An overview of authentication security features in ASP.NET


Security is one of the primary concerns for both developers and application architects. Because there are many different types of websites with varying security needs, developers need to understand how security works and choose the appropriate security model for their applications. Some websites collect no information from their users and publish information that is already widely available, such as a search engine. Other sites may need to collect sensitive information from their users, such as credit card numbers. These websites need a much stronger security implementation to withstand malicious attacks from external entities.

1  Fundamental Operations of ASP.NET Security

Security in the context of an ASP.NET application involves three fundamental operations: authentication, authorization and impersonation. Authentication is the process of validating the identity of a user in order to allow or deny a request. It involves accepting credentials (e.g. username and password) from the user and validating them against a designated authority. Once the identity is verified and validated, the user is considered legitimate and the resource request is fulfilled. Future requests from the same user are ideally not subject to the authentication process again until the user logs out of the web application. Authorization is the process of ensuring that users with a valid identity are allowed to access only specific resources. Impersonation is the process by which an application takes on the identity of the user and makes requests to other resources under that identity. Access to those resources is granted or denied based on the identity being impersonated.

2  Authentication in ASP.NET

Authentication is one of the foremost features of a web application's security. In ASP.NET, authentication is done at two levels. First, Internet Information Server (IIS) performs the required authentication, then it hands the request to ASP.NET, as shown in Figure 1. For an ASP.NET application the underlying web server is IIS, so every ASP.NET application can continue to leverage the security options provided by IIS. When the user requests a specific resource on the system, that request first arrives at IIS. IIS authenticates the user requesting the resource and then hands off the request, together with the security token of the authenticated user, to the ASP.NET worker process. The ASP.NET worker process then decides whether or not to impersonate the authenticated user supplied by IIS. If impersonation is enabled in the configuration settings in the Web.config file, the ASP.NET worker process impersonates the authenticated user; otherwise the thread runs under the ASP.NET worker process identity. Finally, ASP.NET checks whether the authenticated user is authorized to access the requested resources. If so, ASP.NET serves the request; otherwise it sends an "access denied" error message back to the user.


Fig. 1  Security flow of IIS and ASP.NET

ASP.NET provides built-in support for user authentication through several authentication providers. Forms based authentication secures an application with a custom authentication model backed by a cookie. Passport authentication secures an application with Microsoft Passport, a single sign-on technology developed by Microsoft for use on the web. Windows authentication secures an application with integrated Windows authentication, so that access to the web application is granted only to users who can verify their Windows credentials.

There are scenarios where an application does not use authentication at all, or the developer wants to write custom authentication code. In that case, ASP.NET allows the authentication mode to be set to None. This article briefly covers Forms based, Passport and Windows authentication.

2.1  Forms Based Authentication

Forms based authentication is used to implement customized logic for authenticating users, using a cookie so that the developer does not have to worry about session management. It gives the developer finer control over which files on the site can be accessed and by whom, and allows a login page to be designated. The mechanism automatically redirects an unauthenticated user to the login page and asks them to provide proper credentials (e.g. a username/password combination). If the login succeeds, ASP.NET issues a cookie to the user and redirects them to the resource they originally requested. This cookie allows the user to revisit protected resources without having to log in repeatedly. The mechanism is shown below:

 

Fig. 2  Forms authentication flow

In the figure above, the user first requests a restricted resource. The request goes to IIS, which authenticates the user. If anonymous access is enabled in IIS, or the user is successfully authenticated, IIS hands the request off to the ASP.NET application. ASP.NET checks whether a valid authentication cookie is attached to the request. If it is, the user's credentials have been authenticated previously, and ASP.NET proceeds to the authorization check: if the user is authorized to access the resource, access is granted; otherwise the "access denied" message is sent. If the request carries no authentication cookie, ASP.NET redirects the user to the login page, solicits the credentials and resubmits them for authentication. The application code checks those credentials. If they are valid, ASP.NET attaches the authentication ticket, in the form of a cookie, to the response. If they fail, the user is redirected back to the login page with a message that the username/password is invalid.

Set Up Forms Based Authentication

Generally, setting up Forms based authentication involves four steps: (i) enable anonymous access in IIS, (ii) configure the <authentication> section in the Web.config file, (iii) configure the <authorization> section in the Web.config file, and (iv) create the login page.

(i) Enable anonymous access in IIS:

This is necessary because most users are expected to be non-Windows users, so they must be able to get through IIS to reach ASP.NET. ASP.NET always allows anonymous access to the login page regardless.

(ii) Configure the <authentication> section in the Web.config file:

The Web.config file contains the information about the level and type of authentication service provided for a web application. Forms based authentication is enabled for a web application by setting the mode attribute of the <authentication> element to Forms:

In the <forms> element, the name attribute is the name of the HTTP cookie. The loginUrl attribute is set to Login.aspx, the web page used to authenticate user credentials; requests from unauthenticated users are redirected to this URL. The cookie protection is set to All, which causes the ASP.NET runtime not only to encrypt the cookie contents but also to validate them. The valid values for the protection attribute are All, None, Encryption and Validation. None uses neither encryption nor validation. Encryption encrypts the cookie using the Triple DES or DES algorithm but performs no validation of the cookie data. Validation verifies that the cookie data has not been altered in transit but does not encrypt the contents of the cookie. The timeout is set to 10, meaning the authentication cookie expires after 10 minutes. The idea is to reduce the window in which a stolen forms authentication cookie can be used: with a shorter timeout, the cookie is regenerated more often. The path attribute is the path of the cookie sent to the client; it is set to "/", meaning the cookie path is the root directory.

(iii) Configure the <authorization> section in the Web.config file

Next, add authorization support to the ASP.NET web application by adding the <authorization> section to the Web.config file:

As explained above, after the user provides valid credentials, the user is redirected to the protected page. The authorization section in this configuration denies access to all users and allows access only to Narcis.

(iv) Create the login page

This is the last step: unauthenticated users are redirected here so they can provide their credentials, usually a username and password, and log on to the protected resources. The login page must validate the submitted credentials against a database or some custom method. Valid usernames and passwords can be stored in the <credentials> section of the Web.config file:

However, storing passwords in clear text is unacceptable for security, and it is unrealistic to store thousands of names and passwords in the Web.config file. To address this, the usernames and passwords are stored in a database. With this approach the Web.config file no longer needs the <credentials> section, and Login.aspx changes as well, since the credentials are now checked against the result of a query on the database that stores the usernames and passwords.
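The Web.config fragments that steps (ii), (iii) and (iv) describe are not reproduced on the page, so here is a complete Forms authentication configuration reconstructed from the text as an added example; it is not the article's own listing. The attribute values (Login.aspx, All, 10, "/") and the user name Narcis come from the text; the cookie name .ASPXFORMSAUTH and the hash placeholder are chosen here. It shows the <credentials> section with a hashed password instead of the clear-text form the text warns against, and it orders the <authorization> rules so that the allow for Narcis actually takes effect.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example reconstructed from steps (ii)-(iv); not the article's listing.
     ".ASPXFORMSAUTH" and the password digest are placeholders chosen here. -->
<configuration>
  <system.web>
    <!-- (ii) Forms authentication. protection="All" both encrypts the ticket and
         validates it, so a tampered or forged cookie is rejected. timeout is in
         minutes: the ticket expires 10 minutes after it is issued. -->
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="10"
             path="/">
        <!-- (iv) Credentials kept in Web.config. passwordFormat="Clear" is the
             weak setting the text warns about; "SHA1" stores a hex digest instead,
             produced with FormsAuthentication.HashPasswordForStoringInConfigFile().
             Neither scales, which is why the article moves credentials to a database. -->
        <credentials passwordFormat="SHA1">
          <user name="Narcis" password="PLACEHOLDER_SHA1_HEX_DIGEST" />
        </credentials>
      </forms>
    </authentication>

    <!-- (iii) Authorization. Rules are evaluated top to bottom and the first match
         wins, so the allow for Narcis must come before the deny-all; with the
         order reversed, the deny matches first and nobody can get in. -->
    <authorization>
      <allow users="Narcis" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The <authorization> block applies to the whole application; the login page itself stays reachable because, as step (i) notes, ASP.NET always allows access to the page named in loginUrl.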
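The code-behind for the database variant of Login.aspx, as an added example rather than the article's own login page. It assumes a connection string named UsersDb in Web.config, a Users table with UserName, PasswordHash and Salt columns where the stored hash is SHA-256 over salt followed by the password, and page controls named txtUser, txtPassword and lblMessage; all of these names are illustrative. The username never becomes part of the SQL text, the database never holds clear-text passwords, and the digest comparison runs in constant time.

```csharp
// Added example (not the article's code). Assumed names: connection string "UsersDb",
// table Users(UserName, PasswordHash, Salt), controls txtUser/txtPassword/lblMessage.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        if (IsValidUser(user, txtPassword.Text))
        {
            // Issues the authentication ticket as a cookie (name, protection and timeout
            // come from the <forms> element) and sends the user back to the page they
            // originally requested, carried in the ReturnUrl query parameter.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One message for both unknown user and wrong password, so the page does
            // not reveal which of the two failed.
            lblMessage.Text = "Invalid username or password.";
        }
    }

    // Replaces the <credentials> lookup: the submitted pair is checked against the
    // database row for that user.
    private static bool IsValidUser(string user, string password)
    {
        string connStr = ConfigurationManager.ConnectionStrings["UsersDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, Salt FROM Users WHERE UserName = @user", conn))
        {
            // Parameterised query: the username is bound as a value, not spliced into SQL.
            cmd.Parameters.AddWithValue("@user", user);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;               // no such user
                byte[] storedHash = (byte[])reader["PasswordHash"];
                byte[] salt = (byte[])reader["Salt"];
                byte[] computed = HashPassword(password, salt);
                return FixedTimeEquals(storedHash, computed);
            }
        }
    }

    // Salted SHA-256 digest: the database holds no clear-text passwords.
    private static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Constant-time comparison: response timing does not depend on how many bytes match.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

For the Web.config <credentials> variant described earlier in step (iv), IsValidUser is replaced by the built-in FormsAuthentication.Authenticate(user, password), which checks the submitted pair against that section; the rest of the page is unchanged.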

2.2  Passport Authentication

As stated above, this authentication mechanism provides a centralized authentication service that offers single sign-in for access to member sites. Passport authentication is appropriate in the following scenarios: (i) no username and password database or login page is to be maintained; (ii) personalized content is to be provided; (iii) the site will be used in conjunction with other Passport sites; and (iv) single sign-in capability is to be offered to the users.

Set Up Passport Authentication

To implement this authentication mode, the Passport SDK (Software Development Kit) has to be installed on the server and the site registered with Microsoft Passport. The following is specified in the Web.config file, where the authentication mode is set to Passport:

The redirectUrl attribute of the <passport> section is set to internal, which means an unauthenticated request receives a generic error message. If redirectUrl contains a string other than internal, that string is treated as the URL to which the unauthenticated request is sent.
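The Web.config listing this section refers to is absent from the page; the fragment below is an added reconstruction, not the article's listing. The redirectUrl value comes from the text. The <authorization> rule denying anonymous users ("?") is added here because it is what produces the 401 response on which the Passport module acts; without it no request is ever redirected.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example reconstructed from the text; not the article's listing.
     Requires the Passport SDK on the server and the site registered with Passport. -->
<configuration>
  <system.web>
    <!-- redirectUrl="internal": an unauthenticated request gets a generic error page
         from ASP.NET. Any other value is taken as the URL the request is sent to. -->
    <authentication mode="Passport">
      <passport redirectUrl="internal" />
    </authentication>
    <!-- "?" is the anonymous user; denying it is what turns an unauthenticated
         request into the 401 that the Passport module handles. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```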

2.3  Windows Authentication

This type of authentication is possibly the easiest of all to implement. Windows authentication can be used in conjunction with almost all of the authentication methods provided by IIS (e.g. Basic, Digest, NTLM or Kerberos authentication), except Anonymous authentication [2, 4]. There is no need to write any code to validate the user, as IIS has already authenticated their Windows credentials. Basically, Windows authentication makes use of the authentication capabilities of IIS: IIS completes its authentication first, then ASP.NET uses the authenticated identity's token to decide whether access is granted or denied.

This mechanism is usually implemented when the users are part of a Windows domain and the authenticated users are to be impersonated, so that the code executes in the same security context as the user's Windows account. When a user requests a specific resource, the request goes to IIS. IIS authenticates the user and attaches the security token to the request, then passes the authenticated request and security token to ASP.NET. If impersonation is enabled, ASP.NET impersonates the user using the attached security token and checks whether the user is authorized to access the resource according to the <authorization> section in the Web.config file. If access is granted, ASP.NET sends the requested resource back through IIS; otherwise it sends an error message to the user.

Set Up Windows Authentication

The only step in implementing Windows authentication is to set the authentication mode to Windows and deny access to anonymous users in the Web.config file, as shown below.

Impersonation is enabled only if the code needs to run under the same security context as the user's account. Again, this is done in the configuration file.
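The Web.config for this section is not reproduced on the page; the fragment below is an added reconstruction from the two paragraphs above, not the article's listing. It combines the Windows mode, the anonymous deny, and the optional <identity impersonate> setting that the text says is also placed in the configuration file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example reconstructed from the text; not the article's listing. -->
<configuration>
  <system.web>
    <!-- IIS does the authentication (Basic, Digest, NTLM or Kerberos, with Anonymous
         disabled on the site); ASP.NET only consumes the resulting token. -->
    <authentication mode="Windows" />

    <!-- "?" is the anonymous user: a request that carries no Windows identity is refused. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation is off by default. Enable it only when the code must run in the
         security context of the caller's Windows account; otherwise the request is
         served under the worker process identity, which is the lower-privilege choice. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```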

2.4  Conclusion

Authentication in ASP.NET is one of the best features of a web application's security. It is divided into three built-in providers: Forms based, Passport and Windows authentication. Forms based and Passport authentication do not require the users to be Windows users, while Windows authentication is designed for users that are part of a Windows domain. Forms based authentication presents unauthenticated users with a login page that asks for their credentials and validates those credentials against the designated authority; if a user is not authorized to access a specific resource, it sends an access denied message back. For Passport authentication, the Passport SDK is simply installed on the server and the site registered with Microsoft Passport; this mechanism offers a single sign-in, provided by Microsoft, to access the member sites. Windows authentication is the easiest to implement, as it does not require writing any code for authentication.
