A sample aspx page to show the security details

  • Article

This is a pretty small sample to help you figure out the ASP.NET identity matrix and how it comes in effect. I am posting this since quite often we need to troubleshoot security related issues on a production website and making any Application level changes become really difficult.

What you can do now is to create a sample page called SecurityTest.aspx in the Virtual Directory where you are having security related issues and paste the following code...

<%@ Page Language="VB" %>
<script runat="server">
    Protected Sub btnShowInfo_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        Dim strInformation As New StringBuilder
        Try
            strInformation.Append("")
            strInformation.Append("Http Context = " & GetHTTPContext() & "<BR>")
            strInformation.Append("Windows Identity = " & GetWindowsIdentity() & "<BR>")
            strInformation.Append("Thread Information = " & GetThreadInformation() & "<BR>")
            Response.Write(strInformation)
        Catch ex As Exception
            Response.Write(ex.Message)
        Finally
            strInformation = Nothing
        End Try
    End Sub
    Private Function GetHTTPContext() As String
        GetHTTPContext = HttpContext.Current.User.Identity.Name
    End Function
    Private Function GetWindowsIdentity() As String
        GetWindowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent.Name.ToString
    End Function
    Private Function GetThreadInformation() As String
        GetThreadInformation = Threading.Thread.CurrentPrincipal.Identity.Name
    End Function
</script>
<head runat="server">
    <title>.NET Security Demo</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Button ID="btnShowInfo" runat="server" Text="Show Information" OnClick="btnShowInfo_Click" />
<BR><HR><B><U>HttpContext</U></B>= HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current web request. This is the authenticated Web client. <BR> <B><U>WindowsIdentity</B></U> = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread. <BR><B><U>Thread</U></B> = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.<BR><HR><A href="https://msdn2.microsoft.com/en-us/library/aa302377.aspx">Read about the Security Identity Matrix</A><BR><A href="https://msdn2.microsoft.com/en-us/library/aa302376.aspx">How does IIS & ASP.NET Processing work</a>!
    </div>
    </form>
</body>
</html>

You can change your web.config file and set impersonation = true/false and authentication mode to windows/forms etc and see how your identity matrix looks like. This sample comes in pretty handy when I need to show some ASP.NET security related stuff to anyone.

Read about the Security Identity Matrix
How does IIS & ASP.NET Processing work!

Hope this helps!
Rahul