There are a number of different ways to design security into ASP+ applications, depending on the preferences of the designer. This section shows the security data flow for one of the more common scenarios.
In this scenario, the goal is to have little or no security programming in the ASP+ application itself and to rely instead on IIS authentication and Windows NT file access security. The data flow is shown in the following illustration:
As shown in this illustration, the sequence of events is as follows:
Notice that if impersonation is not enabled, the application runs with a "Local Machine" identity. Access at the Access Control List (ACL) level is normally allowed for ASP+ applications running with the Local Machine identity. To restrict access, either tighten the ACLs or use some other means of authorization, such as URL authorization.
For more details on using impersonation in ASP+ applications, see the Impersonation section later in this document.
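The two restriction options described above, shown as an added configuration example that is not part of the original documentation. It assumes the configuration syntax of released ASP.NET (`web.config`); the ASP+ prerelease configuration file and element names may differ, and the group name `CONTOSO\Payroll` is hypothetical.

```xml
<!-- Added example. Syntax is that of released ASP.NET web.config (assumption). -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; the application does no
         authentication programming of its own. -->
    <authentication mode="Windows" />

    <!-- Option 1: impersonation. With this off (the default), the request
         runs under the machine-level process identity, so NTFS ACL checks
         are made against that identity and normally succeed. With it on,
         ACL checks are made against the IIS-authenticated caller. -->
    <identity impersonate="true" />

    <!-- Option 2: URL authorization. Rules are evaluated top-down and the
         first match wins, so the allow rule must precede the catch-all deny.
         This applies whether or not impersonation is enabled. -->
    <authorization>
      <allow roles="CONTOSO\Payroll" />  <!-- hypothetical Windows group -->
      <deny users="*" />                 <!-- everyone else, including anonymous -->
    </authorization>
  </system.web>
</configuration>
```

If the final `<deny users="*" />` rule is omitted, unmatched users fall through to the inherited machine-level default, which allows all users.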