2.0 auth questions

djc

I have a couple questions about authentication and authorization in asp.net
2.0.

1) I see there are still the same authentication mode options as in 1.1
(windows, forms, or passport). However in reading through some of the new
documentation I see reference to 'membership' a lot. How does membership
relate to all this? Is it simply enhanced classes used with 'forms' based
authentication? Does it also apply to windows authentication mode? etc..

2) I thought I understood this correctly:
A) With forms based authentication
   - users and roles exist in a data store of your choice (usually a sql database)
   - you handle your own login page to check against your user store
   - authorization after authentication is performed by asp.net using settings in web.config
B) With windows authentication mode
   - the users are actual windows accounts and the roles would be windows groups.
   - authorization after authentication is handled by NTFS permissions on the web server

I was just toying around with the website administration tool in VS 2005 for
a site that is in windows authentication mode and noticed:
- I could enable and add 'roles', which didn't make sense to me since I
thought the 'roles' in this case were actually windows groups, and I could
add access rules which specified 'roles' or users that are not windows users
or groups??

confused, probably too confused for this post to even make sense, any input
would be greatly appreciated
 
Mark Fitzpatrick

You're mixing apples and oranges a little. Authentication is not necessarily
membership. Yes, ASP.Net 2.0 does come with the same authentication options
such as forms and windows. It's only the method used to gather the
information and authenticate it simply. The membership system in ASP.Net 2.0
adds the capabilities for creating/managing/authenticating users from a user
store (typically a SQL Server database) based on the membership provider.
ASP.Net 2.0 can create the membership store in a SQL Server with all the
necessary tables and stored procedures. It can also implement role-based
security. Roles are not Windows Groups so don't compare them. Windows Groups
are actually an implementation of role-based security. The Membership system
does come with an optional roles-based security provider so you can
associate users with roles. It also comes with a personalization system so
you can personalize the information associated with a user without having to
muck around with creating custom user tables and such.
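
Added example (not part of the original thread or of any poster's reply): a web.config sketch showing where the pieces discussed above sit, with forms authentication, a SQL membership provider, the optional role provider, and URL authorization rules. The connection string, provider names and role name are hypothetical.

```xml
<configuration>
  <connectionStrings>
    <!-- hypothetical connection string name and database -->
    <add name="AppUsers"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Authentication: how the caller's identity is established. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Membership: the user store that credentials are validated against. -->
    <membership defaultProvider="SqlUsers">
      <providers>
        <clear />
        <add name="SqlUsers"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppUsers"
             applicationName="/" />
      </providers>
    </membership>

    <!-- Role manager: optional. When enabled, role checks go to this provider. -->
    <roleManager enabled="true" defaultProvider="SqlRoles">
      <providers>
        <clear />
        <add name="SqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppUsers"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- UrlAuthorizationModule: rules are read top to bottom and the first
         match wins. The inherited default allows everyone, so finish with
         an explicit deny. "Editors" is a hypothetical role name. -->
    <authorization>
      <allow roles="Editors" />
      <deny users="*" />
    </authorization>

    <!-- Windows-mode variant: set authentication mode="Windows" and leave
         roleManager disabled. Role names in allow/deny are then checked with
         WindowsPrincipal.IsInRole, that is, against Windows groups written
         as DOMAIN\GroupName. -->
  </system.web>
</configuration>
```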
 
djc

I think most of my number 2 question was cleared up by this:
http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetauthorization.asp

If I understand correctly now I need one last clarification that was not
specified in the article above:
when users/roles for URLAuthorizationModule are specified in web.config they
are automatically matched against windows accounts/groups when using windows
authentication mode or against whatever user store you used (sql db most of
the time) if using forms authentication. (Yes/No)?

my confusion was that I didn't realize the URLAuthorizationModule (settings
in <authorization></authorization> in web.config) could also be used when
using windows authentication mode. Now I just want to verify where the
users/roles specified in the <authorization></authorization> section are
matched against.

still not sure on my number 1 below though (about membership, which I think
is new to 2.0?).

my first question below is still
 
djc

Thanks for the reply Mark.
So if I'm using windows authentication mode and add an authorization entry in
web.config specifying <allow roles="GroupName" /> it would not match
"GroupName" with a windows user group named "GroupName"?
 
