計算機(jī)專業(yè)畢業(yè)外文翻譯--asp. net 中認(rèn)證安全特征評述

1、<p>　　ASP. NET 中認(rèn)證安全特征評述</p><p>　　Narcisio Tumushabe ,譚冠正(音譯)</p><p>　　(中南大學(xué)計算機(jī)科學(xué)與信息技術(shù)學(xué)院, 湖南長沙410083)</p><p>　　摘　要: 討論了服務(wù)應(yīng)用時支持安全的ASP. NET 認(rèn)證特征,微軟的互聯(lián)網(wǎng)信息服務(wù)( IIS) 和ASP.NET 提供了安全模式

2、,使Web 開發(fā)者恰當(dāng)?shù)卣J(rèn)證其使用者,并在應(yīng)用過程中獲得正確的安全之本. 三個層次的認(rèn)證是基于表單的,身份證書和視窗認(rèn)證. 綜述文獻(xiàn)僅限于上述三個領(lǐng)域.</p><p>　　關(guān)　鍵　詞: 表單; 身份證書; 視窗認(rèn)證</p><p>　　中圖分類號: TP 393108 　文獻(xiàn)標(biāo)識碼: A 文章編號: 1000 - 1646 (2003) 03 - 0250 - 05</p>

3、;<p>　　安全是開發(fā)人員和應(yīng)用程序架構(gòu)師首要關(guān)注的問題。由于不同類型的網(wǎng)站有不同的安全需要，開發(fā)人員需要知道需要什么程度的安全運行，并為他們的程序選擇適當(dāng)?shù)陌踩Ｊ健Ｓ行┚W(wǎng)站發(fā)布的信息不來自用戶，而是通過搜索引擎等廣泛渠道來收集。另外一些網(wǎng)站，可能要收集用戶的敏感信息，比如信用卡號碼，這些網(wǎng)站需要非常嚴(yán)格的安全措施，以避免來自外部的惡意攻擊。</p><p>　　1 asp.net安全的基本

4、操作</p><p>　　在ASP . NET應(yīng)用程序的環(huán)境中安全的基本操作涉及三步即驗證，授權(quán)和模擬。驗證的過程中認(rèn)證用戶身份,允許或拒絕請求。這涉及到接受用戶憑據(jù)（如用戶名和密碼）和憑證核對。經(jīng)過身份驗證，合法用戶對資源的請求將得到滿足。接下來一段時間，用戶請求資源無需再進(jìn)行身份驗證，直到用戶退出這個WEB應(yīng)用程序。授權(quán)是給予用戶訪問特定資源的資格。模擬的過程，是使應(yīng)用程序確認(rèn)用戶的身份，從而獲得要求的其他資

5、源?；谀M的身份，請求資源將被授予或者拒絕。</p><p>　　2 ASP.NET的驗證</p><p>　　驗證是Web應(yīng)用程序的安全一個重要的特征。在ASP.NET中，驗證表現(xiàn)在兩個層次上，[2 ]首先， Internet信息服務(wù)（ IIS ）將執(zhí)行必要的驗證，然后把用戶請求發(fā)送到ASP.NET中，如圖1所描述的。ASP.NET應(yīng)用程序的Web服務(wù)器基本是IIS 。因此，每個A

6、SP.NET應(yīng)用程序可以繼續(xù)利用IIS所提供的的安全性選項。當(dāng)用戶請求特定資源時，這一要求將發(fā)送到IIS 。 IIS驗證用戶的請求，然后把認(rèn)證用戶發(fā)送給ASP.NET工作進(jìn)程。 ASP.NET工作進(jìn)程將決定是否模擬驗證IIS所提供的用戶。如果Web.config文件中的模仿配置是啟用的， ASP.NET工作進(jìn)程將模擬驗證使用者。否則， ASP.NET將自行驗證用戶身份。畢竟， ASP.NET決定用戶是否有權(quán)訪問這些資源。如果他們被允許，

