Authentication and Authorization
Properly securing your Web sites has always been challenging. ASP.NET 1.x made significant improvements upon earlier technologies by encapsulating the security model into the Framework. Security services are provided in the form of identities and roles. You can programmatically create identities based on credentials that are verified against the user store of your choice, and then persist this identity through the user's session. You can also implement role-based security in a variety of ways. For example, you can map roles to a folder so that only authenticated users with proper role membership can access the folder.

All of this, however, required custom user data storage, a lot of code to bind the security services to the user data, and custom administrative interfaces to manage Web site security.

It's not an overstatement to say that security support in ASP.NET 2.0 and VWD is a quantum leap over ASP.NET 1.x—the most comprehensive security model and suite of features to date. The legacy limitations have been designed out. The new Provider API provides user data storage services right out of the box. Additionally, VWD provides a Web administration application for setting up and managing your security system. The Provider API is also extensible, fully supporting custom user data storage. What is more, a suite of new security controls will make your life much easier when building such user interfaces as new user registration, login, and lost password.

The following diagram gives you an overview of the evolution of ASP.NET security support:

In this next series of lessons you will build a robust security mechanism for your Web application using the new authentication and authorization features of ASP.NET 2.0 and VWD.