Introduction and implementation of Single Sign-On in ASP.NET 2.0


In this article, Masoud discusses cross-application authentication in ASP.NET with a unified (single sign-on) authentication model, covering Membership Providers, web.config configuration, and encryption and decryption of the configuration file. At the end of the article, the author provides a sample application that authenticates users with the ASP.NET login controls.

By Masoud Tabatabaei:

Generally, when you implement authentication for an ASP.NET web application, you create a login page for each application. Now imagine that you have two or more associated web applications: you may want to present a single logon page for all of them, so that once a user has logged on, he can browse all the associated applications without any additional logon. Single Sign-On (SSO) is an access control mechanism that allows a user to access the resources of all the software systems after a single authentication.

Imagine that you have created two or more web sites on your server. Like any other web site, they use only the ASP.NET authentication mechanism to authenticate users, so you would normally need one or more logon pages for these sites. This article shows how to achieve cross-application login by changing your configuration. In other words, we want to configure a single login page for our applications, and once the user has been authenticated there, he can browse all the other sites without logging on again. In the appendix of this article you can also see how to encrypt your configuration file.

Introduction to single sign-on in ASP.NET 2.0: What is single sign-on, and how does it work?

Many companies have systems that use web sites or web applications as the presentation layer. Naturally, they need to implement authentication and authorization, either through the ASP.NET 2.0 Membership Provider and Role Provider or through a custom implementation. By default, each site has a "login.aspx" web form that checks whether the user's ID and password are valid in the database. When you have only one site, or the sites run independently, this is fine. But when you have two or more sites that are associated or linked together, you may ask: why must the user log on to each application separately? Why can't authentication be done with a single "login.aspx" that truly unifies all the related applications? Fortunately, in ASP.NET 2.0 you can use the same configuration to achieve cross-application access, whether the site is new or already exists.

In the ASP.NET configuration file (web.config), inside <system.web>, there is a section named <machineKey>. It holds the keys used to encrypt and decrypt forms authentication cookie data (so that the forms authentication cookie can be read) and view-state data, and it is also used to validate out-of-process session state identifiers. Therefore, once a user has been authenticated and a cookie has been saved on the local computer, any other application with the same <machineKey> configuration can recognize that cookie as a valid authentication ticket, and a second login is no longer required in those applications.
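To make the shared-key rule concrete, here is an added Python model of the acceptance decision; it is not the article's code and not the System.Web implementation. It assumes a ticket format of its own, signs the ticket with HMAC-SHA1 using the validationKey from Listing 1, leaves out the decryptionKey encryption step, and uses constructed key and timestamp values. The second site accepts the first site's ticket only when it holds the same key; a different key, a tampered ticket, an expired ticket and a malformed cookie are all rejected.

```python
import hashlib
import hmac

# Simplified model, written for this article, of how a site decides whether a
# forms authentication cookie holds a valid ticket: the issuing site signs the
# ticket with its validationKey (HMAC-SHA1 for validation="SHA1"), and any site
# accepts only tickets whose signature it can reproduce with its own key.
# This is NOT the System.Web wire format, and the decryptionKey encryption step
# is omitted; the point is the shared-key acceptance rule.

# The validationKey from the article's Listing 1 (64 bytes, hex-encoded).
KEY_SHARED = bytes.fromhex(
    "282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF"
    "21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
)
# A constructed stand-in for another site's own (auto-generated) key.
KEY_OTHER = hashlib.sha256(b"constructed per-application key").digest() * 2


def issue_ticket(validation_key: bytes, user: str, issued: int, lifetime_s: int) -> str:
    """The site that shows Login.aspx signs a ticket and returns the cookie value."""
    payload = f"{user}|{issued}|{issued + lifetime_s}".encode()
    mac = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
    return payload.hex() + "." + mac


def validate_ticket(validation_key: bytes, cookie: str, now: int):
    """A site checks the cookie with *its* validationKey.

    Returns the user name for a valid ticket, or None when the cookie is
    malformed, the signature does not verify, or the ticket has expired.
    """
    try:
        payload_hex, mac = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(validation_key, payload, hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return None
    except (ValueError, TypeError):
        return None
    user, _issued, expires = payload.decode().split("|")
    if now >= int(expires):
        return None
    return user


def sso_demo() -> dict:
    """Aspalliance1 issues a ticket; each case shows whether a second site accepts it."""
    now = 1_700_000_000  # constructed issue time
    cookie = issue_ticket(KEY_SHARED, "Admin", now, 1800)
    # Same-length user name swapped into the payload without re-signing.
    tampered = "Guest".encode().hex() + cookie[len("Admin".encode().hex()):]
    return {
        "same_machineKey": validate_ticket(KEY_SHARED, cookie, now + 60),
        "different_machineKey": validate_ticket(KEY_OTHER, cookie, now + 60),
        "tampered_user": validate_ticket(KEY_SHARED, tampered, now + 60),
        "expired": validate_ticket(KEY_SHARED, cookie, now + 1800),
        "malformed": validate_ticket(KEY_SHARED, "not-a-ticket", now + 60),
    }


if __name__ == "__main__":
    for case, result in sso_demo().items():
        print(f"{case:22s} -> {'accepted as ' + result if result else 'rejected'}")
```

The same rule is why a machineKey of AutoGenerate,IsolateApps breaks single sign-on: each application then validates with a key of its own, and every other site's tickets fail exactly like the different_machineKey case.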

Because the <machineKey> information is sensitive, you need to encrypt it in the configuration file. To do this, I will use the Configuration class and its methods, together with the SectionInformation class, which contains the metadata of a single configuration section. The ProtectSection() method of this class encrypts (protects) a configuration section of your configuration file.

Single Sign-On configuration in ASP.NET 2.0: system requirements

· A web server running on Windows 2000 or later

· .NET Framework 2.0

· Visual Studio 2005

· Microsoft SQL Server 2005 Express Edition

Now let's look at what happens in our project. I have a site (Aspalliance1) that contains a logon page, "Login.aspx", which you use to authenticate. The site also has a page called "Default.aspx", which has a header, some text, and a link to the Aspalliance2 site. You will see that once a user has logged on, he can navigate to the other site without a second login. There is also a page, "Encryption.aspx", with two buttons, Encryption and Decryption, for encrypting and decrypting the configuration file.

As I said before, you can achieve cross-application access with a small change in your web configuration file. In web.config there is a configuration section named <system.web>. We will give <system.web> the same configuration in both sites, simply by placing the <machineKey> section with the same values inside it. <machineKey> has a few attributes that I will configure. The validation attribute specifies the algorithm used for validation. validationKey defines the key used to validate the data, and decryptionKey defines the key used to encrypt and decrypt the data (or how that key is to be generated).

Listing 1: Configuring machineKey in web.config

    <machineKey
      validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
      decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"
      validation="SHA1"/>

This sample is shown unencrypted and must not be published to the server in this form: for security, it is very important that the <machineKey> published to the server is encrypted. You can see the encrypted <machineKey> in Listing 2.

Listing 2: Encrypted machineKey in web.config

    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>
    lm3mfPX/94Zm3HgdbsmKiIxbrWM14t3/ugxs40BFOAHbIaCtwQ3gVQusFtOFVUoNVny01kgBCeh10rVEId
    djNZ/8luBNoCbHm8OLjgPLHVrT+G0c/LRpESJk2ni/Jy2sWKXlgejgSQ1W5NE53GZtG3s9hu+nk4OWxntS
    6z3v7AM=
              </CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>
    BCEGUV/dh1Imbcm5vn0Kn8NrD+EX+KemenR7x+VekwT1ZO6y5+jRyF4RDWMJCfJ1jHC36+MAfCdHuXN0rP
    B6hu5YUtX9VA5q5N0NGrs9AIpG+0ihuuS3HDzQe3P6nlI30m1h0pmL1yJBovY0i6fbCA6++GT2MdwCLERk
    +PVWmoq7p1q97n5pNzNqhVKCX45lhS5ySVS+MjJXVeTrcatftpvaUcjLsNcL2kMerzf5w/SU3AbLEuY04w
    dgYWX5tWzxqeUcghdlWLD0tQi8qyyfVfzXPYozR5sspWHdgqmAycrACHN2dcONWPjT4BanRWb1ouKuP8K+
    0CEFE/Hj2ChpYw==
          </CipherValue>
        </CipherData>
      </EncryptedData>
    </machineKey>

You can encrypt your configuration files through the Configuration and SectionInformation classes. To encrypt and decrypt the <machineKey>, let's write some code. The SectionInformation class has a method ProtectSection(). It takes a string naming the protection provider, such as "RsaProtectedConfigurationProvider", and encrypts the configuration section. There is also a Boolean property, ForceSave, which must be set to true so that the Save method of the Configuration class writes the section to the configuration file. The code-behind of the "Encryption.aspx" page contains two buttons to encrypt and decrypt the configuration file.

Listing 3: Web configuration file encryption code

    // At the top of the code-behind file:
    using System;
    using System.Configuration;
    using System.Web.Configuration;

    protected void btnEncrypt_Click(object sender, EventArgs e)
    {
      try
      {
        // Open the web.config of the Aspalliance1 application by its virtual path
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection("system.web/machineKey");
        // Encrypt the section with the RSA provider; the process identity needs
        // access to the provider's RSA key container
        machineKeySection.SectionInformation.ProtectSection("RSAProtectedConfigurationProvider");
        // Force the section to be written back even though its values did not change
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();
        Response.Write("<h2 style='color:red'>Encryption Succeed</h2>");
      }
      catch (Exception ex)
      {
        Response.Write("<h2 style='color:red'>Error while encrypting</h2><br/>");
        Response.Write(ex.Message);
      }
    }

Listing 4: Web configuration file decryption code

    // Same using directives as Listing 3
    protected void btnDecrypt_Click(object sender, EventArgs e)
    {
      try
      {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection("system.web/machineKey");
        // Decrypt the section using the provider recorded in configProtectionProvider
        machineKeySection.SectionInformation.UnprotectSection();
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();
        Response.Write("<h2 style='color:red'>Decryption Succeed</h2>");
      }
      catch (Exception ex)
      {
        Response.Write("<h2 style='color:red'>Error while decrypting</h2><br/>");
        Response.Write(ex.Message);
      }
    }

Now you must configure the second site (Aspalliance2) to match. First, change the loginUrl in its forms authentication section. Normally this setting redirects anonymous users to the site's own "Login.aspx" page; now it will redirect them to the "Login.aspx" page of the Aspalliance1 site.

Listing 5: Setting the authentication section in web.config

    <authentication mode="Forms">
      <forms loginUrl="http://localhost/Aspalliance1/login.aspx" name=".ASPXAUTH"/>
    </authentication>

If you want cross-application login across several of your sites, the most important point is that all of them must be configured with the same <machineKey>. Therefore I only need to copy the <machineKey> configuration section from the Aspalliance1 site and paste it into the Aspalliance2 site. Now you are ready to test your web sites.

Listing 6: Setting machineKey in web.config

    <machineKey
      validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"
      decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"
      validation="SHA1"/>
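As an added check (not part of the article or its sample project), the following Python script reads two web.config files, compares the <machineKey> and <forms> settings that Listings 5 and 6 must keep in step, and reports what would break single sign-on. The web.config fragments are constructed here from the article's listings; the per-application AutoGenerate value and the encrypted variant are constructed cases for the checker to flag.

```python
import xml.etree.ElementTree as ET

# Added checker for this article (not the project's code): reads two
# web.config files and reports anything that would stop the second site from
# accepting the first site's forms authentication cookie.

# Constructed sample <machineKey> variants, the first built from Listing 1/6.
SHARED_MACHINE_KEY = (
    '<machineKey validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF'
    '21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141"'
    ' decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099" validation="SHA1"/>'
)
AUTOGEN_MACHINE_KEY = ('<machineKey validationKey="AutoGenerate,IsolateApps"'
                       ' decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>')
PROTECTED_MACHINE_KEY = ('<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">'
                         '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"/></machineKey>')


def web_config(login_url: str, machine_key_xml: str) -> str:
    """Build a minimal constructed web.config around the given settings."""
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="{login_url}" name=".ASPXAUTH"/>
    </authentication>
    {machine_key_xml}
  </system.web>
</configuration>"""


SITE1 = web_config("login.aspx", SHARED_MACHINE_KEY)
SITE2 = web_config("http://localhost/Aspalliance1/login.aspx", SHARED_MACHINE_KEY)
SITE2_AUTOGEN = web_config("http://localhost/Aspalliance1/login.aspx", AUTOGEN_MACHINE_KEY)
SITE2_PROTECTED = web_config("http://localhost/Aspalliance1/login.aspx", PROTECTED_MACHINE_KEY)


def _child(elem, tag):
    """Direct child lookup by tag name (no path syntax, so 'system.web' is safe)."""
    if elem is not None:
        for c in elem:
            if c.tag == tag:
                return c
    return None


def read_sso_settings(web_config_xml: str) -> dict:
    """Extract the settings that matter for cross-application forms authentication."""
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    mk = _child(system_web, "machineKey")
    auth = _child(system_web, "authentication")
    forms = _child(auth, "forms")
    return {
        "mode": auth.get("mode") if auth is not None else None,
        "machineKey": dict(mk.attrib) if mk is not None else None,
        "protected": mk is not None and "configProtectionProvider" in mk.attrib,
        # ASP.NET defaults when the attribute is absent
        "cookie_name": forms.get("name", ".ASPXAUTH") if forms is not None else ".ASPXAUTH",
        "loginUrl": forms.get("loginUrl", "login.aspx") if forms is not None else "login.aspx",
    }


def _is_hex(value: str) -> bool:
    return len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value)


def check_sso_pair(config_a: str, config_b: str) -> list:
    """Return findings for two sites; an empty list means the pair is consistent."""
    a, b = read_sso_settings(config_a), read_sso_settings(config_b)
    findings = []
    for label, s in (("A", a), ("B", b)):
        if s["mode"] != "Forms":
            findings.append(f"{label}: authentication mode is {s['mode']!r}, expected 'Forms'")
        if s["machineKey"] is None:
            findings.append(f"{label}: no <machineKey> in <system.web>, so keys are auto-generated per application")
            continue
        if s["protected"]:
            findings.append(f"{label}: <machineKey> is encrypted ({s['machineKey']['configProtectionProvider']}); compare an unprotected copy")
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = s["machineKey"].get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                findings.append(f"{label}: {attr}={value!r} is generated per application, which defeats SSO")
            elif not _is_hex(value):
                findings.append(f"{label}: {attr} is not an even-length hex string")
    comparable = all(s["machineKey"] is not None and not s["protected"] for s in (a, b))
    if comparable:
        for attr in ("validationKey", "decryptionKey", "validation", "decryption"):
            if a["machineKey"].get(attr) != b["machineKey"].get(attr):
                findings.append(f"machineKey {attr} differs between A and B")
    if a["cookie_name"] != b["cookie_name"]:
        findings.append(f"forms cookie name differs ({a['cookie_name']!r} vs {b['cookie_name']!r})")
    return findings


if __name__ == "__main__":
    for name, other in (("SITE2", SITE2), ("SITE2_AUTOGEN", SITE2_AUTOGEN), ("SITE2_PROTECTED", SITE2_PROTECTED)):
        print(name, check_sso_pair(SITE1, other) or "consistent")
```

Run it against the real web.config files of the two sites before publishing. Because the browser must present the same cookie to both sites, the forms cookie name is compared as well; the two sites in this article share the localhost host name, so the cookie's default scope already covers both. Once <machineKey> has been protected with ProtectSection(), the checker can no longer compare the keys, so compare before encrypting or compare decrypted copies.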

[Download]

To test the site, log on with the username Admin and the password 123456.

The attachment contains a VS 2005 solution with two sites: aspalliance1 and aspalliance2.

To install this sample, create two IIS virtual directories named aspalliance1 and aspalliance2 and point each at the corresponding folder. You can also open the sites through Visual Studio 2005.

It is troublesome for a user to log on to multiple sites, so it would be much better to log on only once. To achieve this, you only need to add a <machineKey> configuration with the same values to each site's "web.config" file. For security, I suggest you encrypt this configuration section; the encryption is done through the ProtectSection() method of the SectionInformation class. This article has shown how to implement single sign-on in ASP.NET 2.0.