7、ASP.NET提供請求的服務(wù); 否者他將一個“ 拒絕登入”的錯誤訊息傳回給用戶。</p><p>　　圖1 IIS和ASP.NET的安全流程</p><p>　　ASP.NET通過幾種認(rèn)證機(jī)制提供了內(nèi)置的用戶身份驗證， [1.4]它們是基于表單的身份驗證，應(yīng)用程序使用自定義身份驗證模式的Cookie支持來確保安全；身份證書，應(yīng)用程序使用微軟的身份證書來身份驗證，身份證書是微軟開發(fā)的一個

8、Web單點登錄技術(shù)，還有視窗驗證，Web應(yīng)用程序使用從集成視窗身份驗證中獲得的用戶名單來驗證用戶。</p><p>　　也有些應(yīng)用程序不使用身份驗證，或自行開發(fā)驗證機(jī)制。在這種情況下， 可以把ASP. NET中身份驗證模式設(shè)置為關(guān)閉。本文將簡要地涉及基于表單的,身份證書和視窗認(rèn)證。</p><p>　　2.1 基于表單的認(rèn)證 </p><p>　　基于表單的認(rèn)證驗證

9、是用定制邏輯執(zhí)行來驗證用戶，運用了Cookie而無需擔(dān)心Session管理。這使開發(fā)人員獲得更多的權(quán)限去指定哪些文件在網(wǎng)站上可獲取和由何人獲取，并可以識別的登錄頁。[3]這一機(jī)制將自動重定向未驗證用戶到登錄頁，并請他們提供適當(dāng)?shù)膽{據(jù)（例如，用戶名/密碼組合）。如果登錄成功，ASP.NET分配cookie給用戶，并重定向到他們原先請求的特定資源。此Cookie允許用戶反復(fù)訪問特定資源，而不必重新執(zhí)行登錄機(jī)制。顯示如下：</p>

10、<p>　　圖 2表單認(rèn)證流程</p><p>　　在上圖中，首先用戶請求資源。這一請求將先到達(dá)IIS，由IIS進(jìn)行用戶身份驗證的。如果IIS啟用匿名訪問，或者用戶已成功通過驗證，IIS會將把請求轉(zhuǎn)到ASP.NET應(yīng)用程序。ASP.NET中查看是否有有效的身份驗證cookie附加請求中。如果有，它意味著用戶先前已通過驗證。 ASP.NET將執(zhí)行授權(quán)檢查。如果用戶有訪問這些資源的權(quán)限，將被允許訪問。

11、否則返回登入失敗的信息。如果提出的請求沒有附帶任何Cookie，ASP.NET將重定向用戶登錄頁面，并要求用戶進(jìn)行身份驗證。應(yīng)用程序代碼檢查身份證書。如果身份驗證通過，ASP.NET將以附加驗證的形式返回Cookie。如果失敗了，用戶可以被重定向到登錄頁并告訴用戶，該用戶名/密碼無效。</p><p><b>　　建立基于表單的認(rèn)證</b></p><p>　　一般來

12、說，建立基于表單的認(rèn)證涉及4個步驟[2] ：（一）啟用匿名訪問IIS（二）配置Web.config文件中的<authentication>（三）設(shè)定Web.config文件中的<authorization>（四）創(chuàng)建登錄頁。</p><p>　?。ㄒ唬﹩⒂媚涿L問IIS：</p><p>　　這有許多工作要做，因為大多數(shù)的用戶被認(rèn)定為非視窗用戶，所以他們通過IIS進(jìn)

13、入ASP. NET ，ASP.NET將始終允許匿名訪問登入頁面。</p><p>　?。ǘ┡渲肳eb.config文件中的< authentication ></p><p>　　Web.config文件包含了一個Web應(yīng)用程序的等級和身份驗證服務(wù)的類型等相關(guān)信息。該表單驗證通過設(shè)置Web應(yīng)用程序的身份驗證模式屬性為表單來激活[3]:</p><p>

