Tags in web.config
This post covers some of the commonly used tags in web.config. In simple terms, web.config files hold ASP.NET configuration in XML format; every setting is expressed as an XML tag. The first tags I would like to explain are the ones that enable the different authentication modes through web.config. Many types of authentication can be used in a web application: Anonymous, Windows, Forms, Passport, Basic, Certificate, Kerberos and Digest. The ones we are going to enable through web.config are Anonymous, Windows and Forms.
Authentication Tags
Anonymous authentication: anonymous authentication can be enabled using the following tag (the mode value is case-sensitive, so it must be written as None):
<authentication mode="None" />
With anonymous authentication enabled, anyone can access the website. Most websites have anonymous access enabled for the pages that everyone may browse without restriction. Recently I heard a techie claim that anonymous authentication cannot be enabled through web.config, only through IIS. This is not true: with the above tag one can very well enable anonymous authentication.
Now that you have enabled anonymous authentication, what about giving access to people who have login details in your domain or your company's network? For that you can use Windows authentication. The tags for it are as follows.
<authentication mode="Windows" />
<authentication mode="Windows" />
<authorization>
  <!-- Rules are evaluated top-down and the first match wins, so the deny
       for "sand" must come before the allow for everyone; the other way
       round "sand" would be allowed by the "*" rule and never denied.
       The attribute is "users" (plural) and its value must be quoted. -->
  <deny users="sand" />
  <allow users="*" />
</authorization>
<!-- The attribute is "mode", not "type". With impersonate="true" the
     application code runs under the identity of the authenticated
     Windows user instead of the worker process account. -->
<authentication mode="Windows" />
<identity impersonate="true" />
How about giving access to customers who don't belong to your domain, or to accounts created dynamically?
The answer is forms authentication. With forms authentication you can redirect all unauthenticated requests to your website, or to particular resources in it, to a page, say "login.aspx", collect the user id and password, authenticate the user against a database of your choice, and then grant authenticated access to the resources in your website. Forms authentication is a cookie-based authentication system. The tag for it is given below.
<authentication mode="Forms">
  <!-- protection="None" leaves the ticket neither signed nor encrypted;
       see the protection attribute in the table below (default is All). -->
  <forms name="FormCookie"
         loginUrl="Login.aspx"
         protection="None"
         timeout="20"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="home.aspx">
  </forms>
</authentication>
Attribute | Explanation |
name | The name of the authentication cookie in which the authentication details are stored. The default value is ".ASPXAUTH". |
loginUrl | The name of the login/authentication page, including its path. The default value used by the system is "login.aspx". |
protection | Specifies how the authentication cookie contents are protected. The default value is All (both encrypted and signed). The allowed values are All, Encryption, None and Validation. |
requireSSL | Specifies whether the cookie may only be transmitted over an SSL connection. If set to true, the browser does not return the cookie unless the connection is SSL enabled. The default value is false. |
timeout | The time, in minutes, after which the cookie expires. Please also refer to slidingExpiration. |
slidingExpiration | The default value is true. With sliding expiration the cookie's expiry is recalculated from the time of the latest request, all within a single session. For example: the timeout attribute is set to 20 minutes and user "A" logs in and is authenticated at around 8:20 am, so his cookie, and with it his session, would expire at 8:40 am. If he requests a page at about 8:30 am, the expiry is pushed out to 8:50 am, and this continues for further requests until the session is closed or times out, or the user logs out. If slidingExpiration is set to false, the session expires at 8:40 am regardless of how many pages the user requests. So with slidingExpiration set to true, the session is extended by the number of minutes given in the timeout attribute after each request. The default timeout is 30 minutes. |
defaultUrl | The URL of the page to which the user is redirected after successful authentication. |
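To make the sliding-expiration timeline concrete, here is an added Python model of the rule (example code written for this post, not ASP.NET's own implementation). It replays the scenario above: timeout 20 minutes, login at 8:20, a request at 8:30. One detail the model includes that the prose simplifies: ASP.NET only reissues the cookie once at least half of the interval has elapsed, so an early request (say 8:25) does not move the expiry. The date and times are constructed.

```python
from datetime import datetime, timedelta

# Constructed scenario matching the post: timeout="20", login at 8:20 am.
TIMEOUT = timedelta(minutes=20)
LOGIN_AT = datetime(2024, 1, 1, 8, 20)  # constructed date; only the clock time matters


class Ticket:
    """Minimal model of a forms authentication ticket: when it was issued and when it expires."""

    def __init__(self, issued: datetime, timeout: timedelta) -> None:
        self.issued = issued
        self.expires = issued + timeout

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires


def renew_if_old(ticket: Ticket, now: datetime, sliding: bool) -> Ticket:
    """Apply the slidingExpiration rule to a ticket presented with a request at `now`.

    slidingExpiration="false": the ticket keeps its original expiry.
    slidingExpiration="true": the ticket is reissued only once at least half of the
    interval has elapsed (time since issue >= time remaining); the reissued ticket
    keeps the same interval length, now measured from the current request.
    """
    if ticket.is_expired(now):
        raise PermissionError("ticket expired; the user must log in again")
    if not sliding:
        return ticket
    elapsed = now - ticket.issued
    remaining = ticket.expires - now
    if remaining > elapsed:
        return ticket  # less than half of the interval used: cookie is not rewritten
    return Ticket(now, ticket.expires - ticket.issued)


def final_expiry(login: datetime, requests, timeout: timedelta, sliding: bool) -> datetime:
    """Replay a login followed by page requests and return the expiry in force afterwards."""
    ticket = Ticket(login, timeout)
    for when in requests:
        ticket = renew_if_old(ticket, when, sliding)
    return ticket.expires


if __name__ == "__main__":
    at_830 = [LOGIN_AT + timedelta(minutes=10)]
    print("sliding=true,  request at 8:30 ->", final_expiry(LOGIN_AT, at_830, TIMEOUT, True).time())
    print("sliding=false, request at 8:30 ->", final_expiry(LOGIN_AT, at_830, TIMEOUT, False).time())
    print("sliding=true,  request at 8:25 ->", final_expiry(LOGIN_AT, [LOGIN_AT + timedelta(minutes=5)], TIMEOUT, True).time())
```

Running it prints 08:50 for the sliding case, 08:40 for the fixed case, and 08:40 for the early 8:25 request, which shows why a session can still end at the original time even with slidingExpiration="true" if the user's requests come early in the window.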
A small C# sample showing the authentication procedure (using directives added; roles is assumed to be a string holding the user's roles, which is stored in the ticket's user data).
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Authenticate connects to the database and returns true if the user exists.
bool authenticated = Authenticate(userName.Text.Trim(), password.Text.Trim());
if (authenticated)
{
    // Get the authentication section of the web.config file.
    AuthenticationSection authenticationSection =
        (AuthenticationSection)WebConfigurationManager.GetSection("system.web/authentication");
    // Retrieve the minutes from the timeout attribute of the forms tag.
    // TotalMinutes is used rather than Minutes: Minutes only returns the
    // minutes component (0-59), which is wrong for timeouts of an hour or more.
    int timeOut = (int)authenticationSection.Forms.Timeout.TotalMinutes;
    // Create the authentication ticket for the user name that was validated.
    FormsAuthenticationTicket authenticationTicket = new FormsAuthenticationTicket(
        1, userName.Text.Trim(), DateTime.Now, DateTime.Now.AddMinutes(timeOut), false, roles);
    // Encrypt/sign the ticket according to the protection attribute.
    string encryptedTicket = FormsAuthentication.Encrypt(authenticationTicket);
    // Create the cookie with the name configured in the name attribute.
    HttpCookie authenticationCookie =
        new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
    // Add the cookie to the response; the user is authenticated on subsequent requests.
    Response.Cookies.Add(authenticationCookie);
}
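The protection attribute decides what the server can verify when the cookie comes back. The following added Python example (written for this post; it is a toy ticket format, not ASP.NET's real cookie layout) models protection="None" and protection="Validation": the first only base64-encodes the ticket, the second appends an HMAC so any change to the stored fields is detected. Encryption and All, which additionally hide the contents, need a symmetric cipher and are not modelled. The validation key, user names and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta
from typing import Optional

# Constructed key; a real ASP.NET site derives this from <machineKey> in web.config.
VALIDATION_KEY = b"constructed-validation-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
ISSUED = datetime(2024, 1, 1, 8, 20)     # constructed issue time
EXPIRED_AT = ISSUED + timedelta(minutes=20)


def build_cookie(name: str, roles: str, issued: datetime, timeout_min: int, protection: str) -> str:
    """Serialise a ticket into a cookie value under protection="None" or "Validation"."""
    payload = json.dumps({
        "name": name,
        "roles": roles,
        "issued": issued.isoformat(),
        "expires": (issued + timedelta(minutes=timeout_min)).isoformat(),
    }, sort_keys=True).encode()
    if protection == "None":
        blob = payload                       # readable and alterable by whoever holds it
    elif protection == "Validation":
        blob = payload + hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
    else:
        raise ValueError("only None and Validation are modelled here")
    return base64.urlsafe_b64encode(blob).decode()


def read_cookie(cookie: str, protection: str, now: datetime) -> Optional[dict]:
    """Return the ticket fields, or None if the cookie is malformed, tampered or expired."""
    blob = base64.urlsafe_b64decode(cookie)
    if protection == "Validation":
        if len(blob) < MAC_LEN:
            return None
        payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
        expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                      # signature mismatch: reject the ticket
    else:
        payload = blob
    try:
        ticket = json.loads(payload)
    except ValueError:
        return None
    if datetime.fromisoformat(ticket["expires"]) <= now:
        return None                          # expired, as governed by the timeout attribute
    return ticket


def modification_is_detected(protection: str) -> bool:
    """Self-check for a protection setting: issue a ticket, change one stored field in the
    serialised payload without re-signing, and report whether the server rejects it."""
    cookie = build_cookie("alice", "user", ISSUED, 20, protection)
    blob = base64.urlsafe_b64decode(cookie)
    altered = blob.replace(b'"roles": "user"', b'"roles": "admin"')
    assert altered != blob, "constructed field not found in payload"
    altered_cookie = base64.urlsafe_b64encode(altered).decode()
    return read_cookie(altered_cookie, protection, ISSUED + timedelta(minutes=1)) is None


if __name__ == "__main__":
    for setting in ("None", "Validation"):
        print(f'protection="{setting}": modified ticket rejected ->', modification_is_detected(setting))
```

With "None" the modified ticket is accepted, which is why the web.config sample's protection="None" should be read as a development shortcut and the default All kept in deployment; with "Validation" the HMAC check rejects it before any field is trusted.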
Table 1. IIS anonymous authentication
Web.config Settings | Variable Location | Resultant Identity |
<identity impersonate="true"/> | HttpContext | - |
<identity impersonate="false"/> | HttpContext | - |
<identity impersonate="true"/> | HttpContext | Name provided by user |
<identity impersonate="false"/> | HttpContext | Name provided by user |
Table 2. IIS basic authentication
Web.config Settings | Variable Location | Resultant Identity |
<identity impersonate="true"/> | HttpContext | Domain\UserName |
<identity impersonate="false"/> | HttpContext | Domain\UserName |
<identity impersonate="true"/> | HttpContext | Name provided by user |
<identity impersonate="false"/> | HttpContext | Name provided by user |
Table 3. IIS digest authentication
Web.config Settings | Variable Location | Resultant Identity |
<identity impersonate="true"/> | HttpContext | Domain\UserName |
<identity impersonate="false"/> | HttpContext | Domain\UserName |
<identity impersonate="true"/> | HttpContext | Name provided by user |
<identity impersonate="false"/> | HttpContext | Name provided by user |
Table 4. IIS integrated Windows authentication
Web.config Settings | Variable Location | Resultant Identity |
<identity impersonate="true"/> | HttpContext | Domain\UserName |
<identity impersonate="false"/> | HttpContext | Domain\UserName |
<identity impersonate="true"/> | HttpContext | Name provided by user |
<identity impersonate="false"/> | HttpContext. WindowsIdentity | Name provided by user |
Location Tag
Once forms authentication is enabled you may want some files or folders to be freely accessible, or restricted to particular users or roles. For that you can use the location tag. The syntax is as follows.
<location path="graph">
  <system.web>
    <authorization>
      <allow users="user1, user2"/>
      <deny users="user5"/>
      <allow roles="admin"/>
      <deny roles="normaluser"/>
    </authorization>
  </system.web>
</location>
<!-- Rules are evaluated top-down and the first match decides. Here the
     "*" rule matches everyone, including user5, so the deny is never reached. -->
<location path="graph">
  <system.web>
    <authorization>
      <allow users="*"/>
      <deny users="user5"/>
    </authorization>
  </system.web>
</location>
<!-- Same rules, deny first: user5 is denied, everyone else is allowed. -->
<location path="graph">
  <system.web>
    <authorization>
      <deny users="user5"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
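The difference between the last two snippets is easy to miss in review, so here is an added Python evaluator (example code written for this post, not ASP.NET's UrlAuthorizationModule) that parses a location element and applies the first-match rule. It also goes beyond the snippets above by handling the "?" (anonymous) wildcard, comma-separated lists and role rules, and the machine-level default that allows a request no rule matched. The XML strings are constructed copies of the snippets above; the user names and roles are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Sequence, Tuple

# Constructed copies of the location snippets above.
MIXED = """
<location path="graph"><system.web><authorization>
  <allow users="user1, user2"/>
  <deny users="user5"/>
  <allow roles="admin"/>
  <deny roles="normaluser"/>
</authorization></system.web></location>"""

ALLOW_FIRST = """
<location path="graph"><system.web><authorization>
  <allow users="*"/>
  <deny users="user5"/>
</authorization></system.web></location>"""

DENY_FIRST = """
<location path="graph"><system.web><authorization>
  <deny users="user5"/>
  <allow users="*"/>
</authorization></system.web></location>"""

Rule = Tuple[str, List[str], List[str]]  # (action, user patterns, role names)


def _split(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_rules(location_xml: str) -> List[Rule]:
    """Extract the ordered allow/deny rules from a <location> element."""
    root = ET.fromstring(location_xml)
    authorization = next(root.iter("authorization"))
    rules: List[Rule] = []
    for el in authorization:
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _split(el.get("users", "")), _split(el.get("roles", ""))))
    return rules


def _user_matches(pattern: str, user: Optional[str]) -> bool:
    if pattern == "*":
        return True                      # everyone, anonymous included
    if pattern == "?":
        return user is None              # anonymous requests only
    return user is not None and pattern.casefold() == user.casefold()


def is_authorized(rules: Sequence[Rule], user: Optional[str], roles: Sequence[str] = ()) -> bool:
    """Evaluate rules top-down; the first rule whose users or roles match decides.
    If no rule matches, the machine-level default <allow users="*"/> applies."""
    user_roles = {r.casefold() for r in roles}
    for action, users, rule_roles in rules:
        if any(_user_matches(p, user) for p in users) or any(r.casefold() in user_roles for r in rule_roles):
            return action == "allow"
    return True


if __name__ == "__main__":
    print("allow-first, user5:", is_authorized(parse_rules(ALLOW_FIRST), "user5"))   # True
    print("deny-first,  user5:", is_authorized(parse_rules(DENY_FIRST), "user5"))    # False
    print("mixed, bob in normaluser:", is_authorized(parse_rules(MIXED), "bob", ["normaluser"]))  # False
```

A practical check this enables: run every location block through the evaluator with the accounts that must be blocked and confirm each returns False, since an allow-everyone rule placed above a deny silently neutralises the deny.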
<location path="AdminFolder">
// After validating the user, create an authentication ticket.
Know more.
Sandeep