安全和身份

  • 防止利用表单(form)进行的跨域(CSRF)攻击
  • 使用 HTTPS(TLS),避免在 Internet 上传输的数据被窃取
  • 确保用户 输入密码 或者 通过社交媒体授权 登录时的安全性

ASP.NET Core 有助于实现这些功能。前两个(防止SQL注入和跨域攻击)功能已经内置了,要开启 HTTPS,只需寥寥数行代码即可。本章主要关注安全性的 身份验证(identity) 方面:管理用户的账号(注册、登录),安全地验证用户(登录),并在验证后做出授权决策。

你搭建项目的时候,应用了 MVC + Individual验证 项目模板,该模板中带有几个类,构建在 ASP.NET Core Identity(一个验证和身份系统,属于 ASP.NET Core 的一部分)之上。安装后,默认添加了通过 email 和密码进行登录的功能。

ASP.NET Core Identity 处理用户账号的存储、散列并保存密码、还负责管理用户的角色。它支持 邮箱地址/密码 登录、多重身份验证、集成以 Google 和 Facebook 之类的身份提供者的 社交账号登录、以及借助 OAuth 2.0 和 OpenID Connect 等协议连接到其它的服务。

MVC + Individual验证 项目模板中的 Register 和 Login 视图 已经从 ASP.NET Core Identity 中受益,而且已经正常工作了,请试着注册一个账号并用它登录。

Security and identity

Security is a major concern of any modern web application or API. It’s important to keep your user or customer data safe and out of the hands of attackers. This is a very broad topic, involving things like:

  • Sanitizing data input to prevent SQL injection attacks
  • Preventing cross-domain (CSRF) attacks in forms
  • Using HTTPS (connection encryption) so data can’t be intercepted as it travels over the Internet
  • Designing password reset, account recovery, and multi-factor authentication flows

Authentication and authorization are distinct ideas that are often confused. Authentication deals with whether a user is logged in, while authorization deals with what they are allowed to do after they log in. You can think of authentication as asking the question, “Do I know who this user is?” While authorization asks, “Does this user have permission to do X?”

The MVC + Individual Authentication template you used to scaffold the project includes a number of classes built on top of ASP.NET Core Identity, an authentication and identity system that’s part of ASP.NET Core. Out of the box, this adds the ability to log in with an email and password.

What is ASP.NET Core Identity?

ASP.NET Core Identity is the identity system that ships with ASP.NET Core. Like everything else in the ASP.NET Core ecosystem, it’s a set of NuGet packages that can be installed in any project (and are already included if you use the default template).

The Register and Login views that ship with the MVC + Individual Authentication template already take advantage of ASP.NET Core Identity, and they already work! Try registering for an account and logging in.