ASP.NET Security Question -- Authorization in ASP.NET (Part 1)
In the previous article I talked about some authentication issues. Next I will talk about authorization and code access security.
In an ASP.NET application the authorization process is basically: create users or user groups and assign permissions to them. In the .NET Framework there are many ways to implement authorization, such as file authorization, URL authorization, and custom authorization.
Next, let's talk about how ASP.NET controls access to restricted resources. This article focuses on the following issues:
1. Role-based security
2. Permission mapping
3. Permission objects
There is not much code in this article; the next article will try to provide as much code as possible.
Links to the articles in this series:
ASP.NET development security issues
ASP.NET security issues - creating secure Web applications
ASP.NET security question - ASP.NET security architecture
ASP.NET security question -- ASP.NET security architecture -- how to implement .NET security
ASP.NET security question - authentication and the identity authentication module in the ASP.NET lifecycle
ASP.NET security question - detailed introduction to Forms authentication (Part 1)
ASP.NET security question - Forms authentication details (Part 1)
ASP.NET security questions - Forms authentication (later) - practice
ASP.NET security question -- authorization in ASP.NET (Part 1)
1. Role-based security
I believe everyone has some knowledge of role-based security, so the concepts will not be repeated. Before talking about role-based security, I hope you understand the IIdentity and IPrincipal interfaces mentioned earlier (if not, refer to my earlier articles in this security series).
In .NET you can use the .NET Framework to flexibly combine a user identity with roles and define permissions for the combined subject. As we said before:
Subject (IPrincipal) = Identity (an object containing the user name and other information) + roles;
We can define many roles, and then define the permissions each role has to access resources. For example, we define a customer role and set a user's role to customer. Then we define the access permissions of the customer role, and those permissions apply to every user whose role is customer. That is, we do not define permissions for each user separately, because maintaining and modifying per-user permissions is troublesome.
Of course, we can also authorize specific users separately, for example to write a file. There are many authorization methods, but the idea is roughly the same.
Generally, the authorization process for an application is as follows:
1. Determine whether the user has a valid credential for accessing the resource (that is, the authentication process we talked about earlier)
2. Deny specific users access to specific resources
3. Allow specific users to access specific resources
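The three steps above, as an added example that is not from the original article: an authenticated IPrincipal is checked first, and then an ordered list of deny/allow rules is walked, first match wins, default deny. The ordering mirrors how ASP.NET URL authorization evaluates <allow>/<deny> elements, but the Rule type and the Authorize method here are illustrative and not framework API; the users and roles are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Illustrative rule type (not a framework class): one <allow> or <deny> entry.
public sealed class Rule
{
    public bool Allow;    // true = allow, false = deny
    public string Role;   // role the rule applies to, or null
    public string User;   // user name, "*" for everyone, or null
}

public static class SimpleAuthorizer
{
    // Step 1: no valid credential, no access. Steps 2 and 3: the first rule that
    // matches the caller decides; if nothing matches, the caller is denied.
    public static bool Authorize(IPrincipal principal, IList<Rule> rules)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;   // anonymous callers never reach the rule list

        foreach (Rule r in rules)
        {
            bool matches =
                r.User == "*" ||
                (r.User != null && string.Equals(r.User, principal.Identity.Name, StringComparison.OrdinalIgnoreCase)) ||
                (r.Role != null && principal.IsInRole(r.Role));
            if (matches)
                return r.Allow;
        }
        return false;       // default deny
    }

    public static void Main()
    {
        // Constructed sample principals: GenericIdentity with a non-empty name
        // counts as authenticated; GenericPrincipal carries the role list.
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "customer" });
        IPrincipal bob   = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "guest" });
        IPrincipal anon  = new GenericPrincipal(new GenericIdentity(""),      new string[0]);

        // Equivalent of: <allow roles="customer"/> followed by <deny users="*"/>
        var rules = new List<Rule>
        {
            new Rule { Allow = true,  Role = "customer" },
            new Rule { Allow = false, User = "*" }
        };

        Console.WriteLine("alice: " + Authorize(alice, rules));
        Console.WriteLine("bob:   " + Authorize(bob, rules));
        Console.WriteLine("anon:  " + Authorize(anon, rules));
    }
}
```

Because the deny-everyone rule comes last, only a caller that matched the customer rule first gets through; swapping the two rules would deny everybody, which is the usual mistake when writing allow/deny lists by hand.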
2. Permission mapping
In .NET there are some built-in permission objects that ensure a user has the proper permissions to access a resource. Before the following questions, let's first talk about permissions. As we know, a system generally has many files and folders, and these files and folders usually have access permissions. For example, we can define the permissions on some files so that only the administrator can modify them while ordinary users are read-only.
Note: we configure the permissions of these files or folders through the operating system. (Everyone should know this.)
Our website actually stores files on the server. Since these files are on a server such as Windows Server 2003, they must have access permissions. If you are the administrator of the server you can perform any operation on these files, and other users cannot.
Now assume our website is deployed on the server, and all website files, such as aspx pages, images and App_Code, are in the website folder; the permissions on these file resources have already been defined, for example read-only.
In fact, some of the permission classes in .NET are really permission mappings. What does that mean?
Assume there is a file in our website folder, such as the admin.aspx page. We can use the operating system to define the access permissions for this file (operation: select the file, right-click it, choose "Sharing and Security", then choose which users can access the file and what operations those users may perform, such as read, write, and security control). These are system-defined permissions; the .NET Framework "retrieves" some of the permissions defined on files and wraps them in permission classes, so that we can operate on these permissions from managed code such as C# instead of through the Win32 API (unmanaged code). (If anything here is wrong, please correct me!)
3. Permission objects
Here are some examples of permission classes:
FileIOPermission
PrincipalPermission
These built-in permission objects protect specified resources. For example, the FileIOPermission object ensures that only authorized users are allowed to access a file. That is, the FileIOPermission object maps the credentials of the current user to the operating system level; the result of the mapping is that the user has the same operation permissions as an existing user in the system (such as IUSR), and file permissions can then be applied to that user.
FileIOPermission
The FileIOPermission object requires that the Windows user, or the identity under which the ASP.NET worker process runs (usually the ASPNET account), is granted read or write permission according to the permissions defined on the files or folders in the file system. That is, the FileIOPermission object verifies the principal in the context of the permissions defined in the file system.
For example, in an ASP.NET program we may want to write a file after a button is clicked; the file must then be configured with the necessary access permissions, and the necessary permissions must be granted to the user logging on to the application.
If you want to deny access to a specific folder, such as C:\Windows, you can deny the operation with a FileIOPermission object at run time. We can write the following in the appropriate place:
[FileIOPermission(SecurityAction.Deny, All = @"C:\Windows")]
The above is written declaratively. We can also express it in code, which will be described later.
The SecurityAction enumeration defines the type of access check, for example Deny for refusal.
The preceding declaration can be used at the class level, method level, and assembly level. This is just a brief description for you to understand; the details are described later.
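The declarative Deny from the text next to its imperative counterpart, as an added example that is not from the original article. It assumes the classic .NET Framework, where code access security is enforced: SecurityAction.Deny is obsolete and disabled by default from .NET Framework 4 onward, and CAS is not enforced at all on .NET Core / .NET 5+, so Demand is the form that still matters in practice. The paths are constructed for the demo. The point worth seeing is that two separate layers can refuse a write: the CAS check (SecurityException) and the operating-system ACL (UnauthorizedAccessException), and passing one says nothing about the other.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class FileAccessDemo
{
    // Declarative form from the text: nothing inside this method may touch
    // C:\Windows, regardless of what the file system ACLs would allow.
    // (Requires .NET Framework 2.0/3.5, or legacy CAS policy on 4.x.)
    [FileIOPermission(SecurityAction.Deny, All = @"C:\Windows")]
    public static void WriteOutsideWindows(string path, string text)
    {
        File.WriteAllText(path, text);
    }

    // Imperative form: ask the runtime, before doing the work, whether this code
    // and every caller on the stack are granted write access to the path.
    public static bool CanWriteByCas(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Write, Path.GetFullPath(path)).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;   // refused by CAS; the OS ACL was never consulted
        }
    }

    public static void Main()
    {
        // Constructed path under the temp directory for the demonstration.
        string tempFile = Path.Combine(Path.GetTempPath(), "authz-demo.txt");
        Console.WriteLine("temp file writable according to CAS: " + CanWriteByCas(tempFile));

        try
        {
            WriteOutsideWindows(@"C:\Windows\authz-demo.txt", "x");
            Console.WriteLine("write succeeded (CAS and ACL both allowed it)");
        }
        catch (SecurityException ex)
        {
            // Raised by the Deny attribute: a code-access decision, not an NTFS one.
            Console.WriteLine("blocked by CAS: " + ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            // Raised by the OS ACL after CAS let the call through.
            Console.WriteLine("blocked by file system: " + ex.Message);
        }
    }
}
```

When reviewing code like this, treat the CAS attribute as defence in depth for the code path and the NTFS ACL on the worker-process identity as the control that actually decides what ends up on disk; a deployment that relies on the attribute alone has no protection once the application runs on a runtime that ignores it.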
PrincipalPermission
PrincipalPermission ensures that the caller's context has the requested principal associated with it. This is a bit hard to understand, so let's look at the example below.
The following code ensures that only a user named Xiaoyang can access a specific method:
[PrincipalPermission(SecurityAction.Demand, Name = @"Localhost\Xiaoyang")]
Put this attribute above the declaration of any method.
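The attribute from the text in use, as an added example that is not from the original article. It puts a GenericPrincipal on Thread.CurrentPrincipal by hand (in a real ASP.NET request the authentication module does that), then calls methods guarded by PrincipalPermission both by name, as in the text, and by role, and shows the imperative Demand as well. User names and roles are constructed for the demo; PrincipalPermission.Demand assumes the .NET Framework and throws PlatformNotSupportedException on .NET Core / .NET 5+.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class PrincipalDemo
{
    // Declarative form from the text: only this exact user may call the method;
    // every other caller gets a SecurityException before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Name = @"Localhost\Xiaoyang")]
    public static string OnlyXiaoyang()
    {
        return "hello Xiaoyang";
    }

    // Role-based variant: any authenticated member of "admin", whatever the name.
    [PrincipalPermission(SecurityAction.Demand, Role = "admin")]
    public static string OnlyAdmins()
    {
        return "hello admin";
    }

    // Imperative form: the same check, decided at run time from data.
    public static bool CurrentCallerIsInRole(string role)
    {
        try
        {
            new PrincipalPermission(null, role).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Helper for the demo: install a constructed principal, call, report.
    static void RunAs(string name, string[] roles, Func<string> guarded)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try
        {
            Console.WriteLine(name + ": " + guarded());
        }
        catch (SecurityException)
        {
            Console.WriteLine(name + ": denied by PrincipalPermission");
        }
    }

    public static void Main()
    {
        RunAs(@"Localhost\Xiaoyang", new[] { "customer" }, OnlyXiaoyang);
        RunAs(@"Localhost\Someone",  new[] { "customer" }, OnlyXiaoyang);
        RunAs(@"Localhost\Someone",  new[] { "admin" },    OnlyAdmins);

        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("guest"), new[] { "customer" });
        Console.WriteLine("guest in admin role: " + CurrentCallerIsInRole("admin"));
    }
}
```

Because the check reads Thread.CurrentPrincipal, the attribute is only as trustworthy as whatever set that principal; in ASP.NET that is the authentication module and its role provider, so the declaration protects a method without the method having to know where the principal came from.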
That is all for today; it was mostly theory. Sorry!
Next article: authorization in ASP.NET (continued).