ASP. NET authentication and authorization

Web applications are vulnerable to several types of attacks, and their destructive effects may vary depending on the program itself. Therefore, security is closely related to program usage and the way users interact with their functions. So how should we design and encode ASP. NET applications?

From the perspective of applications, security usually refers to user identification and access to system resources. ASP. NET provides many authentication and authorization mechanisms, which are related to IIS and ,. . NET Framework and the underlying security services of the operating system are connected.

When a client sends a Web request, the following authentication and authorization events occur:
1. IIS Authentication
2. ASP. NET Authentication
3. ASP. NET authorization

ASP. NET Authentication

If the page can be viewed and the request comes from an unrestricted IP address, IIS uses a predefined authentication mechanism to authenticate the call request. First, IIS ensures that the request comes from a trusted IP address. If not, the request is rejected due to HTTP Error 403.6. The second measure is to check whether the requested resource can be read or browsed. If not, the request is rejected due to HTTP Error 403.2. Then IIS tries to use the Intergrated, Digest, or Basic method to identify this call. If the Intergrated method of Windows is used, Kerberos or NTLM will be used. If the request passes this step, it is ASP. NET's turn.

ASP. NET supports three types of authentication methods: Windows, Forms, and Passport. if ASP. NET is configured as Windows authentication, it does not need other steps, but directly recognizes any security flag sent from IIS. If ASP. NET is configured as Forms authentication, an HTML form is used to prompt users to enter trusted materials. Search for the user ID and password in the list of valid users stored. Applications can choose the most suitable storage mechanism, including SQL Server database or Active Directory Service. Finally, if ASP. NET is configured as Passport authentication, the user will be transferred to a Passport Web site for authentication by the Passprot service.

The fourth type of authentication is None, which means that ASP. NET does not perform its own authentication, but relies entirely on the authentication that has been executed by IIS. In this case, anonymous users can connect to and access resources using ASP. NET accounts. Setting the ASP. NET Authentication Mode to None does not prevent the program from implementing its own authentication layer.

In the Web. config file, select the ASP. NET authentication mechanism by using the section. The Default Authentication mode is Windows.

ASP. NET authorization

Of course, authentication only means that the user is recognized as the user. The next step is to confirm that the user has sufficient permissions to access the requested resources.

After the authentication, ASP. NET checks whether the call is authorized to access the requested resource to perform the operation. A pair of HTTP modules provide this service: UrlAuthorizationModule and FileAuthorizationModule. The former ensures that the authorization rules in the central section of the Web. config file are fully implemented. When using Windows authentication, the latter checks whether the call has sufficient access permissions to access requested resources. In this case, compare the access control list (ACL) Call tags to perform the verification. It can also be used during processing. NET roles to change the caller's permissions to use a resource.

Authorization rules are composed of two parts of independent information, which define what is prohibited. Within the section, the tag defines the allowed users, tasks, and operations. On the contrary, tags contain forbidden users, tasks, and actions.

You may notice that the authentication mode can only be set in the machine. config file or in the Web. config file of the program layer. The subdirectory inherits the Authentication Mode of the program. However, authorization settings can be set in the Web. config file of each subdirectory. In other words, authorization is more detailed than authentication.

Role-based security

If you need to identify users, you also need to create personalized pages for them. There are two major options: one is to implement a personal data system to store configuration information for each user, and the other is to define roles to map users to these roles.

In the first case, to maintain personal data records, you may need to store settings related to the user interface and enable or disable functions. When designing the page, visit these personal data records to generate the corresponding page for the current user.

If you do not need to maintain the information of each user, but want to classify users and maintain information based on each type, the role-based method is better. A role is a name-a brief descriptive string-It defines a set of features, user interface elements, and permissions for each user that belongs to this role.

Defining a role requires two steps. First, define all possible roles and assign one or more roles to each user. This is usually done at the database layer. Typically, you add a column to the database that stores the username and password to store the role of each user.

When a user is authenticated, his/her identity is not associated with any role information. However, there is a function used to check whether an identity belongs to a specific defined role. You can use the IsInRole function of the Page. User object to test a User Role: if (User. IsInRole ("Boss "))

Response. Write ("The user is the boss ");

The second step of defining a role is to associate each authenticated user with the role. To do this, you must create a new subject object. Its type can be normal or the same as the authorization type. It is usually completed when the AuthenticateRequest event is processed in the Global. asax file: // The role is a string read from the database by the current user.

Context. User = new GenericPrincipal (User. Identity, role );

In this case, the Identification Module can check the user's role through the section of the Local Web. config file. For example, a page in the folder shown below in the Web. config file can only be accessed by users who belong to the Boss role: the authentication module uses the IsInRole function to grant permissions through the role.

Protect your applications

To protect a Web application, you must protect the Web server against various attacks, but it also needs to implement effective measures to prevent illegal access to the page. ASP. NET provides some built-in code to authenticate users and operations and authorize ASP. NET. The above describes ASP. NET authentication and authorization mechanisms.

1. Introduction to ASP. NET Applications
2. ASP. NET pre-compiled applications
3. Overview ASP. NET 2.0 FormView controls
4. Optimize ASP. NET 2.0 Profile Provider
5. Analysis on ASP. NET Process Model configuration