Explain how authorization works in ASP.NET.
ASP.NET impersonation is controlled by entries in the applications web.config file.
Though the default setting is no impersonation, it can be explicitly set using:
With ASP.NET won’t perform any authentication and would run with its own privileges. The default is an unprivileged account named ASPNET. It can be changed a setting in the processModel section of the machine.config file.
Disabling impersonation runs the entire request in the context of the account running ASP.NET (ASPNET account or the system account).
The second possible setting is to turn on impersonation.
<identity impersonate =”true”/>
Here, ASP.NET takes on the identity IIS passes to it. If anonymous access is allowed in IIS, then the IUSR_ComputerName account will be impersonated otherwise ASP.NET will take the authenticated user credentials and make requests for resources.
A particular identity can be specified to use all authenticated requests as:
<identity impersonate=”true” username=”DOMAIN\username” password=”password”/>
With this, the requests are made as the specified user. The password is assumed to be correct. The drawback is that you must embed the user’s password in the web.config file in plain text which is a security risk.
What is Authorization in ASP.NET?
Usually after a user is authenticated by means of a login, the process of authorization is followed where the decision is made whether a user should be granted access to a specific resource.
There are 2 ways to authorize access to a given resource:URL authorization:
- URL authorization is performed by the UrlAuthorizationModule
- It maps users and roles to URLs in ASP.NET applications.File authorization:
- File authorization is performed by the FileAuthorizationModule.
- It checks the access control list of the .aspx or .asmx handler file to determine whether a user should have access to the file.