Summary
Through this article, you will understand the ASP. NET authentication mechanism, the basic process of form authentication, some disadvantages of ASP. NET membership, and the main advantages of ASP. NET identity.
Directory
- Authentication and authorization)
- ASP. NET authentication method
- Understanding form verification process
- Understanding ASP. NET membership
- Embracing ASP. NET identity
- ASP. NET identity
- Summary
Authentication and authorization)
Let's first consider the following question:How to Build Secure Web applications?
This is always a hot topic. Unfortunately, there is no universal method to ensure the security of your web applications. Whether it's system vulnerabilities or other external attacks, we suffer daily security problems.
In fact, we do not need to be frustrated or entangled. Since we cannot block attacks, we can prevent them in advance and minimize the loss, right?
At present, there are many security principles applicable to ASP. NET applications, such as in-depth defense, no trust in any input data, and unnecessary function disabling. However, the most basic and important principle is authentication and authorization ).
You may be confused when you first see these two concepts. Because the authentication and authorization are indeed very similar. In fact, they only look a lot like each other, but they are quite different inside.
Authentication)
Verification is the process of identifying the visitor of an application.The verification answered the following question: who is the currently accessed user? Is this user valid? In daily life, identity authentication is not uncommon. For example, we can check the identity of the other party.
Authorization)
Authorization determines the level of security resource access permissions of users who pass the verification.A resource can be a page file on iisand a media file (.w.w.w.w.zip.
Next we will briefly describe the verification and authorization process.
ASP. NET authentication method
Security issues have always been the focus of ASP. NET. Among them, Windows Authentication and form authentication are two main security mechanisms, ASP. NET.
Windows Verification:It is generally used for LAN applications. During Windows authentication, the user's Windows Security token uses an HTTP request to send messages during the user's access to the entire website. The application uses this token to verify the validity of the user account locally (or in the domain), and evaluates the permissions of the user's role. When user authentication fails or is not authorized, the browser directs the user to a specific page to enter his/her security creden。 (username and password ).
Forms Verification:Windows verification has obvious limitations. Once you have an Internet user that has exceeded the local region controller range to access the website, problems may occur. ASP. NET form authentication makes up for this defect. With form verification, ASP. NET needs to verify encrypted HTTP cookies or query strings to identify all users' requests. Cookie is closely related to ASP. NET session mechanism (Session). After the session times out or the user closes the browser, the session and cookie will expire. You need to log on to the website to create a new session.
Understanding form authentication process
Step 1Enter the account and password in the logon window.
Step 2Check whether the user is valid. It can be found in the configuration file, SQL Server database, or other external data sources.
Step 3If the user is valid, a cookie file is generated on the client. The cookie file indicates that the user has passed the verification. When you access other resources on the website, you do not need to verify it again.
Understanding ASP. NET membership
Form authentication can solve basic authentication problems. However, most applications also contain role and user management and permission information storage issues. Therefore, we have to do the following:
- Create a user and role table.
- Write the code to access the data table.
- Provides methods for user and password verification.
Almost every application is doing something similar. After Microsoft discovered this problem, it introduced membership's major technical solution in ASP. NET 2.0. ASP. NET membership solves common requirements of Web applications in terms of membership. These requirements include form authentication, storage of usernames, passwords, and user profile information.
For a long period of time, membership greatly simplifies the compilation of applications. However, we have more and more demands. ASP. NET membership's own design defects make it difficult to adapt to such changes.
The database architecture is limited by SQL Server.It is difficult to be compatible with other databases.
A raw and hard table storage structure.If you need to add additional user information, you need to store it in other tables to make the information difficult to access (unless you use the profile provider API ).
The system is designed based on relational databases only.Of course, you can also write a non-relational database provider (such as a Windows azure storage table), but you have to write a lot of code to solve the compatibility problem.
You cannot use owin.Because the login and logout functions are based onForm AuthenticationThird-party account access is difficult.
Owin(Open Web interface for. Net ):
Owin is a specification that defines the interaction between web servers and application components. This specification aims to develop a broad and dynamic Web server and Application Component ecosystem based on Microsoft. NET Framework.
Katana is an open-source owin framework mainly used for Microsoft. NET applications. Katana 2.0 will be released with Visual Studio 2013. The new version has two notable aspects:
- Provides core infrastructure components for self-hosting.
- Provides a rich set of authentication middleware (including social providers such as Facebook, Google, Twitter, and Microsoft account) and providers for Windows azure Active Directory, cookies, and Federated identity authentication.
More information reference http://owin.org/
Embracing ASP. NET identity
In view of the disadvantages of ASP. NET membership, Microsoft has developed a new security framework ASP. NET identity. ASP. NET identity has the following advantages:
Figure ASP. NET identity basic functions
Unified Framework
It can be easily integrated into various ASP. NET frameworks and programs. For example, ASP. net mvc, web forms, web pages, web API and signalr.
Custom User Information
You can easily expand user information. For example, add a user's birthday or age.
Flexible role management
The role provider in ASP. NET identity allows you to restrict access to a part of an application based on the role. You can easily create roles such as "admin" and add users to it.
Data Persistence and compatibility
By default, the ASP. NET identity system stores all data in the SQL Server database and usesEntity Framework code firstManage databases.
Of course, it also provides good support for other storage media. For example, Sharepoint, Windows azure storage table service, nosql database, and so on.
Unit Test Capability
ASP. NET identity enables web applications to perform better unit tests.
Owin Integration
ASP. NET authentication is based on owin middleware and can be used on any owin host. ASP. NET identity is not dependent on system. Web and fully compatible with the owin framework. It can be used in any application hosted by the owin.
Nuget package
ASP. NET identity is published as an nuget package and provided as part of the ASP. net mvc, web forms, and web API project templates in Visual Studio 2013. You can also download the nuget package from the nuget library.
This release method allows the ASP. NET team to better iterate to add new functions or fix bugs, and release the software to developers more quickly.
ASP. NET identity
Figure ASP. NET identity basic components
ASP. NET identity mainly includes the core function module, entityframework module, and owin module. The details are as follows:
Microsoft. ASPnet. Identity. Core
Core library, including the main features of identity.
Microsoft. ASPnet. Identity. entityframework
It mainly includes the implementation of EF in ASP. NET identity.
Microsoft. ASPnet. Identity. owin
ASP. NET identity supports owin.
Summary
This article first introduces some security mechanisms, then extends to ASP. NET membership, and finally emphasizes the advantages of ASP. NET identity. I believe this article will give you a basic understanding of ASP. NET identity. In the future, I will introduce how to expand ASP. NET identity to implement user and role management.
First recognized identity