the biggest chapter in the whole book…
Fundamentals
– Terminology
– Application Design (Trusted Subsystem vs Impersonation/Delegation)
– ASP.NET Security Pipeline and Infrastructure
– IPrincipal and IIdentity
– Role-based Authorization (programmatically vs declarative)
– Server Authentication
Using Windows Accounts
– IIS Authentication Methods (Basic, Digest, NTLM, Kerberos)
– Impersonation
– Automatic vs. Programmatic
– Impersonation Gotchas (multi-threading and async handlers, error handling)
– Delegation and How to get it to Work
– Security Context and Accessing External Resources
Using Custom Accounts
– Forms Authentication
– Mechanics
– Configuration
– Security
– Customizing Forms Authentication
– Issuing Tickets
– Role Management
– Role Caching (Cache vs User Data)
– Web Farms and Single-Sign-On Scenarios
– Protecting Non-ASP.NET Resources with ASP.NET
– Securing classic ASP
Hybrid Approaches
– Manual Windows Authentication (LogonUser vs LDAP)
– Converting a Windows Token into a GenericPrincipal
– Caching Windows Tokens
– Protocol Transition
– Basic Authentication against Custom Accounts
– Client Certificate based Authentication
– Cryptographic Operations
– Translating between Certificates and Windows Accounts
– Mixed Mode Authentication
Hi Dominick,
Is there a way in ASP.NET to send a custom message to the client when the authentication ticket has expired, to let them know why they are being redirected?
(error 4005)
Thank you.
Gilles