
Security

An overview of the security model implemented in AxCMS.net.

The following topics are covered under Security:

  • Authentication
  • Authorization
  • Secure Communication
  • Profile Management

Always keep in mind the dual architecture of AxCMS.net: it consists of the Management System (MS) and the Live System (LS). The security concepts apply to both sides, but each system has its own User Store with its own set of roles, rights and protectable objects. See Definitions for a description of these concepts.

Authentication

AxCMS.net maintains its own User Store with user credentials, permissions and profiles. By default, the HtmlForms authentication of ASP.NET is used.

It is also possible to use ActiveDirectory to authenticate users who are already logged into a Windows domain. Read more under ActiveDirectory.

Alongside the standard web application used to access AxCMS.net, there are two other ways in: WebDAV and WebService.

WebDAV enables other applications, such as Windows Explorer, to access AxCMS.net using the files-and-folders metaphor. The WebDAV implementation supports both the AxCMS.net standard authentication (digest authentication is used to transfer the credentials) and ActiveDirectory authentication. Read more under AxCMS.net and WebDAV.

The WebService exposes AxCMS.net functionality for use in other applications, such as AxDMS.net. Only AxCMS.net authentication is supported by the WebService; WSE3 is used to pass the credentials from the client to the server. WebService documentation will be available in the near future.

In the Live System there is no authentication by default. On the Live side you can use the same technique that AxCMS.net itself uses: HtmlForms authentication against its own User Store. AxCMS.net offers support tools for this. There is no ActiveDirectory or WebDAV support out of the box.

IP-address-based authentication is also available. It lets you map client IP addresses to particular users (members). If the client IP is not found in the map and the client tries to access a protected page, the standard authentication (with a login page) is used.
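As an added illustration, not AxCMS.net's own code or API, here is a constructed C# lookup of the kind the IP-address-based authentication describes, generalised from single addresses to address ranges; the mapping entries and member names are made-up sample data, and a null result is the signal to fall back to the login page:

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Constructed example: resolve a Live System member from the client's IP address.
// Returns null when no mapping exists, so the caller falls back to the login page.
public static class IpMemberMap
{
    // Hypothetical mapping table with constructed sample entries (network, prefix length, member).
    private static readonly List<(IPAddress Network, int Prefix, string Member)> Entries =
        new List<(IPAddress, int, string)>
        {
            (IPAddress.Parse("10.20.0.0"), 16, "partner-intranet"),
            (IPAddress.Parse("203.0.113.8"), 32, "kiosk-lobby"),
        };

    // Feed this the address of the TCP connection itself (in ASP.NET, Request.UserHostAddress).
    // Do not derive it from X-Forwarded-For unless the request provably came from your own
    // trusted reverse proxy, because that header is set by whoever sends the request.
    public static string ResolveMember(IPAddress clientIp)
    {
        foreach (var (network, prefix, member) in Entries)
        {
            if (clientIp.AddressFamily == network.AddressFamily && InNetwork(clientIp, network, prefix))
                return member;
        }
        return null; // not mapped: standard authentication with the login page applies
    }

    // True when the first `prefix` bits of ip and network are equal.
    private static bool InNetwork(IPAddress ip, IPAddress network, int prefix)
    {
        byte[] a = ip.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        for (int i = 0; i < a.Length; i++)
        {
            int bitsLeft = prefix - i * 8;
            if (bitsLeft <= 0) return true;                       // all significant bits matched
            int mask = bitsLeft >= 8 ? 0xFF : (0xFF << (8 - bitsLeft)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(ResolveMember(IPAddress.Parse("10.20.7.9")) ?? "login page");   // partner-intranet
        Console.WriteLine(ResolveMember(IPAddress.Parse("198.51.100.4")) ?? "login page"); // login page
    }
}
```

Because the mapping grants access on the strength of a network address alone, treat it as an authentication decision: keep the table small, log the resolved member with the address it came from, and keep the login-page fallback for everything else.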

Note that in AxCMS.net jargon we use the term User (German: Benutzer) for a user of the Management System, but refer to users of the Live System as Members (German: Teilnehmer). Other names you will probably encounter are MS-user and LS-user.

Authorization

Authorization is about granting access to particular objects only to particular, already authenticated, users. AxCMS.net offers a flexible model that you can customize to suit the needs of your project. The key concepts of AxCMS.net authorization are Roles, Rights and Checkpoints. Read more under Authorization in AxCMS.net.

If you wish, you can reuse the security model of the Management System in the Live System to protect your Live Pages, Documents and other objects. Read more under Authorization in Live System.

Secure Communications

If you want to secure the communication between the client and the server, we suggest using SSL.

For the communication with AxCMS.net WebServices we use WSE3 (Web Services Enhancements) from Microsoft at the application level. SSL can be used as well, and configuring the WebServices to accept requests only from known client IPs is also advisable. For an overview of WSE, read Why WSE? in MSDN.

Profile Management

Both Users and Members have profiles in AxCMS.net. You can manage these profiles from inside the AxCMS.net GUI (for Users: Admin / User; for Members: Extras / Members).

If you would like to extend the Member profiles, derive your own class from the AxUser class and tell AxCMS.net to use it instead of the standard class. Read more under Extending Live AxUser.