NETCF Development: Mobile Web Site Security

1.1 Mobile Web Site Security

Security in ASP.NET consists of three distinct aspects: authentication, authorization and encryption. The .NET Framework, together with Internet Information Services (IIS), provides the support for these so that web applications can be protected. To write a secure web application, it is important to understand that your configuration choices affect the application's security. ASP.NET relies on the infrastructure of IIS and ASP.NET itself to protect applications.

The .NET Framework supports integrated Windows authentication and authorization, Microsoft Passport authentication and forms authentication. For various reasons, however, only forms authentication is currently suitable for mobile devices. This section describes a forms-authentication scheme suited to mobile devices, together with the steps that must be taken to ensure that the full range of devices can access the application.

1.1.1 Forms Authentication

The forms authentication provided by ASP.NET lets the application create its own login page and manage authentication itself, without needing separate accounts on the machine or in the domain. The basic idea of forms authentication is to check for an authentication cookie on every request. If no cookie is found, or the cookie is invalid or has expired, the user is redirected to the login page (by default, login.aspx). The login page that provides forms authentication is the same as any other .aspx page: it contains a form through which the user submits credentials. When the user sends the required data, the authentication check is performed in code, after which the user is redirected to the page originally requested and the cookie is recorded.

Some devices and device gateways do not keep the cookie when they follow a redirect. In that case the original request is resent without the required authentication cookie, so the user is redirected to the login page once more. For devices that do not support cookies, the solution is to carry the authentication information in the query string of the URL instead.

To demonstrate forms authentication, modify the web.config file and add a default login page, login.aspx, and a page for testing the login, FormsAuth.aspx. The following configuration needs to be added to web.config:

```xml
<authentication mode="Forms" />
<authorization>
    <deny users="?" />
</authorization>
```

The form design of the login.aspx page is shown in Figure 18-15, and the code of the corresponding login.aspx.vb file is given in Listing 18-21. The code of the FormsAuth.aspx.vb file belonging to the FormsAuth.aspx page is given in Listing 18-22.


Figure 18-15 Form design of login.aspx

Listing 18-21 login.aspx.vb

```vb
Partial Class WebSecurity
    Inherits System.Web.UI.MobileControls.MobilePage

    Protected Sub cmdLogin_Click(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles cmdLogin.Click
        ' Demo only: the credentials are compared against fixed values
        If UserEmail.Text = "software2002" And UserPass.Text = "123456" Then
            ' Issue the ticket (cookie or query string, depending on the device)
            ' and send the user back to the page originally requested
            Mobile.MobileFormsAuthentication.RedirectFromLoginPage(UserEmail.Text, False)
        Else
            message.Visible = True
            message.Text = "登录用户名和密码不正确"
        End If
    End Sub
End Class
```


Figure 18-16 Form design of FormsAuth.aspx

Listing 18-22 FormsAuth.aspx.vb

```vb
Partial Class FormsAuth
    Inherits System.Web.UI.MobileControls.MobilePage

    Protected Sub formA_Load(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles formA.Load
        ' User.Identity.Name is the name written into the ticket at login
        label1.Text = String.Format("Welcome {0}", User.Identity.Name)
    End Sub

    Protected Sub cmdLoginOut_Click(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles cmdLoginOut.Click
        ' Clear the ticket, whether it travelled as a cookie or in the query string
        Mobile.MobileFormsAuthentication.SignOut()
        ActiveForm = formB
    End Sub
End Class
```

Listing 18-21 demonstrates the use of MobileFormsAuthentication. In this example it authenticates the login of a user whose user name is software2002 and whose password is 123456. The SignOut method of System.Web.Mobile.MobileFormsAuthentication in Listing 18-22 clears the cookie or the extra query-string parameter.
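The following login handler is an added example and is not one of the book's listings. It keeps the same page layout as Listing 18-21 (a MobilePage with the UserEmail, UserPass, cmdLogin and message controls) but replaces the fixed user name and password with a lookup through the ASP.NET Membership provider, which is assumed to be configured in web.config (that configuration is not shown on this page). The Membership, MobileFormsAuthentication and RedirectFromLoginPage names are real .NET Framework APIs; the class name Login is arbitrary.

```vb
' Added example, not the book's code: validate the submitted credentials
' against the Membership provider instead of comparing them to literals.
' Assumes <authentication mode="Forms"> and a membership provider in web.config.
Imports System.Web.Mobile
Imports System.Web.Security
Imports System.Web.UI.MobileControls

Partial Class Login
    Inherits MobilePage

    Protected Sub cmdLogin_Click(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles cmdLogin.Click
        Dim userName As String = UserEmail.Text.Trim()

        ' The provider compares against the stored (hashed) password,
        ' so no plaintext secret lives in page code or source control.
        If Membership.ValidateUser(userName, UserPass.Text) Then
            ' Second argument False: a session ticket only, never a persistent
            ' cookie on a handset that may be shared or lost. For devices that
            ' drop cookies across redirects, MobileFormsAuthentication places
            ' the ticket in the query string instead, as the text describes.
            MobileFormsAuthentication.RedirectFromLoginPage(userName, False)
        Else
            ' One message for both an unknown user and a wrong password,
            ' so the response does not reveal which accounts exist.
            message.Visible = True
            message.Text = "Incorrect user name or password"
        End If
    End Sub
End Class
```

When the ticket travels in the URL rather than a cookie, it is visible wherever that URL is logged, bookmarked or forwarded, so a short ticket timeout and an SSL-only site limit how long a leaked query-string ticket remains usable.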
