Are you often confused by the many concepts involved in Forms authentication? Do you really understand what Principal, Identity, and IPrincipal ... are? Much of the literature rarely explains what these actually are, only how to use them and what results to expect, so many people's understanding stops at the surface and their use of these objects is constrained as well. I believe that after reading this article you will come away with something useful.
The ASP.NET security architecture provides an object model for implementing security patterns in Web applications. No matter which authentication mode we choose, many of these elements are the same. Users who log on to the application are granted a principal and an identity according to the credentials they provide. The Principal object represents the user's current security context, including the user's identity and the roles to which the user belongs. The Identity object represents the current user. The Principal object is created from an Identity object that represents the user's identity, and it adds additional information, such as roles or custom data.
In short: Principal = Identity + roles + custom data
One thing to be aware of is that authentication occurs at a particular point in the ASP.NET runtime. Remember this; it is covered specifically later. The details are discussed below:
The objects that represent the security context
The Identity object represents an authenticated user. The type of the Identity object depends on the authentication mode used; for example, Windows authentication uses a WindowsIdentity object, and Forms authentication uses a FormsIdentity object.
People who first encounter the concept of identity may find it a bit unfamiliar. In fact, the identity is simply the user's identification. What does it identify? It indicates who the user is and what the user name is; here we are just using a slightly more professional term.
In addition, the Principal object represents the groups or roles that an authenticated user is a member of; it is the current user's security context. Put plainly, the security context is an object that contains a lot of information about the user's identity. The Principal object is created automatically by Windows authentication in IIS, but we can also create generic principal objects (this will become clear later).
Everyone has, more or less, used the HttpContext.Current.User property when programming; it in fact represents a Principal object. The Principal object implements the IPrincipal interface.
IPrincipal interface
Different authentication modes have different requirements for the security context. We can use the Principal object to represent the current security context. The IPrincipal interface defines the basic functionality of the Principal object, and we can define our own security context object as long as it implements the System.Security.Principal.IPrincipal interface:
Identity property -- gets the identity of the current principal object. This is why we said earlier that the Principal contains the Identity.
IsInRole(string roleName) method -- determines whether the current principal object belongs to the specified role. Everyone has used statements like HttpContext.Current.User.IsInRole("Admin") when programming.
The principal object can be accessed through the HttpContext.Current.User property, and everyone should have used code like the following:
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
    // Show the user name followed by "already logged in"
    lblUserName.Text = HttpContext.Current.User.Identity.Name + "已经登录";
}
(Note: Identity is the user's identity and contains the user name. We'll talk about it later.)
The following code is more common: it determines whether the current user is in the administrator role
if (HttpContext.Current.User.IsInRole("Admin"))
{
    // Administrator-only logic goes here
}
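To make "Principal = Identity + roles + custom data" concrete, here is a minimal custom principal that implements both IPrincipal members described above. It is an added example, not code from the original article; the class name AppPrincipal, the Department field, and the sample users are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical custom principal: Identity + roles + one piece of custom data.
public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;

    public AppPrincipal(IIdentity identity, IEnumerable<string> roles, string department)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        Identity = identity;
        // Role names are compared case-insensitively here (a choice made for this example).
        _roles = new HashSet<string>(roles ?? new string[0], StringComparer.OrdinalIgnoreCase);
        Department = department;
    }

    public IIdentity Identity { get; private set; }    // IPrincipal.Identity
    public string Department { get; private set; }     // custom data (assumed field)

    public bool IsInRole(string role)                  // IPrincipal.IsInRole
    {
        // An unauthenticated identity is never in a role, whatever the role list says.
        return Identity.IsAuthenticated && role != null && _roles.Contains(role);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample users. GenericIdentity reports IsAuthenticated == true
        // only when the name is non-empty.
        IPrincipal alice = new AppPrincipal(new GenericIdentity("alice", "Forms"), new[] { "Admin" }, "IT");
        IPrincipal anon = new AppPrincipal(new GenericIdentity(""), new[] { "Admin" }, null);

        Console.WriteLine(alice.Identity.Name + " in Admin: " + alice.IsInRole("admin"));
        Console.WriteLine("anonymous in Admin: " + anon.IsInRole("Admin"));
    }
}
```

In a Web application, an object like this would be assigned to HttpContext.Current.User so that the IsInRole checks shown earlier consult it.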