The security problems of ASP.NET -- the ASP.NET security architecture, and how to realize .NET security



Objective: when we use Forms authentication we often mix up many concepts. Do you really understand what a Principal, an Identity and IPrincipal are? Most of the literature rarely explains what these things are, only how to use them, so many people's understanding stays at the surface, which ties their hands. I believe that after reading this article you will gain something.

The ASP.NET security architecture provides an object model for implementing a security model in Web applications. Whichever authentication mode we choose, many of the elements are the same. A user who logs on to the application provides credentials and, according to them, is granted a Principal and an Identity. The Principal object represents the user's current security context, including the user's identity and their roles. The Identity object represents the current user. The Principal object is created from the Identity (the user's identification), and some additional information is added to it, such as roles or custom data.

In short: Principal = Identity + roles + custom data

One point we should pay attention to: authentication happens at a specific point in the ASP.NET request life cycle. Remember this; it will be discussed specifically later. Now let us talk specifics:

1. Representing the security context

The Identity object represents an authenticated user. The concrete Identity type depends on the type of authentication used: for example, Windows authentication uses a WindowsIdentity object, while Forms authentication uses a FormsIdentity object.

When we first encounter the Identity concept it feels a little uncomfortable. In fact, an Identity is simply a user's identification: who is the user, what is the user name? Here we only say it a bit more professionally.

In addition, the Principal object holds the groups or roles of which the authenticated user is a member: it is the current user's security context. "Security context information", said plainly, means that this object contains a lot of information about the user's identity. With Windows authentication the Principal object is created automatically by IIS, but we can also create a general Principal object ourselves (everyone will understand this step by step below).

Everyone has, more or less, used the HttpContext.Current.User property when programming. It returns a Principal object, that is, an object that implements the IPrincipal interface.

  The IPrincipal interface

Different authentication modes have different requirements for the security context. We can say the security context is the Principal object currently in use. The IPrincipal interface defines the basic functions of a Principal object, and we can also customize the security context object, as long as we implement the System.Security.Principal.IPrincipal interface:

Identity property: gets the Identity of the current Principal object. This is why we said that a Principal contains an Identity.

IsInRole(string roleName) method: determines whether the current Principal object is in the specified role. We are all familiar with statements such as HttpContext.Current.User.IsInRole("Admin").

The Principal object is accessed through the HttpContext.Current.User property; everybody should have used the following code:

  lblUserName.Text = HttpContext.Current.User.Identity.Name + " already logged in";


(Note: Identity is the identification of the user, including the user name. We will talk about it later.)

The following code is even more common: judging whether the current user is in the administrator role:





Then let us have a look at the built-in ASP.NET object that implements the IPrincipal interface:

 The GenericPrincipal class

The GenericPrincipal class implements the IPrincipal interface. As can be seen from the name, a GenericPrincipal object represents a general security context: it only defines the current user's roles, that is, the object is only a basic implementation of the IPrincipal interface. (From here on we call an object implementing the IPrincipal interface a principal.) For an authentication mode such as Windows authentication, WindowsPrincipal is used, because WindowsPrincipal is a more specific implementation of IPrincipal. With Forms authentication, the general GenericPrincipal is used. That is to say, we can implement a custom Principal object according to our own requirements. This will be mentioned below.

Each implementation of the IPrincipal interface overrides the Identity property and the IsInRole method. The IsInRole method of the GenericPrincipal class compares the given value with the role names defined in its string array, while the IsInRole method of the WindowsPrincipal class compares the given role with the roles (Windows groups) assigned to the Windows user account.

We can create an instance of the GenericPrincipal class that is used throughout the life cycle of the current request, and assign it to the HttpContext.Current.User property.

The GenericPrincipal constructor takes two parameters: a GenericIdentity for the user (GenericIdentity is an implementation of the IIdentity interface representing the user's identification), and a string array representing the user's roles. This is why we said before: Principal = Identity + roles.

Once the GenericPrincipal object is created, it can be assigned to the HttpContext.Current.User property, and it then represents the security context of the current request's user.

The following code example creates one:

 // Create a general GenericPrincipal

 // We said: the identification contains the user's name; the following creates an identification containing "xiaoyang"
 GenericIdentity identity = new GenericIdentity("xiaoyang");

 // Note: roles is a string array representing the user's roles
 string[] roles = new string[] { "Admin", "Customer" };

 // Create the GenericPrincipal
 GenericPrincipal principal = new GenericPrincipal(identity, roles);



  Note: the above code is written in a specific place, that is, at a specific point in the request life cycle, which we will talk about later.
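To see the pieces working together outside a web project, here is an added console example (not code from the original post) that builds the same GenericIdentity / GenericPrincipal pair as above and queries it the way page code queries HttpContext.Current.User. It also supplies the "is the current user an administrator" check referred to earlier, written against IPrincipal so it works for any principal type. The user name "xiaoyang" and the roles "Admin" and "Customer" are the post's own sample values; the class and method names (PrincipalDemo, Build, IsAdministrator) are assumptions for this demo, and HttpContext is not used because it needs System.Web.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the original post): GenericIdentity + GenericPrincipal in a console program.
public static class PrincipalDemo
{
    // Principal = Identity + roles: the identification carries the name, the principal carries the roles.
    public static GenericPrincipal Build(string userName, string[] roles)
    {
        GenericIdentity identity = new GenericIdentity(userName);
        return new GenericPrincipal(identity, roles);
    }

    // The "is the current user an administrator" check, written against IPrincipal so that it
    // works for a GenericPrincipal, a WindowsPrincipal or a custom principal alike.
    public static bool IsAdministrator(IPrincipal user)
    {
        // A role check on an unauthenticated identification is meaningless: deny first.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole("Admin");
    }

    public static void Main()
    {
        GenericPrincipal principal = Build("xiaoyang", new string[] { "Admin", "Customer" });

        Console.WriteLine("Name:            " + principal.Identity.Name);
        Console.WriteLine("AuthType:        '" + principal.Identity.AuthenticationType + "'");
        Console.WriteLine("IsAuthenticated: " + principal.Identity.IsAuthenticated);
        Console.WriteLine("IsInRole(Admin): " + principal.IsInRole("Admin"));
        Console.WriteLine("IsInRole(Guest): " + principal.IsInRole("Guest"));
        Console.WriteLine("IsAdministrator: " + IsAdministrator(principal));

        // GenericIdentity reports IsAuthenticated == false when the name is empty, which is how an
        // anonymous user looks. A role array alone does not make such a principal trustworthy,
        // so the helper above refuses it even though IsInRole("Admin") would still answer true.
        GenericPrincipal anonymous = Build("", new string[] { "Admin" });
        Console.WriteLine("Anonymous IsAuthenticated: " + anonymous.Identity.IsAuthenticated);
        Console.WriteLine("Anonymous IsInRole(Admin): " + anonymous.IsInRole("Admin"));
        Console.WriteLine("Anonymous IsAdministrator: " + IsAdministrator(anonymous));
    }
}
```

The point of the second half is that a GenericPrincipal answers IsInRole purely from the array it was given; it does not check whether the identification was ever authenticated. Authorization code should therefore look at Identity.IsAuthenticated before trusting a role answer, exactly as the page's own HttpContext.Current.User.Identity.IsAuthenticated check does.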


Having spoken of Principal, here we talk about what the user's identification is, which has been mentioned many times.

2. The user identification


The Identity object is used to identify the user. The identification provides only a small amount of security context information, such as the user name. The Identity object can also tell whether the user has been authenticated.



The IIdentity interface

Like the IPrincipal interface, an object representing the user's identification has to implement this interface. The IIdentity interface defines the basic structure of Identity objects, as follows:

AuthenticationType (string) property: the type of authentication in use. For example, if Forms authentication is used, this property returns the string "Forms"; our custom identification can return the string "CustomIdentity".


IsAuthenticated (bool) property: identifies whether the user has passed authentication. We often use HttpContext.Current.User.Identity.IsAuthenticated to determine whether the user has logged in.

Name (string) property: gets the user name. Nobody is a stranger to HttpContext.Current.User.Identity.Name.

Below let us have a look at our own identification class implementing the IIdentity interface.

using System;
using System.Security.Principal;

public class CustomIdentity : IIdentity
{
    private string name;
    private string authenticationType = "CustomIdentity";
    // Demonstration only: a real identification must set this to true only after the credentials have been verified.
    private bool isAuthenticated = false;

    // The constructor receives only a string parameter; compare with the earlier code: GenericIdentity identity = new GenericIdentity("xiaoyang");
    public CustomIdentity(string name)
    {
        this.name = name;
    }

    public CustomIdentity(string name, string authenticationType)
    {
        this.name = name;
        this.authenticationType = authenticationType;
    }

    // Implementation of the interface

    public string AuthenticationType
    {
        get { return authenticationType; }
    }

    public bool IsAuthenticated
    {
        get { return isAuthenticated; }
    }

    public string Name
    {
        get { return name; }
    }
}
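The post promised a custom Principal object to go with the custom identification but only shows the identification. The following added example (not code from the original post) completes the picture: a CustomPrincipal implementing IPrincipal, paired with a CustomIdentity whose IsAuthenticated value is supplied by the caller rather than fixed to false. Both class names, the IsInRole behaviour and the sample user "xiaoyang" with roles "Admin" and "Customer" are assumptions for this demo; the page's own CustomIdentity has a different constructor.

```csharp
using System;
using System.Security.Principal;

// Added example (not from the original post): a custom identification plus a custom principal,
// i.e. Principal = Identity + roles built from our own classes.
public class CustomIdentity : IIdentity
{
    private readonly string name;
    private readonly string authenticationType;
    private readonly bool isAuthenticated;

    // Unlike the page's demonstration class, this one takes the authentication result as input so
    // that IsAuthenticated is true only when the caller has actually verified the credentials.
    public CustomIdentity(string name, bool isAuthenticated)
        : this(name, isAuthenticated, "CustomIdentity") { }

    public CustomIdentity(string name, bool isAuthenticated, string authenticationType)
    {
        if (name == null) throw new ArgumentNullException("name");
        this.name = name;
        this.isAuthenticated = isAuthenticated;
        this.authenticationType = authenticationType;
    }

    public string AuthenticationType { get { return authenticationType; } }
    public bool IsAuthenticated { get { return isAuthenticated; } }
    public string Name { get { return name; } }
}

public class CustomPrincipal : IPrincipal
{
    private readonly CustomIdentity identity;
    private readonly string[] roles;

    public CustomPrincipal(CustomIdentity identity, string[] roles)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        this.identity = identity;
        // Copy the array so a caller that still holds the original cannot change the roles afterwards.
        this.roles = roles == null ? new string[0] : (string[])roles.Clone();
    }

    // IPrincipal.Identity: the principal contains the identification.
    public IIdentity Identity { get { return identity; } }

    // IPrincipal.IsInRole: an unauthenticated identification is in no role at all;
    // otherwise compare against the role list with an exact (ordinal) match.
    public bool IsInRole(string role)
    {
        if (role == null || !identity.IsAuthenticated) return false;
        foreach (string r in roles)
        {
            if (string.Equals(r, role, StringComparison.Ordinal)) return true;
        }
        return false;
    }
}

public static class CustomPrincipalDemo
{
    public static void Main()
    {
        // Constructed sample: the credential check is assumed to have succeeded for "xiaoyang".
        IPrincipal user = new CustomPrincipal(new CustomIdentity("xiaoyang", true), new string[] { "Admin", "Customer" });
        Console.WriteLine(user.Identity.Name + " / " + user.Identity.AuthenticationType);
        Console.WriteLine("IsAuthenticated: " + user.Identity.IsAuthenticated);
        Console.WriteLine("IsInRole(Admin): " + user.IsInRole("Admin"));
        Console.WriteLine("IsInRole(admin): " + user.IsInRole("admin"));

        // Same roles, but the credential check failed: every role check now returns false.
        IPrincipal failed = new CustomPrincipal(new CustomIdentity("xiaoyang", false), new string[] { "Admin" });
        Console.WriteLine("Failed login IsInRole(Admin): " + failed.IsInRole("Admin"));
    }
}
```

In a web application the CustomPrincipal instance would be assigned to HttpContext.Current.User at the life-cycle point the post alludes to, after which HttpContext.Current.User.IsInRole("Admin") and HttpContext.Current.User.Identity.Name work exactly as they do with the built-in GenericPrincipal. The design choice worth noting is that the role check is tied to the authentication result inside the principal itself, so page code cannot accidentally grant a role to a user whose login failed.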

The above code is a demonstration; everyone can extend it according to their own requirements.

As before, let us have a look at the built-in Identity classes of ASP.NET:

  FormsIdentity -- used with Forms authentication

  PassportIdentity -- used with Passport authentication

  GenericIdentity -- a general-purpose identification

  WindowsIdentity -- used with Windows authentication


We'll have a look at the use of GenericIdentity; the use of the others is analogous.

In fact, GenericIdentity is the basic Identity object, the simplest form an Identity takes. In the GenericPrincipal example we looked at, we created an instance of the GenericIdentity class:

 GenericIdentity identity = new GenericIdentity("xiaoyang");

And we can also use more specific Identity objects, such as the previously mentioned FormsIdentity, which exposes more specific user information.


Posted by Caroline at November 15, 2013 - 11:53 AM