Chapter 9. ASP.NET Security
Security is an extremely complicated subject, and ASP.NET security is no
exception. This chapter discusses the approaches you can take to
secure your ASP.NET applications. Absent from the discussion are the
topics of network, server, and infrastructure security. This should
not be interpreted to mean these topics are unimportant. On the
contrary, without properly securing any supporting servers and
infrastructure, the measures you take to secure your application with
the tools made available by the .NET Framework will be for naught. A
discussion of these topics, however, is beyond the scope of this
book. The security section of the Microsoft TechNet web site,
referenced at the end of this chapter, contains a wealth of
information on how to secure your servers and network properly,
including tools to assist you in this important task.
The importance of securing your applications cannot be stressed
enough. Failure to devote the time and resources to get security
right can result in data loss, application failure or hijacking, as
well as loss of revenue and/or reputation. And it's
important that security be considered from the very beginning.
Application security added as an afterthought is little better than
no security at all.
Securing access to an application or to the resources belonging to an
application involves two processes: authentication and authorization.
This chapter explains how these processes relate to ASP.NET and how
each fits into the overall scheme of allowing or preventing access to
ASP.NET application resources. The discussion focuses on the three
authentication methods the ASP.NET runtime provides:
Windows, Forms, and
Passport. The chapter also discusses ACL-based
and URL authorization, as well as strategies for obtaining secure
access to data and securing web services. The discussion also touches
briefly on code access
security, which underlies the ASP.NET security
model.