Web program security mechanism and web Mechanism

Source: Internet
Author: User


ASP.NET provides a multi-layer security model that makes it straightforward to protect Web applications.

Security policies do not need to be complex, but they are applied very widely. Programmers must ensure that their applications cannot be tricked into disclosing private information.

Types of restricted files

ASP.NET automatically provides a basic security policy that blocks requests for specific file types. ASP.NET registers these file types with IIS and maps them to the HttpForbiddenHandler class. This handler has exactly one job in its lifecycle: to reject every request for a file type mapped to it.

The types of restricted files are as follows:

1. .asax: the Global application file, which provides methods for responding to application-level or module-level events in one central location.

2. .asc: Web service file that provides Web services.

3. .config: configuration file that holds the application configuration.

4. .cs: source code file written in C#.

5. .csproj: C# project file that controls how a C# project is built.

6. .vb: source code file written in VB.

7. .vbproj: VB project file that controls how a VB project is built.

8. .resx: resource file, mainly used to store resources for different versions (for example, localized versions).

9. .resources: compiled resource file that can store resources such as bitmaps, strings, and custom data.

Security Concept

Security has three basic concepts.

1. Authentication: the process of determining a user's identity by forcing the user to prove who they are. These user accounts are usually stored in a file or in a back-end database.

2. Authorization: once a user has been authenticated, the authorization process determines whether the user has sufficient permission to perform a given action. Authorization checks are usually performed by Windows.

3. Impersonation: by default all code runs under a fixed account, which is defined in the machine.config file. Impersonation allows some code to run under a different identity. Authentication and authorization are the two cornerstones of a secure website.

Security Policy

IIS and ASP.NET security settings can interact in several ways. In practice, programmers can add either of the following two central policies to the ASP.NET security mechanism:

Form Authentication

ASP.NET supports up-to-date cookie protection algorithms that prevent users from forging their authentication cookies or otherwise tricking the application into granting access.

To implement form-based security, follow these three steps:

1. Set the authentication mode in the Web.config file.

2. Restrict unauthenticated users from accessing specific pages or addresses in the application.

3. Create a logon page.

Web.config settings

You can use the <authentication> section of the Web.config file to define website security.

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="myCookies" loginUrl="../Login.aspx" protection="All" timeout="50" path="/"/>
        </authentication>
      </system.web>
    </configuration>

Attributes of the <forms> element:

1. name: sets the name of the authentication cookie. The default value is .ASPXAUTH.

2. loginUrl: sets the address of the client logon page. A user who requests a protected address without being authenticated is redirected to this page. The default value is Default.aspx.

3. protection: sets how the authentication cookie is encrypted and validated. The value can be All, None, Encryption, or Validation.

4. timeout: sets the cookie expiration time.

5. path: specifies the path for which the cookie is valid. The default value is "/".

Authorization Rules

To control who may log on to the website, you must set access control rules in the <authorization> section of the Web.config file.

    <configuration>
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </configuration>

Set restrictive rules

To prevent any user from accessing the application, you must set a more restrictive rule. In these rules, "*" stands for all users and "?" stands for anonymous (unauthenticated) users.

    <configuration>
      <system.web>
        <authorization>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

Control access to a specific directory address

In application design, files that require authentication are usually stored in a separate directory. With the ASP.NET configuration file these settings are easy to make: strict security settings for a directory go in the <authorization> section of that directory's Web.config file, so that the application simply rejects all unauthenticated users.

    <configuration>
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </configuration>

Restrict specific users

You can use <allow> elements to list the users who are allowed to access the application, and <deny> elements to list the users who are denied access. Rules are evaluated in order and the first matching rule wins, so the <deny> elements must come before the catch-all <allow>.

    <authorization>
      <deny users="?"/>
      <deny users="admi, shine"/>
      <deny users="light"/>
      <allow users="*"/>
    </authorization>

Control access to specific files

In general, setting access permissions per directory is the simplest and easiest approach. However, programmers can also use the <location> element to restrict access to specific files.

    <configuration>
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
      <location path="Page1.aspx">
        <system.web>
          <authorization>
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>
    </configuration>

Windows Authentication

If you use Windows authentication, IIS takes charge of the authentication process. With the default virtual directory settings, users are served anonymously under the IUSR_[ServerName] account. When Windows authentication is used, however, users must first log on to IIS before they are allowed to access the secure content of the website.

User logon information can be transmitted in several ways, but the end result is always that a local Windows account is used to authenticate the user. This generally makes Windows authentication the most suitable solution for the Internet scenario in which a limited number of known users are registered on a network server.

To implement a Windows-based security policy for known users, follow these steps:

1. Set the authentication mode in the Web.config file.

2. Use authorization rules to deny all unauthenticated users access to the website.

3. Configure a Windows user account for each user on the server.

IIS settings

To deny access to unauthenticated users, IIS itself must be configured accordingly (in the security settings of the virtual directory).

Web.config settings

Once the appropriate virtual directory security settings are in place, set the authentication mode in the Web.config file to Windows authentication. In a VS.NET project, Windows authentication is the default mode. The sample code is as follows:

    <configuration>
      <system.web>
        <authentication mode="Windows"/>
      </system.web>
    </configuration>

You can use the <allow> and <deny> elements to permit or restrict user access to specific files or directories. You can also use the roles attribute to restrict access for a whole class of users, where the role corresponds to a Windows group. These elements belong in the <authorization> section:

    <authorization>
      <deny users="?"/>
      <allow roles="Administrator, Light"/>
      <deny users="light"/>
    </authorization>

If you use Windows authentication, you must name users and roles with explicit syntax that includes the domain name or server name.
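The two rule sets above ("Restrict specific users" and the Windows roles example) only behave as intended if you remember that ASP.NET walks the <authorization> rules top to bottom and stops at the first match. The following is an added example, not code from the original article: a small Python simulator of that evaluation, run over the page's own rule sets (embedded here as constructed samples), which shows that the roles example allows the user "light" when that user is in the Light group because the <allow roles> rule matches first.

```python
"""Added example (not from the original page): simulate how ASP.NET
evaluates <allow>/<deny> rules inside an <authorization> section.
Rules are checked top to bottom, first match wins; "?" matches anonymous
users, "*" matches everyone. With no match, access falls through to the
inherited default, which at machine level is <allow users="*"/>."""
import xml.etree.ElementTree as ET

def _names(attr):
    """Split a comma-separated users/roles attribute into lowercase names."""
    return [n.strip().lower() for n in attr.split(",") if n.strip()]

def _matches(rule, user, roles):
    """True if this <allow>/<deny> element applies to the given principal."""
    anonymous = user is None
    for name in _names(rule.get("users", "")):
        if name == "*" or (name == "?" and anonymous):
            return True
        if not anonymous and name == user.lower():
            return True
    if not anonymous:
        return any(r in _names(rule.get("roles", "")) for r in (x.lower() for x in roles))
    return False

def is_allowed(config_xml, user, roles=()):
    """Evaluate an <authorization> fragment for user (None = anonymous)."""
    root = ET.fromstring(config_xml)
    section = root if root.tag == "authorization" else root.find(".//authorization")
    for rule in section:
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # nothing matched: inherited default allows access

# Constructed from the page's "Restrict specific users" example.
USER_RULES = """<authorization>
  <deny users="?"/>
  <deny users="admi, shine"/>
  <deny users="light"/>
  <allow users="*"/>
</authorization>"""

# Constructed from the page's Windows roles example. Note the ordering
# problem: <allow roles="... Light"/> precedes <deny users="light"/>, so a
# user named light who is in the Light group is allowed, not denied.
ROLE_RULES = """<authorization>
  <deny users="?"/>
  <allow roles="Administrator, Light"/>
  <deny users="light"/>
</authorization>"""

if __name__ == "__main__":
    print(is_allowed(USER_RULES, "light"), is_allowed(ROLE_RULES, "light", ["Light"]))
```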

Default Windows roles:

1. AccountOperator: users responsible for managing user accounts on the computer or in the domain.

2. Administrator: users with complete, unrestricted access to the computer or domain.

3. BackupOperator: users who perform backup operations.

4. Guest: users with the same rights as the User role but with more restrictions.

5. PowerUser: similar to Administrator but with some restrictions.

6. PrintOperator: users responsible for managing printers.

7. Replicator: users responsible for file replication within a domain.

8. SystemOperator: similar to Administrator but with some restrictions.

9. User: users who can use the system but cannot change system settings.
