ASP. NET security question-ASP. NET security architecture

ASP. NET Security Architecture

Preface: Part 1ArticleAfter talking about a lot of theoretical things, I decided to skip some theoretical explanations and look at ASP first. net Security Architecture. I will talk about the theoretical knowledge in the next article, so that it may be better. In addition, this article focuses on the interpretation of many common concepts. I believe you will have some gains after reading them.
 

Links to articles:

ASP. NET development security issues

ASP. NET security issues-creating secure Web Applications

ASP. NET security question-ASP. NET security architecture

ASP. NET security question -- ASP. Net Security Architecture -- How to Implement. Net Security

ASP. Net Security Question-Authentication and Identity Authentication Module in ASP. NET lifecycle

ASP. NET security question-detailed introduction to Forms authentication (Part 1)

ASP. NET security question-froms verification details (Part 1)

ASP. NET security questions-Forms authentication (later)-Practice

ASP. Net Security Question -- authorization question in ASP. NET (previous article)

In the development of WebProgram, We can choose to use our own methods to achieve security policies, or purchase third-party securityCodeAnd products, in any case, are very costly. Fortunately, the. NET Framework has a built-in security solution.
ASP. NET and. NET Framework work with IIS to provide a basic structure for Web Application Security. One of its obvious advantages is that we don't have to write our own security architecture, and we can use it. net Security Architecture built-in features, and the entire security architecture is tested and tested by time.

. Net security architecture includes many classes, which are used to process identity authentication, authorization, role-based authorization, counterfeit (impersonation), and secure code access, it also contains a basic architecture for building a custom solution.
 
This article focuses on the following topics:
Main functions of ASP. NET Security Architecture
Authentication and authorization
Identity and subject in security context
Run the Authentication Module
Authorization module operation

next:
Asp. net Security
Asp. net security architecture is divided into several key security processes: identity authentication, authorization, counterfeiting, encryption provides the necessary functions. For more information, see
authentication -- specifies who visits our site again
authorization ---- who can operate and access resources? Is the user accessing the website authorized to use the requested resources?
counterfeit -What role are you going to impersonate? (Note: counterfeiting is not a derogatory term. It is not often said that counterfeit goods are counterfeited because different user roles have different permissions. If our current users cannot access a specific resource, we can impersonate users who want to access specific resources. Specifically, we can simulate users who have access to specific resources. In short, user a wants to access resources C, but has no permission, but user B can access, so a and B discuss, a will access with B's identity. For more information, see

next let's take a look at each security process:
1. identity Authentication
Identity Authentication reveals the user identity (note: the concept of identity is what we will talk about right away, in short, the user ID and name) and identify the authenticity of the process. Well understood. For example (note some terms in this example): We want to attend a meeting, we will obtain some of our creden。 (indicating our identity) provided by the registration. Once the identity is confirmed, we will get the meeting pass and we will be able to bring the pass to the meeting. In addition, everyone in the meeting can learn some information about us through our pass, such as our name and company. Authentication is: Once the identity is identified, we will get a token that can recognize us. Therefore, in another specific area, no matter where we are, our logo can be identified.

In ASP. NET, there are 4 authentication modes:
Windows Authentication)

Form Authentication)

Passpot Authentication)

Custom Authentication

For each authentication method, you must provide creden during logon. Once the identity is verified, the user will receive an authentication token. In forms authentication, the entire token is formsauthenticationticket, and the entire token is placed in the cookie. Each time a resource is requested, the token will provide the user's identification information.

2. Authorization
Let's look at the example of the previous Meeting. authorization is to show what we can do. After entering the conference hall, we found that there were many different conferences, expert-level, General-level, and different people attended different levels of meetings. In addition, some people can visit the whole conference hall, but some people can only visit the exhibition hall. This is caused by different permissions.

therefore, authorization is to approve or deny access to the requested resources based on our identification information. Note that role-based authorization is commonly used to divide users into groups and then assign different roles to each group.
counterfeit
counterfeit code is executed in the context of other user IDs. By default, all ASP. net code is executed under the domain/ASPnet user account. We should use other identifiers to execute code and counterfeit other identifiers. net security architecture. It allows us to specify the user account for code execution, such as a user account different from domain/ASPnet. You can use the authentication feature in ASP. NET to authenticate users, or use standard Windows authentication to authenticate users.

Then we can use our creden。 or pre-defined user accounts that execute code to set fake accounts.
 
Counterfeiting also allows us not to use ASP. NET provides identity authentication and authorization: We can use user accounts and their related permissions to support authentication and authorization for Windows and IIS management.

Counterfeiting is usually used to provide access control, such as authorization. An application can access any resources that its spoofed users can access. For example, by default, domain/ASPNET users cannot perform read/write operations on the file system, so this user account cannot execute transactions in Enterprise Services. However, with counterfeiting, users can do this by impersonating a specific Windows account, because this account has this permission. Therefore, we can ensure that some users can perform read and write operations on the file system, while others only perform read operations.

Now let's take a look at how to use authentication, authorization, and counterfeiting in web programs.

When users access the web site for the first time, they are anonymous users and we do not know their identity. Unless they are authenticated, we still do not know their identity in the future. When a user requests a non-secure resource, they can automatically access the resource (this is the definition of a non-secure resource)

when a user requests secure protected resources, perform the following steps:
1. the request is sent to the Web server. Because the user ID is still confirmed, the user is redirected to the logon page.
2. the user provides creden, And the creden. are verified and reviewed for identity authentication.
3. if the user credential is valid, you can access the resource. Otherwise, you cannot.

when a user requests a secure resource but has specific permissions, the following steps are performed:
1. the request is sent to the Web server. Because the user ID is still confirmed, the user is redirected to the logon page.
2. the user provides creden, And the creden. are verified and reviewed for identity authentication.
3. compare the user's creden or roles with the authorized users or roles. If the user is in the list, the user is allowed to access the resource. Otherwise, the user is rejected.
if counterfeiting is enabled, both of the following scenarios may occur. By default, counterfeiting is prohibited. You can modify the configuration file to add the element enabled:

In <identity>, set impersonate to true, and set username and password to the user account to be counterfeited. If the counterfeit feature is enabled, the authenticated credential is the credential of the counterfeit user identity, rather than the submitted credential. These two creden may be the same. Note that the counterfeit credential is accessed by an existing user on the Web server, such as an iuser.
 
I will come here today. It is too long to write, and everyone will not look tired. Next I will explain how to implement security in. NET and talk about iprincipan and identity.

 

Note: The source must be indicated after reprinting!