14、　　正如上面的代碼，name屬性為HTTP cookie的名稱。loginURL屬性設(shè)置為登錄頁面。如需，這是該網(wǎng)頁所使用的身份驗證的用戶憑據(jù)。如果用戶沒有通過驗證，請求將重定向到特定網(wǎng)址loginURL。保護(hù)屬性的有效值分為所有，無，加密和驗證。Cookie保護(hù)設(shè)置為所有，這導(dǎo)致ASP.NET運行時不僅加密Cookie的內(nèi)容，而且驗證Cookie的內(nèi)容。 [8]如果設(shè)置為無，它不使用任何加密或驗證。指定加密將使用DES或DES加密算法

15、加密Cookie；cookie中的數(shù)據(jù)驗證不這樣做，指定驗證cookie的數(shù)據(jù)未作改動的，而不是加密Cookie的內(nèi)容。超時設(shè)置為10 ，這意味著在10分鐘后身份驗證Cookie將過期。這樣做的目的是減少通過驗證Cookie偷竊別人的機(jī)會。通過減少時鐘，cookie將被經(jīng)常地再生。路徑屬性是指cookie被發(fā)送到用戶端的路徑。它被設(shè)置為“ / ”這意味著在Cookie路徑是根目錄。</p><p>　　（三）配置

16、Web.config文件中的< authorization ></p><p>　　為ASP. NET Web應(yīng)用程序添加授權(quán)服務(wù)。要做到這一點，添加Web.config文件中的< authorization >：</p><p>　　如上面所解釋，在用戶提供了有效的證書后，用戶將被重定向到特定的網(wǎng)頁。然而，授權(quán)在此代碼中將拒絕除“Narcis”外所有用戶的訪問。

17、</p><p><b>　?。ㄋ模﹦?chuàng)建登錄頁</b></p><p>　　這是重定向未經(jīng)驗證用戶的最后一步，這樣他們就可以提供其身份證書，通常是某種形式的用戶名和密碼，登錄到受保護(hù)的資源的授權(quán)。在登錄頁，必須通過對比數(shù)據(jù)庫來驗證遞交的身份證書。有效的用戶名和密碼可以存儲在web. config的憑據(jù)(credentials)節(jié)：</p><p&g

18、t;　　然而，以明文形式存儲密碼是很不安全的。此外，在Web.config文件中存儲數(shù)千個用戶名和密碼也是不現(xiàn)實的。[2 .7]為解決這個問題，用戶名和密碼都存儲在數(shù)據(jù)庫中，這個辦法使Web. config文件不再有< credentials >一節(jié)。同時Login. Aspx頁面也因為身份證書需比對用戶名和密碼存儲在數(shù)據(jù)庫中而發(fā)生一些改變。</p><p><b>　　2.2身份證書 &l

19、t;/b></p><p>　　如前所述，這個驗證機(jī)制提供了一個集中的認(rèn)證服務(wù)，可為會員提供特有的訪問權(quán)。在下列情況下使用身份認(rèn)證：[2]（一）用戶名/密碼數(shù)據(jù)庫或登入頁不易維護(hù);（二）希望提供個性化的內(nèi)容;（三）該網(wǎng)站將與其他認(rèn)證網(wǎng)站結(jié)合;（四）希望給用戶特有的訪問權(quán)。</p><p><b>　　創(chuàng)建身份證書 </b></p><p>

20、;　　為了實施這一身份認(rèn)證模式，必須在服務(wù)器上安裝身份證書SDK （軟件開發(fā)套件）和注冊微軟身份證書。[1,2]下面的代碼設(shè)置Web. config文件的身份認(rèn)證模式(authentication)設(shè)置為身份證書：</p><p>　　該身份證書的重導(dǎo)向地址（RedirectURL）屬性設(shè)置為內(nèi)部（internal），這意味著未經(jīng)驗證的請求能夠得到相同的錯誤信息。redirectURL的屬性還可以是除intern

