Authentication and Authorisation in ASP.Net


yemiu
November 23rd, 2004, 04:39 PM
Hi there,
+ As far as I know, there are 4 types of authentication for an ASP.Net app: Windows, Custom, Forms and Passport.
I think ASP.Net only provides us the methodologies, but not the real authentication job. What I mean is, for example, using Forms Authentication, what .Net does is just protect all the folders from unauthenticated access, except for the Login page. We, the developers, still need to check the username and password, or even dive into ADO.Net and access the DB in order to check credentials. So what's the point of having that support from ASP.Net? Am I still right about the other authentication types? I have only had the chance to use Forms.

+ For authentication, I see there is an <authentication> tag in the web.config file. I also see an <authorization> tag. I never touch that tag. Is it true that we don't have control over authorization, only the .Net framework does? I mean, I would like to know a bit more about authorization.

Thanks
Pat

mmetzger
November 24th, 2004, 10:00 AM
You do have to actually set up the authentication routines (i.e., check the database, if in database create cookie, add roles, etc.) but the underlying framework allows for this to occur.

Here is an example web.config showing both authentication and authorization:


<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <!-- compilation debug="true"/ -->
    <customErrors mode="Off"/>
    <authentication mode="Forms">
      <forms loginUrl="default.aspx"
             name="MyWeb"
             protection="All"
             path="/"/>
    </authentication>
  </system.web>
  <location path="support">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="knowledge">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="trace.axd">
    <system.web>
      <authorization>
        <allow roles="Developer" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>


The authentication tag defines that I'm using forms auth, and I have the application's global.asax file defining how the requests are to be handled (this defines the checking for principals, roles, etc.). The authorization is used for simple denying / redirecting of files / directories / etc. The true power in the roles, though, would be to create a custom page class, and define a property for each page which states which role is available.
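
A rule such as <allow roles="Developer" /> only matches if roles have been attached to the request principal, which is the global.asax step the post above refers to. The following C# is an added example, not code from the thread: the AuthCookie helper, the pipe-separated role format and the 30-minute lifetime are assumptions.

```csharp
// Added example; AuthCookie, Issue and the "|" role separator are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AuthCookie
{
    // Call from the login page only after the credential check against your
    // own user store has succeeded; roles come from that same store.
    public static void Issue(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                        // not persistent across browser sessions
            string.Join("|", roles),      // UserData carries the roles
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the encryption and validation selected by
        // protection="All" on the <forms> element.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,   // name="MyWeb" in web.config
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return; // anonymous

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }     // tampered or unreadable: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // UrlAuthorizationModule evaluates <allow roles="..."> against this principal.
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Because the roles travel inside the encrypted ticket, a role change in the user store takes effect only when a new ticket is issued.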

Andy Tacker
November 24th, 2004, 10:54 AM
Please refer to this post (http://www.codeguru.com/forum/showthread.php?t=309652)

yemiu
November 24th, 2004, 04:58 PM
Thanks a lot for all your input. I am clear now.
Regards,
Patrick