When creating an ASP.NET application, ASP.NET provides configuration files in which session state, authorization, and authentication are configured. There are two configuration files:
1) Machine.config -- defines the server-wide configuration and is installed in the %WinDir%\Microsoft.NET\Framework\<version>\CONFIG directory. The settings in this file apply to all virtual directories on the local machine.
2) Web.config -- configures a specific web application and lives in that ASP.NET application's own directory. Each ASP.NET application has its own web.config file, and each subdirectory of the application can also have its own web.config file; the settings in a lower-level web.config file override those in a higher-level web.config file.
ASP.NET Security Basics
To develop a secure ASP.NET application, you must consider the following basic security mechanisms:
1) Authentication -- checks the user's identity.
2) Authorization -- determines which resources may be accessed, based on the user's identity.
3) Impersonation -- the ability of a thread to execute using an identity different from that of its process.
The System.Web.Security namespace provides many application security classes, for example FormsAuthentication, FormsIdentity, and PassportIdentity. For details, refer to MSDN.
ASP.NET Application Authentication
1. Authentication -- in general, checking the identity of the visitor: "Who is the visitor?"
ASP.NET Authentication
ASP.NET uses authentication providers for authentication. These providers include:
◆ IIS authentication
◆ Windows-based authentication
◆ Forms-based authentication
◆ Passport authentication
◆ Anonymous authentication
These are described as follows:
1) IIS authentication. Any Web request must first pass through IIS before it reaches the ASP.NET application, and IIS performs its own authentication. IIS authentication is configured through the IIS manager. IIS provides several authentication methods, including:
◆ Anonymous access. Used when user authentication is not required.
◆ Basic authentication. The user must provide a user name and password, but they are transmitted in plain text, so this method usually needs to be combined with SSL/TLS.
◆ Digest authentication. Similar to basic authentication, but instead of transmitting plain text it transmits a hash value. In addition, the IIS server must be in a Windows domain, with the user accounts stored in Active Directory (AD).
◆ Integrated Windows authentication. Uses the Windows authentication protocols to authenticate against accounts in the operating system.
◆ Client certificate authentication. Uses an X.509 digital certificate to authenticate the visitor.
2) Windows-based authentication. The ASP.NET application relies on the Windows operating system to verify users. This is the default option. The process is: the client requests a page --> IIS checks the Windows account; if the check fails, the user is required to log on --> after the user logs on successfully, the requested page is returned. This authentication method does not work through a proxy server.
3) Forms-based authentication. This method uses HTTP client redirection to send unauthenticated requests to an HTML form. The process is: the client requests a page --> ASP.NET checks the client's cookie; if no authentication cookie is found, the client is redirected to the logon page --> after the user logs on successfully, the requested page is returned and an authentication cookie is issued to the requester. This method requires the developer to write the verification logic.
4) Passport authentication. A centralized authentication service provided by Microsoft.
5) Anonymous authentication.
2. Forms authentication steps:
1) Set IIS to anonymous access in the IIS manager.
2) Configure forms authentication in the web.config file.
3) Create the authorization rules. In the web.config file, configure the <authorization> section to set which pages accept or reject user access. You can also set the page used for authentication.
4) Create a logon page. On this page, ask the user to enter a user name and password, then check them against the place where the account information is stored. The account information can be stored in the configuration file, the registry, a database, or AD.
3. Windows authentication steps:
1) Set IIS to Windows authentication: select basic, digest, or integrated Windows authentication.
2) Configure web.config.
The above describes ASP.NET application authentication.
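The following web.config, written as an added example and not taken from the original article, carries out steps 2 and 3 of the forms procedure above and shows in a comment the one element that changes for the Windows steps; the subdirectory rules are written inline as a <location> section, which is equivalent to a lower-level web.config overriding the root one. The names Login.aspx, Admin and the Admins role are assumed placeholders, and Login.aspx (step 4) is assumed to validate the credentials itself and then call FormsAuthentication.RedirectFromLoginPage.

```xml
<?xml version="1.0"?>
<!-- Added example root web.config (not from the original article).
     Login.aspx, the Admin directory and the Admins role are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms step 2: unauthenticated requests are redirected to Login.aspx.
         protection="All" encrypts and signs the ticket, requireSSL keeps the
         cookie off plain HTTP, and a short absolute timeout limits how long a
         copied ticket stays usable. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All"
             requireSSL="true" timeout="30" slidingExpiration="false" />
    </authentication>
    <!-- Windows step 2 uses only this element instead (IIS performs the logon):
         <authentication mode="Windows" /> -->

    <!-- Step 3: deny anonymous users ("?") everywhere by default; the more
         specific <location> sections below open individual paths again. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- .NET 2.0 and later: cookies are HttpOnly and HTTPS-only, so page
         script cannot read the authentication ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The logon page must stay reachable anonymously, or the redirect loops. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Subdirectory rules; same effect as an Admin\web.config file.
       Rules are evaluated in order and the first match wins, so the
       general deny must come last. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```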