Authentication modes in ASP.NET

Why is authentication needed?

Authentication comes up constantly in B/S (browser/server) development. A web application is unlike a traditional C/S (client/server) program: by default, with no authentication mode and no access control configured, the moment the application is exposed on the Internet or an intranet anyone can reach every resource it serves, and it becomes very hard to guarantee any security at all. Put simply: for most internal systems and business-support platforms, users must log in before they can view or operate any page. Public web sites differ somewhat, because most of their pages and content are meant to be public; only operations that touch a registered user's personal data, or the site's back-office administration, need to prompt for login. If that check is not enforced strictly the consequences are serious: anyone who guesses the name of a page under your web directory can open it directly (forced browsing), so protection has to come from the server's authentication and authorization rules, never from a page being hard to find.

ASP.NET provides three authentication modes: Windows authentication, Forms authentication and Passport authentication. (The mode attribute also accepts None, which performs no authentication at all.)

Windows authentication: IIS performs the authentication according to the application's settings (Basic, Digest or Integrated Windows authentication, i.e. NTLM/Kerberos) and hands the resulting Windows identity to ASP.NET. To use this mode, anonymous access must be disabled in IIS.
Forms authentication: the application verifies the user's credentials itself, after which ASP.NET issues an encrypted and signed authentication ticket in a cookie (the cookie carries the ticket, not the password) and redirects unauthenticated users to a custom login page.
Passport authentication: performed by Microsoft's centralized Passport authentication service, which gives member sites single sign-on and a core profile service.

1. Configuring Windows authentication
     1) Configure IIS
        In the IIS console, open the site's (or virtual directory's) Directory Security / Authentication settings, untick Anonymous access and tick Integrated Windows authentication (or Basic/Digest if you need them; Basic sends the password base64-encoded and must only be used over TLS). If anonymous access stays enabled, requests arrive as the anonymous IIS user and ASP.NET never sees a Windows identity until it forces a 401 challenge; disabling anonymous access makes IIS authenticate every request up front.

 2) Configure Web.config
     <system.web>
            <!-- Use the Windows identity that IIS established for the request
                 (Basic, Digest or Integrated/NTLM/Kerberos); ASP.NET does no
                 authentication of its own in this mode -->
            <authentication mode="Windows" />
             <authorization>
                  <!-- Deny anonymous users: "?" means unauthenticated, "*" means everyone -->
                  <deny users="?"/>
            </authorization>
     </system.web>
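As an added example (not code from the original post), the code-behind below shows what ASP.NET receives once the IIS and web.config settings above are in place, and enforces an Active Directory group check, which is the programmatic twin of an <allow roles="..."/> authorization rule. The page name Admin and the group CORP\WebAdmins are placeholders, not something the post defines.

```csharp
// Added example, not part of the original post: a code-behind for a page under
// Windows authentication that checks what IIS actually handed to ASP.NET and
// enforces an AD group, the programmatic equivalent of <allow roles="CORP\WebAdmins"/>.
// "CORP\WebAdmins" and the page class name Admin are placeholders.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class Admin : Page
{
    // Assumed group name; replace with the real domain group.
    private const string RequiredGroup = @"CORP\WebAdmins";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under <authentication mode="Windows"/> the request principal is a
        // WindowsPrincipal wrapping the token IIS obtained (NTLM/Kerberos/Basic).
        // Anything else means anonymous access is still on in IIS or the
        // authentication mode is not Windows, so fail closed.
        var principal = User as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            Deny(401);
            return;
        }

        // Which scheme actually ran: "Negotiate", "NTLM", "Kerberos" or "Basic".
        // Basic sends the password base64-encoded, so accept it only over TLS.
        string scheme = principal.Identity.AuthenticationType;
        if (scheme == "Basic" && !Request.IsSecureConnection)
        {
            Deny(403);
            return;
        }

        // Group membership is evaluated against the group SIDs in the logon token,
        // so a user added to the group is admitted only after a fresh logon.
        if (!principal.IsInRole(RequiredGroup))
        {
            Deny(403);
            return;
        }

        // Identity.Name is DOMAIN\user as established by IIS; record it for
        // auditing and never take the user name from a form field instead.
        Trace.Write("auth", principal.Identity.Name + " admitted via " + scheme);
    }

    // Set a status code and finish the request without the ThreadAbortException
    // that Response.End() raises.
    private void Deny(int status)
    {
        Response.StatusCode = status;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The declarative form of the same check is <authorization><allow roles="CORP\WebAdmins"/><deny users="*"/></authorization> in web.config; the code version is useful when the decision depends on more than group membership, such as refusing Basic over plain HTTP.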

2. Configuring Forms authentication
    1) Configure web.config
       The file below is the Visual Studio template with the Forms settings filled in. In the <forms> element, name is the cookie name, loginUrl is where unauthenticated users are redirected, timeout is the ticket lifetime in minutes, and protection="All" (the default) both encrypts and signs the ticket with the machineKey; on a web farm every server must therefore share the same machineKey, or tickets issued by one server are rejected by the others. For a production site also set requireSSL="true" so the ticket cookie is only sent over TLS, and leave enableCrossAppRedirects at its default of false so ReturnUrl cannot point off-site.

<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the 
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in 
    machine.config.comments usually located in 
    /Windows/Microsoft.Net/Framework/v2.x/Config 
-->
<configuration>
 <appSettings/>
 <connectionStrings/>
  <!--Let anonymous users reach register.aspx; authenticated users are already
      covered by the machine-level default <allow users="*"/> rule-->
  <location path="register.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
 <system.web>
  <!-- 
            Set compilation debug="true" to insert debugging 
            symbols into the compiled page. Because this 
            affects performance, set this value to true only 
            during development.
        -->
  <compilation debug="true"/>
  <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
  <authentication mode="Forms">
   <forms name="auth" loginUrl="login.aspx" timeout="30" protection="All" path="/"></forms>
  </authentication>
  <!--Deny anonymous users everywhere else; the <location> rule above takes
      precedence for register.aspx-->
  <authorization>
   <deny users="?"/>
  </authorization>
  <!--
            The <customErrors> section enables configuration 
            of what to do if/when an unhandled error occurs 
            during the execution of a request. Specifically, 
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
 </system.web>
</configuration>

 2) Login page code

     login.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="login.aspx.cs" Inherits="login" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Log in" /></div>
    </form>
</body>
</html>

     login.aspx.cs

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Issues the Forms authentication ticket cookie for the given user name
        // and redirects to the ReturnUrl query parameter (or defaultUrl).
        // "false" means a session cookie rather than a persistent one.
        // This sample takes the typed name as-is: a real login page must verify
        // the user's credentials before making this call, otherwise anyone can
        // authenticate as any user.
        FormsAuthentication.RedirectFromLoginPage(this.TextBox1.Text, false);
    }
}
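The code-behind above shows the mechanism but authenticates whoever types a name. Below is the hardened version, written here as an added example and not part of the original post: it verifies the password before any ticket is issued, builds the ticket cookie itself so the HttpOnly and Secure flags are explicit, and follows ReturnUrl only when it is a path inside this application. It assumes a second TextBox named TextBox2 (TextMode="Password") on login.aspx and an ASP.NET Membership provider configured in web.config; both are assumptions that the post does not show. FormsAuthentication.RedirectFromLoginPage would otherwise do the cookie-plus-redirect in one call.

```csharp
// Added example, not part of the original post: a login code-behind that
// verifies credentials before issuing the Forms ticket, sets the cookie flags
// explicitly, and only follows ReturnUrl when it is local to this application.
// Assumes TextBox2 (password field) on login.aspx and a configured Membership
// provider; both are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class login : Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        string userName = TextBox1.Text.Trim();
        string password = TextBox2.Text;

        // Membership.ValidateUser checks the salted, hashed password held by the
        // configured provider. No ticket exists until it returns true.
        if (userName.Length == 0 || !Membership.ValidateUser(userName, password))
        {
            // One generic outcome for "no such user" and "wrong password",
            // so the form cannot be used to enumerate accounts.
            Page.Title = "Login failed";
            return;
        }

        // Build the ticket cookie ourselves instead of calling
        // RedirectFromLoginPage so the flags are visible. The cookie value is the
        // encrypted, MAC-protected ticket (protection="All"), never the password.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, false);
        authCookie.HttpOnly = true;   // not readable by page script, limits XSS impact
        authCookie.Secure = true;     // sent only over TLS; the site must be served over HTTPS
        Response.Cookies.Add(authCookie);

        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Accept only an application path ("/orders.aspx" or "~/orders.aspx") and
    // reject absolute URLs as well as protocol-relative "//evil.example" and
    // "/\evil.example", so the login page cannot act as an open redirect.
    // Anything else falls back to the configured defaultUrl.
    internal static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl))
            return FormsAuthentication.DefaultUrl;

        bool local = returnUrl.StartsWith("~/", StringComparison.Ordinal)
            || (returnUrl.StartsWith("/", StringComparison.Ordinal)
                && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                && !returnUrl.StartsWith("/\\", StringComparison.Ordinal));

        return local ? returnUrl : FormsAuthentication.DefaultUrl;
    }
}
```

The same cookie flags can be applied declaratively with requireSSL="true" on the <forms> element and <httpCookies httpOnlyCookies="true"/> under <system.web>; the explicit code is shown so it is clear which properties the configuration is setting.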

3. Configuring Passport authentication
    Requires installing the Passport Software Developer Kit. This mode suits applications that span multiple sites: a user has a single user name and password that works on every member site. Caveat: Microsoft has since retired .NET Passport (it became Windows Live ID and later the Microsoft account), and the Passport classes are marked obsolete in .NET Framework 4; treat this mode as historical and use a current federated protocol for cross-site single sign-on instead.

Posted 2012-07-22 09:44 by Joy Ho