

How Security Works in ASP.NET

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Helping protect Web sites against unauthorized access is a critical, complex issue for Web developers. A successful system requires careful planning, and Web site administrators and programmers must have a clear understanding of the options for securing their site.

ASP.NET works in concert with the Microsoft .NET Framework and Internet Information Services (IIS) to help provide Web application protection. To help protect an ASP.NET application, you must perform the two fundamental functions described in the following table.

Security function | Description
Authentication in ASP.NET | Assures that the user is, in fact, who the user claims to be. The application obtains credentials (various forms of identification, such as name and password) from a user and validates those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity.
Authorization in ASP.NET | Limits access rights by granting or denying specific permissions to an authenticated identity.

IIS can also grant or deny access based on a user's host name or IP address. Any further access authorization is performed by NTFS file access permissions or by URL authorization.
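The two functions described above, authentication and URL authorization, are configured in the application's Web.config. The fragment below is an added example, not configuration from the original article; the folder name "Admin" and the Windows group name "Administrators" are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example Web.config fragment (not from the original article). -->
<configuration>
  <system.web>
    <!-- Authentication: with mode="Windows", ASP.NET accepts the identity
         that IIS already established for the request. With mode="Forms",
         ASP.NET itself collects credentials on a login page instead. -->
    <authentication mode="Windows" />

    <!-- URL authorization: rules are evaluated top-down and the first
         matching rule wins. "?" means the anonymous user, "*" means all
         users. The implicit default (inherited from machine-level config)
         is <allow users="*" />, so a rule set that never denies anyone
         restricts nothing. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rules for one folder of the site. The <allow> alone would
       not restrict access, because unmatched users fall through to the
       default allow; the trailing <deny users="*" /> is what closes it.
       "Admin" and "Administrators" are assumed names for this example. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When checking an existing site, read each `<authorization>` block to its last rule: an allow list with no closing `<deny users="*" />` (or `<deny users="?" />`) is the most common reason a page intended to be restricted is reachable by every user IIS lets through.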

It is helpful to understand how all the various security subsystems interact. Since ASP.NET is built on the Microsoft .NET Framework, the ASP.NET application developer also has access to all the built-in security features of the .NET Framework, such as code access security and role-based user-access security. For details about the security capabilities of ASP.NET, see ASP.NET Code Access Security.