ASP.NET Security Authentication (Part II): Flexible use of deny and allow in forms authentication, and protecting .htm files


Last time I only touched briefly on how to use forms authentication. Perhaps the masters of the inner school found it too thin, child's play even. Today the pattern changes: the Six Gates have been turned away, Ye Gucheng; the East Gate is windless, Ximen Chuixue; a ribbon serves as the token; decisive battle at the Forbidden City.

V. Scope of Web.config

When you create a new project, VS.NET generates a fixed Web.config in the project root. Besides the root, you can create a Web.config in any subdirectory, with one restriction: application-level nodes may only appear in the root Web.config. As for exactly which nodes are application-level, frankly I am not too clear on that, hehe. I did not invent the computer, I did not create Microsoft and I did not have the final say on C#; even immortals do not know everything, so it is normal that I don't. For the record, <authentication>, <sessionState>, <httpModules> and <machineKey> are among the sections that must sit at application level; put <authentication> into a subdirectory Web.config and ASP.NET refuses to start with a configuration error saying the section is registered as allowDefinition='MachineToApplication' and cannot be used beyond application level. Still, as long as it does not complain, you are right.

Remember the following two points about the scope of Web.config settings:

1. Web.config settings apply to all files in the directory and to everything under its subdirectories (inheritance: the child takes the parent's surname).

2. Settings in a subdirectory's Web.config override the settings inherited from the parent directory (override: the official on the spot outranks the county magistrate).

Here is a question for you: is there a configuration file that outranks the root Web.config? Part III will tell.

VI. Learning to deny, and making skillful use of allow

Back to the new test project "Formtest" from part one. Since we are going to validate, by international custom there must be a username and password. So where do these users come from: does the administrator create them directly in the database, or do users register themselves and the administrator approves them? Anyone who is not a plain fool picks the latter. And yet my company really does have the odd project where the administrator connects to the database to create accounts; that is a special kind of fool, so let's not study him and honestly add two pages instead: a registration page (register.aspx) and an approval page (auditing.aspx).

The problem finally surfaces: when you finish register.aspx and try to open it, something feels wrong. How come it goes back to the login page? Look closely at the address bar: has it not become Login.aspx?ReturnUrl=register.aspx? What now? Users come to the registration page precisely because they have no account! (Anyone who already has an account would not be registering.) As I often say to my colleagues: "There is always a way!"

1. Create a new directory Public to hold common files such as calendars, scripts and so on.

2. In Solution Explorer, right-click the directory Public and add a Web.config.

3. Delete everything in that Web.config and leave only the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
</configuration>

Finally to the point, and it was not easy. By the "override" principle, the <authorization> rules in this Web.config take precedence over those in the root Web.config, that is:

<allow users="*"/> wins over <deny users="?"/>

Annotation: allow means permit, and * means all users; deny means refuse, and ? means the anonymous (unauthenticated) user.

Strictly speaking ASP.NET does not throw the parent's rules away. It merges them, placing the subdirectory's rules in front of the parent's, and the first rule that matches the current user decides. For Public the chain becomes <allow users="*"/> followed by the root's <deny users="?"/>; <allow users="*"/> matches everyone first, so the root deny never fires.

Therefore files in the Public directory may be browsed by everyone, including unauthenticated users. Drag register.aspx in and nobody will stop you from browsing it. Just do not put anything else in Public that an anonymous user should not see: every file in it, and in its subdirectories, is open.

Besides the registration page we also mentioned an approval page (auditing.aspx). Approval rights are usually in the hands of the administrator or a supervisor, and nobody else should browse this page (truth is often in the hands of a few, which cannot be helped). What to do? "There is always a way", hehe. Create a new administrator directory Managesys and add another Web.config in it with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

Note the order: ASP.NET evaluates the rules top to bottom and stops at the first match, so <allow users="Admin"/> must come before <deny users="*"/>. Reverse them and <deny users="*"/> matches Admin as well, locking everyone out, the administrator included.

Now the question is how to know who is "Admin". It is a bit like "there is a hole in my sole": heaven knows, you don't, but I do. Less gossip (if there were a fee I would write a few more words, alas). Do you remember what I said at the end of part one? What, forgotten? As punishment, go back and read it a hundred times, then come back. Stop, come back! Thinking about your memory I do not trust you: part one is at http://blog.csdn.net/cityhunter172/archive/2005/11/06/524043.aspx and the return address is http://blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx

Well, whatever kind of bad guys you are, keep reading.

System.Web.Security.FormsAuthentication.SetAuthCookie(this.Txt_username.Text, false); // credentials verified, issue the cookie

I stressed before that the first parameter matters. How much? I am afraid everyone on earth knows: it is the basis for allow and deny, because it is the name written into the authentication ticket and later surfaced as User.Identity.Name, which is what the authorization rules compare against. If the user types "Admin" here, so that Txt_username.Text == "Admin", then once in the system he can open the pages under Managesys, while everyone without that right is shut out. That is exactly why SetAuthCookie must only be called after the username and password have been checked against the user store: the cookie merely records the name you pass in, and if that name is accepted unchecked, anyone who types Admin is Admin.

To consolidate the above, here is some homework: this project has two departments, each with pages that only that department's users may browse. How would you achieve that with Web.config? Again, the answer is in part three.

VII. Decentralization and centralization

At first glance this looks like the dialectical relationship between Marxism-Leninism, Mao Zedong Thought and Deng Xiaoping Theory. Rest assured, I studied science; the only slogan I understand is "hold high the great banner of the programmer and take writing code as the central task". Stop...

So far our test project "Formtest" has two directories and three Web.config files. As user needs diversify there will be more and more Web.configs, for the common file upload function and so on. Many Web.configs scattered across directories are certainly annoying to maintain. Can we manage them centrally, and how? "The solution is..." Oh, someone said it first. Yes, "there is always a way"; need I say more? Joking aside, here is the centralized approach, so that more people remember that phrase.

For centralized management you use the <location> node and its path attribute. In this project we move the settings for the Public and Managesys directories into the root Web.config, as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Managesys">
    <system.web>
      <authorization>
        <allow users="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <!-- the original contents of the root Web.config go here; not listed -->
  </system.web>
</configuration>

A couple of reminders:

1. The <location> node is a direct child of <configuration>, parallel to the original <system.web>.

2. A <location> node only needs to contain the <system.web> content of the corresponding subdirectory's Web.config.

3. The path attribute is relative to the directory holding this Web.config, and it may name a single file as well as a directory (path="Managesys/auditing.aspx"), which is handy when one page needs different rules from its neighbours.

VIII. Additional protection

Part two is nearly over; it is now 4:50 a.m. and I am not finding this easy. The purpose of authentication is to stop others from browsing pages or using functions they have no right to. Of course there is no absolute security in this world; MD5 (a hash, not encryption) having had collisions found by our compatriots is the best example.

Careful readers may have noticed that ASP.NET's security checks only apply to ASP.NET file types such as .aspx and .ascx; ordinary pages and files such as .htm, .js and .jpg are invisible to it. The reason is that IIS only hands requests to aspnet_isapi.dll for the extensions mapped to it; everything else is served straight from disk without ASP.NET, and therefore without the Web.config authorization rules, ever running. You can protect a file type by mapping it to ASP.NET as follows.

1. Open Internet Information Services (IIS) Manager, right-click the project's virtual directory and choose Properties, as shown below.

2. Click the Configuration button; the following dialog appears:

3. Double-click the application extension .aspx and note the dialog contents, as shown in the following figure:

4. Copy the full path in Executable, click Cancel to return to the previous dialog, then click Add.

5. Paste the copied path (my system is installed on drive D, so it is D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll), fill in the extension .htm, and limit the verbs to GET,HEAD,POST,DEBUG (for convenience you can choose All).

6. Click OK, add htmlpage1.htm to the project, type http://localhost/formtest/htmlpage1.htm directly into the IE address bar and watch the result.

The mapping is per extension: .js, .jpg, .xml and anything else you leave unmapped stays wide open, so repeat the step for every type you care about, or keep such files out of the protected directories altogether. (On IIS 7 and later running in integrated pipeline mode this is no longer done through extension mappings; there the managed modules can be made to run for every request instead.)
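To make the behaviour of sections VI, VII and VIII checkable without an IIS box, here is an added example (my own, not code from the article) that models how ASP.NET's UrlAuthorizationModule decides a request: it merges the <authorization> rules of the requested directory, its parents and machine.config, deepest directory first, and stops at the first rule that matches the current user. It loads both the per-directory Web.config style of section VI and the <location> style of section VII, so you can confirm that they yield identical decisions; it shows that reversing <allow users="Admin"/> and <deny users="*"/> locks the administrator out; and it reports "bypass" for extensions IIS never hands to aspnet_isapi.dll, which is the gap section VIII closes. The sample configs, the user names and the default extension list are constructed for this example, the function names are mine, and roles= and verbs= attributes are not modelled.

```python
"""Offline model of ASP.NET URL authorization (added example, not the article's code)."""
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: root Web.config in the centralized <location> style of section VII.
# The <deny users="?"/> is the rule the article assumes part one put in the root.
ROOT_CENTRALIZED = """<configuration>
  <location path="Public">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="Managesys">
    <system.web>
      <authorization><allow users="Admin"/><deny users="*"/></authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Login.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
</configuration>"""

# The same policy in the decentralized style of section VI: one Web.config per directory.
ROOT_PLAIN = """<configuration><system.web>
  <authorization><deny users="?"/></authorization></system.web></configuration>"""
PUBLIC_WEB_CONFIG = """<configuration><system.web>
  <authorization><allow users="*"/></authorization></system.web></configuration>"""
MANAGESYS_WEB_CONFIG = """<configuration><system.web>
  <authorization><allow users="Admin"/><deny users="*"/></authorization></system.web></configuration>"""

MACHINE_CONFIG_TAIL = [("allow", "*")]  # machine.config closes the chain by allowing everyone


def _rules(auth_elem):
    """[('allow'|'deny', users attribute), ...] in document order; the order is significant."""
    return [(r.tag, r.get("users", "")) for r in auth_elem] if auth_elem is not None else []


def load_root_config(xml_text):
    """Map directory (lower-case, '' = root) -> rules, honouring <location path=...>."""
    root = ET.fromstring(xml_text)
    table = {"": _rules(root.find("system.web/authorization"))}
    for loc in root.findall("location"):
        key = loc.get("path", "").strip("/").lower()
        table[key] = _rules(loc.find("system.web/authorization"))
    return table


def add_directory_config(table, directory, xml_text):
    """A Web.config dropped into a subdirectory contributes that directory's rules."""
    root = ET.fromstring(xml_text)
    table[directory.strip("/").lower()] = _rules(root.find("system.web/authorization"))
    return table


def effective_rules(table, request_path):
    """Rules of the deepest directory first, then each parent, then machine.config."""
    parts = [p for p in posixpath.dirname(request_path.strip("/").lower()).split("/") if p]
    chain = []
    for depth in range(len(parts), -1, -1):
        chain.extend(table.get("/".join(parts[:depth]), []))
    return chain + MACHINE_CONFIG_TAIL


def _matches(users_attr, user):
    """'*' is everyone, '?' the anonymous user; names compare case-insensitively as in ASP.NET."""
    for name in (n.strip() for n in users_attr.split(",")):
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return False


def authorize(table, request_path, user, aspnet_extensions=(".aspx", ".ascx", ".asmx")):
    """user=None is an anonymous request. Returns 'allow', 'deny', or 'bypass' when IIS
    serves the file itself because its extension is not mapped to aspnet_isapi.dll
    (the section VIII problem: the Web.config rules never run for such files)."""
    if posixpath.splitext(request_path)[1].lower() not in aspnet_extensions:
        return "bypass"
    for verb, users in effective_rules(table, request_path):
        if _matches(users, user):
            return verb
    return "allow"  # unreachable in practice because of the machine.config tail


if __name__ == "__main__":
    table = load_root_config(ROOT_CENTRALIZED)
    for path, user in [("register.aspx", None), ("Public/register.aspx", None),
                       ("Managesys/auditing.aspx", "Admin"), ("Managesys/auditing.aspx", "bob"),
                       ("Public/help.htm", None)]:
        print(f"{path:26} {str(user):6} -> {authorize(table, path, user)}")
```

Add ".htm" to aspnet_extensions to see the effect of the IIS mapping in step 5: the same notes.htm that was "bypass" becomes "deny" for an anonymous visitor, because the request now reaches ASP.NET and the Managesys rules apply.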

Finally, a Web.config snippet for everyone; once it is posted I am off to sleep, I really am sleepy.

<location path="Decisive Battle at the Forbidden City">
  <system.web>
    <authorization>
      <allow users="Ye Gucheng"/>
      <allow users="Ximen Chuixue"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

<location path="Throne Room Roof">
  <system.web>
    <authorization>
      <allow users="The Man with the Ribbon"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>


