Authorization - which pages a user can request
- Forms authentication
  - Used for internet web applications; set up through configuration in web.config.
  - The first time a user accesses a protected resource, ASP.NET redirects the user to the login page.
  - If the login is successful, ASP.NET gives the user an authentication ticket (cookie).
  - The expiration time of the ticket can be configured.
  - A web.config in each folder can configure a different set of access rules.
  - authorization deny users="?": put on the main page, so anonymous users cannot access it.
  - authorization allow users="*": put on the register page, so everyone can get in.
  - authorization allow roles="admin", deny users="*": nobody except admin can access.
- Windows Authentication
  - Identifies and authorizes users based on the server's user list.
  - Suitable for intranet web applications.
  - Doesn't force users who are already logged in to Windows to log in again.
  - Good for in-house use behind a firewall.
  - Cannot work through firewalls.
  - Not for internet use.
- Passport Authentication
  - Relies on a centralized authentication service provided by Microsoft.
  - Install and configure the .NET Passport SDK.
  - Email address and password.
  - A Google account can log in to YouTube, Blogger, Gmail.
- When impersonation is enabled (impersonate = true)
  - Uses the existing Windows user permissions; the user identity is the account you logged in with.
  - False = IIS APPPOOL\DefaultAppPool
  - True = Dk\oby
  - The user must be authenticated by IIS.
  - To give each web application different permissions.
  - No matter which user accesses the application, the identity becomes the preset specific account.
Authorization
<location path="HRpages">
  <system.web>
    <authorization>
      <allow roles="HR" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="salesPages">
  <system.web>
    <authorization>
      <allow roles="sales" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<deny users="?" /> <!-- Deny anonymous (unauthenticated) users -->
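
The Forms authentication settings and per-folder rules noted above, combined into one web.config. This is an added example, not configuration from the original post; the file names (Login.aspx, Register.aspx), the Admin folder and the 30-minute timeout are assumptions.

```xml
<!-- Added example; Login.aspx, Register.aspx, the Admin folder and the
     30-minute timeout are assumed values, not taken from the notes. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to loginUrl -->
    <authentication mode="Forms">
      <!-- timeout is the ticket lifetime in minutes; requireSSL keeps the ticket
           cookie off plain HTTP; protection="All" encrypts and validates it -->
      <forms loginUrl="~/Login.aspx" timeout="30" slidingExpiration="true"
             requireSSL="true" protection="All" />
    </authentication>

    <!-- Site default: deny anonymous users ("?"), so every page requires a login -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Registration page: open to everyone ("*"), including anonymous users -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin folder: rules are read top to bottom and the first match wins,
       so the allow must come before the catch-all deny. With the two lines
       swapped, deny users="*" would match first and lock out admins too. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```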