Seven authentication methods and solutions for ASP. NET

Seven authentication methods and solutions for ASP. NET

In B/S system development, "authentication" is often required ". Because web applications are very special, unlike traditional C/S programs, no authentication and permission control methods are used by default ), when your application is made public on the Internet/LAN, anyone can access the resources of your web application, which makes it difficult to ensure application security. In general: For most internal systems and business support platforms, users must log on. Otherwise, they cannot access or operate any pages. For Internet websites), there are some differences, because most of the pages and information of websites are open to the outside, only operations involving personal information of registered users are involved, or the background management of the website. If you do not perform strict verification, the consequences will be very serious. Once you guess the Page name under your web directory, you can access it at will. Of course, General developers do not make such low-IQ mistakes ).

How to Implement "authentication"

I remember that when I first came into contact with Servlet + JSP development N years ago, there was something called "Filter". It was amazing. With this magical thing, I no longer need to judge what "session" or "cookie" is on every page, so that I can bring up a non-logged-on user to the pop-up horizontally to be limited ). Of course, in traditional webform development, you can also write a "BasePage chicken ribs" to make judgments in this class, so that the corresponding classes on each page can implement this "chicken ribs ", I think many companies have done this before.

In asp.net, Microsoft actually provides a complete set of mechanisms to implement "member role management ". Including: "Logon control", "membership", and "personalized Database. However, most developers never use this. For example, I used Microsoft's asp.net in year 34, and I have never seen a "Login control ). There are three types of authentication in asp.net. Because some authentication methods depend on IIS and windows operating systems, there are still some differences between different versions of operating systems and IIS. Because I am currently using the windows 7 operating system, take IIS 7.5 as an example.

Start IIS and double-click "authentication" on the right side. All authentication methods supported by IIS are displayed, in "security", I checked all ). We can see that

It can be roughly divided into the following types:

1. The client certificate of the Active Directory is likely to be charged). It is not commonly used and is not detailed.

2. ASP. NET simulation MSDN: If you want to run ASP. NET Applications in non-default security context of ASP. NET applications, use ASP. NET simulation .), I don't understand what robots say.

3. Form authentication: This is used in many cases and will be detailed later.

4. windows Authentication: the authentication is based on the identity of a windows operating system user or a domain user.

5. Basic Identity Authentication: it is also based on windows operating system account authentication.

6. Anonymous Authentication: anyone can access the service by specifying a user account for a specific windows system.

7. Digest authentication: Use the Windows Domain Controller to authenticate the user requesting access to the Web server content.

Let's take a look at the Classic IIS 6:

Note:. NET Passport can be understood as Microsoft's "Single Sign-on" Implementation solution, which is not described here. For more information, see http://baike.baidu.com/view/1110818.htm. As a web programmer, if you have never heard of "single sign-on ", please purchase a dynamic ticket to Fuzhou on your own.

First, Test Basic Authentication on IIS 7:

First, disable all other authentication methods, and then only enable "Basic Authentication ". There is a picture with the truth:

Open IE, FireFox, chrome, and other browsers, type localhost, and wait for the default website on IIS to be opened. You will find that the prompt box information is displayed on the browser side, and the style and format of the pop-up box on different browsers are also different. I have not used IE for a long time. I found that the old hooligans of 360 have changed my brother's homepage and are also known as "secure Internet access". This is obviously a tampering. Do not understand .)

In FireFox:

If you enter the correct windows account and password in the pop-up box, you can view the requested webpage normally. If you do not lose or lose an error, you will be able to wait for 401 error 401. You know ).

"If SSL is not enabled for the website, it will be in plain text via cables...". What the robot said sounds awkward. Here, I will explain it.

When you do not spend money to buy an SSL Certificate for the Secure Sockets Layer, you can simply understand that normal http requests are transmitted in plain text. After using SSL, You can automatically Encrypt http packets, even if someone intercepts it on the Internet, it cannot be decrypted. When we occasionally visit some websites, the "https://www.xxx.com" we see is most likely a form based on an SSL certificate ). As for "in plaintext via cable... ", in fact, this sentence is very wrong. First of all, the cable is only a transmission medium, which only transmits electric pulses, optical signals, and so on, rather than network protocols that have been known to any computer networks ). It is not correct to say that "the form is in plain text". In fact, "basic identity authentication" uses Base64 encoding for the user name and password. Interested readers, you can use tools such as httpwatch or Fiddler to monitor http requests. I will not describe them here. It is only because Base 64 encoding is very easy to decode, so there is no difference with plain text. In this way, you will find that there are many insecure factors in the "basic identity authentication" method.

Test windows authentication on IIS 7:

Similar to the previous basic authentication, I will not demonstrate it any more. If you enter the correct windows user name and password, you can access the website normally. If the input is incorrect, the basic authentication before 401.1 is returned ). It is worth mentioning that a previously-mentioned asp.net MVP once told me that windows authentication can only be accessed by users in IE browsers. In this case, it is not in the form of http message transmission, but the browser Directly Interacts with the operating system to verify the user name and password. It has been confirmed that the last half of this sentence is correct, and the http entity content cannot be monitored. But it is not limited to IE browser, and I can access and use it normally in firefox.

Anonymous Authentication:

The so-called anonymous identity authentication can be understood as "not verified ". That is, anonymous users can access resources without any restrictions. Generally, anonymous authentication must be enabled for our website to integrate windows authentication. It is not difficult to find that in fact, anonymous identity authentication is also verified by a specific user in the windows user group ,:

Last, Form authentication:

The authentication methods mentioned above are not directly related to asp.net. They are both IIS and OS-level authentication methods. Form authentication requires the support of asp.net. Generally, website authentication and member management are complex, rather than simply implementing a verification method. For most Internet websites, users can access some pages, but some pages must be logged on before they can access and operate. In addition, different user roles log on with different operation permissions. This involves many aspects of knowledge, and there are also many implementation methods.

Due to space limitations and time constraints, we are here today. In the future, I will describe in detail about Form authentication, member management, and permission management.

This article from http://www.cnblogs.com/dinglang.