ASP.NET中認證安全特征評述-英文

AnoverviewofauthenticationsecurityfeaturesinASP.NETAbstract:ThisarticlediscussestheauthenticationfeatureoftheASP.NETtosupportsecuritywhendesigningaserverapplication.BothMicrosoftInternetInformationServices(IIS)andASP.NETprovidesecuritymodelsthatwillallowwebdeveloperstoauthenticatetheyourusersappropriatelyandobtainthecorrectsecuritycontextwithintheapplication.ThreelevelsofauthenticationcoveredaretheFormsbased,passportandwindowsauthentications.Thearticleliteratureislimitedtothesethreeareas.Keywords:Forms2based;passport;windowsauthenticationCLCnumber:TP393108Documentcode:AArticleID:1000-1646(2021)03-0250-05Securityisoneoftheprimaryconcernsforbothdevelopersandapplicationarchitects.Astherearelotsofdifferenttypesofwebsiteswithvaryingsecurityneeds,thedevelopersneedtoknowhowthesecurityworksandchoosetheappropriatesecuritymodelfortheirapplications.Somewebsitescollectnoinformationfromtheusersandpublishtheinformationthatisavailablewidelysuchassearchengine.Thereareothersitesthatmayneedtocollectsensitiveinformationfromtheiruserslikecreditcardnumbers.Thesewebsitesneedmuchstrongersecurityimplementationtoavoidmaliciousattacksfromexternalentities.1FundamentalOperationsofASP.NETSecuritySecurityinthecontextofASP.NETapplicationinvolves3fundamentaloperationsnamelyAuthentication,AuthorizationandImpersonation.Authenticationistheprocessofvalidatingtheidentityofausertoallowordenyarequest.Thisinvolvesacceptingcredentials(e.g.usernameandpassword)fromtheusersandvalidatingitagainstadesignatedauthority.Aftertheidentityisverifiedandvalidated,theuserisconsideredtobelegalandtheresourcerequestisfulfilled.Futurerequestfromthesameuserideallyarenotsubjecttotheauthenticationprocessuntiltheuserlogsoutofthewebapplication.Authorizationistheprocessofensuringthatuserswithvalididentityareallowedtoaccessspecificresources.Impersonationistheprocessthatenablesanapplicationtoensuretheidentityoftheuser,andinturnmakerequesttotheotherresources.Accesstoresourceswillbegrantedordeniedbasedontheidentitythatisbeingimpersonated.2AuthenticationinASP.NETAuthenticationisoneoftheforemostfeaturesofwebapplication’ssecurity.InASP.NET,authenticationisdoneattwolevels.[2]First,InternetInformationServer(IIS)willperformtherequiredauthentication,thensendouttherequesttoASP.NET,asdescribedinFigure1.ForASP.NETapplication,theunderlyingwebserverisIIS.Therefore,everyASP.NETapplicationcancontinuetoleveragethesecurityoptionsprovidedbyIIS.Whentheuserrequestsaspecificresourceonthesystem,thatrequestwillcometoIIS.IISauthenticatestheuserrequestingtheresourceandthenhandsofftherequestandthesecuritytokenfortheauthenticatingusertoASP.NETworkerprocess.ASP.NETworkerprocesswilldecidewhethertoimpersonatetheauthenticatedusersuppliedbyIISornot.IfimpersonationisenabledintheconfigurationsettinginWeb.configfile,thenASP.NETworkerprocessimpersonatestheauthenticateduser.Otherwise,thethreadwillrunundertheASP.NETworkerprocessidentity.Afterall,ASP.NETcheckswhethertheauthenticateduserisauthorizedtoaccesstheseresources.Iftheyareallowedto,ASP.NETservestherequest;otherwiseitsendsan“accessdenied”errormessagebacktotheuser.Fig.1SecurityflowofIISandASP.NETASP.NETprovidesbuilt-insupportforuserauthenticationthroughseveralauthenticationproviders.