ASP.NET Security Authentication (II)

ASP.NET Security, Part II: Forms Authentication in Practice

Part one only covered the basic use of forms authentication. To the masters among you it probably looked too simple, thin as water, a mere appetizer. Today we turn up the heat, wuxia style: there are Six Gates, but Ye Gucheng turned them down; Ximen Chuixue blows snow; a ribbon is the pass; decisive battle at the Forbidden City.

Five, The scope of web.config

When you create a new project, VS.NET puts a fixed web.config in the project root. Besides that one, you may create a web.config in any subdirectory, with one restriction: application-level sections may appear only in the root web.config. Which sections count as application-level I was never quite sure of myself; I did not invent the computer, I did not found Microsoft, and plenty of people know more C# than I do, so not knowing is normal. (For the record, <authentication>, <sessionState>, <httpModules> and <machineKey> are among them; putting <authentication> in a subdirectory web.config produces a configuration error at runtime.) The practical rule: if ASP.NET does not complain, the setting is allowed where you put it.

Remember two things about the scope of web.config settings:

1, Settings in a web.config apply to every file in that directory and to everything under its subdirectories (inheritance: the child takes the parent's surname).

2, Settings in a subdirectory's web.config override the settings inherited from the parent directory (override: the distant magistrate is outranked by the official on the spot).

For the <authorization> section the override is really a merge: ASP.NET builds one rule list for the requested URL, with the rules nearest the file first and the inherited ones after them, and the first rule that matches the current user decides the request. That is why the order of <allow> and <deny> lines matters, as the next section shows.

A question for you: is there a configuration file that ranks above the root web.config? Part three will tell.

Six, Learning to refuse, and using permissions skilfully

Back to the test project Formtest from part one. Since we are going to authenticate, international practice requires a user name and a password. Where do the users come from: does the administrator create them directly in the database, or do users register themselves and an administrator approves them? Anyone who is not a complete fool picks the latter. Believe it or not, my company really does have a project where the administrator creates accounts by connecting to the database; that is a special kind of fool, and we will not copy him. Honest work instead: add two pages, a registration page (register.aspx) and an approval page (auditing.aspx).

Now the problem surfaces. You finish register.aspx, open it, and something is wrong: you are back at the login page. Look closely at the address bar; has it become login.aspx?ReturnUrl=register.aspx? The root web.config denies anonymous users, and a visitor comes to the registration page precisely because he has no account yet (nobody who already has an account goes to register). As I keep telling my colleagues: "There is always a way."

1, Create a new directory, public, for files that everyone may use, such as calendars and scripts.

2, In Solution Explorer, right-click the public directory and add a web.config.

3, Delete everything VS.NET put into that web.config and leave only the following:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization><allow users="*"/></authorization>
      </system.web>
    </configuration>

Finally we get to the point; it was not easy. By the override principle, this web.config takes precedence over the <authorization> node of the root web.config, that is:

<allow users="*"/> takes precedence over <deny users="?"/>

Annotation: allow means permit; * means all users;

deny means refuse; ? means anonymous (unauthenticated) users.

What actually happens is that the rule list for a file under public reads <allow users="*"/> followed by the inherited <deny users="?"/>; the allow rule matches every request first, so the deny rule is never reached. Files in the public directory can therefore be browsed by everyone, unauthenticated users included. Drag register.aspx in and nobody will stop you from browsing it. The flip side: everything you put in public is open to the whole Internet, so only files that really are public belong there.

Besides the registration page we mentioned an approval page (auditing.aspx). Approval rights are usually held by an administrator or a supervisor, and nobody else should be able to browse that page (the truth is often in the hands of a few; nothing to be done about that). How? "There is always a way", hehe... Create a new administrator directory, Managesys, and add another web.config in it with the following contents:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow users="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

The order matters: the first rule that matches the user wins, so <allow users="Admin"/> must come before <deny users="*"/>. Written the other way round, the deny rule matches everyone, Admin included, and nobody can open the directory. The <deny users="*"/> line cannot be omitted either: without it the inherited rules follow, and since the inherited <deny users="?"/> only stops anonymous users and a machine-level <allow users="*"/> closes every rule list, every logged-in user would get in.

Now the question is how ASP.NET knows who "Admin" is. It is a bit like "my shoe sole has a hole": heaven knows, you don't know, I know. Less gossip (if someone paid by the word I would write a few more, alas...). Do you remember how part one ended? What, forgotten? As punishment, go back and read it a hundred times, then come back. Stop, come back! I do not trust your memory, so here are the addresses: part one is at http://blog.csdn.net/cityhunter172/archive/2005/11/06/524043.aspx , and the address to come back to is http://blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx

Never mind whatever the bad guys are up to; keep reading.

    System.Web.Security.FormsAuthentication.SetAuthCookie(this.Txt_username.Text, false); // credentials verified, issue the cookie

I stressed before that the first parameter matters. How much? I am afraid the whole planet knows: it is the basis of allow and deny. The name passed here is written into the forms authentication ticket, comes back on every request as User.Identity.Name, and is what the users attribute of <allow> and <deny> is compared against. If the user typed "Admin" here, that is Txt_username.Text = "Admin", then after logging in he can open the pages in the Managesys directory, and everyone else is shut out.

Two things follow from that. First, SetAuthCookie must only be called after the user name and password have been checked against the user table; it takes the name on trust and will mint a ticket for any string. Second, because register.aspx is open to anyone and the ticket name is whatever the user chose, the registration page (or the approval step) must refuse "Admin", and any other name that appears in an <allow users> attribute, as a self-registered account name. Otherwise the allow list is satisfied by whoever registers that name first.

To consolidate the above, some homework: the project has two departments, each with pages that only its own staff may browse. How do you achieve that with web.config? Again, the answer is in part three.

Seven, Decentralisation and centralisation

At first glance this sounds like the dialectical relationship between Marxism-Leninism, Mao Zedong Thought and Deng Xiaoping Theory. Rest assured: I studied science, and the only banner I understand is "the programmer's great banner, with writing code at the centre". Stop......

By now our test project formtest has two subdirectories and three web.config files. As user requirements diversify there will be more and more of them, for a file upload function, say, and with many web.config files scattered over different directories, maintenance gets annoying. Can we manage them centrally? "There is always a..." ah, somebody said it first. Yes, "there is always a way", and I keep repeating it so that more of you remember it. Centralised management uses the <location> node and its path attribute. In this project we move the settings for the public and Managesys directories into the root web.config, as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="public">
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
      <location path="Managesys">
        <system.web>
          <authorization>
            <allow users="Admin"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>
      <system.web>
        <!-- the original contents of the root web.config go here; not repeated -->
      </system.web>
    </configuration>

(This article is from the blog of Han Feather Maple, cityhunter172: http://blog.csdn.net/cityhunter172 ; personal site: http://172.meibu.com )

Once the settings live here, delete the two subdirectory web.config files, so that there is a single place to change them.

Two reminders:

1, The <location> node is a child of <configuration>, a sibling of the original <system.web>, not nested inside it.

2, Inside a <location> node put only what would go inside <system.web> in the subdirectory's web.config. The path attribute is relative to the directory holding this web.config and may also name a single file, for example path="Managesys/auditing.aspx", when one page needs rules of its own.

Eight, Extra protection

Part two is drawing to a close; it is now 4:50 in the morning, and it has not been easy for me. The purpose of authentication is to stop people from browsing pages, or using certain functions, that they have no right to. Of course there is no absolute security in this world; that MD5 has now been broken by our countrymen (the collision attacks published by Wang Xiaoyun's team in 2004) is the best example.

Careful readers may have noticed that ASP.NET's security checks only cover the files ASP.NET itself handles: .aspx, .ascx and the other ASP.NET file types. Ordinary pages and files such as .htm, .js and .jpg are invisible to it, because IIS serves those itself without ever calling aspnet_isapi.dll, so the <authorization> rules never run for them, whichever directory they sit in. You can protect a file type by handing it to ASP.NET as follows.

1, Open Internet Information Services (IIS) Manager, right-click this project's virtual directory and choose Properties (figure: http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm01.jpg).

2, Click the Configuration button; the following dialog appears (figure: http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm02.JPG).

3, Double-click the application extension mapping for .aspx and look at the dialog (figure: http://blog.csdn.net/images/blog_csdn_net/cityhunter172/85935/r_aspxForm03.JPG).

4, Copy the full path of the executable, click Cancel to return to the previous dialog, then click Add.

5, Paste the path you copied (my system is installed on drive D, so for me it is d:\windows\microsoft.net\Framework\v1.1.4322\aspnet_isapi.dll), fill in the extension .htm, and limit the verbs to GET,HEAD,POST,DEBUG (or select All for convenience).

6, Click OK, add htmlpage1.htm to the project, type http://localhost/formtest/htmlpage1.htm into the IE address bar and watch the result.

Once the extension is mapped, ASP.NET runs the same <authorization> rules for it and then serves the file through its built-in static file handler, so an .htm in Managesys is now refused to everyone but Admin. Repeat the mapping for every type that needs protecting (.js, .jpg, .doc and so on); an unmapped type stays wide open. On IIS 7 and later in integrated pipeline mode this step is unnecessary, because the ASP.NET authorization module runs for every request, static files included.
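As an added example, not code from the article: the Python script below emulates how ASP.NET 1.1 merges and evaluates the <authorization> rules of sections Five to Seven, using the three web.config files above (and the centralised root web.config of section Seven) as embedded input, and models the section Eight bypass by skipping the rules for any extension IIS does not hand to aspnet_isapi.dll. The user name bob, the file notes.htm, and the root web.config containing only <deny users="?"/> are assumptions; the extension list is a subset of the IIS 5/6 default script map.

```python
"""Emulate ASP.NET 1.1 URL authorization (UrlAuthorizationModule) for the
formtest layout: per-directory web.config inheritance, rule merging,
<location> nodes, and the IIS script-map bypass from section Eight.

Added example for this page; not code from the original article.
"""
import posixpath
import xml.etree.ElementTree as ET

# Constructed web.config files for the article's three directories. The root
# file's <authorization> is assumed to be the one the project starts with:
# deny anonymous users ("?") and nothing else.
WEBCONFIGS = {
    "": '<configuration><system.web>'
        '<authorization><deny users="?"/></authorization>'
        '</system.web></configuration>',
    "public": '<configuration><system.web>'
              '<authorization><allow users="*"/></authorization>'
              '</system.web></configuration>',
    "Managesys": '<configuration><system.web><authorization>'
                 '<allow users="Admin"/><deny users="*"/>'
                 '</authorization></system.web></configuration>',
}

# Section Seven's centralised form: one root web.config with <location> nodes.
CENTRAL_ROOT = """<configuration>
  <location path="public"><system.web>
    <authorization><allow users="*"/></authorization></system.web></location>
  <location path="Managesys"><system.web>
    <authorization><allow users="Admin"/><deny users="*"/></authorization>
  </system.web></location>
  <system.web><authorization><deny users="?"/></authorization></system.web>
</configuration>"""

# Subset of the extensions IIS 5/6 maps to aspnet_isapi.dll by default.
ASPNET_EXTENSIONS = frozenset({".aspx", ".ascx", ".asmx", ".ashx", ".asax", ".config", ".cs"})


def _rules_of(auth_elem):
    """Return [(action, [names])] in document order; first match wins later."""
    rules = []
    for child in auth_elem:
        if child.tag in ("allow", "deny"):
            names = [n.strip() for n in child.get("users", "").split(",") if n.strip()]
            rules.append((child.tag, names))
    return rules


def load_rules(configs):
    """Turn {directory: web.config xml} into [(scope, rules)].

    A <location path="X"> in the web.config of directory D contributes rules
    with scope D/X, exactly as if X had its own web.config (section Seven).
    """
    scoped = []
    for directory, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        for auth in root.findall("./system.web/authorization"):
            scoped.append((directory, _rules_of(auth)))
        for loc in root.findall("location"):
            scope = posixpath.join(directory, loc.get("path", ""))
            for auth in loc.findall("./system.web/authorization"):
                scoped.append((scope, _rules_of(auth)))
    return scoped


def merged_rules(scoped, request_path):
    """Build the rule list ASP.NET evaluates for request_path: rules nearest
    the file first, inherited rules after them, then the machine-level
    default <allow users="*"/> that closes every list."""
    applies = [(scope, rules) for scope, rules in scoped
               if scope == "" or request_path == scope
               or request_path.startswith(scope + "/")]
    applies.sort(key=lambda item: len(item[0].split("/")) if item[0] else 0,
                 reverse=True)
    merged = [rule for _, rules in applies for rule in rules]
    merged.append(("allow", ["*"]))
    return merged


def _matches(names, user):
    """'*' is everyone, '?' is the anonymous user (user is None), otherwise a
    case-insensitive comparison against the ticket's user name."""
    for name in names:
        if name == "*" or (name == "?" and user is None):
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return False


def is_allowed(scoped, request_path, user, mapped=ASPNET_EXTENSIONS):
    """Decide one request; user=None means anonymous.

    Returns (allowed, reason). A file whose extension is not mapped to
    aspnet_isapi.dll never reaches ASP.NET: IIS serves it itself, so the
    rules are skipped and the answer is "allowed" whatever the directory.
    """
    ext = posixpath.splitext(request_path)[1].lower()
    if ext not in mapped:
        return True, f"{ext} not mapped to ASP.NET; served by IIS, rules skipped"
    for action, names in merged_rules(scoped, request_path):
        if _matches(names, user):
            return action == "allow", f'matched <{action} users="{",".join(names)}"/>'
    raise RuntimeError("unreachable: the default allow * always matches")


if __name__ == "__main__":
    rules = load_rules(WEBCONFIGS)
    for path, user in [("public/register.aspx", None), ("default.aspx", None),
                       ("default.aspx", "bob"), ("Managesys/auditing.aspx", "bob"),
                       ("Managesys/auditing.aspx", "admin"),
                       ("Managesys/notes.htm", None)]:
        print(f"{path:28} {user or '<anonymous>':12} -> {is_allowed(rules, path, user)}")
```

Running it shows anonymous requests passing in public and failing in the root, bob failing in Managesys while Admin passes, and the .htm in Managesys passing for everyone until ".htm" is added to the mapped set. Loading the centralised root web.config instead of the three files gives the same decisions, and swapping the two Managesys rules makes is_allowed refuse Admin as well, which is the ordering trap of section Six.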

Finally, a web.config fragment as a parting gift; once it is posted I am going to sleep, I really am exhausted.

    <location path="Decisive Battle of the Forbidden City">
      <system.web>
        <authorization>
          <allow users="Ye Gucheng"/>
          <allow users="Ximen Chuixue"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

    <location path="Throne Room Roof">
      <system.web>
        <authorization>
          <allow users="The Man with the Ribbon"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

