ASP.NET.in.a.Nutshell.Second.Edition [Electronic resources] نسخه متنی

9.2 Authorization

Authorization
is the process of determining whether the user identified by the
authentication process is allowed to access the resource that
they're requesting or whether to take the action
that they're attempting to take (such as updating
data in a database). While authentication asks the question
"Who are you?", authorization asks
the question "Are you allowed to do
that?" The answer to that question determines
whether the user's action is allowed.

Authorization in ASP.NET takes three forms, which are all discussed
in this section: ACL-based authorization, URL authorization, and
programmatic authorization.

9.2.1 ACL-Based Authorization

Access Control Lists (ACLs) are used in
Windows NT,
Windows 2000,
Windows XP, and Windows Server 2003 to control access to
system resources, such as files and folders in the
NTFS
filesystem. You can assign Windows user accounts or groups to the ACL
for a given resource to allow that user or group access to the
resource, or determine what type of access (read, write, change,
etc.) is authorized.

ACL-based authorization is useful primarily when using Windows
authentication in ASP.NET. IIS uses the authenticated user identity
to perform ACL checks and can also make requests for ACL-protected
resources by using the user's security context, if
impersonation has been enabled.

To protect a file using ACL authorization, right-click the desired
file in Windows Explorer and select Properties. Next, click the
Security tab to view the current users, groups, and permissions on
the file (as shown in Figure 9-2). Use the Add and
Remove buttons to add or remove user or group accounts and the
checkboxes in the Permissions section to modify permissions for the
selected user.

In Windows XP, the Security tab may not appear in the Properties dialog for a file or folder if Simple File Sharing is enabled. To see if this feature is enabled (and to disable it and make the Security tab available), select Tools Folder Options in Windows Explorer. Then select the View tab, and then in the Advanced Settings section, clear the "Use simple file sharing (recommended)" checkbox.

Figure 9-2. File properties dialog

One of the first things
you might do in this example is remove the Everyone group from the
folder, since this group (as the name suggests) allows anyone who can
access the computer to access this file.

Use caution when removing special accounts (such as the SYSTEM account) from the ACLs for a given resource. Some operating system files require the SYSTEM account to have access to them for the OS to function, so removing those permissions can cause major problems, up to and including not being able to start the OS.

9.2.2 URL Authorization

URL
authorization uses the
<allow> or
<deny> elements of the
<authorization> configuration element to
control access to folders and files within the application, as we saw
in the example on Forms authentication. Access can be allowed or
denied based on username, role, and/or HTTP verb used to request the
resource. Thus, to allow user Marcie to access any resource in the
application with any HTTP verb, but to prevent user Charles from
making POST requests, we'd add the following
<authentication> section to the

web.config file at the root of the application
(you can also add an <authentication>
section to a

web.config file in a child
directory to override or add to these settings):

<authorization>
<allow verb="GET" users="*" />
<allow verb="POST" users="Marcie" />
<deny verb="POST" users="Charles" />
<deny users="?" />
</authorization>

As we saw in Example 9-1, you can also use the
<location> tag with the
path attribute to control access to a specific
folder or file:

<location path="filetoprotect.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

Because the <location> tag in

web.config requires its own
<system.web> tag pair, the
<location> tag should always appear
inside the <configuration> and
</configuration> tags, but outside the
<system.web> and
</system.web> tags. You can define as many
different <location> tags as you like, and
each can contain its own URL authorization restrictions.

To specify domain rather than local accounts or groups, use the
domainname\
userorgroupname format when specifying the
name in the <allow> or
<deny> element. There are two wildcards for
users, both of which we've seen already. The
asterisk (*) refers to all users, while the question mark (?) refers
to anonymous (unauthenticated) users. Finally, multiple users or
groups can be specified in the <allow> or
<deny> elements by separating the list of
users or groups with commas.

9.2.3 Programmatic Authorization

You can also perform
programmatic
checks at runtime to determine whether a user should be allowed to
perform certain actions. The primary means of doing this is the
IsInRole method, which is defined by the
IPrincipal interface and accessible from the User
property of the Page class. As with ACL-based
authorization, this method is most useful when
you're using Windows authentication and want to
check whether the authenticated user belongs to a particular Windows
group, such as a managers' group. The use of
IsInRole is shown in the following code snippet:

If Page.User.IsInRole("Managers") Then
'perform some action restricted to managers
Else
Message.Text = "You must be a manager to perform this action"
End If