ASP+ provides several new authentication and authorization schemes to enable not only the security but also the personalization of your Web site. These schemes are in addition to the default authentication schemes that IIS provides. The .NET PDC Tech Preview documents four authentication providers: Cookie, Passport, Windows, and None. The most interesting one for me, from a development standpoint, is cookie authentication. This article delves into cookie authentication and shows you how to add value to your sites.
What you need:
Windows 2000 Server
.NET PDC Tech Preview
It is important to note that these ASP+ authentication providers are only executed for files that invoke the ASP+ engine. This means that requesting an .asp file will not invoke the ASP+ authentication provider by default. All authentication options are set in an XML file, called CONFIG.WEB—the new location for much of the information that was placed in the metabase in the past. To specify the authentication provider you need to use the <security> and <authentication> tags. A sample is shown in Listing 1.
Note that Listing 1 shows a valid XML document. This means that case matters, as does the order of the tags. If there is no security node in CONFIG.WEB, then ASP+ defaults to using no authentication provider. Although ASP+ is not using an authentication provider, the underlying IIS mechanisms are still in place. In this mode authentication is unchanged from IIS 4.0/ASP 3.0.
The Windows authentication provider is used to authenticate logins and map them to Windows groups. This is done by creating a WindowsPrincipal object and attaching it to the request. This object is then used for authentication when accessing resources or assemblies in the page. The Passport authentication provider integrates with the Microsoft Passport service and uses that service for authentication.
Cookie Authentication
Cookie authentication is useful when you want to control the entire authentication process from login form to authorization. However, this method requires your user to accept cookies for it to work. Cookie authentication, as the name implies, uses a cookie to persist authentication information and permit access to locations in the site.
You might wonder how cookie authentication actually works. When a request for an ASP+ page first comes to a Web site using cookie authentication, ASP+ checks for an authentication cookie. If none is present, the request is redirected to a login form. The login form that you write collects the username and password and then authenticates them in a way you define. If the username/password combination passes authentication, you call an API to write the authorization cookie and redirect the user to the original content they were looking for. If an authentication cookie is present on subsequent requests, the user is passed through immediately to the content they requested.
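The request flow described above, modeled as an added example in Python; it is not code from this article and does not use the ASP+ API. The cookie name, login path, ReturnUrl parameter, the HMAC-signed cookie layout, the key and the user table are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

SECRET = b"constructed-demo-key"    # constructed; a real site uses a random server-side key
COOKIE = "AUTH"                     # hypothetical cookie name
LOGIN_PATH = "/login"               # hypothetical login form path
USERS = {"alice": "correct horse"}  # constructed user table (plaintext only for the demo)

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, ttl=1200, now=None):
    """Build 'user|expiry|mac' so the server can detect tampering."""
    expiry = int(now if now is not None else time.time()) + ttl
    body = f"{user}|{expiry}"
    return f"{body}|{_mac(body)}"

def verify_cookie(value, now=None):
    """Return the user name, or None if the cookie is missing, forged or expired."""
    try:
        user, expiry, mac = value.split("|")
        if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
            return None
        if int(expiry) < (now if now is not None else time.time()):
            return None
        return user
    except (AttributeError, ValueError):
        return None

def handle_request(path, cookies):
    """Pass through with a valid cookie, otherwise redirect to the login form."""
    user = verify_cookie(cookies.get(COOKIE))
    if user:
        return 200, {"X-User": user}
    return 302, {"Location": f"{LOGIN_PATH}?ReturnUrl={quote(path, safe='')}"}

def handle_login(user, password, return_url):
    """Authenticate, write the cookie, and send the user back to the original page."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401, {}
    # Accept only same-site paths as the return target; anything else goes to "/".
    if not return_url.startswith("/") or return_url.startswith("//") or "\\" in return_url:
        return_url = "/"
    cookie = f"{COOKIE}={issue_cookie(user)}; HttpOnly; Path=/"
    return 302, {"Location": return_url, "Set-Cookie": cookie}
```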