ASP. NET Security Mechanism 2-Security Control Flow

The previous chapter explains the concepts of identity authentication and authorization, which are the basis for building ASP. NET security. I will repeat these two concepts here.

Authentication: provides a mechanism for user authentication. We can use these mechanisms to verify users.

Authorization: a mechanism for setting resource accessibility. It can be used to restrict the access of resources by those users.

To understand how ASP. NET security mechanisms work, we also need to understand what security control flow is. Although we know what authentication is and what authorization is, we don't know how ASP. NET uses these concepts. We need to understand that for any webProgramIn fact, they are all simple requests and responses. For example. for requests on the ASPX page, we usually get the corresponding HTML Tag block in the browser (this is the "response "), although HTML is not obtained at any time, HTML is usually used. This is the result (response) of the next request without any restrictions. What if the default. aspx page is a restricted page? To be certain, it will never directly give a response as above. This is why I want to explain the security control flow.

If your asp. Net program uses authentication and authorization to restrict access to some resources. In this scenario, we need to clarify several things:

1. How to interpret a request for restricted resources.

2. If the request is a restricted resource, when can we determine when this request can directly access the resource?

3. What will be done if a resource cannot be accessed.

4. When to perform authentication.

See the following example.

 

Is a diagram of the security control flow. It clarifies how a request is processed when it enters. You can go to the identified key points such as A, B, C, D, E, F. I need to explain the process of control flow. Start from point.

A indicates that a request is imported from IIS to an ASP. NET program. The first thing ASP. net programs do is to determine whether the access request requires access to a restricted resource based on the information in the "Authorization" section you set in the configuration file. If this request attempts to access a restricted resource, ASP. NET will check whether the request hasAuthentication cookie.If not, the request will be directed to the logon page (also defined in the configuration file ).

As if you were going to watch a movie, what would happen if you wanted to enter the cinema without a ticket? You can only go to the ticket window to buy a ticket, but if you have a ticket, of course there is no problem.

Authentication COOKIE: ASP. NET uses cookies to indicate whether a user is a valid user. This is actually equivalentAuthentication cookie is likeMovie tickets are the same.

There are two things that point a does.

1. Obtain the request and determine whether the current request is requesting a restricted Resource Based on the configuration in the <authorization> Configuration section of the web. config file.

2. If an authentication cookie is attached to the current request, you can access this resource. Otherwise, it will be directed to the logon page (point B ).

Point B: When a request does not contain a valid authentication cookie, it is imported to the logon page (point B ), this logon page is preset in the <forms> section of <authentication>.

The logon page collects the creden provided by the user (generally the user name or password) and verifies the creden to determine whetherOriginal requestAppend an authentication cookie to access the resources requested by the original request (that is, the page that should have been obtained ).

Original request: Relatively speaking, you access the login page, but it is possible that the login page is not your initial request. The initial request may be the default. aspx page.

Cpoint: After collecting user creden。, you can determine whether to give the current request a valid credential Based on the creden. For example, you can compare the collected user name and password with the user table information in the database to determine whether to grant creden。 or give creden。 for no reason. It indicates that the process of giving user creden。 and verifying whether the creden。 are granted is totally different. It is like I can pay for a ticket or someone else may send me a ticket. for ASP. NET, as long as you have valid creden。, you can access the resources you want to access.

E: Read the authorization configuration in the configuration file and compare it with the authentication credential to determine whether the user can access resources. Have you obtained the credential? What else do I need to compare? The reason why we need to compare the authorization information here is that although we have obtained a valid credential, it does not mean that this credential can be used for any resources. Think about what I described earlier when talking about authorization. In complicated ASP. NET programs, resources may be divided into many parts. Some parts are not accessible by normal legal users, that is, they need higher permissions to access. The e-point determines whether the user currently obtains valid creden。 has the right to access the resources requested by the user.

 

To sum up, ASP. NET's security mechanism will go through several processes:

1. The security mechanism intercepts all incoming requests and tries to determine whether the request carries authentication cookies. At this stage, the security mechanism reads the "Authorization configuration" to determine how to judge the incoming request.

2. Cookies without authentication are redirected to the logon page to complete the authentication process. In this process, the security mechanism reads the "authentication configuration" to determine how to verify the user.

3. If the identity authentication is valid, you also need to verify the obtained credential to check whether the credential has sufficient rights to access the corresponding resources.

4. If the above steps are successful, you need to redirect to the resource of the original request. At this stage, the security mechanism also reads "Authorization configuration"

 

Note that the security control flow in Forms authentication is described above.