21、al外的其他字符串，一般是URL，用來重定位未經(jīng)驗證的請求。</p><p><b>　　2.3 視窗認(rèn)證 </b></p><p>　　這種類型的身份認(rèn)證可能是最簡單的一種。視窗認(rèn)證可與IIS提供的除匿名身份驗證外的幾乎所有的驗證方法結(jié)合（如基本，摘要式，NTLM或Kerberos身份驗證），[2,4]這里無需寫任何代碼來驗證用戶的IIS已經(jīng)驗證自己的Windows

22、憑據(jù)。基本上，視窗認(rèn)證使用IIS的身份驗證功能。IIS將先完成它的驗證功能，然后由ASP.NET決定是否給予授權(quán)或拒絕服務(wù)。</p><p>　　這種機(jī)制通常是在用戶是Windows域和通過身份驗證的用戶時使用，代碼執(zhí)行在安全性與用戶的Windows帳戶相同的環(huán)境中。[4]當(dāng)用戶請求具體的資源，這一要求將前往IIS。IIS中對用戶進(jìn)行身份驗證和發(fā)放安全令牌給它。然后，將通過認(rèn)證的要求和安全令牌轉(zhuǎn)發(fā)給ASP.NET

23、中。如果模擬啟用， ASP.NET模擬用戶使用安全令牌重視，并在Web.config文件的“授權(quán)< authorization >”一節(jié)中的查看使用者是否被授權(quán)訪問的資源。如果獲得批準(zhǔn)， ASP.NET將通過IIS發(fā)送用戶所要求的資源，否則，它發(fā)出的錯誤訊息給使用者。</p><p><b>　　設(shè)置視窗認(rèn)證</b></p><p>　　視窗認(rèn)證的唯一的步

24、驟是在Web.config文件中設(shè)置身份驗證模式為Windows和拒絕存取匿名用戶，如下所示：</p><p>　　模擬只有在代碼是在相同的安全環(huán)境中的用戶帳戶才能啟用。同樣，這也要在做配置文件中完成。</p><p><b>　　2.4結(jié)束語</b></p><p>　　ASP.NET安全認(rèn)證是Web應(yīng)用程序安全的最主要特征之一。它分為三個不

25、同的內(nèi)置服務(wù)：基于表單的，身份認(rèn)證和視窗認(rèn)證?；诒韱蔚恼J(rèn)證和身份認(rèn)證不要求用戶為Windows用戶。在視窗認(rèn)證是為Windows域用戶設(shè)計的?；诒韱蔚恼J(rèn)證提供了未經(jīng)認(rèn)證的用戶登錄頁面，要求他們提供憑據(jù)，并將對這些證書進(jìn)行驗證。如果用戶無權(quán)訪問特定的資源，它將把拒絕存取信息返回到用戶。在身份認(rèn)證中，身份的SDK只是在服務(wù)器上安裝和注冊微軟身份證書，提供了一個由Microsoft提供登入憑證的訪問會員網(wǎng)站的簡單的機(jī)制。視窗是最方便使用的

26、，因為它不需要寫任何代碼進(jìn)行驗證。</p><p><b>　　參考文獻(xiàn):</b></p><p>　　[1] Bell ,J . , et al ,2001 ,ASP. NET Programmer’s Reference ,Wrox Press Ltd. ,USA.</p><p>　　[2] Chilakala ,V. ,2001 ,Mi

27、crosoft ASP. NET Security ,Microsoft Support WebCasts.</p><p>　　[3] Gonzales ,J . ,2002 ,15 Seconds : Using Forms Authentication in ASP. NET Part 1</p><p>　　[4] Kercher ,J . ,2001 ,Authenticatio

28、n in ASP. NET : . NET, Security Guidance ,MSDN Magazine August 2001.</p><p>　　[5] Lassan ,R. ,Smith , E. ,2002 ,ASP. NET Bible ,Hungry ,Minds Inc. ,USA.</p><p>　　[6] Leinecker , R. , 2002 ,Using

29、 ASP. NET ,Que Corporation , Indiana.</p><p>　　[7] NET Framework Developer’s Guide : ASP. NET Web.Application Security ,Link.</p><p>　　[8] Kieley ,J . ,2001 ,Migrating to ASP. NET : Key Consid2e

