Graduation Project (Thesis) Foreign-Language Translation

An overview of authentication security features in ASP.NET (ASP.NET 中認證安全特征評述)

Student: 郭維雅 (Guo Weiya); Degree level: undergraduate; Department: School of Electrical and Information Engineering; Major: Computer Science and Technology; Advisor: 秦忠 (Qin Zhong), Associate Professor; Completed: 17 March 2011; Changchun Institute of Technology (長春工程學院)

An overview of authentication security features in ASP.NET

Security is one of the primary concerns for both developers and application architects. As there are many different types of websites with varying security needs, developers need to know how the security works and choose the appropriate security model for their applications. Some websites collect no information from their users and publish information that is widely available, such as a search engine. Other sites may need to collect sensitive information from their users, such as credit card numbers. These websites need a much stronger security implementation to avoid malicious attacks from external entities.

1 Fundamental Operations of ASP.NET Security

Security in the context of an ASP.NET application involves three fundamental operations, namely authentication, authorization and impersonation. Authentication is the process of validating the identity of a user in order to allow or deny a request. This involves accepting credentials (e.g. a username and password) from the user and validating them against a designated authority. After the identity is verified and validated, the user is considered legitimate and the resource request is fulfilled. Ideally, future requests from the same user are not subject to the authentication process until the user logs out of the web application. Authorization is the process of ensuring that users with a valid identity are allowed to access specific resources. Impersonation is the process that enables an application to assume the identity of the user and, in turn, make requests to other resources. Access to resources is granted or denied based on the identity that is being impersonated.

2 Authentication in ASP.NET

Authentication is one of the foremost features of web application security. In ASP.NET, authentication is done at two levels. First, Internet Information Server (IIS) performs the required authentication, then passes the request on to ASP.NET, as described in Fig. 1. For an ASP.NET application the underlying web server is IIS, so every ASP.NET application can continue to leverage the security options provided by IIS. When a user requests a specific resource on the system, that request comes to IIS. IIS authenticates the user requesting the resource and then hands off the request, together with the security token of the authenticated user, to the ASP.NET worker process. The ASP.NET worker process decides whether or not to impersonate the authenticated user supplied by IIS. If impersonation is enabled in the configuration settings of the Web.config file, the ASP.NET worker process impersonates the authenticated user; otherwise the thread runs under the ASP.NET worker process identity. Finally, ASP.NET checks whether the authenticated user is authorized to access the requested resources. If so, ASP.NET serves the request; otherwise it sends an "access denied" error message back to the user.

Fig. 1 Security flow of IIS and ASP.NET

ASP.NET provides built-in support for user authentication through several authentication providers [1,4]. These are Forms-based authentication, in which the application is secured by a custom authentication model with cookie support; Passport authentication, in which the application is secured by Microsoft Passport authentication (Passport is a single sign-on technology developed by Microsoft for use on the web); and Windows authentication, in which the application is secured by integrated Windows authentication, so that access to the web application is allowed only to users who can verify their Windows credentials. There are also scenarios where an application does not use authentication at all, or where the developer wants to write custom authentication code; in that case the ASP.NET authentication mode can be set to None. This article briefly covers the Forms-based, Passport and Windows authentication modes.

2.1 Forms-Based Authentication

Forms-based authentication is used to implement customized logic for authenticating users, using a cookie so that the developer does not have to worry about session management. It gives the developer more control to specify which files on the site can be accessed and by whom, and allows a login page to be identified [3]. This mechanism automatically redirects unauthenticated users to the login page and asks them to provide proper credentials (e.g. a username/password combination). If the login is successful, ASP.NET issues a cookie to the user and redirects them to the specific resource they originally requested. This cookie allows the user to revisit protected resources without having to log in repeatedly. The mechanism is shown below:

Fig. 2 Forms authentication flow

In the figure above, the user first requests a restricted resource. The request goes to IIS first, and the user is authenticated by IIS. If anonymous access is enabled in IIS, or the user is successfully authenticated, IIS hands the request off to the ASP.NET application. ASP.NET checks whether a valid authentication cookie is attached to the request. If it is, the user's credentials have been authenticated previously, and ASP.NET performs the authorization check: if the user is authorized to access the resource, access is granted; otherwise the "access denied" message is sent. If the request has no cookie attached, ASP.NET redirects the user to the login page, solicits the credentials and resubmits them for authentication. The application code checks those credentials. If they are authenticated, ASP.NET attaches the authentication ticket, in the form of a cookie, to the response. If they fail, the user can be redirected back to the login page with a message that the username/password is invalid.

Set Up Forms-Based Authentication

Generally, setting up Forms-based authentication involves four steps [2], namely (i) enable anonymous access in IIS, (ii) configure the <authentication> section in the Web.config file, (iii) configure the <authorization> section in the Web.config file, and (iv) create the login page.

(i) Enable anonymous access in IIS: This has to be done because most of the users are considered to be non-Windows users, so they must be able to get through IIS to reach ASP.NET. ASP.NET will always allow anonymous access to the login page, though.

(ii) Configure the <authentication> section in the Web.config file: The Web.config file contains the information related to the level and type of authentication service that is provided for a web application. Forms-based authentication is enabled for a web application by setting the authentication mode attribute to Forms:

    <authentication mode="Forms">
      <forms name="Login" loginUrl="Login.aspx" protection="All" timeout="10" path="/" />
    </authentication>

As shown in the code above, the name attribute is the name of the HTTP cookie. The loginUrl attribute is set to Login.aspx, which is the web page used to authenticate user credentials; requests are redirected to the URL given in loginUrl if the user is not authenticated. The cookie protection is set to All.
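What the four protection values actually buy is easier to see in code. The C# console program below is an added example, not code from the article or from ASP.NET itself: it models a forms ticket as a short string, protects it with each of the four modes, and then checks whether a single bit changed in transit is noticed on the way back in. The keys, the ticket text and the byte layout are constructed for the demonstration, and AES-CBC with HMAC-SHA256 stands in for the DES-family cipher and the hash that ASP.NET used at the time, so the output reflects the concept (confidentiality versus integrity) rather than the real cookie format.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: a constructed model of the four <forms protection="..."> levels.
// It is not ASP.NET's real ticket format and not the framework's own code.
public enum Protection { None, Validation, Encryption, All }

public static class TicketProtector
{
    // In a real deployment these come from <machineKey>; here they are constructed.
    static readonly byte[] EncryptionKey = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
    static readonly byte[] ValidationKey = Enumerable.Range(0, 32).Select(i => (byte)(0x80 + i)).ToArray();

    public static byte[] Protect(Protection mode, string ticket)
    {
        byte[] body = Encoding.UTF8.GetBytes(ticket);
        if (mode == Protection.Encryption || mode == Protection.All)
            body = Encrypt(body);                        // IV || ciphertext
        if (mode == Protection.Validation || mode == Protection.All)
            body = body.Concat(Mac(body)).ToArray();     // body || HMAC tag (encrypt-then-MAC)
        return body;
    }

    // Returns the ticket text, or null when the cookie fails validation.
    public static string Unprotect(Protection mode, byte[] blob)
    {
        byte[] body = blob;
        if (mode == Protection.Validation || mode == Protection.All)
        {
            if (body.Length < 32) return null;
            byte[] payload = body.Take(body.Length - 32).ToArray();
            byte[] tag = body.Skip(body.Length - 32).ToArray();
            if (!FixedTimeEquals(Mac(payload), tag)) return null;   // altered in transit
            body = payload;
        }
        if (mode == Protection.Encryption || mode == Protection.All)
        {
            // Encryption alone only fails on bad padding; it proves nothing about integrity.
            try { body = Decrypt(body); }
            catch (CryptographicException) { return null; }
        }
        return Encoding.UTF8.GetString(body);
    }

    static byte[] Encrypt(byte[] plaintext)
    {
        using (var aes = Aes.Create())          // CBC with PKCS7 padding by default
        {
            aes.Key = EncryptionKey;
            aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                return aes.IV.Concat(ct).ToArray();
            }
        }
    }

    static byte[] Decrypt(byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = EncryptionKey;
            aes.IV = blob.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, 16, blob.Length - 16);
        }
    }

    static byte[] Mac(byte[] data)
    {
        using (var h = new HMACSHA256(ValidationKey)) return h.ComputeHash(data);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed ticket: the user name and expiry that the forms cookie carries.
        string ticket = "Narcis|2011-03-17T10:00:00Z";
        foreach (Protection mode in Enum.GetValues(typeof(Protection)))
        {
            byte[] blob = TicketProtector.Protect(mode, ticket);
            bool readable = Encoding.UTF8.GetString(blob).Contains("Narcis");
            byte[] altered = (byte[])blob.Clone();
            altered[0] ^= 0x01;                          // one bit changed "in transit"
            string result = TicketProtector.Unprotect(mode, altered);
            Console.WriteLine("{0,-10} user name visible in cookie: {1,-5} altered cookie accepted: {2}",
                mode, readable, result != null ? "yes (" + result + ")" : "no");
        }
    }
}
```

Run it as a console project. The None and Encryption rows accept the altered cookie (the first letter of the user name comes back changed, because flipping a bit of the IV flips the same bit of the first plaintext byte and nothing checks for it), while the Validation and All rows reject it. That is the reason the article sets protection to All: encryption hides the ticket, but only validation proves it was not modified.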

Setting protection to All causes the ASP.NET runtime not only to encrypt the cookie contents but also to validate them. The valid values for the protection attribute are All, None, Encryption and Validation [8]. If the value is None, neither encryption nor validation is used. Encryption encrypts the cookie using the Triple DES or DES encryption algorithm, but no data validation is done on the cookie. Validation checks that the cookie data has not been altered in transit, instead of encrypting the contents of the cookie. The timeout is set to 10, which means the authentication cookie expires after 10 minutes. The idea behind this is to reduce the chance of someone stealing the forms authentication cookie; with a shorter lifetime, the cookie is regenerated more often. The path attribute refers to the path for which the cookie is sent to the client; it is set to /, which means the cookie path is the root directory.

(iii) Configure the <authorization> section in the Web.config file: Add authorization support to the ASP.NET web application by adding an <authorization> section to the Web.config file:

    <configuration>
      <system.web>
        <authorization>
          <allow users="Narcis" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

As explained above, after the user provides valid credentials, the user is redirected to the specific protected page. However, the authorization section in this code denies access to all users and exclusively allows access to Narcis.

(iv) Create the login page: This is the last step. Unauthenticated users are redirected here so that they can provide their credentials, usually in the form of a username and password, and log on to the protected resources. The login page must validate the submitted credentials against a database or some custom method. Valid usernames and passwords can be stored in the <credentials> section of the Web.config file:

    <credentials passwordFormat="Clear">
      <user name="Narcis" password="nar" />
      <user name="Marion" password="mar" />
      <user name="Lauren" password="lau" />
    </credentials>

However, storing passwords in clear text is unreasonable for security. Moreover, it is unrealistic to store thousands of names and passwords in the Web.config file [2,7]. To address this problem, the usernames and passwords are stored in a database. With this approach the Web.config file no longer has a <credentials> section, and there are also some changes in Login.aspx, since the credentials are tested against the result of a query on the database that stores the usernames and passwords.

2.2 Passport Authentication

As stated above, this authentication mechanism provides a centralized authentication service that offers single sign-in for access to the member sites. The following scenarios support the use of Passport authentication: (i) no username and password database or login page is maintained; (ii) the site is willing to provide personalized content; (iii) the site will be used in conjunction with other Passport sites; and (iv) the site is willing to give single sign-in capability to its users.

Set Up Passport Authentication

To implement this authentication mode, the Passport SDK (Software Development Kit) has to be installed on the server, and the server must be registered with Microsoft Passport. The following code is specified in the Web.config file, where the authentication mode is set to Passport:

    <authentication mode="Passport">
      <passport redirectUrl="internal" />
    </authentication>

The redirectUrl attribute of the passport section is set to internal, which means an unauthenticated request receives a common error message. The value of redirectUrl may contain a string other than internal, which is treated as a URL to which unauthenticated requests are sent.

2.3 Windows Authentication

This type of authentication is possibly the easiest of all to implement. Windows authentication can be used in conjunction with almost all of the authentication methods provided by IIS (e.g. Basic, Digest, NTLM or Kerberos authentication), except Anonymous authentication [2,4]. There is no need to write any code to validate the user, as IIS has already authenticated their Windows credentials. Basically, Windows authentication makes use of the authentication capabilities of IIS: IIS completes its authentication first, then ASP.NET uses the authenticated identity's token to decide whether access is granted or denied. This mechanism is usually implemented when the users are part of a Windows domain and the authenticated users are to be impersonated, so that the code executes in the same security context as the user's Windows account [4]. When a user requests a specific resource, the request goes to IIS. IIS authenticates the user and attaches the security token to the request, then passes the authenticated request and the security token to ASP.NET. If impersonation is enabled, ASP.NET impersonates the user using the attached security token and checks whether the user is authorized to access the resource according to the <authorization> section in the Web.config file. If access is granted, ASP.NET sends the requested resource through IIS; otherwise it sends an error message to the user.

Set Up Windows Authentication

The only step in implementing Windows authentication is to set the authentication mode to Windows and deny access to anonymous users in the Web.config file, as shown below:

    <authentication mode="Windows"></authentication>
    <authorization>
      <deny users="?" />
    </authorization>

Impersonation is enabled only if the code is to run under the same security context as the user account. Again, this is done in the configuration file.

2.4 Conclusion

Authentication in ASP.NET is one of the best features of web application security. It is divided into three different built-in providers: Forms-based, Passport and Windows authentication. Forms-based and Passport authentication do not require the users to be Windows users; Windows authentication is designed for users that are part of a Windows domain. Forms-based authentication presents unauthenticated users with a login page to ask for their credentials, and validates those credentials against the designated authority. If the users are not authorized to access specific resources, it sends the access denied message back to them. For Passport authentication, the Passport SDK is simply installed on the server and registered with Microsoft Passport; this mechanism offers a single sign-in provided by Microsoft to allow access to the member sites. Windows authentication is the easiest to implement, as it does not require writing any code for authentication.

A Review of Authentication Security Features in ASP.NET (Chinese translation of the article above)

Security is the primary concern of developers and application architects. Since different kinds of websites have different security needs, developers need to know what level of security is required to operate and choose an appropriate security model for their programs. Some websites publish information that does not come from users but is collected through wide channels such as search engines. Other websites may need to collect sensitive user information, such as credit card numbers; these websites need very strict security measures to avoid malicious attacks from outside.

1 Basic Security Operations

In the environment of an ASP.NET application, the basic security operations involve three steps, namely authentication, authorization and impersonation. The authentication process verifies the user's identity and allows or denies the request. This involves accepting user credentials (such as a username and password) and checking the credentials. After authentication, a legitimate user's request for a resource will be satisfied. For a period afterwards, the user's requests for resources need no further authentication, until the user logs out of the web application. Authorization is granting the user the qualification to access specific resources. The impersonation process lets the application confirm the user's identity and thereby obtain the other resources requested. Based on the impersonated identity, the resource request will be granted or denied.

2 Authentication in ASP.NET

Authentication is an important feature of web application security. In ASP.NET, authentication takes place at two levels. First, Internet Information Services (IIS) performs the necessary authentication and then sends the user's request on to ASP.NET, as described in Figure 1. The web server of an ASP.NET application is basically IIS, so every ASP.NET application can continue to make use of the security options IIS provides. When a user requests a specific resource, the request is sent to IIS. IIS authenticates the user's request and then passes the authenticated user to the ASP.NET worker process. The ASP.NET worker process decides whether to impersonate the user authenticated by IIS. If the impersonation setting in the Web.config file is enabled, the ASP.NET worker process impersonates the authenticated user; otherwise, ASP.NET verifies the user's identity itself. Finally, ASP.NET decides whether the user has the right to access these resources. If they are allowed, ASP.NET serves the request; otherwise it returns a "login denied" error message to the user.

Figure 1 Security flow of IIS and ASP.NET

ASP.NET provides built-in user authentication through several authentication mechanisms [1,4]. They are forms-based authentication, where the application uses a custom authentication model with cookie support to secure itself; Passport, where the application authenticates with Microsoft's Passport, a web single sign-on technology developed by Microsoft; and Windows authentication, where the web application verifies users against the list of users obtained from integrated Windows authentication. Some applications also use no authentication at all, or develop their own authentication mechanism; in that case the ASP.NET authentication mode can be set to off. This article will briefly cover forms-based, Passport and Windows authentication.

2.1 Forms-Based Authentication

Forms-based authentication uses custom logic to authenticate users, and uses a cookie so that there is no need to worry about session management. This gives developers more control to specify which files on the site can be obtained and by whom, and allows a login page to be identified [3]. This mechanism automatically redirects unauthenticated users to the login page and asks them to provide appropriate credentials (for example, a username/password combination). If the login succeeds, ASP.NET assigns a cookie to the user and redirects them to the specific resource they originally requested. This cookie allows the user to access specific resources repeatedly without having to go through the login mechanism again. This is shown as follows:

Figure 2 Forms authentication flow

In the figure above, the user first requests a resource. The request first reaches IIS, which authenticates the user. If IIS has anonymous access enabled, or the user has been successfully authenticated, IIS forwards the request to the ASP.NET application. ASP.NET checks whether a valid authentication cookie is attached to the request. If there is one, it means the user has previously been authenticated, and ASP.NET performs the authorization check. If the user has permission to access these resources, access is allowed; otherwise a login-failure message is returned. If the request carries no cookie, ASP.NET redirects the user to the login page and asks the user to authenticate. The application code checks the credentials. If authentication passes, ASP.NET returns a cookie in the form of an attached authentication ticket. If it fails, the user can be redirected to the login page and told that the username/password is invalid.

Setting Up Forms-Based Authentication

Generally speaking, setting up forms-based authentication involves four steps: (1) enable anonymous access in IIS; (2) configure <authentication> in the Web.config file; (3) set <authorization> in the Web.config file; (4) create the login page.

(1) Enable anonymous access in IIS: there is a lot of work to do here, because most users are identified as non-Windows users, so they enter ASP.NET through IIS; ASP.NET will always allow anonymous access to the login page.

(2) Configure <authentication> in the Web.config file: the Web.config file contains information such as the level and type of authentication service for a web application. Forms authentication is activated by setting the web application's authentication mode attribute to Forms:

    <authentication mode="Forms">
      <forms name="Login" loginUrl="Login.aspx" protection="All" timeout="10" path="/" />
    </authentication>

As in the code above, the name attribute is the name of the HTTP cookie. The loginUrl attribute is set to the login page; if needed, this is the page used to authenticate the user's credentials. If the user has not been authenticated, the request is redirected to the specific URL in loginUrl. The valid values of the protection attribute are All, None, Encryption and Validation. The cookie protection is set to All, which causes the ASP.NET runtime not only to encrypt the cookie contents but also to validate them [8]. If it is set to None, it uses no encryption or validation. Specifying Encryption encrypts the cookie using the DES or DES encryption algorithm; the data in the cookie is not validated. Specifying Validation checks that the cookie data has not been altered, instead of encrypting the cookie contents. The timeout is set to 10, which means the authentication cookie expires after 10 minutes. The purpose of this is to reduce the chance of someone stealing the authentication cookie; by reducing the clock, the cookie is regenerated frequently. The path attribute is the path for which the cookie is sent to the client; it is set to "/", which means the cookie path is the root directory.

(3) Configure <authorization> in the Web.config file: add an authorization service to the ASP.NET web application. To do this, add <authorization> to the Web.config file:

    <configuration>
      <system.web>
        <authorization>
          <allow users="Narcis" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

As explained above, after the user provides valid credentials, the user is redirected to the specific page. However, the authorization in this code denies access to all users except "Narcis".

(4) Create the login page: this is the last step for redirecting unauthenticated users, so that they can provide their credentials, usually in some form of
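The login page of step (iv), which is where this copy of the page breaks off, is the natural place to replace the clear-text <credentials> section with the database lookup the article recommends. The C# code-behind below is an added example written for this article, not the article's own Login.aspx and not framework code. It assumes a Users table with the columns shown in the comment, a connection string named UsersDb, and page controls named UserName, Password, Message and LoginButton; passwords are stored as a salted PBKDF2 hash rather than in clear, the query is parameterised, and one failure message covers both an unknown user and a wrong password. On success, FormsAuthentication.RedirectFromLoginPage issues the cookie configured in the <forms> element and returns the user to the page they originally requested.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

// Added example for step (iv): a Login.aspx code-behind that validates the submitted
// credentials against a database instead of a <credentials> section in Web.config.
// Assumed (constructed) table:
//   CREATE TABLE Users (UserName NVARCHAR(64) PRIMARY KEY, PasswordSalt VARBINARY(16),
//                       PasswordHash VARBINARY(32), Iterations INT)
// Control IDs and the connection-string name are assumptions, not from the article.
public partial class Login : Page
{
    const int HashLength = 32;   // bytes of derived key stored per account
    const int SaltLength = 16;

    // Wired to LoginButton on Login.aspx (assumed controls: UserName, Password, Message).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the forms ticket cookie configured in <forms name="Login" .../>
            // and sends the user back to the resource they originally requested.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password: do not reveal which one failed.
            Message.Text = "Invalid username or password.";
        }
    }

    // Looks the account up and compares a freshly derived hash with the stored one.
    static bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        string cs = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash, Iterations FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName); // parameterised: no string concatenation
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;                // unknown user
                byte[] salt = (byte[])r["PasswordSalt"];
                byte[] stored = (byte[])r["PasswordHash"];
                int iterations = (int)r["Iterations"];
                byte[] computed = DeriveHash(password, salt, iterations);
                return FixedTimeEquals(computed, stored);
            }
        }
    }

    // PBKDF2 (RFC 2898) with a per-user salt; the same routine produces the value
    // stored in PasswordHash when an account is created.
    public static byte[] DeriveHash(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashLength);
    }

    // Fresh random salt for a new account.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltLength];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    // Compares hashes without short-circuiting on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this in place the Web.config keeps only the <authentication mode="Forms"> and <authorization> sections from the article; the <credentials> element and its clear-text passwords are dropped, and adding the thousands of accounts the article mentions becomes a row insert (NewSalt plus DeriveHash) rather than a configuration edit.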