[1,4]TheseareFormsbasedauthentication,whichistheapplicationthatissecuredbyusingacustomauthenticationmodelwithcookiesupport,Passportauthentication,anapplicationthatissecuredbyusingMicrosoftPassportauthentication.PassportisasinglesignontechnologydevelopedbyMicrosoftforuseonthewebandtheWindowsauthenticationwhichisanapplicationsecuredbyusingintegratedwindowsauthenticationwhereaccesstoawebapplicationisallowedonlytothoseuserswhoareabletoverifytheirwindowscredentials.Therearescenarioswheresomeapplicationsdonotusetheauthenticationatallorthedevelopermaywanttodevelopcustomauthenticationcode.Inthiscase,ASP.NETcansettheauthenticationmodetonone.ThisarticlewillbrieflycovertheFormsbased,passportandwindowsauthentications.2.1FormsBasedAuthenticationFormsbasedauthenticationisusedtoimplementcustomizedlogicforauthenticatinguserswithouthavingtoworryaboutsessionmanagementusingacookie.Itgivesadevelopermoreaccesstospecifywhichfilesonthesitecanbeaccessedandbywhom,andallowsidentificationofaloginpage.[3]Thismechanismwillautomaticallyredirecttheunauthenticatedusertologinpageandaskthemtoprovidepropercredentials(e.g.username/passwordcombination).Ifloginissuccessful,ASP.NETthenissuesthecookietotheuserandredirectthemtospecificresourcesthattheyoriginallyrequested.Thiscookieallowstheusertorevisitparticularprotectedresourceswithouthavingtorepeatedlylogin.Themechanismisshownasbelow:Fig.2FormauthenticationflowInfigureabove,theuserrequeststherestrictedresourcesfirst.ThisrequestwillgotoIISfirstandtheuserisauthenticatedbyIIS.IftheanonymousaccessisenabledinIISortheuserissuccessfullyauthenticated,itwillhandofftherequesttoASP.NETapplication.ASP.NETcheckstoseewhetheravalidauthenticationcookieisattachedtotherequest.Ifitis,itmeanstheusercredentialshasbeenpreviouslyauthenticated.ASP.NETwillthenperformtheauthorizationcheck.Iftheuserisauthorizedtoaccessthoseresources,theaccesswillbegranted.Otherwise,the“accessdenied”messageissent.Iftherequestdoesnothaveanycookieattached,ASP.NETredirectstheusertotheloginpageandsolicitsthecredentialsthenresubmitsforauthentication.Theapplicationcodechecksthosecredentials.Ifauthenticated,ASP.NETwillattachtheauthenticationticketintheformofcookietotheresponse.Iffailed,theusercanberedirectedbacktotheloginpagetellingtheuserthattheusername/passwordisinvalid.SetUpFormsBasedAuthenticationGenerally,settinguptheFormsbasedauthenticationinvolves4steps[2]namely(i)EnableanonymousaccessinIIS(ii)Configure<authentication>sectioninWeb.configfile(iii)Configure<authorization>sectioninWeb.configfileand(iv)CreateLoginPage.(i)EnableanonymousaccessinIIS:Thishastobedoneasmostoftheusersareconsideredtobenon-Windowsusers,sotheycangetthroughIIStogettoASP.NET.ASP.NETwillalwaysallowanonymousaccesstotheloginpagethough.(ii)Configure<authentication>sectioninWeb.configfile:Web.configfilecontainstheinformationrelatedtothelevelandtypeofauthenticationservicethatisprovidedforawebapplication.TheFormsbasedauthenticationisenabledforawebapplicationbysettingtheauthenticationmodeattributetoForms[3]:<authenticationmode=″<authenticationmode=″Forms″><formsname=″Login″loginURL=″Login.aspx″protection=″All″timeout=″10″path=″/″/></authentication>Asshownbythecodeabove,thenameattributeisthenameofHTTPcookie.TheattributeloginURLissettoLogin.aspx,whichisthewebpagethatisusedforauthenticatingusercredentials.TherequestsareredirectedtoparticularURLinloginURLiftheuserisnotauthenticated.ThecookieprotectionissettoAll.ThiscausestheASP.NETruntimetonotonlyencryptthecookiecontents,butalsovalidatethecookiecontents.ThevalidvaluesforprotectionattributeareAll,None,Encryption,andValidation.[8]IfthevalueisspecifiedtoNone,itdoesnotuseeitherencryptionorvalidation.SpecifyingEncryptionwillencryptthecookieusingtripleDESorDESencryptionalgorithm;thedatavalidationisnotdoneonthecookie.TheValidationspecifiestovalidatethatthecookiedatahasnotbeenalteredinthetransit,insteadofencryptingthecontentsofthecookie.Thetimeoutissetto10,whichmeansin10minutestheauthenticationcookiewillexpire.Theideabehindthisistoreducethechancesomeonestealingtheformauthenticationcookie.Byreducingthis,thecookiewillberegeneratedmoreoften.Thepathattributereferstothepathofcookietobesenttotheclient.Itissetto″/″whichmeansthecookiepathistherootdirectory.