ASP.NET Authentication Provider
Small gas god 2001-12-20
Article Type: Overview
Difficulty Level: 3/9
Version: 1.12
ASP.NET provides some new models of authentication and authorization, which will be a different way of working for developers. There are a variety of schemes provided by ASP.NET; unfortunately, this solution is based on IIS. I know that some people don't like IIS and think it is easily attacked. Others just don't like the ASP way of mixing code into messy HTML tags, which is difficult to maintain and difficult to debug. Now there is a new solution; let's take a look.
The new ASP.NET Authentication Provider (abbreviated ASP.NET AP below) only comes into play when the ASP.NET engine is invoked to execute an .aspx file; this also means that a request for an .asp file does not invoke the ASP.NET engine. All authentication options are placed in an XML file. Whenever you create an ASP.NET project, you will find a config.web file in the project directory, and you can set and control authentication in this XML file.
A typical config.web generally looks like the following:
<!--
This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None"
-->
We will examine all possible values in
Next we need a simple setup: first create a directory c:\inetpub\wwwroot\security, then copy the SDK files from FrameworkSDK\Samples\QuickStart\aspplus\Samples\Security into the new directory (you can also unzip the included file into this directory).
1. Mode = "none"
This mode is the default. As mentioned above, it behaves no differently from the original ASP.
When you use VS.NET to generate an ASP.NET project, this is the mode generated by default.
2. Mode = "windows"
In this mode, every page we access requires authentication through the system. Visitors will see the authentication dialogs peculiar to the Windows environment, which can be confusing; honestly, I prefer the Windows XP one, it is cuter. Using this mode means you don't have to write any code, so it is quick to set up, but I think your business users will not like it, and as a developer you can't customize it.
Setting this up is very simple:
1. Set
2. In the IIS management console, set your application's properties, as shown below:
3. Then visit your page. You will see this dialog, which is very interesting but will certainly confuse non-professionals.
4. We use the WindowAuth page. Note Mode = "Windows": nothing further is needed, using Mode = alone implements Windows authentication.
The result is as shown:
3. Mode = "Passport"
In this mode, the ASP.NET engine uses Microsoft Passport's authentication mechanism. This mode should be the most convenient and effortless, but as things currently stand, implementing Passport under ASP.NET is not easy: the VS.NET Beta 2 class libraries do not fully implement PassportIdentity. The only sample Microsoft currently shows on MSDN implements basic Passport 1.4 and, like DirectX, uses a special DLL. There are indications that the class library in releases after VS.NET RC2 implements the intended functionality, but information on this is still lacking, so this topic is left until Microsoft and Passport 3.0 arrive, and we will revisit it then. I have confidence in Passport, and as long as we are on the Microsoft platform, we probably cannot avoid facing Passport.
For information about the ColdStorage Passport sample, see the article below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncold/html/storageAuthentication.asp
4. Mode = "forms"
In this mode, I think every developer gets the greatest flexibility and control, and for now this is the most practical and feasible approach. First look at a relatively simple example:
1. Make the following settings in the config.web file:
</authentication>
loginUrl="string" specifies where requests that have not passed authentication are redirected; you can set it as you wish.
2. Then write the following code in the Click handler of the Login button in the login.aspx file:
void Login_Click(Object sender, EventArgs e) {
    // Authenticate user: this sample accepts only one user with
    // a name of new2001@msn.com and a password of 'ccboy'
    if ((UserEmail.Value == "new2001@msn.com") && (UserPass.Value == "ccboy")) {
        // Issue the authentication cookie and return to the originally requested page
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid Credentials: Please try";
    }
}
Here the credentials are hard-coded: currently only new2001@msn.com with the password ccboy is allowed to log in. When testing, we do not access login.aspx directly but request the default.aspx page. ASP.NET applies its authentication mechanism and redirects us to login.aspx; once the information the user enters is accepted, we are returned to the originally requested default.aspx. Because we use .NET's WebUI controls, the code is more object-oriented. Once the check passes, the FormsAuthentication method issues a cookie and redirects the user to the initial request. In this way, the ASP.NET AP has done half of the work; in fact it is passive, RedirectFromLoginPage
The result is as shown:
Next we modify the config.web file so that authentication obtains the user information from config.web.
1. First set up the config.web file:
</credentials>
</forms>
</authentication>
passwordFormat can be "Clear", "SHA1" or "MD5":
Clear: passwords are stored in plain text. The password the user supplies is compared directly with the stored value, with no further conversion.
SHA1: passwords are stored as SHA1 hash digests. The user's password is hashed with the SHA1 algorithm and then compared with this value.
MD5: similar to SHA1, just using a different algorithm.
When using SHA1 or MD5, there is also a dedicated API (HashPasswordForStoringInConfigFile) that performs the hashing; the result is then saved to the config.web file. For details, refer to the link below: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconformsauthenticationUtilities.asp
2. Then write the following code in the Click handler of the Login button in the login.aspx file:
void Login_Click(Object sender, EventArgs e) {
    // Let ASP.NET check the pair against the credentials stored in config.web
    if (FormsAuthentication.Authenticate(UserEmail.Value, UserPass.Value))
    {
        FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
    }
    else {
        Msg.Text = "Invalid Credentials: Please try";
    }
}
The result is the same as before, but this time we hand the check over to the ASP.NET AP: we only pass in UserEmail and UserPass, and the Authenticate method completes the authentication process against the users defined in config.web.
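An added example (not from the original article or the QuickStart samples) of what the "SHA1" and "MD5" formats described above store, and how a supplied password is checked against such an entry, as the Authenticate step does. The class and method names are hypothetical, and the code assumes that HashPasswordForStoringInConfigFile hashes the UTF-8 bytes of the password and returns uppercase hex.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ConfigPasswordHash
{
    // Hash of the UTF-8 password bytes as uppercase hex (assumed to match
    // what HashPasswordForStoringInConfigFile returns for "SHA1" and "MD5").
    public static string Hash(string password, string passwordFormat)
    {
        HashAlgorithm alg;
        switch (passwordFormat.ToUpperInvariant())
        {
            case "SHA1": alg = SHA1.Create(); break;
            case "MD5":  alg = MD5.Create();  break;
            default: throw new ArgumentException("passwordFormat must be SHA1 or MD5");
        }
        using (alg)
        {
            byte[] digest = alg.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Hash the supplied password and compare it with the stored value
    // without stopping at the first differing character.
    public static bool Verify(string supplied, string storedHex, string passwordFormat)
    {
        string candidate = Hash(supplied, passwordFormat);
        if (candidate.Length != storedHex.Length) return false;
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
            diff |= char.ToUpperInvariant(storedHex[i]) ^ candidate[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample: the demo password from the login sample above.
        string stored = Hash("ccboy", "SHA1");
        Console.WriteLine("SHA1 entry : " + stored);
        Console.WriteLine("MD5 entry  : " + Hash("ccboy", "MD5"));
        Console.WriteLine("correct    : " + Verify("ccboy", stored, "SHA1"));
        Console.WriteLine("wrong      : " + Verify("CCBOY", stored, "SHA1"));
        // No salt: the same password always yields the same stored value.
        Console.WriteLine("repeatable : " + (stored == Hash("ccboy", "SHA1")));
    }
}
```

Because these digests are unsalted, two users with the same password get identical entries, so the configuration file deserves the same access protection as a plain-text password list.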
The MS document "Forms Authentication Using An XML Users File" shows another way to obtain the user name and password, in which, for safety, users and passwords are placed in a separate XML file. Refer to the link below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconformsauthenticationUtilities.asp
In the same way, you can put users and passwords in a database table, just as you have always done:
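// Requires <%@ Import Namespace="System.Data" %> and
// <%@ Import Namespace="System.Data.SqlClient" %> in login.aspx
void Login_Click(Object sender, EventArgs e) {
    if (Page.IsValid)
    {
        // Connect to the database
        SqlConnection cn = new SqlConnection(
            "Server=localhost;UID=mypassport;pwd=123;database=clientpassword;");
        cn.Open();
        // Create a command to get the stored password; the e-mail address is
        // bound as a parameter instead of being concatenated into the SQL text
        SqlCommand cmdQuestion = new SqlCommand(
            "SELECT Password FROM users WHERE email = @email", cn);
        cmdQuestion.Parameters.Add("@email", SqlDbType.NVarChar).Value = UserEmail.Value;
        SqlDataReader dr = cmdQuestion.ExecuteReader();
        string storedPassword = null;
        if (dr.Read())
            storedPassword = dr["Password"].ToString();
        // Release the reader and the connection before any redirect
        dr.Close();
        cn.Close();
        if (storedPassword == null)
            Msg.Text = "email address not found.";
        else if (storedPassword == UserPass.Value)
            FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
        else
            Msg.Text = "Invalid Password. Please try again";
    }
}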
By extension, this process can also be carried out by a .NET business-logic component, or by calling another web service. Seen from this perspective, it is already partly the same as MS Passport; by comparison, Microsoft's approach is heavyweight.
5. Mode = "MyMode"
This is for the future: ASP.NET supports using our own AP to implement authentication and authorization schemes. This is a more advanced approach; in fact, ASP.NET offers more flexible and diverse choices than the previous version. Keith Brown discusses the security issues related to ASP.NET in the November and December issues of MSDN Magazine.
In summary, we have seen the basic picture of ASP.NET authentication. If you don't like IIS itself, you will also want to consider other authentication schemes. Jeff Kercher's "Authentication in ASP .NET: .NET Security Guide" offers a broader overview to get you started and to go deeper.
http://www.microsoft.com/china/msdn/library/dnbda/html/authaspdotnet.asp
That article describes in detail the environments each authentication scheme suits and its advantages, which helps you choose and determine the best authentication method.