
What are the commonly used authentication methods in asp.net

2025-01-15 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

This article explains in detail the authentication methods commonly used in asp.net. The editor thinks it is very practical and shares it here for reference; hopefully you will get something out of it.

Preface

"Authentication" is needed in almost every B/S (browser/server) system. A web application is special: unlike a traditional C/S (client/server) program, by default (with no authentication or access control) anyone who can reach your application on the Internet or LAN can access all of its resources, so it is hard to keep the application secure. Put simply: for most internal systems, business support platforms and the like, users must log in before they can view or operate any page. Public websites are somewhat different, because most of a site's pages and information are open to everyone; only operations involving a registered user's personal information, or the site's back-end administration, need to prompt for login. If that check is not strict, the consequences are serious: once someone guesses the name of a page under your web directory, they can open it at will. Of course, the average developer will not make such an elementary mistake.

How to realize "authentication"

I remember when I first encountered Servlet + JSP development N years ago, there was a thing called a "Filter". It was amazing: with it, I no longer had to check the "session" or "cookie" on every single page in order to bounce users who were not logged in (the implementation was fairly basic). In traditional WebForms development you can also write a rather clunky BasePage class that does the check, and have the code-behind class of every page inherit from it; I think many companies have done it this way.

Asp.net actually ships a complete set of mechanisms for "membership and role management": the login controls, Membership, the personalization database and so on. But most developers never use them (for example, I have been developing with Microsoft asp.net for three or four years and have never seen what the login control looks like). There are three or four main kinds of asp.net authentication. Because some of them depend on IIS and the Windows operating system, there are differences between operating system and IIS versions. Since I am currently on Windows 7, I will use IIS 7.5 as the example.

Open IIS Manager and double-click "Authentication" in the feature view. It lists all the authentication methods currently installed in IIS (I checked all of them under "Security" when installing IIS). See the figure below:

They fall roughly into the following categories:

1. Active Directory Client Certificate authentication: maps client certificates to Active Directory accounts. It requires a PKI and client certificates, so it is not commonly used and is not covered here.

2. ASP.NET impersonation (MSDN: "if you want to run an ASP.NET application in a non-default security context, use ASP.NET impersonation"). In plain words: instead of running under the application pool identity, the request is executed under the identity of the authenticated user (or a specific account configured for impersonation), so file and resource ACLs apply to that user.

3. Forms authentication: used a lot; discussed later.

4. Windows authentication: authenticates local Windows users or domain users; the browser and IIS negotiate with Kerberos or NTLM, so the password itself is not sent.

5. Basic authentication: also validates against Windows accounts, but the browser sends the user name and password in the request.

6. Anonymous authentication: anyone can access the content; internally IIS accesses it under a specified Windows account (the built-in IUSR account by default in IIS 7).

7. Digest authentication: uses a Windows domain controller to authenticate users who request access to content on the web server; a hash of the credentials, not the password, is sent.

Now the screenshot from the classic IIS 6:

Note: .NET Passport can be understood as Microsoft's implementation of "single sign-on" and is not discussed here. Today, with "Open API", "SOA" and "cloud computing" everywhere, a web programmer who has never heard of "single sign-on" should buy a train ticket back to Fuzhou.

First, test Basic authentication on IIS 7:

Disable all the other authentication methods and enable only Basic authentication. Screenshot as proof:

Then open a browser (IE, Firefox, Chrome, etc.), type localhost and wait for the default website in IIS to open. A credentials prompt pops up; its style and wording differ from browser to browser. (After not using IE for a long time, I found that the old rascal had changed my home page and claimed it was for "safe surfing", which is obviously tampering. I don't get it.)

In Firefox:

If you enter a correct Windows account and password in the prompt, the requested page loads normally. If you cancel or enter wrong credentials, a 401 error awaits you (401, you know).

The IIS Manager warning reads: "if SSL is not enabled for the website, the password will be transmitted in clear text across the network." It sounds a little awkward, so let me explain what it means.

"SSL" here is Secure Sockets Layer (today TLS). Put simply: a normal http request travels over the network unencrypted; with SSL the http messages are encrypted, so even if someone intercepts them on the way they cannot read them. When you see "https://www.xxx.com", the site is most likely using an SSL certificate. As for "clear text across the network": strictly speaking the cable carries only electrical or optical signals, not protocol messages, and in Basic authentication the user name and password are Base64 encoded rather than sent literally. Interested readers can use a tool such as HttpWatch or Fiddler to watch the request: it carries an "Authorization: Basic" header whose value is the Base64 encoding of "username:password". But Base64 is an encoding, not encryption, and is reversed in one call, so it is no different from plain text. The warning is therefore right in substance: without SSL, "Basic authentication" exposes the credentials to anyone on the network path.

Test Windows authentication on IIS 7:

This is similar to the Basic authentication test above, so I won't take more screenshots. If the user enters a correct Windows user name and password, the site loads normally; if not, 401.1 is returned (Basic authentication above returns 401.2). It is worth mentioning that an asp.net MVP once told me that with Windows authentication users can only access the site properly from IE, because the password is not sent in the http message: the browser hands authentication to the operating system. On checking, the second half is right: the password does not appear anywhere in the http traffic. What does appear is a Negotiate/NTLM exchange in the WWW-Authenticate and Authorization headers, carrying a Kerberos ticket or an NTLM challenge/response rather than the credentials themselves. But it is not limited to IE; I can access and use the site normally in Firefox too.
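The two exchanges just described, Basic authentication and Windows authentication, as an added example that is not part of the original article. The script below parses the 401 challenge and the Authorization header as a tool like Fiddler would show them, reverses the Base64 of a Basic token to show that it is effectively plain text, and recognises an NTLM or Negotiate token as a challenge/response or ticket that does not contain the password. All request and response messages are constructed samples, not captures from a real IIS server; the function names, the sample account "admin:P@ssw0rd", and the NTLM flag and version bytes are illustrative assumptions.

```python
import base64
import binascii

# ---- Constructed sample messages (not captured from a real IIS server) ----
SAMPLE_CHALLENGE_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="localhost"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# IIS "Windows Authentication" offers both providers on separate header lines.
SAMPLE_CHALLENGE_WINDOWS = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Base64 of "admin:P@ssw0rd" (sample account, not a real one).
SAMPLE_REQUEST_BASIC = (
    "GET / HTTP/1.1\r\nHost: localhost\r\n"
    "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n"
)
# NTLM Type 1 (negotiate) message: signature, message type, flags, empty
# domain/workstation fields, version. Flag and version bytes are illustrative.
_NTLM_TYPE1 = (b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
               + b"\x00" * 16 + b"\x06\x01\xb1\x1d\x00\x00\x00\x0f")
SAMPLE_REQUEST_NTLM = (
    "GET / HTTP/1.1\r\nHost: localhost\r\n"
    "Authorization: NTLM " + base64.b64encode(_NTLM_TYPE1).decode() + "\r\n\r\n"
)
# GSS-API header carrying the SPNEGO OID 1.3.6.1.5.5.2 with no inner token
# (header only; a real Kerberos request is much longer).
_SPNEGO_HEADER = b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"
SAMPLE_REQUEST_NEGOTIATE = (
    "GET / HTTP/1.1\r\nHost: localhost\r\n"
    "Authorization: Negotiate " + base64.b64encode(_SPNEGO_HEADER).decode()
    + "\r\n\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, {lower-name: [values]})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def challenge_schemes(raw_response):
    """Scheme names a 401 offers in its WWW-Authenticate headers, in order."""
    _, headers = parse_http_message(raw_response)
    return [v.split(None, 1)[0] for v in headers.get("www-authenticate", [])]


def _b64(token):
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_basic(token):
    """Reverse the Base64 of a Basic token into (user, password), or None."""
    raw = _b64(token)
    if raw is None:
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


def build_basic_header(user, password):
    """What the browser puts on the wire after the prompt (RFC 7617 form)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def classify_request(raw_request, over_tls=False):
    """Describe the Authorization header and whether a password is exposed."""
    _, headers = parse_http_message(raw_request)
    result = {"scheme": None, "credentials": None,
              "password_on_wire": False, "detail": "no Authorization header"}
    if "authorization" not in headers:
        return result
    scheme, _, token = headers["authorization"][0].partition(" ")
    result["scheme"] = scheme.strip()
    token = token.strip()
    if scheme.lower() == "basic":
        creds = decode_basic(token)
        result["credentials"] = creds
        # Base64 is reversible, so without TLS the password is readable.
        result["password_on_wire"] = creds is not None and not over_tls
        result["detail"] = f"user={creds[0]}" if creds else "undecodable token"
    elif scheme.lower() in ("ntlm", "negotiate"):
        blob = _b64(token) or b""
        if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
            msg_type = int.from_bytes(blob[8:12], "little")
            result["detail"] = f"NTLMSSP message type {msg_type}"
        elif blob[:1] == b"\x60":
            result["detail"] = "GSS-API/SPNEGO token (Kerberos path)"
        else:
            result["detail"] = "unrecognised token"
    return result


if __name__ == "__main__":
    for msg in (SAMPLE_REQUEST_BASIC, SAMPLE_REQUEST_NTLM, SAMPLE_REQUEST_NEGOTIATE):
        print(classify_request(msg))
```

Run it and the Basic request comes back with the user name and password recovered and `password_on_wire` set, while the NTLM and Negotiate requests carry only a message type or a GSS-API header. That is what the author observed in Firefox: with Windows authentication there is no password to read in the traffic. It is still a reason to use TLS rather than a reason to skip it, since the NTLM exchange is visible and the page content is not protected.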

Anonymous authentication:

Anonymous authentication can be understood as "no authentication": even anonymous users can access resources without restriction. Usually a website enables anonymous authentication and, where needed, Windows authentication alongside it. Note that anonymous requests are still executed under a specific account from the Windows user store (IUSR by default in IIS 7), as shown in the figure:

Finally, Forms authentication:

None of the methods above is really specific to asp.net; they all work at the IIS and operating-system level. Forms authentication requires asp.net support, because a website's authentication and member management are usually complex rather than a simple account check. On most Internet sites some pages are open, some require login before they can be viewed or operated, and users with different roles have different permissions. This involves a lot of knowledge and there are many ways to implement it.

This is the end of the article on "what authentication methods are commonly used in asp.net". I hope the content above helps you learn something; if you think the article is good, please share it so more people can see it.
