asp.net asp.net offers a number of new authentication and Authorization scenarios that will be a different approach for developers. It is gratifying that the programmes offered by ASP.net are more flexible; Unfortunately, this is based on IIS. I know that some people don't like IIS and think it is vulnerable to attack. Just always do not like the way of ASP, messy HTML tags mixed with code, difficult to maintain and difficult to debug. Now that we have a new solution, let's take a look.
The new ASP.net authentication Provider (I'll use the asp.net ap for short) only occurs when the ASP.net engine executes the. aspx file, which means that the ASP.net engine will not be invoked when the. asp file is invoked. All the authentication options are placed in an XML file. Whenever you create a asp.net project, you can find a config.web file in the project directory, <security> in this XML file, <authentication>, < You can set and control the authorization> and other tags. The default is: <authentication mode= "None"/>, which means that asp.net will not use any authentication Provider, then this mode, ASP. NET is identical to the original ASP and IIS 4/5.
A typical config.web is usually the following:
<!--authentication
This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None"
-->
<authentication mode= "None"/>
We'll look at each of the possible values in <authentication>, but as an open person, my final focus will be on "Forms," and finalize our platform environment: W2K ADV, Vs.net RCx, IE 6. (Vs.net Beta2 should be OK, because my system was upgraded from Beta 2 when I wrote this article, so I can only say: I think Beta 2 is ok.) But we're not going to discuss the mode= "Cookie", which only happens in the case of asp+, not in asp.net after Beta 2, and then we use the examples in the SDK, because simplicity can be the best starting point.
Then we need to simply set up a directory C:\Inetpub\wwwroot\Security first, and then copy the original SDK frameworksdk\samples\quickstart\aspplus\samples\ The files in security are in the new directory (you can also extract the accompanying files directly into this directory)
1. Mode= "None"
This pattern is the default, as mentioned above, and its behavior is not any different from the original ASP.
But when you use vs.net to build a asp.net project, this pattern is generated by default.
2. Mode= "Windows"
In this mode, every page we visit will need to be authentication by the system, the visitor may see some confusion and the authentication window peculiar to the Windows environment, and frankly I prefer to see it under Window XP, it is more lovely. Using this mode means you can implement it quickly without any extra code, but I don't think your business users will like it, and as a developer, you can't customize it.
It will be very easy for you to implement this approach now.
1. Set <authentication mode= "Windows" in the Config.web file/>
2. Go to the IIS Control Admin interface to set your application properties. The following figure:
3. Then visit your page and you will see this dialog, which is interesting but absolutely confusing to the unprofessional.
4. We are using the Windowauth page. Note that mode= "Windows" is not advanced enough to mode= Windows authentication with a set of good.
The result is as shown in figure:
3. Mode= "Passport"
For this mode, ASP. NET engine will use the authentication mechanism of Microsoft Passport, theoretically this mode will be the most OK and labor-saving, but as far as it seems, it is not a easy thing to realize passport under ASP.net, vs.net Beta The 2 class library does not fully implement the Passport 2.1 functionality (passportidentity). The only thing Microsoft currently shows is the ColdStorage example on MSDN, which is basically based on Passport 1.4 and requires a specialized DLL, just as with DirectX. There is data to show that the class library after the Vs.net RC2 has realized the original function, but it seems to be missing the information, so leave this information to Microsoft and Passport 3.0, we will visit later, for passport I have confidence , and as long as on the Microsoft platform, we may not be able to evade the face of passport.
For information about ColdStorage's passport, refer to the following article:
In this mode, I think every open person will gain maximum flexibility and control, and this is the most practical and feasible way to look at it now. Let's look at a simpler example:
1. In the Config.web file, make the following settings:
Here we use the hard code, which currently allows only new2001@msn.com and ccboy to be logged in as users. When testing we do not directly access Login.aspx but request default.aspx this page, asp.net use its authentication mechanism, will redirect to Login.aspx, when the user input information is accepted then return the original request Default.aspx. On the way Since we use the dotnet WebUI control, it is more object-oriented, and when judged by FormsAuthentication execute the RedirectFromLoginPage method, this function emits a cookie and redirects the user to the original requested resource. This way under the ASP.net AP did half the work, in fact it was passively completed RedirectFromLoginPage
The result is as shown in figure:
Below we modify the Config.web file so that authentication obtains information from Config.web and occurs
<credentials></credentials> Specifies the user name and password to access the system resources, and can customize and manage the encrypted password (it is recommended that the user name and password should not be placed here in the actual application)
Passwordformat can be "clear", "SHA1", "MD5" equivalent.
Clear: Saves the password in plain text. Users and passwords do not require further conversion to be used directly with the user to compare
SHA1: Saves the password with a SHA1 hash category. The user's password is hashed using the SHA1 algorithm, and then compared to the value.
MD5: Similar to SHA1, just use a different algorithm.
When using SHA1 and MD5, a specialized API (HashPasswordForStoringInConfigFile) is required to perform the encryption, and the result is saved to the Config.web file. You can refer to the following links:
The result is the same as the previous one, but this time we handed the judgment to the ASP.net AP, we only passed the Useremail,userpass two parameters, authenticate method will complete the authentication process, This user will be the same as we set in the <user></user> in Config.web.
The MS Document "Forms authentication Using an XML users file" shows another way to get a username and password, in a way that users and passwords are placed in a separate XML file for security. For a specific reference to the following links:
Again, the same can be done by invoking the business logic. NET component, or by invoking another Web services, which, in this sense, is somewhat the same as Ms Passport. Microsoft's approach is heavyweight in comparison.
5. Mode= "Mymode"
This is what we will discuss later, ASP.net supports us to use our own AP to implement the authentication and Authorization scenarios. This will be a more advanced approach, in fact asp.net more flexible and versatile than the previous version. Keith Brown discussed security issues with ASP.net on MSDN Magazine in 11, December.
To sum up, we can see a basic situation about ASP.net authentication, the benefits are obvious, but if you do not like IIS itself, then you will also consider using other authentication scenarios. Jeff Kercher's authentication in ASP. NET: the. NET Security Guide will be a more macro-directed direction that you start and delve into.
This article specifically describes the environment and pros and cons of various validation scenarios to help you select and determine the best authentication method.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.