This article is written for readers who are not yet familiar with the identity authentication system of ASP.NET. If you already know authentication and authorization well, you can skip it. It focuses on the concepts and implementation of identity authentication and authorization in ASP.NET.
After creating a website, you always need to consider which resources (in a narrow sense, pages) can be accessed directly and which require restricted access. Put simply, you need a mechanism that determines whether a user is legitimate (an authorized user generally has to pass login authentication). This is the first concept I want to talk about: the identity authentication mechanism. But knowing whether a user is legitimate is not enough. You also need to decide which resources are restricted (in a narrow sense, accessible only to authenticated users) and which can be accessed freely. This is the second concept: authorization.
First, authorization. In its simplest form, authorization is how you specify which resources anyone may access and which only authenticated users may access. For example, default.aspx can be accessed by anyone, while cart.aspx (the shopping cart page) can be accessed only by authenticated users. Easy enough!
In more complex cases, authorization does more than decide which resources may be accessed directly and which may not; finer-grained access restrictions can be expressed through it. For example, administrators can access back-end resources, authenticated users can access some restricted front-end resources, and unauthenticated users can access only unrestricted resources. Authorization is what makes this kind of scenario possible. Authorization is a basic security concept, so let us start from it and look at how ASP.NET implements authorization.
In ASP.NET we always deal with one file: Web.config, which controls the whole ASP.NET application. Authorization is also expressed in this file. Let's look at a snippet from web.config.
In the <system.web> configuration section, we can set the following (element and attribute names in web.config are case-sensitive):
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
The configuration above denies any unauthenticated (not logged-in) user access to every resource: anonymous users cannot access any page. This is the simplest form of authorization. Now let's look at a more complicated one.
<authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization>
This configuration denies access to every user, anonymous or authenticated, unless the user belongs to the Admin role. ASP.NET evaluates the rules from top to bottom and stops at the first one that matches, so the <allow> for Admin has to appear before <deny users="*" />; written the other way round, the deny would match everyone first and administrators would be shut out as well. More details will follow later; these are just a few examples to help understand authorization.
In short, authorization is a mechanism that restricts which users have the right to access which resources. From a security standpoint, I think understanding authorization is essential.
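To make the rule-ordering behavior concrete, here is an added C# console illustration of how ASP.NET evaluates <allow> and <deny> rules. It is not ASP.NET's own source, only a model of the documented behavior (rules are read top-down, the first match decides, and a request that matches no rule is allowed because the machine-level configuration ends with <allow users="*" />). GenericPrincipal from System.Security.Principal stands in for the request's user; the rule sets, user names and roles are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// One <allow> or <deny> element: a list of user names ("?" = anonymous,
// "*" = everyone) and a list of role names.
class AuthRule
{
    public readonly bool Allow;
    public readonly string[] Users;
    public readonly string[] Roles;

    public AuthRule(bool allow, string users, string roles)
    {
        Allow = allow;
        Users = Split(users);
        Roles = Split(roles);
    }

    static string[] Split(string list)
    {
        if (string.IsNullOrEmpty(list)) return new string[0];
        string[] parts = list.Split(',');
        for (int i = 0; i < parts.Length; i++) parts[i] = parts[i].Trim();
        return parts;
    }

    // Does this rule apply to the given principal?
    public bool Matches(IPrincipal principal)
    {
        bool anonymous = principal.Identity == null || !principal.Identity.IsAuthenticated;
        foreach (string user in Users)
        {
            if (user == "*") return true;                // everyone
            if (user == "?" && anonymous) return true;   // anonymous visitors only
            if (!anonymous && string.Equals(user, principal.Identity.Name,
                                            StringComparison.OrdinalIgnoreCase))
                return true;
        }
        if (!anonymous)
            foreach (string role in Roles)
                if (principal.IsInRole(role)) return true;
        return false;
    }
}

static class UrlAuthorization
{
    // Walk the rules top-down; the first rule that matches decides.
    // No match means allowed (the inherited <allow users="*" />).
    public static bool IsAllowed(IList<AuthRule> rules, IPrincipal principal)
    {
        foreach (AuthRule rule in rules)
            if (rule.Matches(principal)) return rule.Allow;
        return true;
    }
}

class Program
{
    static void Main()
    {
        // Constructed principals: an anonymous visitor, a logged-in member, an administrator.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal member = new GenericPrincipal(new GenericIdentity("cai"), new string[0]);
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("root"), new[] { "Admin" });

        // <allow roles="Admin" /> then <deny users="*" />: only administrators get in.
        var adminOnly = new List<AuthRule> {
            new AuthRule(true, null, "Admin"),
            new AuthRule(false, "*", null)
        };
        // The same two rules reversed: <deny users="*" /> matches everyone first,
        // so the <allow> is never reached and administrators are locked out too.
        var reversed = new List<AuthRule> {
            new AuthRule(false, "*", null),
            new AuthRule(true, null, "Admin")
        };
        // <deny users="?" /> alone: anonymous out, every authenticated user in.
        var membersOnly = new List<AuthRule> { new AuthRule(false, "?", null) };

        Report("allow Admin, then deny *", adminOnly, anonymous, member, admin);
        Report("deny *, then allow Admin", reversed, anonymous, member, admin);
        Report("deny ? only", membersOnly, anonymous, member, admin);
    }

    static void Report(string label, IList<AuthRule> rules, params IPrincipal[] principals)
    {
        Console.WriteLine(label);
        foreach (IPrincipal p in principals)
        {
            string who = p.Identity.IsAuthenticated ? p.Identity.Name : "(anonymous)";
            Console.WriteLine("  {0,-12} -> {1}", who,
                              UrlAuthorization.IsAllowed(rules, p) ? "allowed" : "denied");
        }
    }
}
```

Running it shows the point of the ordering: with the <allow> first, only root is allowed; with the <deny users="*" /> first, all three principals are denied, root included; with <deny users="?" /> alone, the anonymous visitor is denied and both cai and root are allowed.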
Next, let's understand what authentication is. As mentioned above, we distinguish anonymous users from authenticated users, and an authenticated user is one who has obtained a credential. It is like going to the cinema: you pay for a ticket, and the ticket proves you are entitled to enjoy the film. How do we verify a user, that is, give them a credential the system can recognize? That is what the authentication mechanism is responsible for. Identity authentication is the mechanism that verifies a user and issues them a valid credential that the system can recognize.
Again, let's look at how ASP.NET does this. ASP.NET has three authentication modes: Windows, Forms, and Passport.
Windows authentication: an authentication mode that works together with IIS. IIS provides anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, basic (Base64-encoded) authentication, digest authentication, and client-certificate authentication. The following is a typical web.config configuration for Windows authentication; it is also the default authentication mode of ASP.NET.
<system.web>
  <authentication mode="Windows" />
</system.web>
Forms authentication: authentication through a login page that the ASP.NET application provides itself. It is the most common mode and the one this article focuses on. The following is a typical web.config configuration for Forms authentication.
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" defaultUrl="Default.aspx" path="/"
           protection="All" loginUrl="Signin.aspx" timeout="30" />
  </authentication>
</system.web>
Passport authentication is a centralized authentication service provided by Microsoft that offers single sign-on and core profile services to member sites. Passport benefits users because they do not have to sign in again at each new restricted resource or site.
<system.web>
  <authentication mode="Passport" />
</system.web>
Like authorization, authentication is expressed in web.config; the configuration file is used simply because it controls the behavior of the ASP.NET application.
Next I will use these concepts to build a simple example and show how authentication and authorization work together. The example uses Forms authentication.
1. Create an ASP.NET website named securitywebsitedemo.
2. Add a web.config file to the site.
3. Open Web.config and write the following in the <system.web> configuration section:
<authentication mode="Forms">
  <forms defaultUrl="Default.aspx" loginUrl="Login.aspx" path="/"
         name=".ASPNETAUTHEN" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
The configuration above accomplishes several things.
1. It sets the authentication mode of the current ASP.NET application to Forms, and the <forms> section specifies:
A. the default page: default.aspx;
B. the login page that users are sent to: login.aspx.
2. It configures authorization so that any user who has not authenticated is denied.
3. From the explanation above we know that Forms authentication requires us to provide a page through which users submit their credentials (usually a user name and password). So we need to create the login.aspx page ourselves.
ASP.NET 2.0 provides a set of useful login controls that can be used directly. If I drag a Login control onto the page, it collects the necessary user information for me so that I can process it. Next we need to write some code to complete the authentication.
// Code-behind of login.aspx (needs using System.Web.UI.WebControls; for AuthenticateEventArgs).
// Demo only: the user name and password are compared against literals in source.
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    if (this.Login1.UserName == "Cai" && this.Login1.Password == "Cai")
        e.Authenticated = true;
    else
        e.Authenticated = false;
}
The Login control raises an Authenticate event; by setting the event argument e.Authenticated you decide whether the current user receives a credential (that is, counts as a valid user). The code above shows that we have full control over how a user is identified.
After building the project, set default.aspx as the start page and start debugging. You will find that you land on login.aspx instead of default.aspx. After entering the correct user name and password, you will see default.aspx.
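The hard-coded comparison in the walkthrough is fine for a demo, but the Authenticate handler is exactly where a real site should validate against a stored credential. As an added example that is not from the article, here is a version of the handler that checks the submitted password against a salted PBKDF2 hash (Rfc2898DeriveBytes from the .NET base class library) using a constant-time comparison, so neither the password nor a plaintext copy of it lives in source or in the database. The PasswordStore class, the LoginPage class name, the sample user "cai" and its password are constructed for the illustration; Login1 is the Login control from the walkthrough, whose field the ASP.NET designer declares in the other half of the partial class.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.UI.WebControls;

// Stores and checks passwords as salted PBKDF2 hashes.
// Constructed for this example; a real site keeps the records in a database.
static class PasswordStore
{
    const int Iterations = 100000;   // work factor; raise it as hardware gets faster
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // Constructed sample records in "salt:hash" form (Base64), keyed by user name.
    static readonly Dictionary<string, string> Records =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "cai", Register("correct horse battery staple") }
        };

    // What a registration page would store: a fresh random salt plus the derived key.
    public static string Register(string password)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, SaltBytes, Iterations);
        return Convert.ToBase64String(kdf.Salt) + ":" + Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    // True only if the user exists and the password re-derives the stored key.
    public static bool Verify(string userName, string password)
    {
        string record;
        if (userName == null || password == null || !Records.TryGetValue(userName, out record))
            return false;
        string[] parts = record.Split(':');
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(expected.Length);
        return FixedTimeEquals(actual, expected);
    }

    // Compare every byte regardless of where the first difference is, so the
    // time taken does not reveal how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Code-behind for login.aspx. Login1 is the Login control dropped onto the page;
// its field is declared by the designer-generated part of this partial class.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // The control issues the forms ticket and redirects only when this is true.
        // Its default failure text is the same for an unknown user and a wrong
        // password, so the response does not tell a caller which one was wrong.
        e.Authenticated = PasswordStore.Verify(Login1.UserName, Login1.Password);
    }
}
```

Wire the method to the control with OnAuthenticate="Login1_Authenticate" on the <asp:Login> tag. Everything else in the walkthrough stays the same: the <deny users="?" /> rule still sends anonymous visitors to login.aspx, and a successful Authenticate still results in the forms cookie being issued and the redirect to default.aspx.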
Complete.