Check Windows ACLs
If your application is having problems accessing a file or registry key (or any
securable Windows object protected with ACLs), check the ACLs to ensure that the
Web application identity has at least read access.
Check Identity
Also make sure you know which identity is being used for resource access by the
ASP.NET Web application. This is likely to be:
The ASP.NET process identity (as configured on the <processModel> element in
machine.config).
This defaults to the local ASPNET account specified with the username “machine”
and password “AutoGenerate”.
The authenticated caller’s identity (if impersonation is enabled within
web.config) as shown below.
<identity impersonate="true" />
If you have not disabled anonymous access in IIS, this will be IUSR_MACHINE.
A specified impersonation identity, as shown below (although this is not recommended):
<identity impersonate="true" userName="Bob" password="password" />
More Information
For more information about the identity used to run ASP.NET and the identity used
to access local and network resources, see Chapter 8, “ASP.NET Security”.
Check the <authorization> Element
Confirm that the <allow> and <deny> elements are configured correctly.
If you have <deny users="?" /> and you are using Forms authentication and/or IIS
anonymous authentication, you must explicitly place an IPrincipal object into
HttpContext.User or you will receive an access denied 401 response.
Make sure the authenticated user is in the roles specified in <allow>
elements.
ASP.NET
Enable Tracing
ASP.NET provides quick and simple tracing to show the execution of events within
a page and the values of common variables. This can be a very effective diagnostic
aid. Use the page level Trace directive to turn on tracing, as shown below:
<%@ Page language="c#" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false"
Inherits="Test.WebForm1" Trace="true" %>
More Information
For more information on the new tracing feature in ASP.NET see the Knowledge
Base article Q306731, “INFO: New Tracing Feature in ASP.NET”.
Configuration Settings
Most application settings should be placed in web.config. The following list shows
main security related settings that can be placed in web.config.
<authentication>
<authorization>
<trust>
<identity>
The <processModel> setting, which controls the identity used to run the ASP.NET
worker process (aspnet_wp.exe), must be located in machine.config.
Configuration settings for an application are always retrieved from the application’s
web.config file first and these override any equivalent settings within
machine.config. If you want a particular setting to be applied to your application,
explicitly configure the setting in the application’s web.config file.
The main (and often only) web.config file for a particular application lives in its
virtual directory root. Subdirectories can also contain web.config files. Settings in
these files override the settings from web.config files in parent directories.
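As an added example (not code from the guide), the following Python script models how the URL authorization module evaluates the merged <allow> and <deny> rules: rules are checked top to bottom and the first match wins, a subdirectory's web.config rules are checked before its parents', and machine.config's <allow users="*" /> ends the chain. It shows the <deny users="?" /> case from the previous section, where a request with no IPrincipal in HttpContext.User is treated as anonymous and denied. The configuration fragments, the Principal class, and the accounts Bob and Alice are constructed for this demonstration.

```python
"""Model of ASP.NET <authorization> rule evaluation (constructed example).

Rules: users="*" matches everyone, users="?" matches unauthenticated callers,
other entries are account names; roles match the principal's role set; verbs,
when present, restrict the rule to those HTTP methods.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """Minimal stand-in for HttpContext.User (constructed, not the .NET type)."""
    name: str
    is_authenticated: bool
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    users: Tuple[str, ...]  # "*", "?", or account names
    roles: Tuple[str, ...]
    verbs: Tuple[str, ...]  # empty tuple = every HTTP verb


def _split(attr: str) -> Tuple[str, ...]:
    return tuple(v.strip() for v in attr.split(",") if v.strip())


def parse_rules(config_xml: str) -> List[Rule]:
    """Return the <allow>/<deny> rules of one config file in document order."""
    section = ET.fromstring(config_xml).find(".//authorization")
    if section is None:
        return []
    return [
        Rule(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")),
             tuple(v.upper() for v in _split(el.get("verbs", ""))))
        for el in section if el.tag in ("allow", "deny")
    ]


def effective_rules(configs_root_first: List[str]) -> List[Rule]:
    """Merge files given from machine.config down to the requested directory:
    the most specific file's rules are evaluated first, machine.config's last."""
    merged: List[Rule] = []
    for xml_text in reversed(configs_root_first):
        merged.extend(parse_rules(xml_text))
    return merged


def rule_matches(rule: Rule, user: Principal, verb: str) -> bool:
    if rule.verbs and verb.upper() not in rule.verbs:
        return False
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and not user.is_authenticated:
            return True
        if user.is_authenticated and u.lower() == user.name.lower():
            return True
    user_roles = {r.lower() for r in user.roles}
    return any(r.lower() in user_roles for r in rule.roles)


def is_authorized(rules: List[Rule], user: Principal, verb: str = "GET") -> bool:
    """First matching rule decides. With machine.config's trailing
    <allow users="*" /> merged in, the fall-through below is never reached."""
    for rule in rules:
        if rule_matches(rule, user, verb):
            return rule.action == "allow"
    return True


# Constructed configuration fragments (not the guide's own files).
MACHINE_CONFIG = """<configuration><system.web><authorization>
  <allow users="*" /></authorization></system.web></configuration>"""

ROOT_WEB_CONFIG = """<configuration><system.web>
  <authentication mode="Forms" />
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

ADMIN_WEB_CONFIG = """<configuration><system.web><authorization>
  <allow roles="Admins" verbs="GET,POST" />
  <deny users="*" />
</authorization></system.web></configuration>"""

# A request whose HttpContext.User was never assigned an IPrincipal is anonymous.
ANONYMOUS = Principal("", False)
BOB = Principal("Bob", True, frozenset({"Users"}))
ALICE = Principal("Alice", True, frozenset({"Admins"}))


def check_root(user: Principal, verb: str = "GET") -> bool:
    """Authorization result for a request to the application root."""
    return is_authorized(effective_rules([MACHINE_CONFIG, ROOT_WEB_CONFIG]), user, verb)


def check_admin(user: Principal, verb: str = "GET") -> bool:
    """Authorization result for a request under the /admin subdirectory."""
    files = [MACHINE_CONFIG, ROOT_WEB_CONFIG, ADMIN_WEB_CONFIG]
    return is_authorized(effective_rules(files), user, verb)


if __name__ == "__main__":
    for label, user in (("anonymous", ANONYMOUS), ("Bob", BOB), ("Alice", ALICE)):
        print(f"{label:10} /       -> {'200' if check_root(user) else '401'}")
        print(f"{label:10} /admin/ -> {'200' if check_admin(user) else '401'}")
```

Running the script shows the anonymous caller rejected everywhere by the root <deny users="?" />, Bob admitted at the root but stopped by the subdirectory's <deny users="*" />, and Alice admitted to /admin only for the verbs her <allow> rule names, which is why ordering within and across web.config files matters when you check the <authorization> element.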
Determining Identity
Many security and access denied problems relate to the identity used for resource
access. The following code samples presented in this section can be used to help
determine identity in Web pages, COM objects, and Web services.
For more information about .NET identity variables, see “ASP.NET Identity Matrix”
in the Reference section of this guide.
Determining Identity in a Web Page
The following script can be used to gather security context related information and
indicates the identity being used to run a Web page.
To use this code, copy and paste it to create a file with a .aspx file extension. Copy
the file to an IIS virtual directory and view the page from a browser.
<%@ Page language="c#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Threading" %>
<%@ Import Namespace="System.Security.Principal" %>
<HTML>
<HEAD>
<title>WhoAmI</title>
</HEAD>
<body>
<form id="WhoAmI" method="post" runat="server">
<TABLE id=contextTable border=1>
<TR>
<TD align=middle colSpan=3 rowSpan="">
HttpContext.Current.User.Identity</TD>
</TR>
<TR>
<TD><b>Name</b></TD>
<TD><asp:Label ID="contextName" Runat=server /></TD>
</TR>
<TR>
<TD><b>IsAuthenticated</b></TD>
<TD><asp:Label ID="contextIsAuth" Runat=server /></TD>
</TR>
<TR>
<TD><b>AuthenticationType</b></TD>
<TD><asp:Label ID="contextAuthType" Runat=server /></TD>
</TR>
</TABLE>
<br><br>
<TABLE id=windowsIdentityTable border=1>
<TR>
<TD align=middle colSpan=3 rowSpan="">WindowsIdentity.GetCurrent()</TD>
</TR>
<TR>
<TD><b>Name</b></TD>
<TD><asp:Label ID="windowsName" Runat=server /></TD>
</TR>
<TR>
<TD><b>IsAuthenticated</b></TD>
<TD><asp:Label ID="windowsIsAuth" Runat=server /></TD>
</TR>
<TR>
<TD><b>AuthenticationType</b></TD>
<TD><asp:Label ID="windowsAuthType" Runat=server /></TD>
</TR>
</TABLE>
<br><br>
<TABLE id=threadIdentityTable border=1>
<TR>
<TD align=middle colSpan=3 rowSpan="">Thread.CurrentPrincipal.Identity</TD>
</TR>
<TR>
<TD><b>Name</b></TD>
<TD><asp:Label ID="threadName" Runat=server /></TD>
</TR>
<TR>
<TD><b>IsAuthenticated</b></TD>
<TD><asp:Label ID="threadIsAuthenticated" Runat=server /></TD>
</TR>
<TR>
<TD><b>AuthenticationType</b></TD>
<TD><asp:Label ID="threadAuthenticationType" Runat=server /></TD>
</TR>
</TABLE>
</form>
</body>
</HTML>
<script runat="server">
    // Fill the three tables with the identities visible to the page, to the
    // current thread, and to the Win32 security context the thread runs under.
    void Page_Load(Object sender, EventArgs e)
    {
        // The principal attached to the request by the authentication module
        // (or by your own code when using Forms authentication).
        IIdentity id = HttpContext.Current.User.Identity;
        if (null != id)
        {
            contextName.Text = id.Name;
            contextIsAuth.Text = id.IsAuthenticated.ToString();
            contextAuthType.Text = id.AuthenticationType;
        }

        // The principal used by .NET role checks on this thread; normally the
        // same object as HttpContext.Current.User.
        id = Thread.CurrentPrincipal.Identity;
        if (null != id)
        {
            threadName.Text = id.Name;
            threadIsAuthenticated.Text = id.IsAuthenticated.ToString();
            threadAuthenticationType.Text = id.AuthenticationType;
        }

        // The Windows token actually used for resource access: the worker
        // process identity, or the impersonated caller when
        // <identity impersonate="true" /> is configured.
        id = WindowsIdentity.GetCurrent();
        windowsName.Text = id.Name;
        windowsIsAuth.Text = id.IsAuthenticated.ToString();
        windowsAuthType.Text = id.AuthenticationType;
    }
</script>
October 19, 2010
Troubleshooting Authorization Issues In ASP.NET
Posted by raj on 7:01 AM