ASP.NET security: ASP.NET security architecture, how to implement .NET security

Source: Internet
Author: User

ASP.NET security architecture: how to implement .NET security

Are you often confused by the many concepts involved when you use Forms authentication? Do you really understand what a principal, an identity and IPrincipal are? Most documents rarely explain what these things are; they only describe how to use them, and the result is that many people stop at the surface and use them mechanically. I believe you will gain something from reading this article.

 

Series article links:

ASP.NET development security issues

ASP.NET security issues: creating secure web applications

ASP.NET security issues: ASP.NET security architecture

ASP.NET security issues: ASP.NET security architecture, how to implement .NET security

ASP.NET security issues: authentication and the identity authentication module in the ASP.NET lifecycle

ASP.NET security issues: detailed introduction to Forms authentication (Part 1)

ASP.NET security issues: Forms authentication details (Part 1)

ASP.NET security issues: Forms authentication (later part), practice

ASP.NET security issues: authorization in ASP.NET (previous article)

 

The ASP.NET security architecture provides an object model for web application programs. Whatever authentication mode we choose, many of the elements are the same. A user who logs on to the application is granted a principal and an identity according to the credentials they provide. The principal object represents the current security context of the user, including the user's identity and roles. The identity object represents the current user. The principal object is created from the identity object (which identifies the user) and adds some additional information, such as roles or custom data.

In short: Principal = Identity + Roles + Custom Data

One thing to note: identity authentication occurs at a specific point in the ASP.NET request lifecycle. Remember this; I will come back to it later. Let's go through the topics as follows:

1. Security Context
The identity object represents the authenticated user. The type of the identity object depends on the authentication mode in use. For example, Windows authentication uses a WindowsIdentity object, while Forms authentication uses a FormsIdentity object.

It is a little uncomfortable to get started with the concept of identity. In fact, an identity is simply who the user is: what kind of user it is and what the user's name is. It is just a slightly more formal term.
In addition, the principal object represents the group or role membership of the user who has passed identity authentication: this is the security context of the current user. Put plainly, "security context" means that this object carries a lot of information about the user's identity. The principal object is created automatically for Windows authentication in IIS, but we can also create a GenericPrincipal object ourselves (you will understand this later).
During programming you have more or less used the HttpContext.Current.User property, which represents a principal object. The principal object implements the IPrincipal interface.
IPrincipal interface
Different authentication modes have different security context requirements. We use the principal object to represent the current security context. The IPrincipal interface defines the basic functions of the principal object. You can also customize the security context object as long as it implements the System.Security.Principal.IPrincipal interface:


Identity property -- gets the identity of the current principal object. As mentioned earlier, a principal contains an identity; this is why.
IsInRole(string roleName) method -- determines whether the current principal belongs to the specified role. You have probably used a statement like HttpContext.Current.User.IsInRole("admin").
 
The principal object is accessed through the HttpContext.Current.User property. You have probably used code like this:

    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        lblUserName.Text = HttpContext.Current.User.Identity.Name + " logged on";
    }

(Note: the identity is the user's identification, including the user name, as we will discuss later.)

The following code is also common: determine whether the current user is in the administrator role.

    if (HttpContext.Current.User.IsInRole("Admin"))
    {
        // ...
    }

 

Let's take a look at the IPrincipal implementations built into ASP.NET:
GenericPrincipal class
The GenericPrincipal class implements the IPrincipal interface. As the name suggests, a GenericPrincipal object represents a general, basic security context: it only defines the roles of the current user. In other words, this object implements only the basic part of the IPrincipal interface. (From here on we will call an object that implements the IPrincipal interface a principal.) For the Windows authentication mode, WindowsPrincipal is used, because WindowsPrincipal implements IPrincipal more specifically. In Forms authentication only GenericPrincipal is used; that is to say, we can implement custom principal objects according to our requirements, as discussed below.
Each implementation of the IPrincipal interface must implement the Identity property and the IsInRole method. The IsInRole method of the GenericPrincipal class compares the role name with the roles defined in its string array, while the IsInRole method of the WindowsPrincipal class compares the role with the groups assigned to the Windows user account.

We can create an instance of the GenericPrincipal class to be used throughout the lifecycle of the current request and assign it to the HttpContext.Current.User property.
The GenericPrincipal constructor has two parameters: the user's GenericIdentity (GenericIdentity implements the IIdentity interface) and a string array representing the user's roles. This is why we said earlier: Principal = Identity + Roles.
Once a GenericPrincipal object is created, it can be assigned to the HttpContext.Current.User property to represent the security context of the user making the current request.
 
The following is an example of the creation code:

    // Create a general GenericPrincipal
    // As we said: the identity is the object containing the user name. The following creates an identity named "xiaoyang".
    GenericIdentity identity = new GenericIdentity("xiaoyang");

    // Create the GenericPrincipal
    // Note: roles is a string array of role names, such as string[] roles = new string[] { "admin", "customer" };
    string[] roles = new string[] { "admin", "customer" };
    GenericPrincipal principal = new GenericPrincipal(identity, roles);

    // Attach it to the current request
    HttpContext.Current.User = principal;


Note: the above code must be written in a specific place, that is, at a specific point in the request lifecycle; we will talk about that later.

After talking about the principal, let's talk about what the user identity is, which has been mentioned many times above.
2. User Identity

The identity object is used to identify the current user. The identity provides only a small amount of security context information, such as the user name. The identity object is what is used to authenticate the user.

IIdentity interface
Just like the IPrincipal interface, this means that every object that identifies a user must implement this interface. The IIdentity interface defines the basic structure of the identity object, as follows:

AuthenticationType (string) property -- gets the type of authentication used. For example, if Forms authentication is used, this property returns the string "Forms"; a custom identity can therefore return its own string, such as "mimidentity".
IsAuthenticated (bool) property -- indicates whether the user has passed identity authentication. We often use HttpContext.Current.User.Identity.IsAuthenticated to determine whether the user has logged on.
Name (string) property -- gets the user name. HttpContext.Current.User.Identity.Name should be no stranger to you.

Next, let's look at an identity class of our own that implements the IIdentity interface.

 

    using System;
    using System.Security.Principal;

    public class CustomIdentity : IIdentity
    {
        private string _name;
        // The authentication type reported by this identity; defaults to "CustomerIdentity"
        private string _authenticationType = "CustomerIdentity";
        // Demonstration only: a real implementation sets this after the credentials have been verified
        private bool _isAuthenticated = false;

        // The constructor receives only one string parameter. Compare the earlier code: GenericIdentity identity = new GenericIdentity("xiaoyang");
        public CustomIdentity(string name)
        {
            _name = name;
        }

        // Overload that also lets the caller choose the authentication type string
        public CustomIdentity(string name, string authenticationType)
            : this(name)
        {
            _authenticationType = authenticationType;
        }

        // The IIdentity interface is implemented below:
        public string AuthenticationType
        {
            get { return _authenticationType; }
        }

        public bool IsAuthenticated
        {
            get { return _isAuthenticated; }
        }

        public string Name
        {
            get { return _name; }
        }
    }

The above code is just a demonstration; you can extend it according to your own requirements.
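The custom principal mentioned above (Principal = Identity + Roles), as an added example that is not part of the original post: a class implementing IPrincipal that wraps any IIdentity and a role list, so that IsInRole answers false for anything that was not explicitly granted. The CustomPrincipal and CustomPrincipalDemo names are assumptions; the demo uses the built-in GenericIdentity so it compiles on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not the original post's code: a custom IPrincipal.
public class CustomPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    // Role names are compared ordinally and case-insensitively, never with culture rules
    private readonly HashSet<string> _roles;

    public CustomPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        _identity = identity;
        _roles = new HashSet<string>(roles ?? new string[0], StringComparer.OrdinalIgnoreCase);
    }

    // Principal = identity + roles: the identity is exposed directly, the roles only through IsInRole
    public IIdentity Identity
    {
        get { return _identity; }
    }

    public bool IsInRole(string role)
    {
        // An unauthenticated identity holds no roles, whatever the role list says
        if (string.IsNullOrEmpty(role) || !_identity.IsAuthenticated) return false;
        return _roles.Contains(role);
    }
}

public static class CustomPrincipalDemo
{
    public static void Main()
    {
        // GenericIdentity treats a non-empty name as authenticated
        GenericIdentity identity = new GenericIdentity("xiaoyang");
        CustomPrincipal principal = new CustomPrincipal(identity, new[] { "customer" });

        Console.WriteLine("customer? " + principal.IsInRole("Customer"));  // granted role, different casing
        Console.WriteLine("admin?    " + principal.IsInRole("admin"));     // role that was never granted

        // An empty name gives an unauthenticated GenericIdentity, so no role check can pass
        CustomPrincipal anonymous = new CustomPrincipal(new GenericIdentity(""), new[] { "admin" });
        Console.WriteLine("anonymous admin? " + anonymous.IsInRole("admin"));
    }
}
```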
 
 
As before, let's look at the identity classes built into ASP.NET:
FormsIdentity -- used in Forms authentication
PassportIdentity -- used in Passport authentication
GenericIdentity -- a general identity
WindowsIdentity -- used for Windows authentication
 
Let's take a look at how GenericIdentity is used; the others are used in a similar way.
 

In fact, GenericIdentity represents a basic identity object; it is the base case for identity objects. We saw it in the GenericPrincipal example above, where we created an instance of the GenericIdentity class:

    GenericIdentity identity = new GenericIdentity("xiaoyang");

 
We can also provide more specific identity objects, such as the FormsIdentity mentioned earlier, to carry more specific user information.

That's all for today; I hope you have gained something from it.
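How FormsIdentity fits the Principal = Identity + Roles picture, as an added example that is not part of the original post: Forms authentication wraps the decrypted cookie ticket in a FormsIdentity, and the principal is a plain GenericPrincipal whose roles come from the ticket's UserData string. It assumes .NET Framework with System.Web available; the FormsPrincipalBuilder name and the comma-separated role layout in UserData are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;

// Added example, not the original post's code.
public static class FormsPrincipalBuilder
{
    // Builds the principal Forms authentication would hand to HttpContext.Current.User,
    // starting from an already-decrypted ticket (FormsAuthentication.Decrypt produces one from the cookie value).
    public static IPrincipal FromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired)
        {
            // Missing or expired ticket: an unauthenticated GenericIdentity (empty name) with no roles
            return new GenericPrincipal(new GenericIdentity(""), new string[0]);
        }

        // FormsIdentity reports AuthenticationType "Forms" and exposes the ticket itself
        FormsIdentity identity = new FormsIdentity(ticket);

        // Assumed layout: roles were stored as "role1,role2" in UserData when the ticket was issued.
        // Trimming avoids " admin" silently failing a later IsInRole("admin") check.
        string[] roles = (ticket.UserData ?? "")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < roles.Length; i++)
        {
            roles[i] = roles[i].Trim();
        }

        return new GenericPrincipal(identity, roles);
    }

    public static void Main()
    {
        // Constructed sample ticket: version 1, user "xiaoyang", valid for 30 minutes, roles in UserData
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, "xiaoyang", DateTime.Now, DateTime.Now.AddMinutes(30), false, "customer, admin");

        IPrincipal principal = FromTicket(ticket);
        Console.WriteLine("type:  " + principal.Identity.AuthenticationType);
        Console.WriteLine("name:  " + principal.Identity.Name);
        Console.WriteLine("admin? " + principal.IsInRole("admin"));

        // Constructed expired ticket: the resulting principal is unauthenticated and has no roles
        FormsAuthenticationTicket stale = new FormsAuthenticationTicket(
            1, "xiaoyang", DateTime.Now.AddHours(-2), DateTime.Now.AddHours(-1), false, "admin");
        IPrincipal expired = FromTicket(stale);
        Console.WriteLine("expired authenticated? " + expired.Identity.IsAuthenticated);
        Console.WriteLine("expired admin?         " + expired.IsInRole("admin"));
    }
}
```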
 

Note: please indicate the source when reprinting!