(iii)Configure<authorization>sectioninWeb.configfileAddauthorizationsupporttosectionofASP.NETwebapplication.Todoso,addthe<authorization>sectioninWeb.configfile:<configuration><configuration><system.web><authorization><allowusers=″Narcis″/><denyusers=″3″/></authorization></system.web></configuration>Asexplainedabove,aftertheuserprovidesthevalidcredentials,theuserisredirectedtothespecificprotectedpage.However,Theauthorizationsectioninthiscodewilldenyaccesstoallusers,butexclusivelyallowaccesstoNarcis.(iv)CreateLoginPageThisisthelaststepforredirectingunauthenticatedusers,sotheycanprovidertheircredentials,usuallyinaformofusernameandpasswordandlogontoprotectedresources.Theloginpagemustvalidatethesubmittedcredentialsagainstadatabaseofsomecustommethod.ValidusernamesandpasswordscanbestoredintheWeb.configfileincredentialssection:<credentialspasswordFormat=″<credentialspasswordFormat=″Clear″><username=″Narcis″password=″nar″><username=″Marion″password=″mar″><username=″Lauren″password=″lau″></credentials>However,storingpasswordincleartextisunreasonableforsecurity.Moreover,itisunrealistictostorethousandsofnamesandpasswordsinWeb.configfile.[2,7]Toaddressthisproblem,theusernamesandpasswordsarestoredinthedatabase.ThisapproachmakestheWeb.configfilenolongerhavethe<credentials>section.TherewillbealsosomechangesinLogin.aspxsincethecredentialswillbetestedtomatchagainstresultqueryfromdatabasethatstorestheusernamesandpasswords.2．2PassportAuthenticationAsstatedabove,thisauthenticationmechanismprovidesacentralizedauthenticationservicethatofferssinglesign-inforaccessthemembersites.ThefollowingscenariossupporttheuseofPassportAuthentication:[2](i)Theusernameandpassworddatabaseorloginpageisnotmaintained;(ii)Willingtoprovidepersonalizedcontent;(iii)thesitewillbeusedinconjunctionwithotherPassportsites;and(iv)Willingtogivesinglesign-incapabilitytotheusersSetUpPassportAuthenticationToimplementthisauthenticationmode,PassportSDK(SoftwareDevelopmentKit)hastobeinstalledontheserverandregisterwithMicrosoft(r)Passport.[1,2]ThefollowingcodeisspecifiedintheWeb.configfilewheretheauthenticationmodeissettoPassport:<authenticationmode=″<authenticationmode=″Passport″><passportredirectURL=″internal″/></authentication>TheredirectURLattributeofPassportsectionissettointernal,whichmeanstheunauthenticatedrequestwillreceivecommonerrormessage.ThevalueofredirectURLmaycontainastringotherthaninternal,whichisconsideredtobeaURL,whichtheunauthenticatedrequestwillbesentto.2.3WindowsAuthenticationThistypeofauthenticationispossiblytheeasiestofalltoimplement.WindowsauthenticationcanbeusedinconjunctionwithalmostallauthenticationmethodsprovidedbyIIS(e.g.Basic,Digest,NTLMorKerberosAuthentication),exceptAnonymousAuthentication.[2,4]ThereisnoneedtowriteanycodetovalidatetheuserasIIShasalreadyauthenticatedtheirWindowscredentials.Basically,WindowsauthenticationmakesuseoftheauthenticationcapabilitiesofIIS.IISwillcompleteitsauthenticationfirstthenASP.NETwillusetheauthenticatedidentity’stokentodecidewhethertheaccessisgrantedordenied.ThismechanismisusuallyimplementedwhentheusersarepartofWindowsdomainandtheauthenticatedusersaretobeimpersonatedsothatthecodeisexecutedinthesamesecuritycontextoftheuser’sWindowsaccount.[4]Whenauserrequestsspecificresources,thisrequestwillgotoIIS.IISauthenticatestheuserandattachesthesecuritytokentoit.ItwillthenpasstheauthenticatedrequestandsecuritytokentoASP.NET.Ifimpersonationisenabled,ASP.NETimpersonatestheuserusingthesecuritytokenattachedandseeswhethertheuserisauthorizedtoaccesstheresourcesinthe<authorization>sectioninWeb.configfile.Iftheaccessisgranted,ASP.NETwillsendtherequestedresourcesthroughIIS,orelse,itsendserrormessagetotheuser.

