Authorization is the process of determining whether the user identified by the authentication process is allowed to access the resource that they’re requesting or whether to take the action that they’re attempting to take (such as updating data in a database). While authentication asks the question “Who are you?”, authorization asks the question “Are you allowed to do that?” The answer to that question determines whether the user’s action is allowed.
Authorization in ASP.NET takes three forms, which are all discussed in this section: ACL-based authorization, URL authorization, and programmatic authorization.
Access Control Lists (ACLs) are used in Windows NT, Windows 2000, and Windows XP to control access to system resources, such as files and folders in the NTFS filesystem. You can assign Windows user accounts or groups to the ACL for a given resource to allow that user or group access to the resource, or determine what type of access (read, write, change, etc.) is authorized.
ACL-based authorization is useful primarily when using Windows authentication in ASP.NET. ASP.NET can use the authenticated user identity to perform ACL checks and can also make requests for ACL-protected resources by using the user’s security context, if impersonation has been enabled.
To protect a file using ACL authorization, right-click the desired file in Windows Explorer and select Properties. Next, click the Security tab to view the current users, groups, and ...