ASP.NET Authentication Mechanism
ASP.NET provides several new authentication and authorization schemes that give developers a different way of working. Unfortunately, every scheme ASP.NET offers is built on IIS. I know some people dislike IIS and consider it easy to attack, and others simply dislike the way ASP mixes code into messy HTML tags, which is hard to maintain and hard to debug. Now there is a new solution, so let's take a look. The new ASP.NET authentication mechanism (below I will call it the ASP.NET AP) only comes into play when the ASP.NET engine is invoked to execute an .aspx file; this means the ASP.NET engine is not invoked for .asp files. All authentication options live in an XML file: whenever you create an ASP.NET project you will find a config.web file in the project directory, and in the settings of this XML file you can configure and control authentication.
The default is Mode = "None". This means ASP.NET does not use any authentication provider, and in this mode the underlying behaviour of ASP.NET is exactly the same as the original ASP on IIS 4/5.
A typical config.web generally looks like the following:
We will examine each possible value one by one, but as a developer my focus will be on "Forms". First, our platform: W2K ADV, VS.NET RCX, IE 6. (VS.NET Beta 2 should also work, but my system was upgraded from Beta 2 while I was writing this article, so I can only say: I would have liked Beta 2 too. We will not discuss Mode = "cookie"; that tag only appears in ASP , and should no longer exist in ASP.NET after Beta 2.) We will use the SDK samples, because they are the best starting point.
Then we need a simple setup: first create the directory c:\inetpub\wwwroot\security, then copy the SDK's files from FrameworkSDK\Samples\QuickStart\aspplus\Samples\Security into the new directory (you can also unzip the included file into this directory).
1. Mode = "none"
This mode is the default; as mentioned above, its behaviour is no different from the original ASP.
When you use VS.NET to generate an ASP.NET project, this mode is generated by default.
2. Mode = "windows"
In this mode, every page we access requires authentication by the operating system, and visitors will see the login dialogs that are peculiar to the Windows environment and confuse people; honestly, I prefer the Windows XP one, it is cuter. Using this mode means you don't have to write any code, which is fast, but I think your business users will not like it, and as a developer you cannot customize it.
Now, making this work is very simple.
1. Set Mode = "windows" in the config.web file
2. Go to the IIS management console and set your application's properties, as shown below:
3. Then visit your page; you will see this dialog, which is very interesting but will absolutely confuse non-professionals.
4. We use the WindowAuth page. Note that with nothing more than Mode = "Windows", you can implement Windows authentication. The result is as shown:
3. Mode = "Passport"
In this mode the ASP.NET engine uses Microsoft Passport's authentication mechanism. This mode would be the most convenient and least effort, but at present implementing Passport under ASP.NET is no easy matter: the VS.NET Beta 2 class libraries do not fully implement PassportIdentity. Microsoft currently only shows it on MSDN, and the basic Passport 1.4 is implemented, like DirectX, by a special DLL. There are reports that the class library after VS.NET RC2 implements the original functionality, but information in this area is lacking right now, so I leave this to Microsoft and Passport 3.0 and we will revisit it another time. I have confidence in Passport, and as long as we stay on the Microsoft platform we probably cannot avoid facing Passport.
For information about Passport ColdStorage, see the article below:
Http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncold/html/storageAuthentication.asp
4. Mode = "forms"
In this mode, I think every developer gets the greatest flexibility and control, and for now this is the most practical and feasible way. First look at a relatively simple example:
1. Make the following settings in the config.web file:
loginUrl = "string" indicates where requests that have not passed authentication will be redirected; you can set it yourself.
2. Then write the following code in the Click handler of the login button in login.aspx:
void Login_Click(object sender, EventArgs e) {
    // Authenticate user: this sample accepts only one user with
    // a name of new2001@msn.com and a password of 'ccboy'
    if ((UserEmail.Value == "new2001@msn.com") && (UserPass.Value == "ccboy")) {
        // Issue the forms authentication cookie and return to the originally requested page
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid Credentials: Please try again";
    }
}
Here we use hard-coded values: currently only new2001@msn.com with the password ccboy can log in. When we test, we don't access login.aspx directly but request the default.aspx page; ASP.NET applies its authentication mechanism and redirects to login.aspx, and once the information entered by the user is accepted it returns to the originally requested default.aspx. Because we use the .NET WebUI controls this is more object-oriented: when the check passes, the FormsAuthentication method issues a cookie and redirects the user to the initial request. In this way the ASP.NET AP does the hard work while our code stays passive; the result of RedirectFromLoginPage is shown in the figure:
Below we modify the config.web file so that authentication takes its information from config.web.
1. First set up the config.web file
Specify the user names and passwords for accessing the system's resources; the encrypted passwords can be customized and managed (in a real application it is recommended not to put user names and passwords here).
passwordFormat can be "Clear", "SHA1" or "MD5".
Clear: the password is stored as plain text; the user's password needs no further conversion and is compared directly.
SHA1: the password is stored as its SHA1 hash; the user's password is hashed with SHA1 and then compared with this value.
MD5: the same as SHA1, only with a different algorithm.
When using SHA1 or MD5 there is also a dedicated API (HashPasswordForStoringInConfigFile) that computes the hash so the result can be saved in the config.web file. For details, refer to the link below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconformsauthenticationUtilities.asp
2. Then write the following code in the Click handler of the login button in login.aspx:
void Login_Click(object sender, EventArgs e) {
    // Let ASP.NET check the credentials against the users listed in config.web
    if (FormsAuthentication.Authenticate(UserEmail.Value, UserPass.Value)) {
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid Credentials: Please try again";
    }
}
The result is the same as before, but this time we hand the decision to the ASP.NET AP: we only pass the two parameters UserEmail and UserPass, and the Authenticate method completes the authentication process against the users set in config.web.
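As an added, stand-alone illustration of what the credentials section and Authenticate do (this is not code from the page or from ASP.NET itself), the following Python reproduces the uppercase-hex hash value that HashPasswordForStoringInConfigFile writes and checks a submitted password against a constructed config fragment; the forms/credentials/user element names are assumed from the released ASP.NET 1.x schema.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config(password, password_format):
    """Value that HashPasswordForStoringInConfigFile stores in config.web:
    the SHA1 or MD5 digest of the UTF-8 password as uppercase hex (assumed
    from the released behaviour); "Clear" keeps the password as typed."""
    fmt = password_format.upper()
    if fmt == "CLEAR":
        return password
    if fmt not in ("SHA1", "MD5"):
        raise ValueError("unsupported passwordFormat: " + password_format)
    return hashlib.new(fmt.lower(), password.encode("utf-8")).hexdigest().upper()


def load_credentials(xml_text):
    """Return (passwordFormat, {name: stored_password}) from a <forms> fragment."""
    forms = ET.fromstring(xml_text)
    creds = forms.find("credentials")
    fmt = creds.get("passwordFormat", "Clear")
    users = {u.get("name"): u.get("password") for u in creds.findall("user")}
    return fmt, users


def authenticate(xml_text, name, password):
    """Model of FormsAuthentication.Authenticate: hash the supplied password
    the same way the stored one was produced, then compare in constant time
    so a wrong guess does not reveal how many leading characters matched."""
    fmt, users = load_credentials(xml_text)
    stored = users.get(name)
    if stored is None:
        return False
    candidate = hash_for_config(password, fmt)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


# Constructed <forms> fragment in the shape of the ASP.NET 1.x credentials
# section (schema assumed from the released product). The page's sample user
# new2001@msn.com / ccboy is stored as a SHA1 hash, never in clear text.
CONFIG_XML = """<forms loginUrl="login.aspx">
  <credentials passwordFormat="SHA1">
    <user name="new2001@msn.com" password="%s" />
  </credentials>
</forms>
""" % hash_for_config("ccboy", "SHA1")
```

The same fragment would be rejected by a Clear-format store, since the stored value is then compared verbatim with what the user typed.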
The MS document "Forms Authentication Using An XML Users File" shows another way to obtain user names and passwords, in which, for safety, users and passwords are placed in a separate XML file. Refer to the link below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconFormsAuthenticationUtilities.asp
By the same logic you can put users and passwords into a table in your database, for example:
// Requires System.Data and System.Data.SqlClient
void Login_Click(object sender, EventArgs e) {
    if (!Page.IsValid) return;
    // connect to the database
    using (SqlConnection cn = new SqlConnection("Server=localhost;uid=mypassport;pwd=123;database=clientpassword;")) {
        cn.Open();
        // Look up the stored password for this e-mail address. The address is bound as a
        // parameter instead of being concatenated into the SQL text.
        SqlCommand cmdQuestion = new SqlCommand("SELECT Password FROM Users WHERE Email = @Email", cn);
        cmdQuestion.Parameters.Add("@Email", SqlDbType.NVarChar, 255).Value = UserEmail.Value;
        using (SqlDataReader dr = cmdQuestion.ExecuteReader()) {
            if (dr.Read()) {
                // the sample table stores the password in clear text and compares it directly
                if (dr["Password"].ToString() == UserPass.Value)
                    FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
                else
                    Msg.Text = "Invalid Password. Please try again";
            }
            else {
                Msg.Text = "Email address not found.";
            }
        }
    }
}
This process can also be pushed further: it can be done in a .NET business-logic component, or by calling another web service, and from this perspective it is already partly the same as MS Passport, although Microsoft's approach is heavyweight by comparison.
5. Mode = "MyMode"
This is for the future: ASP.NET will support using our own AP to implement authentication and authorization scenarios. This will be a more advanced way; in fact ASP.NET offers far more flexible and diverse choices than the previous version. Keith Brown discusses security issues related to ASP.NET in the November and December issues of MSDN Magazine.
In summary, we have seen the basic picture of ASP.NET authentication, which is clear enough, but if you do not like IIS itself then you will also want to consider other authentication schemes. Jeff Kercher's "Authentication in ASP.NET: .NET Security Guide" would be a more high-level way for you to get started and go deeper.