NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

ASP+ Architecture

This section provides a high level overview of the ASP+ infrastructure and the subsystem relationships, as they relate to the subject of security. These relationships are shown in the following illustration:

As shown, all Web clients communicate with ASP+ applications through IIS. Among other things, IIS deciphers the request, does some authentication, finds the requested resource (such as an ASP+ application), and, if authorized, returns the appropriate resource to the client. In addition to the built-in ASP+ security features, an ASP+ application can use the NGWS runtime low-level security features. For more information on the NGWS runtime security features, see Key Concepts in Security.

Integrating with IIS

This release of ASP+ uses IIS 5.0 as the primary host environment. When considering ASP+ authentication, you should understand the interaction with IIS authentication services.

IIS always assumes that a set of credentials maps to a Windows NT account and uses them to authenticate a user. There are three different kinds of authentication in IIS 5.0: Basic, Digest, and Windows authentication. The type of authentication used can be set in the IIS administrative services. For more information on these types of authentication, see the IIS documentation. If a URL containing an ASP+ application is requested, the request and its authentication information are handed off to the application.

ASP+ provides three additional types of authentication: Cookie authentication, Passport authentication, and customized Windows authentication. These will be discussed in later sections.

Using ASP+ Configuration Files

ASP+ configuration is done using XML configuration files. There are file sections for each major category of ASP+ functionality. The security section is as follows:

Config.web file
<security>
     <authentication mode="[Windows/Cookie/Passport]">
          <cookie cookie="[name]" loginurl="[url]" decryptionkey="[key]">
               <credentials passwordformat="[Clear, SHA1, MD5]">
                    <user name="[UserName]" password="[password]"/>
               </credentials>
          </cookie>
     </authentication>

     <authorization>
          <allow users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
          <deny  users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
     </authorization>

     <identity>
          <impersonation enable="[true/false]"/>
     </identity>
</security>

The default settings for these elements are shown in the following table:

Element or Attribute            Default Value
<authentication mode=           "Windows"
<cookie cookie=                 ".ASPXCOOKIEAUTH"
<cookie loginurl=               "login.aspx"
<cookie decryptionkey=          "autogenerate" (causes a machine-specific key, as provided by the Microsoft CryptoAPI, to be used)
<credentials passwordformat=    "sha1"
<user name=                     "" (empty)
<user password=                 "" (empty)
<allow users=                   "*" (all)
<allow roles=                   "*" (all)
<deny users=                    "" (empty)
<deny roles=                    "" (empty)
<impersonation enable=          true

Notice that there are three major subsections: authentication, authorization, and identity. The values for each of the elements are usually set by overriding this section of the master configuration file with a similar section in an application configuration file placed in the application root. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override their parent directory's settings.
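As an added example (not part of this SDK documentation), the following shows an application-root config.web that switches on Cookie authentication with SHA1-hashed credentials, followed by a config.web for a subdirectory that replaces the inherited authorization rules. The user name, the login page name, the SHA1 digest and the subdirectory name are constructed for the illustration. Two assumptions are mine rather than statements of this page: that a subdirectory config.web needs to restate only the subsection it changes, and that authorization rules are evaluated top to bottom with the first matching rule winning.

```xml
<!-- /config.web : application root (constructed example, not from the SDK) -->
<security>
     <authentication mode="Cookie">
          <!-- decryptionkey is omitted on purpose, so the default "autogenerate"
               (a machine-specific key from the Microsoft CryptoAPI) applies -->
          <cookie cookie=".ASPXCOOKIEAUTH" loginurl="login.aspx">
               <!-- store a digest rather than a clear-text password;
                    the value below is the SHA1 of the constructed password "abc"
                    (whether ASP+ accepts upper- or lower-case hex is not stated here) -->
               <credentials passwordformat="SHA1">
                    <user name="alice" password="a9993e364706816aba3e25717850c26c9cd0d89d"/>
               </credentials>
          </cookie>
     </authentication>

     <authorization>
          <!-- same as the default: every user may reach the application root -->
          <allow users="*"/>
     </authorization>
</security>

<!-- /admin/config.web : subdirectory override (constructed example, assumed path) -->
<security>
     <!-- authentication is inherited from the root; only authorization is restated,
          so the cookie settings above are not repeated here (assumption, see lead-in) -->
     <authorization>
          <!-- assumed first-match order: alice is allowed, everyone else is denied -->
          <allow users="alice"/>
          <deny users="*"/>
     </authorization>
</security>
```

Placing the deny-all rule after the named allow keeps the subdirectory closed to anyone who is not explicitly listed, while the root directory keeps the permissive default; if the evaluation order turns out to be different from the assumed one, the two rules must be reordered accordingly.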

Each of these security subsections is discussed in more detail in the document sections that deal with those topics. For more details on ASP+ configuration in general, see ASP+ Configuration Concepts.

The next topic provides the data flow details that show how security is handled by ASP+, and how the data flows through the subsystems.