Security


Custom Membership Provider. Часть 2 « shiftnotes

http://shiftnotes.wordpress.com/2011/02/21/custom-membership-provider-part-2/ In the previous lesson we created a standard ASP.NET MVC 2 web application containing the basic functionality, and a custom membership provider that has the empty methods of the standard provider, to be filled with our own logic. This part of the lesson covers creating a database with a table for users, and implementing all of our provider's methods, even if they will return preset values. An email verification system will be added that generates a special link for activating an account or resetting a password. After all that, we will make a custom RoleProvider and an administration section of the application. Now back to the lesson. To begin with, we need a database that will store all the membership information.
http://www.bradygaster.com/custom-authentication-with-mvc-3.0 During a friendly code review discussion a week or so ago I realized I’d forgotten my favorite lore of custom authentication/authorization functionality in lieu of ASP.NET P&M. Though I definitely prefer P&M to rolling my own from scratch to the extent that I’ve gone as far as to use it as a pass-through there are some times when P&M is too much – or too little – so custom schemes must be developed.

Custom Authentication with MVC 3.0

Executive Overview You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities. In ASP.NET MVC 2, it was recommended that you create a base controller with an [Authorize] attribute, and derive each controller (except the Account/Login controller) from that base class. That strategy has one big flaw: nothing prevents you from adding a new controller that doesn't derive from the [Authorize] protected base controller.

Securing your ASP.NET MVC 3 Application - Ricka on MVC and related Web Technologies

http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
ScottHa has a great blog Working with SSL at Development Time is easier with IISExpress , but I’ve got what I think is a better approach. Please weigh in. In this blog entry I’ll show you how to test SSL on your ASP.NET MVC & WebForms applications using IIS 7. You should make sure you have IIS 7 set up on your Windows 7 computer before proceeding. See my blog Test your ASP.NET MVC or WebForms Application on IIS 7 in 30 seconds for instructions. http://blogs.msdn.com/b/rickandy/archive/2011/04/22/better-faster-easier-ssl-testing-for-asp-net-mvc-amp-webforms.aspx

Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms - Ricka on MVC and related Web Technologies

Update: Since the Release Candidate of ASP.NET MVC, these anti-forgery helpers have been promoted to be included in the core ASP.NET MVC package (and not in the Futures assembly). Cross-site scripting (XSS) is widely regarded as the number one security issue on the web. But since XSS gets all the limelight, few developers pay much attention to another form of attack that’s equally destructive and potentially far easier to exploit. http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVC’s AntiForgeryToken() helper

http://www.devproconnections.com/content1/topic/securing-asp-net-mvc/catpath/net-framework

Securing ASP.NET MVC