The ASP. NET security architecture provides an object model for implementing the security mode of Web applications. No matter which authentication mode we choose, many of the elements are the same. Users logging on to the application are granted Principal and Identity according to the creden。 they provide. The Principal object indicates the current security context of the user, including the user's identity and roles. The Identity object indicates the current user. The Principal object is created using the Identity object (indicating the user's Identity), and it adds some additional information, such as role or custom data.
In short: Principal = Identity + role + Custom Data
One thing you should note: Identity Authentication occurs in a specific period of ASP. NET running. Remember this and I will talk about it later. Let's talk about it as follows:
1. Security Context
The Identity object indicates the authenticated user. The type of the Identity object depends on the authentication in use. For example, Windows Authentication uses the WindowsIdentity object, while Froms authentication uses the FormsIdentity object.
It is a little uncomfortable to get started with the concept of Identity. In fact, Identity is a user's Identity. What is the Identity? It indicates what the user is and what the user name is. It's just a little more professional here.
In addition, the Principal object indicates the members of the group or role of the user who passes Identity Authentication: that is, the security context of the current user. In security context, the white point is the information that this object contains many user identities. The Principal object is automatically created for Windows Authentication in IIS, but we can also create a common Principal object (which you will understand later ).
During programming, you have used the HttpContent. Currrent. User attribute more or less. In fact, it represents a Principal object. The Principal object implements the IPrincipal interface.
IPrincipal Interface
Different authentication modes have different security context requirements. We can use the Principal object to represent the current security context. The IPrincipal interface defines the basic functions of the Principal object. You can also customize the Security context object as long as the System. Security. Principal interface is implemented:
Identity attribute -- you can obtain the Identity of the current Principal object. As mentioned earlier, Principal contains Identity.
IsInRole (string roleName) method-you can determine whether the current Principal object belongs to a specified role. You have also used a similar HttpContent. Current. User. Identity. IsInRole ("Admin") statement.
The Principal object can be accessed through the HttpContent. Current. User attribute. The following code should be used:
If (HttpContext. Current. User. Identity. IsAuthenticated)
{
LblUserName. Text = HttpContext. Current. User. Identity. Name + "logged on ";
}
(Note: Identity is the user ID, including the user name. As we will talk about later)
The following code is more common: determine whether the current user is an administrator role.
If (HttpContext. Current. User. IsInRole ("Admin ")
{
//
}
Next, let's take a look at the object that implements the IPrincipal interface built in ASP. NET:
GenericPrincipal class
The GenericPrincipal class implements the IPrincipal interface. From the name, we can see that the GenericPrincipal object represents a general and basic security context. It only defines the role of the current user. That is to say, this object only partially implements the IPrincipal interface. (In the future, we will call the object implementing the IPrincipal interface as the subject ). For a Windows Authentication mode, WindowsPrincipal is used, because WindowsPrincipal implements IPrincipal more specifically. In Forms authentication, only GenericPrincipal is used. That is to say, we can implement custom Principal objects according to our requirements. As mentioned below.
Every implementation of the IPrincipal interface must rewrite the Identity attribute and IsInRole method. The IsInRole method of the GenericPrincipal class compares the role value with the role defined in the string, the IsInRole method of the WindowsPrincipal class compares the role with the role assigned to the Windows user account.
We can create an instance of the GenericPrincipal class to be used throughout the lifecycle of the Current request, and assign it to the HttpContent. Current. User attribute.
The GenericPrincipal constructor has two parameters: the user's GenericIdentity (the user identity GenericIdentity implements the IIdentity Interface) and a string array that represents the user role. So we previously said: Principal = Identity + role is the reason.
Once a GenericPrincipal object is created, it can be assigned to the HttpContent. Current. User attribute to indicate the security context of the currently requested User.
The following is an example of the created code:
Code
// Create a general GenericPrincipal
// We have said: the identifier is the object containing the user name. The following contains an identifier named "xiaoyang ".
GenericIdentity identity = new GenericIdentity ("xiaoyang ");
// Create GenericPrincipal
// Note roles indicates a character string array of a role, such as role = new string {"Admin", "Customer "};
GenericPrincipal principal = new GenericPrincipal (identity, roles );
// Add
HttpContext. Current. User = principal;
Note: The above code should be written in a specific place, that is, the specific time of the lifecycle, which will be described later.
After talking about Principal, let's talk about what the user identity is.
2. User ID
The Identity object is used to identify the current user. The identifier can only provide a small amount of security context information, such as the user name. The Identity object can be used to authenticate users.
IIdentity Interface
Like the IPrincipal interface, this interface must be implemented for all objects identified by the user. The IIdentity interface defines the structure of the basic amount of the Identity object, which is defined as follows:
AuthenticationType (string type) attribute -- it can obtain the type of identity authentication used. For example, if Forms authentication is used, the property returns a "Forms" string, therefore, the custom identifier can return the "mimidentity" string.
IsAuthenticated (bool type) attribute -- identifies whether a user passes authentication. We can often use HttpContext. Current. User. Identity. IsAuthenticated to determine whether the User has logged on.
Name (string type) attribute -- obtains the user Name. I believe it is no stranger to HttpContext. Current. User. Identity. Name.
Next, let's take a look at our own identity class that implements the IIdentity interface.
Code
Using System;
Using System. Security. Principal;
Public class CustomIdentity: IIdentity
{
Private string name;
// The constructor only receives one string parameter. You can refer to the previous Code: GenericIdentity identity = new GenericIdentity ("xiaoyang ");
Public CustomIdentity (string name)
{
This. name = name;
}
//
Private string authenticateType = "CustomerIdentity ";
Public CustomIdentity (string name, string authenticateType)
{
This. name = name;
This. authenticateType = authenticateType;
}
// The following interface is implemented:
Private bool isAuthenticated = false;
Public bool IsAuthenticated
{
Get {return isAuthenticated ;}
}
Private string name;
Public string Name
{
Get {return name ;}
}
}
The above code is just a demonstration, and you can expand according to your own requirements.
As before, let's take a look at the built-in Identity class in ASP. NET:
FormsIdentity -- Used in Forms authentication
PasswordIdentity -- Used in Passport verification
GenericIdentity -- a common identifier
WindowsIdentity -- used for Windows Authentication
Let's take a look at the use of GenericIdentity, and other usage.
In fact, GenericIdentity identifies a basic Identity object. It is basic for Identity objects. We have seen an example of GenericPrincipal before. In this example, we create an instance of the GenericIdentity class,
GenericIdentity identity = new GenericIdentity ("xiaoyang ");
We can also provide more specific Identity objects, such as FormsIdentity mentioned earlier, to provide specific user information.