ASP.NET architecture and security mechanisms: HTTP request processing

Guide

While writing this series of articles I kept running into the same difficulty: when I set out to explain question A, I found that I needed to explain question B first; when I thought about how to explain question B, I found that B is hard to understand unless question C is clear. So I decided to start with question C. Unfortunately... by then I had already wandered off the topic.

This series of articles was originally planned as ten parts describing the ASP.NET architecture, security mechanisms, and the Provider model. During the writing, however, I found that because of the wide range of knowledge involved, the Provider model now takes a much smaller place in the series. I also realized that ten parts cannot fully describe the architecture and security mechanisms of ASP.NET, but I will still try to say the most with the least text.

While reading, you may feel that some content seems to have little to do with the topic being discussed. Please read it patiently; it is often the key to understanding what comes later.

Before reading this series of articles, pay attention to the following points:

· This series of articles will cover Forms authentication, Windows authentication, and Passport authentication in detail.

· Sometimes I will describe things top-down and sometimes bottom-up, depending on what the material needs.

· Although I would rather not insert too many gray explanatory notes into the paragraphs, in many places it is hard to describe things clearly without them. I will revise this series of articles after all the parts are published.

· We often mention or hear about three-tier development and constantly search the Internet for three-tier source code. In fact, once you understand the Provider model, you will find that the latest three-tier architecture has been right beside you all along. I hope you will study the Provider model carefully and think about its practical value.

· The illustrations in this article were taken under IIS 6.0 and Windows Server 2003. If they differ from your environment enough to be misleading, please give me feedback.

· This series of articles involves many knowledge points, and I publish each part as soon as it is written. It is therefore quite likely that only while writing Part 4 will I notice that much of Part 3 was not explained clearly; at that point I will stop and revise Part 3. When I write Part 5, I may find that it is more appropriate to move some content of Part 1 to Part 2. Forgive me for not giving further notice when making these changes.

This will be a long journey. If you are ready to set off, let's get on the road!

Introduction

I have read a lot of ASP.NET books and found that most authors explain ASP.NET at a relatively high level. They patiently and meticulously tell you, step by step, how to drag and drop controls, set control properties, and write code-behind code to implement a specific function.

This practice answers the question "How to do it", but does not answer the question "Why can this be done".

I highly recommend Mr. Shi Jianghua's "Temple Sacrifices' ASP.NET Development Details", but when I reached its explanation of roles and users (members), I decided to skip it and read the subsequent chapters directly. I found that he also followed the mainstream, and his explanation of this part stays at the "how to do it" level. I am sure that an expert like Mr. Shi understands the underlying operating principles; it is just that the book is already very thick.

When you develop a program based on what "how to do it" describes, you are still a programmer as far as your users are concerned; but to the Microsoft developers who implemented the MembershipProvider and RoleProvider abstract classes, you have become one of their users.

Note: I am not opposed to authors who only explain "how to do it". That approach has the advantage of fast development. I only recommend that you gain a deeper understanding of some problems.

I hope this series of articles will help you better understand ASP.NET's security mechanisms and the underlying operating principles of identity authentication and permission management.

HTTP Request Processing Process Overview

"Why do I see Zhang Ziyang's personal space when I enter www.tracefact.net in the address bar?" is a question much like "Why does an apple fall to the ground instead of rising into the sky?" For ordinary visitors, this is as natural as the sun rising in the east and setting in the west every day. Many programmers regard it as the business of system administrators or network administrators and irrelevant to themselves; after all, IIS is a component of Windows and is not a part of ASP.NET. In fact, IIS and the .NET Framework have already done a lot of behind-the-scenes work within that tenth of a second.

You may feel that understanding how this behind-the-scenes work is done is irrelevant: as a programmer, you only need to ensure that the programs you develop run efficiently. However, during development you often need to use classes such as HttpContext. Have you ever thought about how these classes are composed and how they are created? You may simply answer: HttpContext represents the context of the current request. But do you know how IIS, the .NET Framework, and ASP.NET work together to process each HTTP request, how different requests are told apart, and how data flows among the three?

To answer these questions, you must first understand how IIS processes page requests. This is also the basis for understanding the Forms and Windows authentication modes.

When an HTTP request arrives at the server

When the server receives an HTTP request, IIS first needs to determine how to process the request (note: the server does not process a .htm page and an .aspx page in the same way). So how does IIS decide? By the file extension.

After the server obtains the extension of the requested page (note: it can also be a file, such as jimmy.jpg), it looks for an application on the server that can process that extension. If IIS cannot find an application that can process such files, and the file is not protected by the server (note: a protected example is a file in App_Code; an unprotected example is one of your JS scripts), IIS returns the file directly to the client.

Applications that can process the various extensions are generally called ISAPI applications (note: Internet Server Application Programming Interface). Although ISAPI sounds grand and is called an "application", a closer look at its full name shows that it is really only an interface that acts as a proxy: it maps the requested page (file) to the actual handler that corresponds to its extension.

Let's take a closer look at the ISAPI and see what it looks like. Please follow the steps below:

1. Open IIS.

2. Pick any site, right-click it, and select "Properties".

3. Select the "Home Directory" tab.

4. Select "Configuration".

You should see the following picture:

Figure 1. Application configuration

  

Here we can clearly see every file type that IIS can process (or, put another way, every file type for which ISAPI provides its proxy service), together with the actual background handler for each.

Find the .aspx application handler and click "Edit". The following figure is displayed:

Figure 2. Editing the .aspx file handler

  

Having come this far, we can see that all .aspx files are actually processed by the aspnet_isapi.dll program. After IIS hands the request for an .aspx page to aspnet_isapi.dll, it no longer cares how the request is processed from then on.

Note the following two points:

1. By changing "Limit to", you can restrict pages (files) to being accessed only in specific ways.

2. "Check whether a file exists" is a key option for URL address mapping. I will cover it in detail later.

Understanding the host environment (hosting)

In essence, ASP.NET is mainly composed of a series of classes whose main purpose is to convert HTTP requests into responses to clients. The HttpRuntime class is a main entry point of ASP.NET. It has a method called ProcessRequest, which takes an HttpWorkerRequest as its parameter. The HttpRuntime class contains almost all information about a single HTTP request: the requested file, server variables, the query string, and HTTP header information. ASP.NET uses this information to load and run the correct file and convert the request into an output stream. Generally, that is an HTML page.

Note: In general, it can also be an image.

So that applications running in the same process can be unloaded when the content of the web.config file changes or an .aspx file changes (note: unloading is done in order to reload), HTTP requests are divided into isolated application domains.

Note: You may have heard of application domains before without knowing what they are. The application domain is the AppDomain.

IIS depends on a built-in driver called HTTP.sys to listen for HTTP requests from outside. When the operating system starts, IIS first registers its own virtual paths in HTTP.sys.

Note: This is equivalent to telling HTTP.sys which URLs are accessible and which are not. For example, why do you get a 404 error when accessing a non-existent file? It is determined in this step.

If the request is for an accessible URL, HTTP.sys sends the request to the IIS worker process.

Note: In IIS 6.0 it is called w3wp.exe, and in IIS 5.0 it is called aspnet_wp.exe.

Each worker process has an identity and a series of optional performance parameters.

Note: Optional performance parameters include, for example, the recycling settings and timeout settings.

The next step is the ISAPI described in the previous chapter.

Note: This part of the content is highly correlated. In order to make everyone better understand it, I decided to put the ISAPI in the front. Maybe I will adjust it when the full series is completed.

In addition to mapping files to their corresponding handlers, ISAPI also needs to do some other work:

1. Obtain the current HTTP request information from HTTP.sys and save the information in an HttpWorkerRequest object.

2. Load HttpRuntime in an isolated application domain (AppDomain).

3. Call the ProcessRequest method of HttpRuntime.

What happens next is the part that programmers normally write. Then IIS receives the returned data stream and passes it back to HTTP.sys, and finally HTTP.sys returns the data to the client browser.

OK. Now you can see Zhang Ziyang's space homepage.
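The three ISAPI steps above can be reproduced without IIS by using the hosting classes in System.Web.Hosting. The following is an added example, not code from the original article; the class name MiniHost, the Render method, and the page name default.aspx are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

// Hypothetical host object. It is created inside the isolated ASP.NET
// AppDomain; deriving from MarshalByRefObject lets the caller in the
// default AppDomain invoke it through a remoting proxy.
// The compiled assembly must also be copied to <physicalDir>\bin so that
// the new AppDomain can load this type.
public class MiniHost : MarshalByRefObject
{
    public string Render(string page, string query)
    {
        using (var output = new StringWriter())
        {
            // Step 1: package the request as an HttpWorkerRequest.
            // SimpleWorkerRequest is the minimal built-in implementation.
            HttpWorkerRequest wr = new SimpleWorkerRequest(page, query, output);

            // Step 3: hand the request to the runtime's entry point.
            HttpRuntime.ProcessRequest(wr);
            return output.ToString();
        }
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Physical folder of the site, e.g. a directory holding default.aspx.
        string physicalDir = args[0];

        // Step 2: create an isolated AppDomain for the application at "/"
        // and load the runtime (plus our host object) into it.
        var host = (MiniHost)ApplicationHost.CreateApplicationHost(
            typeof(MiniHost), "/", physicalDir);

        // The rendered HTML comes back across the AppDomain boundary.
        Console.WriteLine(host.Render("default.aspx", ""));
    }
}
```

Because the page runs in its own AppDomain, the whole application can be unloaded and reloaded when web.config or an .aspx file changes, without touching the process that created the host.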

Figure 3. ASP. NET host environment

  

Understanding the pipeline

In the previous two chapters, we discussed at a relatively low level what IIS and the Framework do in the second between an HTTP request being sent and the output appearing in the browser. However, we ignored the details of how the code written by the programmer is hooked into this process. Let's look at that in this chapter.

When an HTTP request enters the ASP.NET runtime, it is processed by a pipeline that consists of managed modules and a handler (note: "handler" here, not a processor in the CPU sense).

Figure 4. Understand the HTTP Pipeline

  

Let's take a look at how the data in this figure flows by number.

1. HttpRuntime passes the HTTP request to HttpApplication. HttpApplication represents the web application created by the programmer. HttpApplication creates an HttpContext object for this HTTP request. This object contains many other objects related to the request, including HttpRequest, HttpResponse, and HttpSessionState. These objects can be accessed in the program through the Page class or the Context class.

2. Next, the HTTP request passes through a series of modules, which can do some work before the specific task is carried out.

3. In this step, the actual work is performed, usually the business logic implemented in the .aspx page.

4. The HTTP request returns to the modules again. At this point, the modules can do some work after the task has been completed.

Note: Pay attention to the words "before" and "after" in steps 2 and 4 (marked in red in the original). Now think about whether ASP.NET has many paired events such as Inserting and Inserted. This is the underlying principle that lets ASP.NET divide an insert operation into two parts and intercept each event separately.
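Steps 2 and 4 are what an IHttpModule implements. The following audit module is an added example, not code from the original article; the class name RequestAuditModule, the Items key, and the log format are assumptions. It records data before the handler runs and writes one audit line after it has finished.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical audit module. Assuming the class sits in App_Code, it is
// registered for the IIS 6 pipeline in web.config:
//   <system.web><httpModules>
//     <add name="RequestAudit" type="RequestAuditModule" />
//   </httpModules></system.web>
public class RequestAuditModule : IHttpModule
{
    private const string TimerKey = "RequestAudit.Timer";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest; // step 2: before the handler
        app.EndRequest += OnEndRequest;     // step 4: after the handler
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // HttpContext.Items lives exactly as long as this one request,
        // so it is the place to carry state from "before" to "after".
        ctx.Items[TimerKey] = Stopwatch.StartNew();
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var timer = ctx.Items[TimerKey] as Stopwatch;
        long ms = timer != null ? timer.ElapsedMilliseconds : -1;

        // User is only populated once authentication has run.
        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name
            : "(anonymous)";

        Trace.WriteLine(string.Format("{0} {1} user={2} status={3} ms={4}",
            ctx.Request.HttpMethod, Clean(ctx.Request.RawUrl), Clean(user),
            ctx.Response.StatusCode, ms));
    }

    // Remove CR/LF so request-supplied text cannot forge extra log lines.
    private static string Clean(string s)
    {
        return (s ?? "").Replace("\r", "").Replace("\n", "");
    }

    public void Dispose() { }
}
```

On IIS 6 the module only sees requests whose extension is mapped to aspnet_isapi.dll; files that IIS serves directly never enter this pipeline and therefore never reach the audit log.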

 

Summary

This is the first article in the series on ASP.NET architecture and security mechanisms.

First, I outlined the topics that will be discussed in this series of articles. Then I pointed out a problem among some programmers: learning and using ASP.NET only at a relatively high level.

After that, using a visit to my personal space home page as the example, I introduced the three things described in this article:

1. What IIS does when an HTTP request arrives at IIS.

2. The host environment of the HTTP request.

3. The HTTP pipeline.

I hope this article will help you.
