Website Security 网站安全（译自：《Apress.Beginning.ASP.NET.2.0.in.C.Sharp.2005.From.Novice.to.Professional》）

最新推荐文章于 2021-07-02 08:35:21 发布

andylaufzf

最新推荐文章于 2021-07-02 08:35:21 发布

阅读量842

点赞数

分类专栏： .NET学习文章标签： security website asp.net authentication internet user

.NET学习专栏收录该内容

172 篇文章 0 订阅

订阅专栏

----------------------- 页面 740-----------------------

MacDonald.book Page 705 Wednesday, December 21, 2005 9:06 PM

P A R T 4

■ ■ ■

Website Security

网站安全

----------------------- 页面 741-----------------------

MacDonald.book Page 706 Wednesday, December 21, 2005 9:06 PM

----------------------- 页面 742-----------------------

MacDonald.book Page 707 Wednesday, December 21, 2005 9:06 PM

C H A P T E R 1 8

■ ■ ■

Security Fundamentals

安全基本原理

By default your ASP.NET applications are available to any user who can connect to your server (whether it’s over a local network or the Internet). Although this is ideal for many web applications (and it suits the original spirit of the Internet), it isn’t always appropriate. For example, an e-commerce site needs to provide a secure shopping experience to win customers. A subscription-based site needs to limit content or site access to extract a fee. Even a wide-open public site may provide some resources or features (such as an administrative report or configuration page) that shouldn’t be available to all users.

在默认的情况下你的ASP.NET项目对可以连接到你的服务器所有用户都是开放的（不管是跨越了一个局域网还是因特网）。尽管这样很适合一些应用（适合因特网的原始应用），但是经常是不适用的。例如，一个商务网站需要提供一个安全的购物体验来赢得用户。一个订阅类的网站需要限制内容或者网站的访问来盈利。尽管一些开放的网站可以提供一些资源或者特征（如管理公告或者配置文件），这些不能适应所有用户的需求。

ASP.NET provides a multilayered security model that makes it easy to protect your web applications. Although this security is powerful and profoundly flexible, it can appear somewhat confusing because of, in large part, the number of layers where security can be applied. Much of the work in applying security to your application doesn’t come from writing code but from determining the appropriate places to implement your strategy. In this chapter, you’ll sort out the different security subsystems and consider how you can use Windows, IIS, and ASP.NET services to protect your application. You’ll also look at some examples that use ASP.NET forms-based security, which provides a quick and easy model for adding a database-backed user authentication system.

ASP.NET提供一个多层安全模型可以很容易的保护你的网站项目。尽管这些安全是非常强大和灵活的，因为它看来容易混淆一些东西，在大的方面，安全可以应用到层的数量上。应用安全策略到你的项目不需要写代码而是设置适当的位置来完成你的策略。在这章里，你会挑选出不同的子系统和考虑怎样使用Windows,IIS,和ASP.NET 服务来保护你的项目。你也会看到一些使用了ASP.NET窗体安全验证的可以提供快速简洁模型来添加一个基于数据库的用户签别系统。

Determining Security Requirements

决定安全请求

The first step in securing your applications is deciding where you need security and what it needs to protect. For example, you may need to block access in order to protect private information, or maybe you just need to enforce a subscription policy. Perhaps you don’t need any sort of security at all, but you want a login system to provide personalization for frequent visitors. These requirements will determine the approach you use. Security doesn’t need to be complex, but it does need to be wide-ranging. For example, even if you force users to log into a part of your site, you still need to make sure the infor- mation is stored in the database under a secure account with a password that couldn’t easily be guessed by a user on your local network. You also need to guarantee your appli- cation can’t be tricked into sending private information (a possibility if the user modifies a page or a query string to post back different information than you expect).

对你的项目实施安全事略的第一步是决定哪里你需要安全和什么需要保护。例如：你需要堵塞请求受保护信息的通道，或者你只是想建立一个共享策略。或许你根本就不需要任何类型的安全策略，但是你想拥有一个可以保护请求访问者的隐私的登录系统。这些需求将要决定你的方法。安全策略不需要太复杂，也不需要太广泛。例如，即使你强制用户访问你的网站的一部分，你仍然要保证存储在数据库里的信息有密码保护并且不能轻易的被本地网络的用户访问。你还要保证你的项目不会被欺骗而发送隐私信息（如果用户修改一个页面或者一个查询字符来返回不是你所期望的信息的可能性）

707