Overview of ASP.NET Security
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
Most Web sites need to selectively restrict access to some portions of the site. You can think of a Web site as somewhat analogous to an art gallery. The gallery is open for the public to come in and browse, but there are certain parts of the facility, such as the business offices, that are accessible only to people with certain credentials, such as employees. When a Web site stores its customers' credit card information in a database, for example, ASP.NET helps protect the database from public access. ASP.NET security addresses this and many other security issues.
ASP.NET, in conjunction with Internet Information Services (IIS), can authenticate user credentials such as names and passwords using any of the following authentication methods:
Windows: Basic, Digest, or Integrated Windows authentication (NTLM or Kerberos)
Microsoft Passport authentication
Forms authentication
Client Certificate authentication
ASP.NET helps control access to site information by comparing authenticated credentials, or representations of them, to NTFS file system permissions or to an XML file that lists authorized users, authorized roles (groups), or authorized HTTP verbs.
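The XML file mentioned above is the application's Web.config. The following fragment is an added illustration, not part of the original documentation, showing authorization rules by user, role, and HTTP verb. The Admin path and the CONTOSO account and group names are hypothetical.

```xml
<!-- Added example: constructed Web.config. The Admin folder and the
     CONTOSO names are hypothetical placeholders. -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; ASP.NET receives the Windows identity. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" means anonymous users. Site-wide, require an authenticated caller. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rules for one subfolder. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are read top to bottom and the first match decides. -->
        <!-- Role rule: members of this Windows group get full access. -->
        <allow roles="CONTOSO\SiteAdmins" />
        <!-- User plus verb rule: this account may read (GET) but not POST. -->
        <allow users="CONTOSO\auditor" verbs="GET" />
        <!-- "*" means everyone. Without this closing deny, unmatched callers
             fall through to the parent rules and then to the machine-level
             default of allow users="*", so any authenticated user would
             reach Admin. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Weak ordering, shown for contrast only:
         <allow users="*" />
         <deny users="?" />
       The allow rule matches every caller first, so the deny is never reached. -->
</configuration>
```

When reviewing an existing Web.config, check each authorization block for a closing deny rule and for allow rules placed above the deny rules they are meant to follow.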
The topics in this section describe the specifics of ASP.NET security.
This section includes the following information:
How Security Works in ASP.NET: Provides an overview of ASP.NET security.
Architecture in ASP.NET: Provides an overview of ASP.NET infrastructure and subsystem relationships, as related to security.
Data Flow in ASP.NET: Describes the security data flow for two common scenarios.
Authentication in ASP.NET: Describes ASP.NET authentication providers.
Authorization in ASP.NET: Describes two fundamental ways to authorize access to a resource.
Impersonation in ASP.NET: Describes how and when to use ASP.NET Impersonation.
Authentication and ASP.NET Impersonation: Describes how to create an ASP.NET application with incorporated security.
Security of ASP.NET Applications in Hosted Environments: Describes ASP.NET security features for multi-application Web servers.