Preface
In B/S (browser/server) development, "authentication" is almost always required. Web applications differ from traditional C/S programs in one important way: by default, with no authentication or access control in place, anyone who can reach your application over the Internet or the LAN can request any of its resources, which makes it hard to keep the application secure. As a rule: for most internal systems and business support platforms, users must log on, otherwise they cannot view or operate any page. Internet-facing sites are a little different, because most of their pages and content are meant to be public; only operations that touch a registered user's personal data, or the site's back-end administration, need to be protected. (If that protection is not checked strictly on the server, the consequences are serious: once someone guesses the name of a page under your web directory, they can call it at will. Of course, most developers do not make such an elementary mistake.)
How to Implement "authentication"
I remember that when I first came into contact with Servlet + JSP development N years ago, there was something called a "Filter", which seemed magical. With it I no longer had to check the "session" or "cookie" on every page; a single filter could intercept a user who was not logged on (this is what a "horizontal" implementation looks like: one check applied across all pages). In traditional WebForms development you can get the same effect by writing a "BasePage" base class that performs the check, and having the code-behind class of every page inherit from it; I think many companies have done exactly this.
In ASP.NET, Microsoft actually ships a complete mechanism for "membership and role management": the Login controls, the Membership and Role providers, and the personalization (Profile) database. Most developers never use it (for example, I have used Microsoft's ASP.NET for three or four years and have never seen what the "Login control" looks like). ASP.NET itself knows only a few authentication modes (Windows, Forms, Passport and None in web.config), but because some of them depend on IIS and the Windows operating system, the details differ between operating system and IIS versions. I am currently on Windows 7, so I will use IIS 7.5 as the example.
Open IIS Manager, select the site and double-click "Authentication" in the right-hand pane. It lists every authentication method that is installed (under Windows Features, IIS, "Security", I enabled all of them). Roughly, they fall into the following types:
1. Active Directory Client Certificate Authentication: maps client certificates to Active Directory accounts. Certificates usually cost money, so this is uncommon and is not described further.
2. ASP.NET Impersonation (MSDN, roughly: use ASP.NET impersonation to run an ASP.NET application in a security context other than the default one, i.e. under the authenticated user's account or a configured account instead of the application pool identity). The machine-translated MSDN text is not easy to follow.
3. Forms Authentication: used in most public sites; covered in more detail later.
4. Windows Authentication: authenticates against a Windows local account or a domain account (Kerberos or NTLM, negotiated by the browser and IIS).
5. Basic Authentication: also checks a Windows account, but the browser sends the user name and password in a header.
6. Anonymous Authentication: anyone can access the site; IIS performs the request under a specific Windows account (IUSR by default on IIS 7).
7. Digest Authentication: uses a Windows domain controller to authenticate users who request content on the web server; unlike Basic, the client sends an MD5 hash of the credentials combined with a server nonce rather than the password itself.
Let's take a look at the Classic IIS 6:
Note: .NET Passport can be understood as Microsoft's "single sign-on" solution and is not described here. If you are a web programmer and have never heard of "single sign-on", please buy yourself a high-speed rail ticket to Fuzhou.
First, testing Basic Authentication on IIS 7:
Disable all the other authentication methods and enable only "Basic Authentication". Screenshot:
Open IE, Firefox, Chrome or any other browser, type localhost and wait for the default website on IIS to load. You will see a credentials prompt appear on the browser side; the style and layout of the pop-up differ between browsers. (I have not needed Internet Explorer for a long time. I found that the 360 "secure browser" had replaced my brother's home page and called it "secure Internet access", which is plainly tampering. I do not understand it.)
In FireFox:
If you enter the correct Windows account and password in the pop-up box, the requested page is shown normally. If you cancel, or enter the wrong credentials, you get a 401 error (401, you know).
MSDN warns: "If SSL is not enabled for the website, the credentials are sent across the wire in clear text." The machine-translated wording sounds awkward, so let me explain it.
When a site has no SSL certificate (Secure Sockets Layer), you can simply think of an ordinary http request as being transmitted in plain text. With SSL the http traffic is encrypted, so even if someone intercepts it on the network they cannot read it; the "https://www.xxx.com" addresses you see on some sites are almost always SSL with a certificate. As for "in clear text across the wire": the phrase is actually accurate, and it does not matter that the cable itself only carries electrical or optical signals; the point is that the bytes of the HTTP request are readable by anyone on the path. Strictly speaking, "Basic authentication" does not send the user name and password literally: it Base64-encodes "username:password" and sends the result in the Authorization header (interested readers can watch the request with a tool such as HttpWatch or Fiddler). But Base64 is an encoding, not encryption; it is decoded in one line, so there is no practical difference from plain text. Worse, the browser re-sends the same header with every subsequent request to that realm, so one captured request gives away the Windows account password for good. You can see that "basic authentication" without SSL has serious weaknesses.
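The exchange described above, as an added example that is not part of the original post: the 401 challenge IIS sends, the Authorization header the browser answers with, what an observer with Fiddler recovers from that header, and the server-side check. The account name, password and realm are constructed for the demo; IIS itself checks against Windows accounts, not a dictionary.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed credential store standing in for the Windows account database.
# Hypothetical user name and password, not taken from the article.
ACCOUNTS = {"alice": "S3cret!Pass"}
REALM = "localhost"


def challenge() -> Tuple[int, dict]:
    """What IIS sends when Basic is the only enabled scheme and the request
    carried no Authorization header. The WWW-Authenticate header is what
    makes the browser show its user/password dialog."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def build_authorization(username: str, password: str) -> str:
    """The header the browser sends back: Base64 of "user:password".
    Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_authorization(header: str) -> Optional[Tuple[str, str]]:
    """What an on-path observer (or a proxy such as Fiddler) does with the
    header. Returns (username, password), or None if it is not Basic."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', the password may, so split once.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: Optional[str]) -> int:
    """Server side: 401 with a challenge when no credentials were sent,
    401 again on a bad pair, 200 on a match. The comparison is constant-time
    so a wrong password is not distinguishable by how fast it is rejected."""
    if header is None:
        return challenge()[0]
    creds = decode_authorization(header)
    if creds is None:
        return 401
    username, password = creds
    expected = ACCOUNTS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401
    return 200


if __name__ == "__main__":
    hdr = build_authorization("alice", "S3cret!Pass")
    print("browser sends:     Authorization:", hdr)
    print("observer recovers: ", decode_authorization(hdr))
    print("server status:     ", authenticate(hdr))
```

Run it and paste the printed Authorization header into any Base64 decoder: the password comes straight back. That is exactly what a Fiddler session of an http Basic-authenticated site shows.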
Testing Windows Authentication on IIS 7:
This works much like the Basic test above, so I will not demonstrate it again. Enter a correct Windows user name and password and the site opens normally; enter the wrong ones and IIS returns 401.1 (the Basic test above returned 401.2). One thing worth mentioning: an ASP.NET MVP I know once told me that Windows authentication only works in Internet Explorer, because the credentials are not carried in HTTP messages at all; the browser talks directly to the operating system to verify the user name and password. The second half is only partly right. The browser does obtain its token from the operating system (the NTLM or Kerberos handshake is done through Windows, and the password itself is never put on the wire), but the handshake still travels over HTTP: IIS answers with WWW-Authenticate: Negotiate (or NTLM) and the browser replies with Authorization headers carrying the NTLM or Kerberos messages. A proxy such as Fiddler does show those headers; what you will not find in them is the password, only a challenge and a response derived from it. And it is not limited to IE: I can log on and use the site normally in Firefox as well.
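To make the difference between the two schemes concrete, here is an added example (not from the original post) that inspects captured Authorization headers the way you would after a Fiddler session: for Basic it recovers the password, for the three NTLM legs it recovers only the message type, the server challenge and the user/domain names. The headers are constructed in the script; the Type 3 message uses a dummy 24-byte NT response in place of a real NTLMv2 response, and the domain "CORP", user "alice" and workstation "WIN7" are hypothetical.

```python
import base64
import struct
from typing import Any, Dict, List

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set


def _security_buffer(msg: bytes, offset: int) -> bytes:
    """NTLM 'security buffer': length(2) maxlen(2) offset(4), little-endian,
    pointing at the field's bytes in the payload area of the message."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    return msg[start:start + length]


def inspect_authorization(header: str) -> Dict[str, Any]:
    """What an on-path observer learns from one Authorization header."""
    scheme, _, token = header.partition(" ")
    scheme = scheme.lower()
    raw = base64.b64decode(token)
    if scheme == "basic":
        user, _, password = raw.decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme in ("ntlm", "negotiate") and raw.startswith(NTLMSSP_SIGNATURE):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info: Dict[str, Any] = {"scheme": "NTLM", "type": msg_type, "password": None}
        if msg_type == 1:
            info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        elif msg_type == 2:
            info["server_challenge"] = raw[24:32].hex()
        elif msg_type == 3:
            flags = struct.unpack_from("<I", raw, 60)[0]
            enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
            info["domain"] = _security_buffer(raw, 28).decode(enc)
            info["user"] = _security_buffer(raw, 36).decode(enc)
            info["nt_response_len"] = len(_security_buffer(raw, 20))
        return info
    return {"scheme": scheme, "password": None}


def encode_header(scheme: str, msg: bytes) -> str:
    return f"{scheme} {base64.b64encode(msg).decode('ascii')}"


def build_type1() -> bytes:
    """Minimal NEGOTIATE_MESSAGE: signature, type, flags, empty domain and
    workstation buffers (constructed flags value)."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xA2088207) + b"\x00" * 16


def build_type2(challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE (48-byte header): the 8-byte server
    challenge sits at offset 24, the target name in the payload."""
    target = "CORP".encode("utf-16-le")
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), 48)
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
            + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(target))
            + target)


def build_type3(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE (64-byte header, v1 layout). The NT
    response is passed in; here the caller supplies a dummy value because
    the point is what the wire shows, not how NTLMv2 is computed."""
    payload = b""

    def add(data: bytes) -> bytes:
        nonlocal payload
        start = 64 + len(payload)
        payload += data
        return struct.pack("<HHI", len(data), len(data), start)

    lm = add(b"\x00" * 24)  # LM response, unused placeholder
    nt = add(nt_response)
    dom = add(domain.encode("utf-16-le"))
    usr = add(user.encode("utf-16-le"))
    ws = add(workstation.encode("utf-16-le"))
    sk = add(b"")  # encrypted session key, absent here
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + lm + nt + dom + usr + ws + sk
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


def sample_exchange() -> List[Dict[str, Any]]:
    """Constructed headers: one Basic request and the three NTLM legs."""
    challenge = bytes.fromhex("0123456789abcdef")  # constructed server nonce
    headers = [
        "Basic YWxpY2U6UzNjcmV0IVBhc3M=",  # alice:S3cret!Pass, constructed
        encode_header("NTLM", build_type1()),
        encode_header("NTLM", build_type2(challenge)),
        encode_header("NTLM", build_type3("CORP", "alice", "WIN7", b"\x11" * 24)),
    ]
    return [inspect_authorization(h) for h in headers]


if __name__ == "__main__":
    for info in sample_exchange():
        print(info)
```

The Basic line yields the password outright; the three NTLM lines yield the negotiation flags, the server's challenge, and the domain and user name with a 24-byte response, which is what a capture of Windows authentication over plain http looks like. The user name is still disclosed, and the challenge/response pair is material for offline cracking, so Windows authentication on http is better than Basic but not a substitute for SSL.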
Anonymous Authentication:
So-called anonymous authentication can be understood as "no verification": anonymous users can access resources without any restriction. Most sites either run with anonymous authentication or, on an intranet, integrate Windows authentication; the two can also be enabled together, in which case IIS serves the request anonymously and only challenges for Windows credentials when the resource denies the anonymous account. It is not hard to see that anonymous access is still performed under a specific account in the Windows user group (IUSR by default on IIS 7), so "anonymous" means the visitor is not identified, not that no account is involved:
Last, Form authentication:
The authentication methods discussed so far have nothing to do with ASP.NET itself; they are IIS and operating-system level mechanisms. Forms authentication, by contrast, is implemented by ASP.NET. In practice, authentication and member management on a website are more involved than just picking a verification method. On most Internet sites some pages are open to everyone while others require a log-on before they can be viewed or operated, and users in different roles get different permissions after logging on. That touches many areas of knowledge, and there are many ways to implement it.