ASP.NET Security Authentication (2): flexible use of Form authentication, deny and allow, and protecting .htm files
Author: Han Yufeng (cityhunter172)
Part 2: Practical application of Form authentication
The first part briefly described how Form authentication is used. Perhaps everyone found it too simple; to the experts it must have been child's play. Today let's look at a few tricks: in ancient times there were the Six Doors; Ye Gucheng was turned away, Ximen Chuixue was turned away, and only those who wore a sash as their credential could fight at the Forbidden City.
V. Scope of Web.config
When you create a project, VS.NET creates a Web.config file in the project root directory. Besides the root, you can create a Web.config in any directory; the only condition is that application-level nodes may appear only in the root Web.config. I am not sure which nodes count as application-level. I didn't invent the computer, I didn't found Microsoft, and C# was not my idea; I'm no god, so it's normal that I don't know everything. Even so, as long as it does not report an error, it is correct.
For the scope of Web.config settings, remember the following two points:
1. The settings in a Web.config apply to all files in its directory and in all of its subdirectories (inheritance: the child takes the parent's name).
2. The settings in a subdirectory's Web.config override the settings inherited from the parent directory (override: the county magistrate is no match for the one in direct charge).
Here is a question for you: is there a configuration file that takes precedence over the root Web.config? After reading the third part, you will understand.
VI. Learning to use deny and allow
Go back to the test project "formtest" we created in the first part. To authenticate, by international convention you need a user name and password. So, are these users created by the administrator in the database, or do users register themselves and the administrator reviews them? Anyone who isn't a complete idiot knows to pick the latter. Don't get me started on some of my company's projects, where the administrator actually connects to the database to create accounts; that's especially dumb. Let's leave that aside and honestly add two pages: a registration page (register.aspx) and an audit page (auditing.aspx).
Now the problem surfaces. When you try to open register.aspx, you suddenly feel something is wrong: why were you sent back to the login page? Look closely at the URL; isn't it login.aspx?ReturnUrl=register.aspx? What now? Must a user already have an account to reach the registration page? (That's nonsense: if you had an account you wouldn't need to register.) As I often say to my colleagues, "there's always a way; people just have to come up with it!"
1. Create a directory named public to store some public files, such as a perpetual calendar and scripts......
2. In Solution Explorer, right-click the directory public and add a Web.config.
3. Delete all the content of the new Web.config and leave only the following:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization><allow users="*"/></authorization>
</system.web>
</configuration>
That wasn't hard, was it? By the "override" principle, we know that the Web.config above replaces the <authorization> node settings of the root Web.config, that is:
<allow users="*"/> replaces <deny users="?"/>
Note: "allow" means permit; "*" means all users;
"deny" means refuse; "?" means anonymous (unauthenticated) users.
Therefore the files in the public directory are accessible to all users, including unauthenticated ones. Drag register.aspx in and nobody will stop you from browsing it.
Besides the registration page, we also mentioned an audit page (auditing.aspx). Audit rights are generally in the hands of administrators or supervisors, and we don't want anyone else browsing this page (the truth is often held by a minority; that can't be helped). What to do? "There's always a way; people just have to come up with it......" Create an administrator directory named managesys and add another Web.config under it, with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
The question now is: how do we know who "admin" is? It's a bit like "my shoe sole has a hole": I don't know, and you don't know. A digression (if the comments are kind, I'll have the motivation to write a few more words, alas......): do you still remember the end of my first part? What, you forgot! Go back and read it a hundred times. Remember to come back. Come back! Thinking of your memory, I'm not at ease: the first part's address is http://blog.csdn.net/cityhunter172/archive/2005/11/06/524043.aspx, and the address to come back to is http://blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx
Okay, whether or not you remember, let's continue.
System.Web.Security.FormsAuthentication.SetAuthCookie(this.txt_username.Text, false); // issue the authentication cookie after the credentials have been verified
I stressed earlier that the first parameter is very important. How important? I'm afraid everyone on Earth knows by now: it is the basis on which allow and deny work. Suppose you enter "admin", that is, this.txt_username.Text == "admin"; then after logging in, that user can access the pages under the managesys directory, and all other idlers are refused.
To consolidate the above, here is a homework assignment for everyone: this project is used by two departments, and each department has some pages that only users of that department should browse and use. How can Web.config achieve this effect? As before, the answer appears in the third part.
VII. Decentralization and centralization
At first glance it sounds like Marxism-Leninism, *** Thought and the dialectical relationship in Deng Xiaoping Theory. Everyone can rest assured: even those who studied science only need to understand "hold high the great banner of programmers and take writing code as the center". Stop......
So far, our test project "formtest" already has two directories and three Web.config files. As the project grows there will be more and more of them, for example a common file-upload function. A large number of Web.config files scattered across different directories is annoying to maintain. Can we manage them centrally? How? "There's always a way......" Hey, somebody should have said it first. Yes, "there's always a way; people just have to come up with it." If I don't say it, are you all just going to stand by? Joking aside: to get more people to remember this sentence, I'll now show how to centralize the management.
To centralize management, you use the <location> node and its path attribute. In this project we put the settings for the public and managesys directories into the Web.config in the root directory, as shown below:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="managesys">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<!-- the content of the original root Web.config is not repeated here -->
</system.web>
</configuration>
(This article is from Han Yufeng (cityhunter172)'s blog: http://blog.csdn.net/cityhunter172; personal site: http://172.meibu.com)
Please note:
1. The <location> node is a direct child of <configuration>, parallel to the original <system.web>.
2. Inside the <location> node you only need to put the content of the <system.web> node from the corresponding subdirectory's Web.config.
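To make the rules of sections V, VI and VII concrete, here is a small model of how ASP.NET URL authorization merges and evaluates <allow>/<deny> rules. It is an added illustration written for this article, not the article's own code and not ASP.NET's implementation; the function names (load_config, is_authorized), the sample Web.config strings and the request list are all constructed for the example. It records the rules of each Web.config under the directory it governs (a <location path="x"> in the root is recorded exactly as if it were a Web.config inside x), then for a request walks from the closest directory up to the root, applying the first rule that matches the user, and falls back to the implicit "allow everyone" when nothing matches. The distributed layout (three files) and the centralized layout (one root file with <location>) produce identical decisions.

```python
"""Toy model of ASP.NET URL authorization merging and evaluation (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    users: tuple  # identities from users="", e.g. ("*",), ("?",), ("admin",)


def _children(el: ET.Element, tag: str) -> list:
    return [c for c in el if c.tag == tag]


def _rules_from(system_web: ET.Element) -> list:
    """<allow>/<deny> elements in document order; document order is evaluation order."""
    rules = []
    for auth in _children(system_web, "authorization"):
        for el in auth:
            if el.tag in ("allow", "deny"):
                users = tuple(u.strip().lower() for u in el.get("users", "").split(",") if u.strip())
                rules.append(Rule(el.tag, users))
    return rules


def load_config(directory: str, xml_text: str, rule_sets: dict) -> None:
    """Record one Web.config's rules under the directory it governs ("" is the root).
    A <location path="x"> block is recorded as if it were a Web.config inside x (section VII)."""
    root = ET.fromstring(xml_text)
    for sw in _children(root, "system.web"):
        rule_sets.setdefault(directory, []).extend(_rules_from(sw))
    for loc in _children(root, "location"):
        sub = "/".join(p for p in (directory, loc.get("path", "")) if p).strip("/")
        for sw in _children(loc, "system.web"):
            rule_sets.setdefault(sub, []).extend(_rules_from(sw))


def _matches(rule: Rule, user: Optional[str]) -> bool:
    for ident in rule.users:
        if ident == "*":                    # everyone, authenticated or not
            return True
        if ident == "?" and user is None:   # anonymous users only
            return True
        if user is not None and ident == user.lower():
            return True
    return False


def is_authorized(url: str, user: Optional[str], rule_sets: dict) -> bool:
    """First matching rule wins. The closest directory's rules are consulted first, then each
    parent up to the root (section V: inherit, then override); unmatched requests are allowed."""
    directory = url.strip("/").split("/")[:-1]   # drop the file name
    for depth in range(len(directory), -1, -1):
        for rule in rule_sets.get("/".join(directory[:depth]), []):
            if _matches(rule, user):
                return rule.action == "allow"
    return True


# Constructed sample configs mirroring the article's formtest project.
ROOT_CONFIG = """<configuration><system.web>
  <authorization><deny users="?"/></authorization>
</system.web></configuration>"""
PUBLIC_CONFIG = """<configuration><system.web>
  <authorization><allow users="*"/></authorization>
</system.web></configuration>"""
MANAGESYS_CONFIG = """<configuration><system.web>
  <authorization><allow users="admin"/><deny users="*"/></authorization>
</system.web></configuration>"""
CENTRAL_CONFIG = """<configuration>
  <location path="public"><system.web>
    <authorization><allow users="*"/></authorization></system.web></location>
  <location path="managesys"><system.web>
    <authorization><allow users="admin"/><deny users="*"/></authorization></system.web></location>
  <system.web><authorization><deny users="?"/></authorization></system.web>
</configuration>"""

REQUESTS = [("/register.aspx", None), ("/public/register.aspx", None),
            ("/managesys/auditing.aspx", None), ("/managesys/auditing.aspx", "bob"),
            ("/managesys/auditing.aspx", "admin"), ("/default.aspx", "bob")]


def build_distributed() -> dict:
    rs = {}
    load_config("", ROOT_CONFIG, rs)
    load_config("public", PUBLIC_CONFIG, rs)
    load_config("managesys", MANAGESYS_CONFIG, rs)
    return rs


def build_centralised() -> dict:
    rs = {}
    load_config("", CENTRAL_CONFIG, rs)
    return rs


def decisions(rule_sets: dict) -> dict:
    return {(url, user): is_authorized(url, user, rule_sets) for url, user in REQUESTS}


if __name__ == "__main__":
    for (url, user), ok in decisions(build_distributed()).items():
        print(f"{user or 'anonymous':>10} {url:<28} {'allowed' if ok else 'denied'}")
```

Note that order inside one <authorization> node matters: because the first match wins, writing <deny users="*"/> before <allow users="admin"/> in managesys locks the administrator out too.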
VIII. Additional protection
The second part is nearing its end. It's now 04:50 am, and it hasn't been easy for me. The purpose of authentication is to stop others from browsing pages or using certain functions without permission. Of course, there is no absolute security in the world; MD5 having been broken by Chinese researchers is the best example.
Careful readers may have discovered that ASP.NET security authentication only applies to .aspx, .ascx...... and other ASP.NET files, but "ignores" ordinary pages and files such as .htm, .js and .jpg. The reason is that IIS serves those files itself and never hands the request to the ASP.NET ISAPI extension, so the Forms authentication module never sees it. Follow these steps to protect the file types you want protected:
1. Open Internet Information Services (IIS) Manager → right-click the project's virtual directory → Properties, as shown: (http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm01.JPG)
2. Click the "Configuration" button; the following dialog appears: (http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm02.JPG)
3. Double-click the application extension for .aspx → look at the content of the dialog, as shown: (http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm03.JPG)
4. Copy the full path of the executable, click Cancel to return to the previous dialog, and click "Add".
5. Paste the copied path (my system is installed on drive D, so it is D:\windows\Microsoft.net\framework\v1.1.4322\aspnet_isapi.dll) → enter the extension .htm → limit the verbs to "GET, HEAD, POST, DEBUG" (for convenience you can choose all verbs).
6. Click "OK" → add htmlpage1.htm to the project → enter http://localhost/formtest/htmlpage1.htm in the address bar of IE → check the result: the .htm request now goes through ASP.NET and is subject to the same Form authentication as .aspx pages.
Finally, a parting piece of Web.config for you. It really is time for bed.
<location path="Decisive Battle at the Forbidden City">
<system.web>
<authorization>
<allow users="Ye Gucheng"/>
<allow users="Ximen Chuixue"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Golden Temple ridge">
<system.web>
<authorization>
<allow users="people with waist ribbons"/>
<deny users="*"/>
</authorization>
</system.web>
</location>