C# Developer's Guide to ASP.NET, XML, and ADO.NET [Electronic resources]
Jeffrey P. McManus; Chris Kinsman
Forms Authentication



The previous section showed how easy it is to use Windows authentication in ASP.NET. ASP.NET provides another security mechanism as well: forms authentication. Why would you want to use it? One reason is that Windows authentication, although easy to use, makes a couple of significant assumptions.


Windows Versus Forms Authentication



For one thing, Windows authentication assumes you have a scalable Windows domain implementation already in place. However, this is not always a safe assumption. Many Web site administrators prefer not to go to the trouble of designing, implementing, and maintaining the Active Directory implementation on which domain-based security rests. Others may not have the expertise or budget to figure out how to get Active Directory to scale into the millions of users. Without an Active Directory implementation, you can authenticate against the account database that every Windows 2000 server maintains. However, this approach means that this account database must be replicated in some fashion among servers in a cluster or you are limited to a single server.


Ultimately, what all of this comes down to is that you may want to authenticate users against a credential store other than a Windows 2000 domain. Forms authentication provides one way to do this.


Windows authentication also assumes you want only minimal control over the user interface presented to the user. By default, Windows-based authentication uses a standard browser dialog box to collect the user's credentials. If you want to integrate the form that collects credentials into an existing Web page or provide your own login form, you are out of luck. Forms authentication provides a way for you, the developer, to determine what interface the user receives.


All the advantages of forms authentication are not free, however. First, forms authentication requires that the user has cookies enabled. Although ASP.NET has provided a way to track Session state without cookies, it has not provided a way to track forms authentication without cookies. Hopefully, this will come in a future version of ASP.NET. Second, you, the developer, need to create a login page and write some code to make this all work. ASP.NET provides the infrastructure, but you need to provide the specific implementation.


Other Advantages



Maybe you already do this type of authentication. So what's the big deal with forms authentication? Perhaps the most common security mechanism in place today among ASP developers provides many of the same advantages. I provide a customized login page for my users and authenticate them against my credential store. After they are authenticated, I either write a cookie or save their authentication into a session variable. In every page, I have an include file that looks for the Session() value or cookie. If it isn't there, I redirect the user back to the login page. This can be very effective, but it has two big problems:




What if I forget the include file?




How do I protect PDF, ZIP, or JPG files? There is no place to put the code!





Forms authentication enables me to do all this without having to include code in every page to check whether the user was properly Chapter 2, "Page Framework" for example, a JPG or a ZIP file. If you add these file types to the ISAPI filter, they can participate in the security model.


Process



When forms authentication is enabled and a request is made for a page, ASP.NET first determines whether authentication is needed. If it is, ASP.NET then checks for an authentication cookie in the request. If it is not present, ASP.NET redirects the user to the login page and passes the URL of the original page as a query string parameter, named ReturnURL, to the login page.



NOTE


The user is sent to the login page using a 302 location-moved redirection. This means that any form data that may have been included with the request is lost.


The login page collects the users' credentials and is responsible for validating them against a credential store. This is where you as the developer get control. The credential store could consist of an LDAP directory, a database, or even something as simple as an XML file. When the credentials have been verified, RedirectFromLoginPage() is called to write an authentication ticket into a cookie and redirect the user to the original content that the user requested. A diagram of this process is shown in Figure 7.1.


Figure 7.1. A process flow for the forms authentication process.





NOTE


Forms authentication is implemented in ASP.NET, not IIS. This means that before forms authentication can even begin the authentication process, the request from the user must be passed to ASP.NET. For this to work, you need to make sure that anonymous authentication is enabled in IIS. If it is not, the user might first be asked to authenticate against a Windows-based account before your login page is shown!


Settings



Forms authentication is enabled in the web.config file by setting the mode attribute of the authentication element to Forms. When the authentication mode is set to Forms, the authentication element may contain a forms element with additional information specific to forms authentication.



<authentication mode="Forms">
<forms name="FORMURL" loginUrl="login.aspx" protection="All"
timeout="30" path="/" />
</authentication>


The path attributeFile Authorization." The web.config should look like Listing 7.3.


Listing 7.3 Web.config for Simple Forms Authentication


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- AUTHENTICATION
         This section sets the authentication policies of the application.
         Possible modes are "Windows", "Forms", "Passport" and "None"
    -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="5" protection="All" />
    </authentication>
    <!-- AUTHORIZATION
         This section sets the authorization policies of the application.
         You can allow or deny access to application resources by user or role.
         Wildcards: "*" means everyone, "?" means anonymous (unauthenticated) users.
    -->
    <authorization>
      <deny users="?" /> <!-- Deny anonymous users; everyone else is allowed by default -->
      <!-- <allow users="[comma separated list of users]"
                  roles="[comma separated list of roles]"/>
           <deny users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
      -->
    </authorization>
  </system.web>
</configuration>


Next, you need to create a login form. Listings 7.4 and 7.5 contain a sample login page that collects a username and password. If the username equals "Chris" and the password equals "Kinsman", the authentication ticket is written. The user is directed to the page she initially requested by calling RedirectFromLoginPage() and passing it the username.


Listing 7.4 Simple Login Page


<%@ Page language="c#" Codebehind="login.aspx.cs" AutoEventWireup="false" Inherits="SimpleForm.login" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
  <HEAD>
    <meta name="GENERATOR" Content="Microsoft Visual Studio 7.0">
    <meta name="CODE_LANGUAGE" Content="C#">
    <meta name="vs_defaultClientScript" content="JavaScript (ECMAScript)">
    <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
  </HEAD>
  <body MS_POSITIONING="GridLayout">
    <form id="login" method="post" runat="server">
      <asp:Label id="Label1" style="Z-INDEX: 101; LEFT: 8px; POSITION: absolute; TOP: 8px" runat="server">User Name:</asp:Label>
      <asp:Button id="btnLogin" style="Z-INDEX: 105; LEFT: 254px; POSITION: absolute; TOP: 7px" runat="server" Text="Login"></asp:Button>
      <!-- TextMode="Password" so the browser masks the password as it is typed -->
      <asp:TextBox id="txtPassword" TextMode="Password" style="Z-INDEX: 104; LEFT: 89px; POSITION: absolute; TOP: 38px" runat="server"></asp:TextBox>
      <asp:Label id="Label2" style="Z-INDEX: 103; LEFT: 8px; POSITION: absolute; TOP: 41px" runat="server">Password:</asp:Label>
      <asp:TextBox id="txtUserName" style="Z-INDEX: 102; LEFT: 89px; POSITION: absolute; TOP: 5px" runat="server"></asp:TextBox>
      <asp:Label id="lblMessage" style="Z-INDEX: 106; LEFT: 15px; POSITION: absolute; TOP: 81px" runat="server" Width="281px" Height="19px" ForeColor="Red" Visible="False">Invalid Login!</asp:Label>
    </form>
  </body>
</HTML>

Listing 7.5 Class File for ASP.NET Page in Listing 7.4


using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

namespace SimpleForm
{
    /// <summary>
    /// Code-behind for login.aspx (Listing 7.4).
    /// </summary>
    public class login : System.Web.UI.Page
    {
        // Field names match the control ids declared in login.aspx
        protected System.Web.UI.WebControls.Label Label1;
        protected System.Web.UI.WebControls.Button btnLogin;
        protected System.Web.UI.WebControls.TextBox txtPassword;
        protected System.Web.UI.WebControls.Label Label2;
        protected System.Web.UI.WebControls.TextBox txtUserName;
        protected System.Web.UI.WebControls.Label lblMessage;

        public login()
        {
            Page.Init += new System.EventHandler(Page_Init);
        }

        private void Page_Load(object sender, System.EventArgs e)
        {
            // Put user code to initialize the page here
        }

        private void Page_Init(object sender, EventArgs e)
        {
            //
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            //
            InitializeComponent();
        }

        #region Web Form Designer generated code
        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            // AutoEventWireup is false in the page directive, so handlers are wired here
            this.btnLogin.Click += new System.EventHandler(this.btnLogin_Click);
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion

        private void btnLogin_Click(object sender, System.EventArgs e)
        {
            if (txtUserName.Text == "Chris" && txtPassword.Text == "Kinsman")
            {
                // Credentials accepted: write the authentication ticket cookie and
                // send the user back to the page named in the ReturnUrl parameter
                System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
            }
            else
            {
                // Show the invalid login message
                lblMessage.Visible = true;
            }
        }
    }
}


Now, if you hit the URL for this application, you should be redirected to the login page. When you enter Username: Chris and Password: Kinsman, you will be redirected to the default page for the application.
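As an added example that is not the book's code, the handler below covers the same flow described under "Process" and implemented in Listing 7.5, but validates against hashed passwords kept in web.config (an XML file, one of the credential stores the chapter names) instead of comparing to string literals, and checks the ReturnUrl value before redirecting. It assumes the control ids of Listing 7.4, the web.config fragment shown in its header comment, and that it is wired to btnLogin's Click event the way InitializeComponent() does in Listing 7.5.

```csharp
// Added example, not from the book: a btnLogin_Click for Listing 7.4 that validates
// against hashed passwords in web.config (an XML credential store) instead of string
// literals. Assumed fragment inside <authentication mode="Forms">:
//   <forms loginUrl="login.aspx" timeout="5" protection="All">
//     <credentials passwordFormat="SHA1">
//       <user name="Chris" password="[value returned by HashPassword]" />
//     </credentials></forms>
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace SimpleForm
{
    public class HashedLogin : Page
    {
        protected TextBox txtUserName;   // same control ids as Listing 7.4
        protected TextBox txtPassword;
        protected Label lblMessage;
        // Run once to produce the password attribute value; the clear text is never stored.
        public static string HashPassword(string clearText)
        {
            return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
        }
        // Accept only a site-relative path as the post-login target, so the ReturnUrl
        // query-string value cannot send the user to another host.
        public static bool IsLocalPath(string url)
        {
            return url != null && url.StartsWith("/")
                && !url.StartsWith("//") && !url.StartsWith("/\\");
        }
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            // Authenticate() looks the name up in <credentials>, hashes the submitted
            // password with passwordFormat and compares the hashes.
            if (!FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
            {
                lblMessage.Visible = true;   // one generic message for bad name or bad password
                return;
            }
            string returnUrl = Request.QueryString["ReturnUrl"];
            string target = IsLocalPath(returnUrl) ? returnUrl : "/default.aspx";
            // SetAuthCookie + Redirect is RedirectFromLoginPage() split in two steps,
            // so the redirect target can be checked before the 302 is sent.
            FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
            Response.Redirect(target);
        }
    }
}
```

passwordFormat accepts Clear, SHA1 and MD5 in this version of ASP.NET and the hash is unsalted, so this is an improvement over a literal comparison rather than a substitute for a salted, slow password hash in a proper store.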

