Web Site Administration Tool Security Tab
Use the <span class=UI>Security</span> tab of the Web Site Administration Tool to manage rules for securing specific resources in the Web application. ASP.NET uses a security system that lets you restrict access to specific user accounts or the roles to which the user accounts belong. With the <span class=UI>Security</span> tab, you manage user accounts, roles, and access rules for the Web site. Before using the <span class=UI>Security</span> tab for the first time, use the <span class=UI>Security Setup Wizard</span> to configure basic security settings for the Web site.
Introduction
ASP.NET security is based on the concepts of user accounts, roles, and access rules and lets you restrict access to your Web application resources to only the user accounts that you specify. Security settings are established using a combination of configuration settings and data stored in a database (or other data store). User accounts and roles that you create are stored in the database and access rules are stored in the Web.config file.
You can configure your application to use the following types of security, which depend on how the Web site will be used:
Forms-based authentication (<span class=UI>From the Internet</span>)
Forms-based authentication is used for Web sites that are made available to the Internet. Forms-based authentication uses the ASP.NET membership system to manage individual user accounts and groups (roles). User account information is stored in a local database or in a Microsoft SQL Server database. You can use the ASP.NET logon controls to create a logon page where users can enter their credentials.
Integrated Microsoft Windows authentication (<span class=UI>From a local network</span>)
Windows authentication interacts with Windows security, using the logon credentials that users provide when they log on to Windows. Therefore, Windows authentication is suited for intranet scenarios, where users have logged on to a Windows-based network. You do not have to create a logon page, because users are automatically logged on to your application with their Windows credentials.
Use the <span class=UI>Users</span> section of the <span class=UI>Security</span> tab to complete the following tasks:
Create, edit, and delete registered user accounts for the Web site.
View a list of all registered user accounts for the Web site.
Change the authentication method that is used by the Web site.
Note You can create and manage user accounts if you chose the <span class=UI>From the Internet</span> option for your authentication type (that is, if you are using forms-based authentication). If you chose the <span class=UI>From a local network</span> option as your authentication type (that is, if you are using integrated Windows authentication), you cannot manage individual user accounts. If you change the authentication type, any user information that you have created will be lost. Additionally, access rules might no longer work in the way that you configured them. Generally, you should select an authentication type only when you first configure the Web site.
Use the <span class=UI>Roles</span> section of the <span class=UI>Security</span> tab to group user accounts, which makes it easier to assign permissions (authorization).
Use the <span class=UI>Access Rules</span> section of the <span class=UI>Security</span> tab to allow or deny access for specified pages to specific user accounts or to all user accounts that belong in a specified role. Typically, you use an access rule to restrict pages for some user accounts.
Creating Users
You can create and manage user accounts, if you have set the authentication type to <span class=UI>From the Internet</span> (forms authentication). To change authentication types, click <span class=UI>Select authentication type</span>.
To create user accounts
Click <span class=UI>Create user</span>, and then specify the following information.
User Name
Enter the name for the user account to create.
Password
Enter the password for <span class=UI>User Name</span>. Passwords are case sensitive.
Confirm Password
Re-enter <span class=UI>Password</span>.
E-mail
Enter the e-mail address for <span class=UI>User Name</span>.
The Web Site Administration Tool does not confirm whether the address that you enter is a valid e-mail address, but it does validate that the e-mail address conforms to the correct format for e-mail addresses.
Security Question
Enter a question to ask the user when they need to reset or recover their password.
Security Answer
Enter the answer to <span class=UI>Security Question</span>.
Active User
Select this option to enable this user account as an active (current) user of the site. If you do not select this option, the user information is stored in the database, but the user cannot log on to the Web site.
Roles
Select the roles for <span class=UI>User Name</span>. You create roles separately. For more information, see the next section.
Creating Roles
To create roles
On the <span class=UI>Security</span> tab, click <span class=UI>Enable roles</span>.
Click <span class=UI>Create or Manage roles</span>.
In the <span class=UI>New role name</span> box, enter a name for the role to create, such as Administrator, Member, or Guest, and then click <span class=UI>Add Role</span>.
To add user accounts to roles
On the <span class=UI>Security</span> tab, click <span class=UI>Manage Users</span>, and then click <span class=UI>Edit User</span>.
Under <span class=UI>Roles</span>, select the roles for the user account.
Creating Access Rules
To create access rules
On the <span class=UI>Security</span> tab, click <span class=UI>Create access rules</span>.
Specify the following options:
Select a directory for this rule
You can choose to create a rule that applies to the whole site or to only a specific subdirectory. In the directory structure display for the Web site, select the directory to which the rule applies.
Under <span class=UI>Rule applies to</span>, specify how to apply the rule.
Role
Select <span class=UI>Role</span>, and then in the list, select the name of the role to which the access rule applies.
User
Select <span class=UI>User</span>, and then enter the name of the user account to which the access rule applies. If you are using ASP.NET membership (Web site security is set to <span class=UI>From the Internet</span>), you can also use the Search for users feature.
All users
Select this option to apply the rule to all visitors to the Web site.
Note Be careful when you create a rule with the <span class=UI>All users</span> option. Because rules are applied in order, you can unintentionally create a rule that prevents all users from accessing a folder.
Anonymous users
Select this option to apply this rule to anonymous (non-registered) user accounts only.
Typically, you choose the <span class=UI>Anonymous users</span> option to restrict (deny) access for users who are not logged on.
Permission
Select <span class=UI>Allow</span> to give access to the specified directory for the specified user account or role.
Select <span class=UI>Deny</span> to not allow access to the specified directory for the specified user account or role.
For example, to prevent users who are not logged on (anonymous) from viewing pages in a folder, click the folder, select <span class=UI>Anonymous users</span>, and then select <span class=UI>Deny</span>.
Sometimes, you might have to create multiple rules for the same folder in order to establish the correct permissions. For example, you might create a rule that denies access to anonymous user accounts and a second rule that denies access to user accounts in the role of Guest. That way, only users who are logged on and in another group can access the folder.
Behind the Scenes
The Web Site Administration Tool manages security information in the following two places:
The Web.config file at the root of the Web site.
The site provider database that is used to store user and group information.
Web.config Settings
The Web.config settings that are managed through the <span class=UI>Security</span> tab are the <authorization>, <roleManager>, and <authentication> sections.
The following code example is the Web.config file that is created by the Web Site Administration Tool within a restricted subdirectory of the Web site. Access to the restricted subdirectory is allowed for administrators and denied for anonymous users.
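As an added example (not the file the tool generates and not Microsoft's code), the Python sketch below embeds constructed Web.config rule sets of the kind described here and under Creating Access Rules, and evaluates them top-down with the first match deciding. The role names, user names, and the helper names load_rules and is_allowed are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config shell; the rule sets below are sample input, not tool output.
SHELL = """<configuration>
  <system.web>
    <authorization>
      {rules}
    </authorization>
  </system.web>
</configuration>"""

# Restricted folder: administrators allowed, anonymous denied (role name assumed).
RESTRICTED = SHELL.format(rules='<allow roles="Administrator" /> <deny users="?" />')
# Two deny rules for one folder: anonymous users and the Guest role.
NO_GUESTS = SHELL.format(rules='<deny users="?" /> <deny roles="Guest" />')
# Misordered: the "All users" deny is listed first and shadows the allow below it.
MISORDERED = SHELL.format(rules='<deny users="*" /> <allow roles="Administrator" />')


def load_rules(web_config):
    """Return [(action, users, roles)] in document order from <authorization>."""
    section = next(ET.fromstring(web_config).iter("authorization"), None)
    rules = []
    for el in (section if section is not None else []):
        users = [v.strip() for v in el.get("users", "").split(",") if v.strip()]
        roles = [v.strip() for v in el.get("roles", "").split(",") if v.strip()]
        rules.append((el.tag, users, roles))
    return rules


def is_allowed(web_config, user=None, roles=()):
    """Apply rules top-down; the first match decides. user=None is anonymous."""
    for action, users, rule_roles in load_rules(web_config):
        hit = ("*" in users
               or (user is None and "?" in users)
               or (user is not None and user in users)
               or any(r in rule_roles for r in roles))
        if hit:
            return action == "allow"
    # Assumption: nothing inherited denies access, so the request falls
    # through to ASP.NET's root-level default of allowing all users.
    return True


if __name__ == "__main__":
    people = [("anonymous", None, ()), ("admin", "alice", ("Administrator",)),
              ("member", "bob", ("Member",)), ("guest", "carol", ("Guest",))]
    for name, cfg in [("restricted", RESTRICTED), ("no guests", NO_GUESTS), ("misordered", MISORDERED)]:
        print(name, {who: is_allowed(cfg, u, r) for who, u, r in people})
```

In the restricted rule set, a logged-on user outside the Administrator role matches neither rule and is admitted by the inherited default, so a folder meant for administrators only also needs a rule that denies everyone else, placed after the allow.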
Database
When you use the default data provider, the Web Site Administration Tool creates entries in the default ASP.NET database. By default, the Web Site Administration Tool creates a database in the App_Data folder of the Web site. However, using the <span class=UI>Provider</span> tab, you can specify that application information for user accounts and roles be kept in another database (for example, retrieving role information from the Windows user database). For detailed information, see Web Site Administration Tool Provider Tab.
More Information
For more information about the settings that are managed in the <span class=UI>Security</span> tab, in the .NET Framework documentation, see the following topics:
Managing Users with ASP.NET Membership
Limiting Access to ASP.NET Web Sites
ASP.NET Configuration Overview
See Also
Web Site Administration Tool Overview
Web Site Administration Tool Application Tab
Web Site Administration Tool Provider Tab
Web Site Administration Tool Internals