Computer science graduation foreign-language translation: An overview of authentication security features in ASP.NET

An overview of authentication security features in ASP.NET

Narcisio Tumushabe, TAN Guan-zheng (transliterated)

(School of Computer Science and Information Technology, Central South University, Changsha 410083, Hunan, China)

Abstract: This article discusses the authentication features of ASP.NET that support security when designing a server application. Microsoft Internet Information Services (IIS) and ASP.NET provide security models that let Web developers authenticate their users appropriately and obtain the correct security context within the application. The three levels of authentication covered are Forms-based, Passport and Windows authentication. The review is limited to these three areas.

Key words: Forms-based; Passport; Windows authentication

CLC number: TP 393108  Document code: A  Article ID: 1000-1646 (2003) 03-0250-05

Security is one of the primary concerns of both developers and application architects. Since different types of websites have different security needs, developers need to know what level of security their site must run with and choose the appropriate security model for their applications. Some websites publish information that is not collected from users but gathered through broad channels such as search engines. Other sites may need to collect sensitive information from their users, such as credit card numbers; such sites need very strict security measures to fend off malicious attacks from outside.

1  Fundamental operations of ASP.NET security

In the context of an ASP.NET application, security involves three fundamental operations: authentication, authorization and impersonation. Authentication is the process of validating a user's identity in order to allow or deny a request. It involves accepting credentials (such as a username and password) from the user and checking them against a designated authority. Once the identity has been verified, the user is considered legitimate and the resource request is fulfilled. For some period afterwards the user can request resources without being authenticated again, until the user leaves the Web application. Authorization grants the user the right to access specific resources. Impersonation is the process by which the application assumes the identity of the user in order to obtain other resources on the user's behalf; based on the impersonated identity, the resource request is granted or denied.

2  Authentication in ASP.NET

Authentication is one of the foremost features of Web application security. In ASP.NET, authentication is performed at two levels. [2] First, Internet Information Services (IIS) performs the required authentication and then passes the user's request on to ASP.NET, as shown in Figure 1. The underlying Web server for an ASP.NET application is IIS, so every ASP.NET application can continue to take advantage of the security options that IIS provides. When a user requests a specific resource, the request goes to IIS. IIS authenticates the request and then passes the authenticated user to the ASP.NET worker process. The ASP.NET worker process decides whether to impersonate the user authenticated by IIS: if impersonation is enabled in the Web.config file, the worker process impersonates the authenticated user; otherwise, ASP.NET authenticates the user itself. Finally, ASP.NET decides whether the user is authorized to access the resource. If so, ASP.NET serves the request; otherwise it returns an "access denied" error message to the user.

Fig. 1  Security flow of IIS and ASP.NET

ASP.NET provides built-in user authentication through several authentication providers. [1,4] They are Forms-based authentication, in which the application is secured with a custom authentication model with cookie support; Passport authentication, in which the application is secured with Microsoft Passport, a Web single sign-on technology developed by Microsoft; and Windows authentication, in which the Web application authenticates users with the identities obtained from integrated Windows authentication.

Some applications do not use authentication at all, or the developer may want to write custom authentication code. In that case the ASP.NET authentication mode can be set to None. This article briefly covers Forms-based, Passport and Windows authentication.

2.1  Forms-based authentication

Forms-based authentication is used to implement custom logic for authenticating users, using a cookie so that the developer does not have to worry about session management. It gives the developer more control over which files on the site can be accessed and by whom, and allows a login page to be designated. [3] This mechanism automatically redirects an unauthenticated user to the login page and asks for proper credentials (for example, a username/password combination). If the login succeeds, ASP.NET issues a cookie to the user and redirects them to the resource they originally requested. The cookie lets the user access the protected resources repeatedly without going through the login mechanism again, as shown below:

Fig. 2  Forms authentication flow

In the figure above, the user first requests a resource. The request goes to IIS first, and IIS authenticates the user. If anonymous access is enabled in IIS, or the user has been authenticated successfully, IIS hands the request off to the ASP.NET application. ASP.NET checks whether a valid authentication cookie is attached to the request. If so, the user has already been authenticated, and ASP.NET performs the authorization check: if the user is allowed to access the resource, access is granted; otherwise an access-denied message is returned. If the request carries no cookie, ASP.NET redirects the user to the login page and asks the user to authenticate. The application code checks the credentials. If authentication succeeds, ASP.NET returns the response with the authentication cookie attached. If it fails, the user can be redirected back to the login page and told that the username/password is invalid.

Set up Forms-based authentication

In general, setting up Forms-based authentication involves four steps [2]: (i) enable anonymous access in IIS; (ii) configure the <authentication> section in the Web.config file; (iii) configure the <authorization> section in the Web.config file; and (iv) create the login page.

(i) Enable anonymous access in IIS:

This has to be done because most of the users are assumed to be non-Windows users; they pass through IIS to reach ASP.NET, and ASP.NET always allows anonymous access to the login page.

(ii) Configure the <authentication> section in the Web.config file:

The Web.config file contains information about the level and type of authentication service provided for a Web application. Forms-based authentication is enabled for a Web application by setting the authentication mode attribute to Forms [3]:

As the code above shows, the name attribute is the name of the HTTP cookie. The loginUrl attribute is set to the login page, which is the page used to authenticate the user's credentials; if the user is not authenticated, the request is redirected to the URL given in loginUrl. The valid values of the protection attribute are All, None, Encryption and Validation. The cookie protection is set to All, which causes the ASP.NET runtime not only to encrypt the cookie contents but also to validate them. [8] If it is set to None, neither encryption nor validation is used. Encryption encrypts the cookie with the DES or Triple DES algorithm but does not validate its data; Validation checks that the cookie data has not been altered but does not encrypt the contents. The timeout is set to 10, meaning the authentication cookie expires after 10 minutes. The purpose is to reduce the window in which a stolen authentication cookie can be used by someone else; with a shorter timeout the cookie is regenerated frequently. The path attribute is the path for which the cookie is sent to the client; it is set to "/", meaning the cookie path is the root directory.

(iii) Configure the <authorization> section in the Web.config file

Add authorization support to the ASP.NET Web application. To do so, add the <authorization> section to the Web.config file:

As explained above, after the user provides valid credentials, the user is redirected to the specific protected page. However, the authorization section in this code denies access to all users except "Narcis".

(iv) Create the login page

This is the last step: unauthenticated users are redirected here so that they can provide their credentials, usually some form of username and password, and log on to the protected resources. The login page must validate the submitted credentials, for example by comparing them against a database. Valid usernames and passwords can be stored in the credentials section of Web.config:
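The Web.config listing the article refers to in steps (ii) to (iv) is not reproduced on this page. The following is an added example (not the article's own listing) assembled from the attribute values the text describes; the cookie name, the sample password and its hash are constructed values, and the user name "Narcis" is the one the article uses.

```xml
<!-- Added example (not the article's listing): the Forms-based settings described in
     steps (ii) to (iv). Cookie name, sample password and its hash are constructed values. -->
<configuration>
  <system.web>
    <!-- (ii) Forms-based authentication. protection="All" both encrypts the ticket and
         validates it (a tampered or forged cookie is rejected); timeout is in minutes,
         so a stolen cookie stays usable for at most 10 minutes. -->
    <authentication mode="Forms">
      <forms name="AuthCookie"
             loginUrl="Login.aspx"
             protection="All"
             timeout="10"
             path="/">
        <!-- Weak form, kept only for comparison: clear-text passwords in a file that
             anyone with access to the server's file system can read. -->
        <!--
        <credentials passwordFormat="Clear">
          <user name="Narcis" password="password" />
        </credentials>
        -->
        <!-- Hardened form: store only a hash. The value is the SHA1 hex digest of the
             constructed sample password "password". Unsalted SHA1 is weak by today's
             standards, one more reason to prefer the database approach the article
             recommends for real user stores. -->
        <credentials passwordFormat="SHA1">
          <user name="Narcis" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        </credentials>
      </forms>
    </authentication>

    <!-- (iii) URL authorization. Rules are evaluated top to bottom and the first match
         wins, so the allow entry must precede the deny; reversing the two lines locks
         everyone out, Narcis included. "*" means all users, "?" would mean only anonymous
         users. -->
    <authorization>
      <allow users="Narcis" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```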

However, storing passwords in clear text is very insecure. Moreover, it is unrealistic to store thousands of usernames and passwords in the Web.config file. [2,7] To address this problem, the usernames and passwords are stored in a database; with this approach the Web.config file no longer has a <credentials> section, and Login.aspx changes somewhat, since the submitted credentials must be checked against the usernames and passwords stored in the database.

2.2  Passport authentication

As stated above, this authentication mechanism provides a centralized authentication service that offers single sign-in for access to member sites. Passport authentication is used in the following scenarios: [2] (i) the username/password database or login page is not easy to maintain; (ii) the site wants to provide personalized content; (iii) the site will be used in conjunction with other Passport sites; and (iv) the site wants to give users single sign-in capability.

Set up Passport authentication

To implement this authentication mode, the Passport SDK (Software Development Kit) must be installed on the server and the site registered with Microsoft Passport. [1,2] The following code in the Web.config file sets the authentication mode to Passport:

The redirectUrl attribute of the passport section is set to internal, which means that unauthenticated requests receive a common error message. The redirectUrl attribute may also contain a string other than internal, which is treated as a URL to which unauthenticated requests are sent.

2.3  Windows authentication

This type of authentication is probably the easiest to implement. Windows authentication can be combined with almost all of the authentication methods IIS provides (Basic, Digest, NTLM or Kerberos authentication), except anonymous authentication. [2,4] There is no need to write any code to validate the user, because IIS has already authenticated the user's Windows credentials. Basically, Windows authentication makes use of the authentication capabilities of IIS: IIS completes its authentication first, and then ASP.NET decides whether to grant authorization or deny service.

This mechanism is usually used when the users are part of a Windows domain and the authenticated users are to be impersonated, so that code executes in the same security context as the user's Windows account. [4] When a user requests a specific resource, the request goes to IIS. IIS authenticates the user and attaches a security token to the request, then passes the authenticated request and the security token to ASP.NET. If impersonation is enabled, ASP.NET impersonates the user with that security token and checks the <authorization> section of the Web.config file to see whether the user is authorized to access the resource. If so, ASP.NET sends the requested resource to the user through IIS; otherwise it sends an error message to the user.

Set up Windows authentication

The only step in setting up Windows authentication is to set the authentication mode to Windows and deny access to anonymous users in the Web.config file, as shown below:

Impersonation is enabled only if the code is to run in the same security context as the user account. Again, this is done in the configuration file.

2.4  Conclusion

Authentication in ASP.NET is one of the most important features of Web application security. It is divided into three different built-in providers: Forms-based, Passport and Windows authentication. Forms-based and Passport authentication do not require the users to be Windows users, whereas Windows authentication is designed for users who are part of a Windows domain. Forms-based authentication presents unauthenticated users with a login page, asks them for their credentials and validates those credentials; if the user is not authorized to access a specific resource, an access-denied message is returned to the user. With Passport authentication, the Passport SDK is simply installed on the server and the site is registered with Microsoft Passport, which provides a simple mechanism for accessing member sites with login credentials supplied by Microsoft. Windows authentication is the most convenient to use, because no code needs to be written to perform the authentication.

References:

[1] Bell, J., et al., 2001, ASP.NET Programmer's Reference, Wrox Press Ltd., USA.

[2] Chilakala, V., 2001, Microsoft ASP.NET Security, Microsoft Support WebCasts.

[3] Gonzales, J., 2002, 15 Seconds: Using Forms Authentication in ASP.NET Part 1.

[4] Kercher, J., 2001, Authentication in ASP.NET: .NET Security Guidance, MSDN Magazine, August 2001.

[5] Lassan, R., Smith, E., 2002, ASP.NET Bible, Hungry Minds Inc., USA.

[6] Leinecker, R., 2002, Using ASP.NET, Que Corporation, Indiana.

[7] .NET Framework Developer's Guide: ASP.NET Web Application Security, Link.

[8] Kieley, J., 2001, Migrating to ASP.NET: Key Considerations, MSDN Magazine, November 2001.

An overview of authentication security features in ASP.NET

Narcisio Tumushabe, TAN Guan-zheng

(School of Computer Science and Information Technology, Central South University, Changsha 410083, China)

Abstract: This article discusses the authentication feature of ASP.NET to support security when designing a server application. Both Microsoft Internet Information Services (IIS) and ASP.NET provide security models that will allow web developers to authenticate their users appropriately and obtain the correct security context within the application. Three levels of authentication covered are the Forms-based, Passport and Windows authentications. The article literature is limited to th

Key words: Forms-based; Passport; Windows authentication

CLC number: TP 393108  Document code: A  Article ID: 1000-1646 (2003) 03-0250-05

Security is one of the primary concerns for both developers and application architects. As there are lots of different types of websites with varying security needs, the developers need to know how the security works and choose the appropriate security model for their applications. Some websites collect no information from the users and publish the information that is available widely, such as a search engine. There are other sites that may need to collect sensitive information from their users

1  Fundamental Operations of ASP.NET Security

Security in the context of an ASP.NET application involves 3 fundamental operations, namely Authentication, Authorization and Impersonation. Authentication is the process of validating the identity of a user to allow or deny a request. This involves accepting credentials (e.g. username and password) from the users and validating them against a designated authority. After the identity is verified and validated, the user is considered to be legal and the resource request is fulfilled. Future request

2  Authentication in ASP.NET

Authentication is one of the foremost features of web application security. In ASP.NET, authentication is done at two levels. [2] First, Internet Information Server (IIS) will perform the required authentication, then send out the request to ASP.NET, as described in Figure 1. For an ASP.NET application, the underlying web server is IIS. Therefore, every ASP.NET application can continue to leverage the security options provided by IIS. When the user requests a specific resource on the sy

Fig. 1  Security flow of IIS and ASP.NET

ASP.NET provides built-in support for user authentication through several authentication providers. [1,4] These are Forms-based authentication, in which the application is secured by using a custom authentication model with cookie support; Passport authentication, in which the application is secured by using Microsoft Passport authentication (Passport is a single sign-on technology developed by Microsoft for use on the web); and Windows authentication, in which the application is secured by us

There are scenarios where some applications do not use authentication at all, or the developer may want to develop custom authentication code. In this case, ASP.NET can set the authentication mode to None. This article will briefly cover the Forms-based, Passport and Windows authentications.

2.1  Forms-Based Authentication

Forms-based authentication is used to implement customized logic for authenticating users without having to worry about session management, using a cookie. It gives a developer more access to specify which files on the site can be accessed and by whom, and allows identification of a login page. [3] This mechanism will automatically redirect the unauthenticated user to the login page and ask them to provide proper credentials (e.g. a username/password combination). If login is successful, ASP.NET

Fig. 2  Form authentication flow

In the figure above, the user requests the restricted resources first. This request will go to IIS first and the user is authenticated by IIS. If anonymous access is enabled in IIS or the user is successfully authenticated, it will hand off the request to the ASP.NET application. ASP.NET checks to see whether a valid authentication cookie is attached to the request. If it is, it means the user credentials have been previously authenticated. ASP.NET will then perform the authorization check. I

Set Up Forms-Based Authentication

Generally, setting up Forms-based authentication involves 4 steps [2], namely (i) enable anonymous access in IIS; (ii) configure the <authentication> section in the Web.config file; (iii) configure the <authorization> section in the Web.config file; and (iv) create the login page.

(i) Enable anonymous access in IIS:

This has to be done as most of the users are considered to be non-Windows users, so they can get through IIS to get to ASP.NET. ASP.NET will always allow anonymous access to the login page though.

(ii) Configure the <authentication> section in the Web.config file:

The Web.config file contains the information related to the level and type of authentication service that is provided for a web application. Forms-based authentication is enabled for a web application by setting the authentication mode attribute to Forms [3]:

As shown by the code above, the name attribute is the name of the HTTP cookie. The attribute loginUrl is set to Login.aspx, which is the web page that is used for authenticating user credentials. Requests are redirected to the URL in loginUrl if the user is not authenticated. The cookie protection is set to All. This causes the ASP.NET runtime to not only encrypt the cookie contents, but also validate the cookie contents. The valid values for the protection attribute are All, None, Enc

(iii) Configure the <authorization> section in the Web.config file

Add authorization support to the ASP.NET web application. To do so, add the <authorization> section in the Web.config file:

As explained above, after the user provides valid credentials, the user is redirected to the specific protected page. However, the authorization section in this code will deny access to all users, but exclusively allow access to Narcis.

(iv) Create Login Page

This is the last step for redirecting unauthenticated users, so they can provide their credentials, usually in the form of a username and password, and log on to protected resources. The login page must validate the submitted credentials against a database or some custom method. Valid usernames and passwords can be stored in the Web.config file in the credentials section:

However, storing passwords in clear text is unreasonable for security. Moreover, it is unrealistic to store thousands of names and passwords in the Web.config file. [2,7] To address this problem, the usernames and passwords are stored in the database. This approach makes the Web.config file no longer have the <credentials> section. There will also be some changes in Login.aspx, since the credentials will be tested to match against the result of a query against the database that stores the usernames and password

2.2  Passport Authentication

As stated above, this authentication mechanism provides a centralized authentication service that offers single sign-in for access to the member sites. The following scenarios support the use of Passport authentication: [2] (i) the username and password database or login page is not maintained; (ii) willing to provide personalized content; (iii) the site will be used in conjunction with other Passport sites; and (iv) willing to give single sign-in capability to the users

Set Up Passport Authentication

To implement this authentication mode, the Passport SDK (Software Development Kit) has to be installed on the server and registered with Microsoft (R) Passport. [1,2] The following code is specified in the Web.config file, where the authentication mode is set to Passport:

The redirectUrl attribute of the passport section is set to internal, which means the unauthenticated request will receive a common error message. The value of redirectUrl may contain a string other than internal, which is considered to be a URL to which the unauthenticated request will be sent.

2.3  Windows Authentication

This type of authentication is possibly the easiest of all to implement. Windows authentication can be used in conjunction with almost all authentication methods provided by IIS (e.g. Basic, Digest, NTLM or Kerberos authentication), except Anonymous authentication. [2,4] There is no need to write any code to validate the user, as IIS has already authenticated their Windows credentials. Basically, Windows authentication makes use of the authentication capabilities of IIS. IIS will complete

This mechanism is usually implemented when the users are part of a Windows domain and the authenticated users are to be impersonated, so that the code is executed in the same security context as the user's Windows account. [4] When a user requests specific resources, this request will go to IIS. IIS authenticates the user and attaches the security token to it. It will then pass the authenticated request and security token to ASP.NET. If impersonation is enabled, ASP.NET impersonates the user u

Set Up Windows Authentication

The only step in implementing Windows authentication is to set the authentication mode to Windows and deny access to anonymous users in the Web.config file, as shown below:

Impersonation is enabled only if the code is to run under the same security context as that of the user account. Again, this is done in the configuration file.
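The Web.config fragment this subsection refers to is not reproduced on the page either. The following is an added example (not the article's own listing) of the settings it describes: the Windows mode and the deny rule come from the text; the anonymous-user wildcard and the identity element are the specifics a practitioner needs to make those two sentences work.

```xml
<!-- Added example (not the article's listing): Windows authentication as described under
     "Set Up Windows Authentication". -->
<configuration>
  <system.web>
    <!-- Let IIS (Basic, Digest, NTLM or Kerberos) authenticate the caller; the
         application writes no login code of its own. -->
    <authentication mode="Windows" />

    <!-- Deny anonymous users. "?" is the anonymous wildcard; "*" would deny everyone,
         authenticated or not. Without this rule, a request that IIS accepted anonymously
         reaches the application with no identity attached. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation: run page code under the caller's security token, so file-system
         ACLs and other resources are checked against the user's Windows account rather
         than the worker process account. Leave it out (or set it to false) when the code
         should keep the process identity. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```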

2.4  Conclusion

Authentication in ASP.NET is one of the best features of web application security. It is divided into 3 different built-in providers: Forms-based, Passport and Windows authentication. Forms-based and Passport authentication do not require the users to be Windows users. Windows authentication is designed for users that are part of a Windows domain. Forms-based authentication provides the unauthenticated users with the login page to ask them for their credentials, and it will vali

References:

[1] Bell, J., et al., 2001, ASP.NET Programmer's Reference, Wrox Press Ltd., USA.

[2] Chilakala, V., 2001, Microsoft ASP.NET Security, Microsoft Support WebCasts.

[3] Gonzales, J., 2002, 15 Seconds: Using Forms Authentication in ASP.NET Part 1.

[4] Kercher, J., 2001, Authentication in ASP.NET: .NET Security Guidance, MSDN Magazine, August 2001.

[5] Lassan, R., Smith, E., 2002, ASP.NET Bible, Hungry Minds Inc., USA.

[6] Leinecker, R., 2002, Using ASP.NET, Que Corporation, Indiana.

[7] .NET Framework Developer's Guide: ASP.NET Web Application Security, Link.
