The Function and Principle of Security Control in ASP.NET Applications

Source: Internet
Author: User
The job of a Web server is to respond to visitors in a friendly way. If a visitor submits data access requests in a legitimate capacity and according to the rules of the network service, the interaction proceeds logically. In practice it is not so simple. As with road traffic, where not every vehicle keeps to the prescribed route, there will always be some visits, even unintentional ones, that are irregular (illegal). Network application security is therefore particularly important.

Web applications provide services that can be reached from any computer in the world that can connect to the Internet. Data may be intercepted anywhere along the link path, and it is difficult to determine the location of the user. Irregular accesses affect the server to varying degrees: in mild cases the server responds with errors; in severe cases confidential information is leaked or the server is paralyzed. The latter is what we fear most. Imagine that records of customer credit card account information are stolen, or that an online security server is attacked and paralyzed. These dangerous illegal accesses all exploit vulnerabilities, whether in the network or in the Web application. Without strict security control the loss is often difficult to measure, but security control lets us reduce the chance of such incidents as far as possible. Web application security and network security are not the same thing, but both are critical. Here we mainly introduce the security control of Web applications in ASP.NET.

Any successful application security policy is based on solid authentication and authorization, together with secure communications that provide confidentiality and integrity for confidential data. To maintain the security control of Web applications, we generally use authentication techniques. Authentication is the process of identifying an application's client, where the client may be an end user, a service, a process, or a computer; an authenticated client is called a principal. Authentication can occur across multiple tiers of an application. The end user is initially authenticated by the Web application, typically based on a user name and password. The end user's request is then handled by the middle-tier application server and the database server, which also perform authentication before processing the request.

ASP.NET works together with the underlying security services provided by IIS, the .NET Framework, and the operating system to provide a range of authentication and authorization mechanisms. Figure 12.1 illustrates how these components work together to achieve security control.


Figure 12.1 ASP.NET Security Service System

As Web programmers, we are most concerned with the authentication and authorization stages of security control. ASP.NET has 4 authentication providers: Forms authentication (also known as form authentication), Windows authentication, Passport authentication, and no authentication (None). After authentication, ASP.NET checks whether impersonation (identity emulation) is enabled. If it is, the ASP.NET application can execute as the client, using the client's identity. Otherwise, the ASP.NET application runs under its own local identity (typically the local ASPNET account), as shown in the following illustration:


Figure 12.1 Authentication Process

In this chapter, we describe in detail Forms authentication and Windows authentication, the two providers most commonly used. Before studying these two kinds of authentication, we first need to understand the Web.config file.
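
As an added illustration (not part of the original article), the following minimal Web.config shows where the authentication provider, the authorization rules, and impersonation described above are selected. The page name `Login.aspx`, the `Admin` folder, and the `Administrators` role are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication provider. mode is one of the four values
         listed above: Windows | Forms | Passport | None. -->
    <authentication mode="Forms">
      <!-- Login.aspx is a hypothetical login page. protection="All"
           encrypts and validates the ticket cookie; requireSSL="true"
           keeps the cookie off plain HTTP, where it could be
           intercepted on the link path. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             path="/" />
    </authentication>

    <!-- Authorization runs after authentication. "?" means anonymous
         users, so unauthenticated requests are sent to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation switch checked after authentication.
         false: code runs under the application's own process identity
                (typically the local ASPNET account).
         true:  code runs under the identity of the client that IIS
                authenticated. Enable only when downstream resources
                must be accessed as the caller. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Stricter rule for a hypothetical Admin folder: rules are checked
       top to bottom, so members of the assumed Administrators role are
       allowed and everyone else is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```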
