C#4 ASP.net *非MVC *自定义验证 [英] C# 4 ASP.net *NON MVC* Custom Authentication
问题描述
我知道这个问题是被问了无数次,但请相信我,我已经搜查谷歌几个小时,一无所获。无论是在那里,它是MVC,这我没有使用。
I know this question as been asked countless times, but believe me I've searched Google for hours and got nothing. Whatever is out there, it's for MVC, which I'm not using.
我的要求很简单。我不希望使用asp.net中提供的默认认证。我会保存在我的自定义的SQL Server表中的用户名/密码/角色。我会提供用户名/密码和一个按钮来验证2个输入。在验证时,他被允许进入到管理领域。这只能由管理员家伙在我的子域名中使用管理员的 * 的.COM。他们将使用此页面将内容添加到日常的网站。
My requirement is simple. I do not want to use the default authentication provided in asp.net. I would store the username/password/role in my custom SQL Server table. I'll provide 2 inputs for username/password and a button to validate. On validation, he is allowed access to the admin areas. This will only be used by admin guys at my subdomain "admin.*.com". They will use this page to add content to the website on daily basis.
- 如何实现它。该教程链接就足够了。
- 是否安全生产?我不希望一些新手黑客获得到我的网站,并搞砸了。如果没有安全,我有什么其他的选择。
谢谢,
开发
推荐答案
根据我们的意见,鉴于你不愿意实施的 ASP.Net会员 提供商(这是值得探讨的时候 - 你可能不觉得这是现在,但它可以很方便,我觉得同样的方式在第一,但维护自己的code和基础设施的成本很快就被证明是虚假的经济),你至少有两个其他选择:
As per our comments, given your reluctance to implement an ASP.Net Membership provider (and it is worth the time to investigate - you may not feel that it is right now, but it can be handy. I felt the same way at first, but the cost of maintaining your own code and infrastructure soon proves to be false economy) you have at least two other choices:
1)简单易用的表单验证
1) Straightforward Forms Authentication
把你所有的管理页面的一个文件夹下,例如/管理员,然后使用的表单验证来保护访问此文件夹。只有在数据库或的 Web.Config中将有机会获得这些页面。这比ASP.Net成员不太灵活,但可能给你你最想要的东西。在安全方面,这将是一样安全可靠,您的网站,是行之有效的,而且是有据可查的。
Put all of your admin pages under a single folder, for example, /Admin, then use Forms Authentication to protect access to this folder. Only users defined in the database or Web.Config will have access to these pages. This is less flexible than ASP.Net membership, but may give you most of what you want. In terms of security, this will be as secure as your website is, is well tested, and is well documented.
2)使用Facebook的OAuth
2) Use Facebook OAuth
您提到您的使用具有访问Facebook。你可以使用的Facebook做认证的为您服务。虽然你不会是能够抓住用户名和密码,就可以得到令牌回来,你就可以验证对已知的权限集。这比1更大量的工作),但并会配合你的未来Facebook的API中的潜在变化。但是,它也被很好的测试和安全好处,但你几乎没有超过实际的用户信息无法控制的。
You mentioned that your use has access to Facebook. You could use Facebook to do the authentication for you. Although you wont be able to grab the username and password, you can get a token back, that you can then validate against a known permission set. This is a lot more work than 1) though and will tie you to potential future changes in the Facebook API. However, it also benefits from being well tested, and secure, but you have little to no control over the actual user information.
顺便说一句,请还认为是更好的为谷歌!
As an aside, please also consider being nicer to Google!
这篇关于C#4 ASP.net *非MVC *自定义验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
