Asp.net -IMPERSONATION -- pavankumar --
To Cerebrus & DotNetDevelopmentGroups: I need a detailed explanation about *Impersonation* in *ASP.NET*, and also *Authentication and Authorization*. -- Thanks & Regards, Sayin(pavan)
-- BradleyPeter --
OK. Here's a shot at it just off the top of my head.

Impersonation is the name for the technique whereby the asp.net process runs in the context of a user other than the default ASPNET user. You can find details here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconImpersonation.asp I won't go into any more detail since it is not a technique that we use. We believe that it is a security mistake to give ASP.NET anything other than minimal privileges.

Authentication is the process of asking users to identify themselves. When a user provides correct credentials (usually a username and password), we say that the user is authenticated. So authentication answers the question, "Who are you?" Authorisation, on the other hand, is the process of determining whether or not the authenticated user is permitted to carry out a particular function. So authorization answers the question, "Are you allowed to do this?"

In ASP.NET applications, users are typically authenticated using Forms Authentication. Users enter their credentials (uid and password), which are then checked against some form of secure data store. The secure data store might be a secure database, or Active Directory/LDAP, or some other repository of user information. There are other methods of authentication, but they have considerable drawbacks like, for example, requiring that the Web server is on the Windows domain.

Authentication credentials should be reviewed every time a security boundary is crossed. This can be achieved by asking again for the user to supply credentials or (more likely) by ensuring that the credentials flow through the application with the user. In .NET a security challenge can be issued by including declarative attributes in code at appropriate places. Such a challenge may require, for example, if placed directly above a class definition, that the user must be logged in, in order to execute code in the class.

Authorisation is achieved by storing permitted roles against a user's credentials in the secure data store. This means that the roles the user is permitted to adopt can be retrieved immediately the user is authenticated, and can be stored along with authentication credentials in a security principal object. This security principal object can be associated with the current context to be presented each time a security challenge is issued. The upshot of this is that attributes similar to those described above for authentication can be used to allow only authorized users to carry out certain tasks. For example a method might be decorated with an attribute, declaring that only users belonging to certain specified roles are permitted to carry out the function of that particular method (e.g. "only administrators are allowed to add new users"). As well as declarative attributes, .NET also provides for imperative code that can retrieve details of the current users and their roles (e.g. the method, IsInRole()).

It is important to remember that if security challenges are issued, they will raise security exceptions if the challenge fails. You need to include code in your application to catch these exceptions and deal with them gracefully. The default behaviour is to display an ASP.NET error page that may contain details you would not wish your users to see. This is actually a more general security principle, that all errors should be caught by the application and dealt with gracefully. If a user ever sees the default ASP.NET error pages, the developer has made a mistake.

Some details of role-based security can be found here: http://www.eggheadcafe.com/articles/20020418.asp For a full discussion of all the above, and more, you should consult Microsoft's own book on the subject: http://www.microsoft.com/mspress/books/6501.asp If you don't fancy spending money on a book, you could read the white paper at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpmsdn.asp

HTH
Peter
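The mechanism Peter describes (a security principal carrying the user's roles, a declarative role demand on a method, the imperative IsInRole() alternative, and catching the resulting SecurityException rather than letting the default error page through) can be seen end to end in the following added example. It is not code from the thread or from any of the linked articles; it targets .NET Framework, where PrincipalPermission demands are enforced against Thread.CurrentPrincipal (in ASP.NET the same principal is what HttpContext.Current.User returns after Forms Authentication), and the users, roles and the "Administrator" role name are constructed for the demonstration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original thread. Assumes .NET Framework, where a
// PrincipalPermission demand is checked against Thread.CurrentPrincipal.
class UserAdmin
{
    // Declarative challenge: only members of the "Administrator" role may run this.
    // If the demand fails, SecurityException is raised before the body executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public static void AddUser(string name)
    {
        Console.WriteLine("Added user {0}", name);
    }

    // Imperative equivalent using IsInRole(): the caller decides what to do
    // (hide a button, return a friendly message) instead of relying on an exception.
    public static bool CanAddUsers()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        return p != null && p.Identity.IsAuthenticated && p.IsInRole("Administrator");
    }
}

class Program
{
    // Attaches a principal (identity plus roles) to the current context. In a real
    // application the roles come from the secure data store at login time.
    static void SignIn(string userName, string[] roles)
    {
        var identity = new GenericIdentity(userName, "Forms");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);
    }

    static void TryAddUser(string name)
    {
        string caller = Thread.CurrentPrincipal.Identity.Name;
        Console.WriteLine("{0}: CanAddUsers = {1}", caller, UserAdmin.CanAddUsers());
        try
        {
            UserAdmin.AddUser(name);
        }
        catch (SecurityException)
        {
            // Catch the failed challenge and answer gracefully, so the default
            // ASP.NET error page (with internal details) never reaches the user.
            Console.WriteLine("Access denied: {0} is not permitted to add users.", caller);
        }
    }

    static void Main()
    {
        // Constructed sample users: one administrator, one ordinary user.
        SignIn("alice", new[] { "Administrator", "User" });
        TryAddUser("bob");      // succeeds

        SignIn("carol", new[] { "User" });
        TryAddUser("dave");     // demand fails, handled by the catch block
    }
}
```

The declarative attribute keeps the policy visible next to the method it protects, while the IsInRole() check is what you would use in page code to decide whether to render an "Add user" control at all; both read the same principal, so the roles only have to be loaded once at authentication time.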
-- Cerebrus --
Sayin(pavan) wrote: To, Cerebrus & DotNetDevelopmentGroups

He he, strange that you should address it to me separately! Remember, Peter is the resident expert on all topics, especially ASP.NET. I'm just here to pass the time ;-) I have one tip for you, though. Try to avoid asking for detailed explanations on any topic. These can be easily accessed by a simple Google search. Not everyone would have the time to give you a detailed explanation on a conceptual topic. Therefore, your question runs the risk of getting ignored. (Not everyone is as forgiving as Peter.) It is much more preferable to read up on the topic, using what resources you can find, and then address any doubts or confusions that remain to the newsgroup. As I have said earlier: "The newsgroup helps those who help themselves."
-- BradleyPeter --
Erm. Don't think so. I choose carefully what I reply to, and sometimes I get lucky. Peter
-- pavankumar --
Thank you very much, Peter. Sorry for mentioning the name in the previous mail. From now onwards I will use the group id only. Regards, pavan(sayin)