Verification of users and roles in ASP.NET

xiaoxiao2021-03-06  87

http://support.microsoft.com/default.aspx?scid=kb;zh-cn;306590

This article refers to the following Microsoft .NET Framework class library namespaces:

• System.Web.Security
• System.Security.Principal

The following steps briefly describe the sequence of events that occurs when a client makes a request:

1. The client requests an .aspx page on the IIS server.
2. The client's credentials are passed to IIS.
3. IIS authenticates the client and then passes the authenticated token to the ASP.NET worker process together with the client request.
4. Based on the authenticated token and the configuration settings of the web application, ASP.NET decides whether to impersonate the user on the thread that processes the request. A significant difference between Microsoft Active Server Pages (ASP) and ASP.NET is that ASP.NET no longer impersonates the authenticated user by default. To enable impersonation, set the impersonate attribute of the identity section in the web.config file to true.

Related Configuration Settings

IIS stores its security-related configuration settings in the IIS metabase. ASP.NET, however, stores its security (and other) configuration settings in Extensible Markup Language (XML) configuration files. Although this usually simplifies deployment of the application from a security perspective, the security model that the application adopts requires both the IIS metabase and the ASP.NET application (through its web.config configuration file) to be configured correctly.

The following configuration sections are related to ASP.NET security:

• The authentication section: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthenticationSection.asp
• The authorization section: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfauthorizationSection.asp
• The identity section: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfidentitysection.asp
• The machineKey section: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfmachineKeysection.asp

Authentication

Authentication is the process of obtaining identification credentials (such as a user name and password) and validating those credentials against some authority.

ASP.NET provides four authentication providers:

• Forms authentication
• Windows authentication
• Passport authentication
• Default authentication

Forms authentication

Forms authentication refers to a system in which unauthenticated requests are redirected to a Hypertext Markup Language (HTML) form where the user can type credentials. After the user supplies the credentials and submits the form, the application authenticates the request, and the system issues an authentication ticket in the form of a cookie. This cookie contains the credentials, or a key for re-acquiring the identity. Subsequent requests from the browser automatically include this cookie.

Windows authentication

In Windows authentication, IIS performs the authentication and passes the authenticated token to the ASP.NET worker process. The advantage of using Windows authentication is that it requires the least coding. You may want to use Windows authentication to impersonate the Windows user account that IIS authenticated before it passes the request to ASP.NET.

Passport authentication

Passport authentication is a centralized authentication service provided by Microsoft that offers single sign-on and core profile services for member sites. Passport authentication is typically used when you need single sign-on across multiple domains.

Default authentication

Default authentication is used when the web application does not require any security features; this provider requires anonymous access. Of all the authentication providers, default authentication gives the application the highest performance. You can also use this provider when you use your own custom security module.

Authorization

Authorization is the process of verifying whether an authenticated user is allowed to access the requested resource.

ASP.NET provides the following authorization providers:

• FileAuthorization
• UrlAuthorization

FileAuthorization

The FileAuthorizationModule class performs file authorization and is active when you use Windows authentication.

FileAuthorizationModule is responsible for checking the Windows access control list (ACL) to determine whether the user should have access.

UrlAuthorization

The UrlAuthorizationModule class performs Uniform Resource Locator (URL) authorization, which controls access based on the URI namespace. The URI namespace may differ from the physical folder and file paths that NTFS permissions use.

UrlAuthorizationModule implements both positive and negative authorization assertions; that is, you can use the module to selectively allow or deny access to arbitrary parts of the URI namespace for users, roles (such as Tester and Administrator), and verbs (such as GET and POST).
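The following web.config is an added example, not part of the original article, that ties together the impersonate setting from step 4 above and the URL authorization rules just described. The login.aspx page, the admin path and the Administrator role name are assumed for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the article). Assumed names: login.aspx,
     the "admin" path and the "Administrator" role. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to login.aspx -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" timeout="30" />
    </authentication>

    <!-- ASP.NET does not impersonate by default; stating it explicitly documents the intent -->
    <identity impersonate="false" />

    <!-- URL authorization rules are evaluated top to bottom and the first match wins.
         WEAK ORDERING (do not use): putting <allow users="*" /> first matches every
         request, including anonymous ones, so the following <deny users="?" /> is never reached.
         The ordering below denies anonymous users ("?") before allowing everyone else ("*"). -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Restrict one part of the URI namespace to a role and to specific verbs.
       This applies to the URL path, not to the NTFS path the files live in. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" verbs="GET,POST" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```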

Role-based security

Role-based security in ASP.NET is similar to the role-based security that Microsoft COM and Microsoft Transaction Server (MTS) use, but there is a significant difference between them. Role-based security in ASP.NET is not limited to Windows accounts and groups. For example, if you use Windows authentication and impersonation, the user's identity is the Windows identity (User.Identity.Name = "DOMAIN\username"). You can check whether the identity is a member of a specific role and limit its access accordingly. For example:

Visual C# .NET code

    // Check the Windows group membership of the current user.
    // The backslash in the group name must be escaped in a C# string literal.
    if (User.IsInRole("BUILTIN\\Administrators"))
        Response.Write("You are an Administrator");
    else if (User.IsInRole("BUILTIN\\Users"))
        Response.Write("You are a User");
    else
        Response.Write("Invalid User");

If you are using Forms authentication, roles are not assigned to authenticated users; you must do this programmatically. To assign roles to an authenticated user, create a new GenericPrincipal object in the OnAuthenticate event of the authentication module (in this case the Forms authentication module) and assign it to the User property of HttpContext. The following code does this:

Visual C# .NET code

    public void Application_AuthenticateRequest(Object s, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            // Only replace the principal for users authenticated by the Forms module.
            if (HttpContext.Current.User.Identity.AuthenticationType == "Forms")
            {
                // IIdentity must be cast explicitly to FormsIdentity.
                System.Web.Security.FormsIdentity id =
                    (System.Web.Security.FormsIdentity)HttpContext.Current.User.Identity;

                String[] myRoles = new String[3];
                myRoles[0] = "managers";
                myRoles[1] = "testers";
                myRoles[2] = "developers";

                // Wrap the Forms identity in a principal that carries the roles.
                HttpContext.Current.User =
                    new System.Security.Principal.GenericPrincipal(id, myRoles);
            }
        }
    }
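The handler above gives every Forms-authenticated user all three roles. As an added example that is not part of the original article, the following Global.asax code looks the roles up per user name from the authentication ticket instead, so an unknown user ends up with no roles; RoleStore and its sample user data are assumed for illustration.

```csharp
// Added example (not from the article). RoleStore and its contents are
// constructed sample data; a real application would query its own user store.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleStore
{
    // Constructed sample data: user name -> roles.
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "managers" } },
            { "bob",   new[] { "testers", "developers" } }
        };

    public static string[] GetRolesFor(string userName)
    {
        string[] roles;
        // A user that is not in the store gets no roles at all (deny by default).
        return Roles.TryGetValue(userName, out roles) ? roles : new string[0];
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Leave anonymous requests alone; URL authorization can still deny them.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Only replace principals created by the Forms authentication module.
        if (ctx.User.Identity.AuthenticationType != "Forms")
            return;

        FormsIdentity id = (FormsIdentity)ctx.User.Identity;

        // The user name comes from the authentication ticket, which ASP.NET has
        // already validated, never from a form field or query string.
        string[] roles = RoleStore.GetRolesFor(id.Name);
        ctx.User = new GenericPrincipal(id, roles);
    }
}
```

With this in place, User.IsInRole("managers") is true for alice and false for bob, and a user absent from the store is in no role at all.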

To check whether the user belongs to a specific role and to limit their access accordingly, use the following code (or similar code) in the .aspx page:

Visual C# .NET code

    // Role names must match the strings assigned in Application_AuthenticateRequest.
    if (User.IsInRole("managers"))
        Response.Write("You are a Manager");
    else if (User.IsInRole("testers"))
        Response.Write("You are a Tester");
    else if (User.IsInRole("developers"))
        Response.Write("You are a Developer");

Please credit the original source when reposting: https://www.9cbs.com/read-106889.html
