ASP.NET Security Problems: The Authorization Problem (Part 1)

Source: Internet
Author: User
Tags: file permissions

Foreword: The previous articles in this series discussed authentication. The next few articles cover authorization and then code access security.

In an ASP.NET application, authorization controls access to resources, and resources take many forms: files, database records, images, and so on. The authorization process essentially consists of defining users or groups of users and then assigning permissions to them. The .NET Framework offers several ways to implement authorization, including file authorization, URL authorization, and custom authorization.

This article discusses how ASP.NET controls access to restricted resources. It covers the following topics:

1. Role-based security

2. Mapping of permissions

3. Permission objects: an introduction to the Permission classes

This article contains little code; the next, hands-on article will give as much code as possible.

1. Role-based security

Most readers have already met roles and role-based security, so the basic concepts are not repeated here. Before discussing role-based security, you should be familiar with IIdentity and IPrincipal, which were covered in the earlier articles of this security series.

In .NET you can combine a user's identity with roles and define permissions for that combination. As stated earlier:

Principal (IPrincipal) = Identity (an object holding the user name and similar information) + roles

We can define a number of roles and then grant each role permissions on resources. For example, we define a Customer role, assign a user to it, and define what Customer may access; the permissions then apply to every user who holds the Customer role. We do not define permissions for each user individually, because that is troublesome to maintain and modify.

We can also authorize an individual user for a specific action, such as writing a file. There are many ways to authorize, but the underlying idea is broadly the same.

Typically, an application authorizes access in the following steps:

1. Verify the user's identity (the authentication process discussed earlier); an authorization decision is only meaningful for an authenticated identity.

2. Deny specific users or roles access to specific resources.

3. Allow specific users or roles access to specific resources.
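The three steps above, carried out in code, as an added example that is not part of the original article: a principal is built from an identity plus roles, a deny-then-allow check is applied, and the same role requirement is enforced with PrincipalPermission, which is what the .NET Framework uses behind role-based demands. The user names, roles and method names are hypothetical; the code targets the .NET Framework on Windows (PrincipalPermission is not supported on .NET Core).

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the original article). Names and roles are invented.
class RoleBasedAuthorizationDemo
{
    // Step 1 stands in for authentication. In a real ASP.NET application the
    // identity comes from Forms or Windows authentication, never from a literal.
    static IPrincipal BuildPrincipal(string userName, params string[] roles)
    {
        var identity = new GenericIdentity(userName, "Custom");
        return new GenericPrincipal(identity, roles);
    }

    // Steps 2 and 3: deny rules are checked before allow rules, so a user who
    // holds both a denied and an allowed role is refused.
    static bool CanAccess(IPrincipal user, string[] allowedRoles, string[] deniedRoles)
    {
        foreach (string role in deniedRoles)
            if (user.IsInRole(role)) return false;
        foreach (string role in allowedRoles)
            if (user.IsInRole(role)) return true;
        return false;   // nothing matched: default deny
    }

    // Imperative role demand. PrincipalPermission.Demand() inspects
    // Thread.CurrentPrincipal (ASP.NET sets it from HttpContext.User) and throws
    // SecurityException when the required role is missing. The declarative form
    // [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")] on the
    // method does the same check before the body runs.
    static void DeleteAccount(string account)
    {
        new PrincipalPermission(null, "Administrator").Demand();
        Console.WriteLine("Deleted account " + account);
    }

    static void Main()
    {
        IPrincipal customer = BuildPrincipal("alice", "Customer");
        IPrincipal admin = BuildPrincipal("bob", "Customer", "Administrator");
        IPrincipal suspended = BuildPrincipal("carol", "Customer", "Suspended");

        string[] allowed = { "Customer", "Administrator" };
        string[] denied = { "Suspended" };

        Console.WriteLine("alice may view orders: " + CanAccess(customer, allowed, denied));
        Console.WriteLine("carol may view orders: " + CanAccess(suspended, allowed, denied));

        // The role demand refuses a Customer and admits an Administrator.
        foreach (IPrincipal user in new[] { customer, admin })
        {
            Thread.CurrentPrincipal = user;
            try
            {
                DeleteAccount("acct-42");
            }
            catch (SecurityException)
            {
                Console.WriteLine(user.Identity.Name + " was refused: Administrator role required");
            }
        }
    }
}
```

The deny-before-allow order in CanAccess mirrors how ASP.NET URL authorization evaluates the <authorization> rules in web.config: rules are checked top to bottom and the first match wins, so a deny rule placed after a broad allow rule never fires.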

2. Mapping of permissions

.NET has built-in permission objects through which access to resources is controlled. Before going into them, let us define what a permission is. A system contains many files and folders, and these usually carry access permissions: for example, a file can be set so that only administrators may modify it while ordinary users may only read it. This is familiar to everyone.

Note: these file and folder permissions are configured through the operating system, which everyone should be familiar with.

Our web site is, in the end, a set of files on a server. Since those files sit on a server such as Windows Server 2003, they necessarily carry access permissions. If you are the administrator of the server you can do anything with these files; other accounts have only the rights the permissions grant them.

Now assume the site is deployed on the server, its files (ASPX pages, images, App_Code, and so on) sit in the site's folder, and permissions on those files have already been set, for example read-only.

Some of the permission classes in .NET are in fact a mapping of permissions. What does that mean?

Suppose the site folder contains a file such as the Admin.aspx page. We can define access to it through the operating system (select the file, right-click, choose "Sharing and Security", then choose which users may access it and what they may do: read, write, change permissions, and so on). These are permissions defined by the system. ASP.NET's file authorization maps them onto the request: when Windows authentication is used, the FileAuthorizationModule checks the authenticated user's Windows identity against the file's ACL, so the operating-system permissions decide who may request Admin.aspx. Separately, the .NET Framework wraps resource access in permission classes such as FileIOPermission so that managed code (C#, for example) can demand and check permissions without calling the Win32 API (unmanaged code). Be careful not to confuse the two: the permission classes belong to code access security and describe what a piece of code is allowed to do, whereas the ACL describes what a user account is allowed to do and is enforced by the operating system regardless of how the managed code is written.
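The two layers described above, as an added example that is not part of the original article: FileIOPermission is demanded from managed code (code access security), the file's NTFS ACL is read with the System.Security.AccessControl classes, and an actual read shows which layer the operating system enforces. The file path is hypothetical; the code targets the .NET Framework on Windows, where File.GetAccessControl is available and code access security is still evaluated.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.AccessControl;
using System.Security.Permissions;
using System.Security.Principal;

// Added example (not from the original article). The path is invented.
class FilePermissionLayers
{
    // Layer 1: code access security. FileIOPermission asks whether the CODE
    // may read this path, independent of which user is logged on. Under full
    // trust (the usual ASP.NET setting) the demand always succeeds.
    static bool CodeMayRead(string absolutePath)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, absolutePath).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Layer 2: the NTFS ACL that the operating system enforces. The rules are
    // only read here, so running this does not change the file's permissions.
    static void PrintAcl(string absolutePath)
    {
        FileSecurity acl = File.GetAccessControl(absolutePath);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-40} {1,-6} {2}",
                rule.IdentityReference.Value, rule.AccessControlType, rule.FileSystemRights);
        }
    }

    // Layer 2 in action: the OS compares the process (or impersonated) token
    // with the ACL. A refused read surfaces as UnauthorizedAccessException,
    // not SecurityException, which is how the two layers can be told apart.
    static bool UserMayRead(string absolutePath)
    {
        try
        {
            using (FileStream s = File.OpenRead(absolutePath)) { }
            return true;
        }
        catch (UnauthorizedAccessException)
        {
            return false;
        }
    }

    static void Main()
    {
        string path = @"C:\inetpub\wwwroot\MySite\Admin.aspx";   // hypothetical
        if (!File.Exists(path))
        {
            Console.WriteLine("Create " + path + " and adjust its ACL to try this");
            return;
        }

        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Code may read (code access security): " + CodeMayRead(path));
        PrintAcl(path);
        Console.WriteLine("User may read (NTFS ACL): " + UserMayRead(path));
    }
}
```

Removing the running account's read right from the file's ACL makes UserMayRead return false while CodeMayRead still returns true, which is the practical difference between the managed permission classes and the operating-system permissions they are sometimes mistaken for.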
