ASP.NET Membership and Role Series (1): Getting Started with Authentication and Authorization

Source: Internet
Author: User
Tags: http, cookie

In today's information world, portal sites, e-commerce sites and community forums share a common need: they must verify the identity of the current user and then decide, based on the result of that authentication, what the user is permitted to do.

Take Blog Park as an example. It lets unregistered, anonymous users read posts but does not let them post. To post, an anonymous user must first register as a formal user. Supporting that registration generally requires the following steps.

(1) Create a Users data table to store the registered users' information.

(2) Create a registration page (register.aspx) on which anonymous users register.

(3) Create a logon page (login.aspx) on which registered users log on to the system.

(4) Establish a mechanism that records the user's logon state, so that the user does not have to log on again for every post or reply.

Verifying the user is not enough, however. The system also needs to know the user's permissions, that is, what a registered user may and may not do. Again using Blog Park as the example: a registered user can also be a moderator; moderators can edit other people's posts, and system administrators can appoint moderators for the individual sections. Implementing this requires permission management, which generally involves the following steps:

(1) Create a Roles table to store the user roles (such as administrator and moderator).

(2) Create a Users-Roles mapping table to record which users hold which roles.

(3) Create an administration page on which the administrator assigns roles to users.

(4) (Optional) Create an email-sending page so that users can recover a lost password.

Authentication and authorization are evidently closely intertwined. We start with authentication.

I. Authentication: put simply, this is the kind of identity verification the system requires. ASP.NET provides three authentication modes: Windows authentication (relies on the authentication performed by IIS), Forms authentication (uses application-specific logic, typically a login form, to authenticate the user) and Passport authentication (Microsoft's centralized identity service).

The authentication mode is specified in Web.config with the following syntax (element and attribute names are case-sensitive; None disables authentication):

<authentication mode="Windows|Forms|Passport|None">
</authentication>

Because Forms authentication is used in most cases, it is analyzed in detail here.

Forms authentication records the logon information in a cookie (the authentication ticket). With this mode, an unauthenticated user who requests a protected page is redirected to the logon page.

Common attributes of the forms element include:

(1) loginUrl: the URL of the login page to which a request is redirected when no valid authentication cookie is found.

(2) name: the name of the HTTP cookie that carries the authentication ticket. If several applications run on one server and each needs its own cookie, set a distinct name in each application's Web.config. The default is ".ASPXAUTH".

(3) path: the path the application sets on the cookie. The default is a slash (/). Note that browsers may treat the cookie path as case-sensitive, so the default is usually the safest choice.

(4) protection: how the ticket is protected inside the cookie: All (encrypted and signed, the default), Encryption, Validation or None. Use All unless there is a specific reason not to.

(5) timeout: the number of minutes after which the ticket expires (default 30).

Two further attributes a practitioner should know: requireSSL="true" marks the cookie Secure so the browser sends it only over HTTPS, and slidingExpiration controls whether the timeout is reset on every request.

A simple example illustrates how these attributes are used.

<authentication mode="Forms">
  <forms name=".mycookie" loginUrl="login.aspx" protection="All" timeout="30" path="/">
    <credentials passwordFormat="Clear">
      <user name="admin" password="admin"/>
      <user name="A" password="A"/>
    </credentials>
  </forms>
</authentication>

<authorization>
  <deny users="?"/> <!-- authorization management, discussed below -->
</authorization>

With this, a simple authentication setup is basically complete. One caveat: passwordFormat="Clear" keeps the user names and passwords in Web.config in clear text, which is acceptable only for a demo. The credentials element also accepts MD5 and SHA1 hashes, and a real application should keep its users in a database (the Users table from the registration steps above) rather than in the configuration file. The following section combines authentication with authorization management.

II. Authorization management: authorization decides whether a specific identity is granted access to a specific resource, that is, whether the user is allowed to access a page or a class of pages. ASP.NET provides two authorization mechanisms, file authorization and URL authorization.

1. File authorization: performed by FileAuthorizationModule. It checks the access control list (ACL) of the .aspx or .asmx handler file to determine whether the user may access the file. The ACL is checked against the user's Windows identity (when Windows authentication is used) or otherwise against the identity of the ASP.NET worker process. This method is rarely used in typical designs.

2. URL authorization: the most common authorization method, performed by UrlAuthorizationModule, which maps users and roles to URLs within the ASP.NET application. With this module, access to any part of the application can be allowed or denied for specific users or roles (in practice the directory is usually the unit of authorization).

Next we will focus on analyzing URL Authorization methods.

(1) With URL authorization you explicitly allow or deny a user name or role access to a specific directory by creating an authorization section in that directory's configuration file (or in a <location path="..."> element of the parent Web.config). To enable it, list users or roles in allow or deny elements inside the authorization section. Permissions on a directory also apply to its subdirectories unless a subdirectory's configuration file overrides them.

(2) The authorization section has the following syntax:

<authorization>
  <[allow|deny] users="..." roles="..." verbs="..."/>
</authorization>

An allow or deny element is required; allow grants access and deny revokes it. Rules are evaluated from top to bottom and the first one that matches the request decides, so the order of the elements matters.

(3) The allow and deny elements support the attributes users, roles and verbs:

users: the identities (user accounts) the element applies to, as a comma-separated list of names. A question mark (?) stands for the anonymous user and an asterisk (*) for all users, anonymous or authenticated. Note that * is not limited to authenticated users; to keep anonymous users out you need an explicit <deny users="?"/>.

roles: a comma-separated list of roles whose members are allowed or denied access, that is, whether a category of users may access a page or a class of pages.

verbs: the HTTP verbs (such as GET, HEAD and POST) the rule applies to. The default is *, meaning all verbs.

(4) For example, the following grants access to user A and to members of the Admins role, and denies access to user B and to all anonymous users. Because rules are evaluated in order and the first match wins, if B is a member of Admins the allow roles="Admins" rule matches first and B is allowed. Note also that any other authenticated user, say C, matches none of these rules and falls through to the rule inherited from the machine-level configuration, <allow users="*"/>, so C is allowed as well; to restrict the directory to the listed users and roles, finish the section with <deny users="*"/>.

<authorization>
  <allow users="A"/>
  <allow roles="Admins"/>
  <deny users="B"/>
  <deny users="?"/>
</authorization>
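The following Python script is an added example, not code from the original post or from ASP.NET itself, and serves both the forms configuration sample and the URL authorization sample above. It combines the two web.config fragments into one constructed file, lints the forms element for the settings a reviewer would flag (protection, requireSSL, passwordFormat), and evaluates the authorization rules the way UrlAuthorizationModule does: top to bottom, first match wins, with the parent configuration's default allow-all rule applied after the local rules. The config text, the principal names A, B and C, and the finding messages are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config (not from any real deployment): the post's two
# samples combined, with the typos fixed (loginUrl, users) and the
# lower-case element and camelCase attribute names ASP.NET expects.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".mycookie" loginUrl="login.aspx" protection="All"
             timeout="30" path="/">
        <credentials passwordFormat="Clear">
          <user name="admin" password="admin"/>
          <user name="A" password="A"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="A"/>
      <allow roles="Admins"/>
      <deny users="B"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>"""


def lint_forms(config_xml):
    """Return the findings a reviewer would raise about the <forms> element."""
    root = ET.fromstring(config_xml)
    forms = next(root.iter("forms"), None)
    if forms is None:
        return []
    findings = []
    if forms.get("protection", "All").lower() != "all":
        findings.append("protection is not All: the ticket is not both encrypted and signed")
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append("requireSSL is not true: the ticket cookie may be sent over plain HTTP")
    creds = forms.find("credentials")
    if creds is not None and creds.get("passwordFormat", "Clear").lower() == "clear":
        findings.append("passwordFormat is Clear: passwords are stored in clear text in web.config")
    return findings


def _names(value):
    """Split a comma-separated attribute value into its non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_rules(config_xml):
    """Read the <allow>/<deny> rules in document order, then append the rule
    inherited from the parent configuration: the machine-level default is
    <allow users="*"/>, which is why a section with no final <deny> still
    admits every user it does not name."""
    root = ET.fromstring(config_xml)
    section = next(root.iter("authorization"), None)
    rules = []
    for el in (list(section) if section is not None else []):
        if el.tag in ("allow", "deny"):
            rules.append({"action": el.tag,
                          "users": _names(el.get("users", "")),
                          "roles": _names(el.get("roles", "")),
                          "verbs": _names(el.get("verbs", "*"))})
    rules.append({"action": "allow", "users": ["*"], "roles": [], "verbs": ["*"]})
    return rules


def is_allowed(rules, user, roles=(), verb="GET"):
    """UrlAuthorizationModule semantics: walk the rules top to bottom; the
    first rule whose verbs cover the request and that names the user, the
    anonymous user (?), every user (*) or one of the user's roles decides.
    user=None is the anonymous user. Name comparison is case-insensitive."""
    user_roles = {r.lower() for r in roles}
    for rule in rules:
        if not any(v == "*" or v.upper() == verb.upper() for v in rule["verbs"]):
            continue
        user_hit = any(
            u == "*"                                            # all users, anonymous included
            or (u == "?" and user is None)                      # anonymous only
            or (user is not None and u.lower() == user.lower())
            for u in rule["users"])
        role_hit = any(r.lower() in user_roles for r in rule["roles"])
        if user_hit or role_hit:
            return rule["action"] == "allow"
    return True  # not reached: the appended <allow users="*"/> matches everyone


if __name__ == "__main__":
    for finding in lint_forms(WEB_CONFIG):
        print("finding:", finding)
    rules = parse_rules(WEB_CONFIG)
    for who, held in [("A", []), ("B", []), ("B", ["Admins"]), (None, []), ("C", [])]:
        verdict = "allow" if is_allowed(rules, who, held) else "deny"
        print(f"{who or 'anonymous':>9} roles={held} -> {verdict}")
```

Running it prints two findings (requireSSL is not set and the credentials are in clear text) and the verdicts A allow, B deny, B as a member of Admins allow, anonymous deny, C allow. The last verdict is the one easiest to miss when reading a section like the one above: a local section that only denies particular users and the anonymous user still admits every other authenticated user through the inherited allow-all rule.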

 

That is all for this part; further chapters of the series will follow.

I hope it helps beginners.

 