SetUpWindowsAuthenticationTheonlystepinimplementingtheWindowsAuthenticationistosettheauthenticationmodetoWindowsanddenyaccesstoanonymoususerinWeb.configfileasshownbelow:<authenticationmode=<authenticationmode=″Windows″>??</authentication><authorization><denyusers=″?″/></authorization>Theimpersonationisenabledonlyifthecodeistobeundersamesecuritycontextasthatoftheuseraccount.Again,thisisdoneintheconfigurationfile.2．4ConclusionAuthenticationinASP.NETisoneofthebestfeaturesofthewebapplication’ssecurity.Itisdividedinto3differentbuilt-inproviders:Formsbased,PassportandWindowsAuthentication.TheForms-basedandpassportauthenticationdonotrequiretheuserstobeasWindowsusers.ThewindowsauthenticationisdesignedforusersthatarepartofWindowsdomain.Formsbasedauthenticationprovidestheunauthenticateduserswiththeloginpagetoaskthemfortheircredentials,anditwillvalidatethosecredentialsagainstthedesignatedauthority.Iftheusersarenotauthorizedtoaccessspecificresources,itwillsendtheaccessdeniedmessagebacktotheusers.ForPassportauthentication,thePassportSDKissimplyinstalledontheserverandregisteredwithMicrosoftPassport.Thismechanismoffersasinglesign-inprovidedbyMicrosofttoallowaccesstothemembersites.TheWindowsauthenticationistheeasiesttoimplement,asitdoesnotrequirewritinganycodeforauthentication.References:[1]Bell,J.,etal,2021,ASP.NETProgrammer’sReference,WroxPressLtd.,USA.[2]Chilakala,V.,2021,MicrosoftASP.NETSecurity,MicrosoftSupportWebCasts.[3]Gonzales,J.,2021,15Seconds:UsingFormsAuthenticationinASP.NETPart1[4]Kercher,J.,2021,AuthenticationinASP.NET:.NET,SecurityGuidance,MSDNMagazineAugust2021.[5]Lassan,R.,Smith,E.,2021,ASP.NETBible,Hungry,MindsInc.,USA.[6]Leinecker,R.,2021,UsingASP.NET,QueCorporation,Indiana.[7]NETFrameworkDeveloper’sGuide:ASP.NETWeb.ApplicationSecurity,Link.[8]Kieley,J.,2021,MigratingtoASP.NET:KeyConsid2eration,MSDNMagazineNovember2021.

論大學生寫作能力寫作能力是對自己所積累的信息進行選擇、提取、加工、改造并將之形成為書面文字的能力。積累是寫作的基礎，積累越厚實，寫作就越有基礎，文章就能根深葉茂開奇葩。沒有積累，胸無點墨，怎么也不會寫出作文來的。寫作能力是每個大學生必須具備的能力。從目前高校整體情況上看，大學生的寫作能力較為欠缺。一、大學生應用文寫作能力的定義那么，大學生的寫作能力究竟是指什么呢？葉圣陶先生曾經說過，“大學畢業(yè)生不一定能寫小說詩歌，但是一定要寫工作和生活中實用的文章，而且非寫得既通順又扎實不可。”對于大學生的寫作能力應包含什么，可能有多種理解，但從葉圣陶先生的談話中，我認為：大學生寫作能力應包括應用寫作能力和文學寫作能力，而前者是必須的，后者是“不一定”要具備，能具備則更好。眾所周知，對于大學生來說，是要寫畢業(yè)論文的，我認為寫作論文的能力可以包含在應用寫作能力之中。大學生寫作能力的體現，也往往是在撰寫畢業(yè)論文中集中體現出來的。本科畢業(yè)論文無論是對于學生個人還是對于院系和學校來說，都是十分重要的。如何提高本科畢業(yè)論文的質量和水平，就成為教育行政部門和高校都很重視的一個重要課題。如何提高大學生的寫作能力的問題必須得到社會的廣泛關注，并且提出對策去實施解決。二、造成大學生應用文寫作困境的原因：（一）大學寫作課開設結構不合理。就目前中國多數高校的學科設置來看，除了中文專業(yè)會系統(tǒng)開設寫作的系列課程外，其他專業(yè)的學生都只開設了普及性的《大學語文》課。學生寫作能力的提高是一項艱巨復