The authorization points (or gatekeepers) available to a remote object hosted by ASP.NET are:
IIS. With anonymous authentication turned off, IIS only permits requests from users that it can authenticate either in its domain or in a trusted domain. IIS also provides IP address and DNS filtering.
UrlAuthorizationModule. You can configure <authorization> elements within your application’s Web.config to control which users and groups of users should have access to the application. Authorization is based on the IPrincipal object stored in HttpContext.User.
FileAuthorizationModule. The FileAuthorizationModule is available to remote components, although this requires specific configuration, as described in “Using File Authorization” later in this chapter.
Note: Impersonation is not required for File authorization to work.
The FileAuthorizationModule class performs access checks only against the requested file or URI (for example, a .rem or .soap endpoint), not against files that code inside the remote object goes on to access.
Principal Permission Demands and Explicit Role Checks. In addition to the IIS and ASP.NET configurable gatekeepers, you can also use principal permission demands (declaratively or imperatively) as an additional fine-grained access control mechanism. Principal permission checks allow you to control access to classes, methods, or individual code blocks based on the identity and group membership of individual users, as defined by the IPrincipal object attached to the current thread.
Note: Principal permission checks used to demand role membership are different from calling IPrincipal.IsInRole to test role membership. The former results in an exception if the caller is not a member of the specified role, while the latter simply returns a Boolean value to confirm role membership.
With Windows authentication, ASP.NET automatically attaches a WindowsPrincipal object that represents the authenticated user to the current Web request (using HttpContext.User).
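The following C# sample is an added illustration, not code from this chapter, of the difference just described between a principal permission demand (declarative and imperative) and an explicit IPrincipal.IsInRole call on the principal attached to the current thread. The OrderService class, the roles Managers and Clerks, and the user names are assumed sample values; a GenericPrincipal stands in for the WindowsPrincipal that ASP.NET would attach to the request under Windows authentication, so the sample runs without a domain.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the original chapter): contrasts a principal
// permission demand with an explicit IPrincipal.IsInRole check.
// Class name, role names and user names are constructed sample values.
public class OrderService : MarshalByRefObject
{
    // Declarative demand: the runtime checks Thread.CurrentPrincipal before the
    // method body runs and throws SecurityException if the caller is not in the role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string ApproveOrder(int orderId)
    {
        return "Order " + orderId + " approved by " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Imperative demand: same effect, but the role name can be chosen at run time.
    public string CancelOrder(int orderId)
    {
        new PrincipalPermission(null, "Managers").Demand();
        return "Order " + orderId + " cancelled";
    }

    // Explicit role check: returns a bool, so the calling code decides what to do.
    public bool CanViewReports()
    {
        return Thread.CurrentPrincipal.IsInRole("Managers")
            || Thread.CurrentPrincipal.IsInRole("Clerks");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Under ASP.NET with Windows authentication this would be the
        // WindowsPrincipal from HttpContext.User; a GenericPrincipal with a
        // constructed identity is used here so the sample runs without a domain.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Clerks" });

        var svc = new OrderService();

        // IsInRole never throws; it just reports membership.
        Console.WriteLine("CanViewReports: " + svc.CanViewReports());

        try
        {
            svc.ApproveOrder(42);   // alice is not in Managers: the demand throws
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Demand failed: " + ex.Message);
        }

        // Switch to a principal that satisfies the demand.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("bob"), new[] { "Managers" });
        Console.WriteLine(svc.ApproveOrder(42));
        Console.WriteLine(svc.CancelOrder(42));
    }
}
```

Because a demand throws, a remote object that relies on it fails closed: a caller outside the role never reaches the method body. An IsInRole check leaves that decision to the surrounding code, which is useful for shaping a response but must not be forgotten on any path that performs the privileged action.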