<Passport redirecturl= |
Any valid URL that |
The authentication mode must |
”internal”> |
provides a login |
equal “Passport” for this to |
|
validation |
apply. When the requested page |
|
|
requires authentication and |
|
|
the user has not signed on |
|
|
with Passport, then the user |
|
|
will be redirected to the supplied |
|
|
“redirecturl”. |
|
|
|
<user name=””> |
Any valid user name |
For example use the value |
|
as string |
“jsmith”. |
|
|
|
<user password=””> |
Any valid password |
For example use the value |
|
as string |
“jsmithspassword”. |
|
|
|
<allow users=”*”> |
Any comma-delimited |
By default the special character * |
|
list of users |
indicates that all users are |
|
|
allowed; alternatively, ? indicates |
|
|
that anonymous users are |
|
|
allowed. |
|
|
|
<allow roles= > |
Any comma-delimited |
The special character * indicates |
|
list of roles |
that all roles are allowed. |
|
|
|
<deny users=””> |
Any comma-delimited |
Special characters * for all users |
|
list of users |
and ? for anonymous user can be |
|
|
used. |
|
|
|
Session 13—Authentication and Authorization |
127 |
Element and Default Value |
Optional Values |
Comment |
<deny roles=””> |
Any comma-delimited |
The special character * for all |
|
list of roles |
roles can be used. |
|
|
|
<identity impersonate= |
True |
With impersonation set to |
”false”> |
|
“True”, the usernames and |
|
|
passwords will be compared |
|
|
against valid NT User Groups |
|
|
to determine access based upon |
|
|
NTFS Access Control Lists. |
|
|
|
Note
The ASP.NET Configuration System only applies to ASP.NET Resources, which are those items handled by the xspisapi.dll. By default items not handled by this DLL, such as TXT, HTML, GIF, JPEG, and ASP files, are not secured by the Web.config. To secure these items use the IIS admin tool to register these files, or use the <location> tag to specify a specific file or directory.
The following example grants access to Tony, while denying it to Jason and anonymous users:
<?xml version=”1.0” encoding=”utf-8” ?> <configuration>
<system.Web>
<authorization>
<allow users=”Tony” /> <deny users=”Jason” /> <deny users=”?” />
</authorization>
<system.Web>
</configuration>
Next we’ll look at how users and roles may refer to multiple entities using a commaseparated list:
<allow users=”Tony, Jason, DomainName\tcaudill” />
As you can see, the domain account (DomainName\tcaudill) must include both the domain and user name combination.
Special identities
In addition to identity names, there are two special identities: *, which refers to all identities, and ?, which refers to the anonymous identity. So, to allow Jason and deny all other users you could set the configuration section as shown in the following code sample:
<?xml version=”1.0” encoding=”utf-8” ?> <configuration>
<system.Web>
<authorization>
<allow users=”Jason” />