NGWS SDK Documentation  

This is preliminary documentation and subject to change.

How ASP+ Security Works

Securing Web sites is a critical issue for Web developers, and potentially one of the most confusing. A secure system requires careful planning, and Web site administrators and programmers must have a clear understanding of the options for securing their site. Security, in the context of an ASP+ application, involves performing three fundamental functions for a given request: authentication, authorization, and impersonation.

Authentication is the process of accepting credentials (various forms of identification, such as name and password) from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted them can be considered an authenticated identity. Given an identity, authorization is the process of determining whether or not that identity has access to a given resource. Impersonation means that the application executes using the identity of the client making the request. Access authorization is then left up to Windows NT file access permissions, URL authorization, or both, as described in the sections that follow.

It is helpful to understand how the various security subsystems interact. This section and those that follow provide a brief overview of the subsystems involved and more detail on the specifics of ASP+ security.

ASP+ works in concert with the NGWS frameworks and runtime and Internet Information Server (IIS) 5.0 to provide outstanding security capabilities that can be implemented by Web application designers. ASP+ provides these capabilities in three key areas:

Since ASP+ is built on the NGWS frameworks and runtime, the ASP+ application developer also has access to all of the built-in security features of the NGWS runtime, such as code access security and role-based, user access security. For details on NGWS runtime security capabilities, see the Code Access Security section of this document.