30、ration ,MSDN Magazine November 2001.</p><p>　　An overview of authentication security features in ASP. NET</p><p>　　Narcisio Tumushabe , TAN Guan-zheng</p><p>　　(School of Computer S

31、cience and Information Technology , Central South University , Changsha 410083 , China)</p><p>　　Abstract : This article discusses the authentication feature of the ASP. NET to support security when designin

32、g a server application. Both Microsoft Internet Information Services ( IIS) and ASP. NET provide security models that will allow web developers to authenticate the your users appropriately and obtain the correct security

33、 context within the application. Three levels of authentication covered are the Formsbased , passport and windows authentications. The article literature is limited to th</p><p>　　Key words : Forms2based; pa

34、ssport ; windows authentication</p><p>　　CLC number : TP 393108 Document code : A Article ID : 1000 - 1646 (2003) 03 - 0250 - 05</p><p>　　Security is one of the primary concerns forboth devel

35、opers and application architect s. As there are lot s of different types of websites with varying security needs , the developers need to know how the security works and choose the appropriate security model for their ap

36、plications. Some websites collect no information from the users and publish the information that is available widely such as search engine. There are other sites that may need to collect sensitive information f rom their

37、 users </p><p>　　1 　Fundamental Operations of ASP. NET Security　 </p><p>　　Security in the context of ASP. NET application involves 3 fundamental operations namely Authentication , Authorizatio

38、n and Impersonation. Authentication is the process of validating the identity of a user to allow or deny a request .This involves accepting credentials ( e. g. username and password) from the users and validating it agai

39、nst adesignated authority. After the identity is verified and validated , the user is considered to be legal and the resource request is fulfilled. Future request</p><p>　　2 　Authentication in ASP. NET</p

40、><p>　　Authentication is one of the foremost features of web application’s security. In ASP. NET , authentication is done at two levels . [2]First , Internet Information Server (IIS) will perform the required a

41、uthentication , then send out the request to ASP. NET , as described in Figure 1. For ASP. NET application , the underlying web server is IIS. Therefore , every ASP. NET application can continue to leverage the security

42、options provided by IIS .When the user requests a specific resource on the sy</p><p>　　Fig. 1 　Security flow of IIS and ASP. NET</p><p>　　ASP. NET provides built-in support for user authenticati

43、on through several authentication providers. [1,4] These are Forms based authentication , which is the application that is secured by using a custom authentication model with cookie support , Passport authentication , an

44、 application that is secured by using Microsoft Passport authentication. Passport is a single sign on technology developed by Microsoft for use on the web and the Windows authentication which is an application secured b

45、y us</p><p>　　There are scenarios where some applications do not use the authentication at all or the developer may want to develop custom authentication code. In this case , ASP. NET can set the authenticat

46、ion mode to none. This article will briefly cover the Formsbased , passport and windows authentications.</p><p>　　2.1 FormsBased Authentication</p><p>　　Formsbased authentication is used to impl

47、ement customized logic for authenticating users without having to worry about session management using a cookie. It gives a developer more access to specify which files on the site can be accessed and by whom , and allow

48、s identification of a login page . [3 ]This mechanism will automatically redirect the unauthenticated user to login page and ask them to provide proper credentials ( e. g. username/ password combination) . If login is su

49、ccessful , ASP. NET</p><p>　　Fig. 2 　Form authentication flow</p><p>　　In figure above , the user requests the restricted resources first . This request will go to IIS first and the user is auth

50、enticated by IIS. If the anonymous access is enabled in IIS or the user is successfully authenticated , it will hand off the request to ASP. NET application. ASP. NET checks to see whether a valid authentication cookie i

51、s attached to the request . If it is , it means the user credentials has been previously authenticated. ASP. NET will then perform the authorization check. I</p><p>　　Set Up FormsBased Authentication</p&g

52、t;<p>　　Generally, setting up the Formsbased authentication involves 4 steps [2] namely (i) Enable anonymous access in IIS (ii) Configure < authentication > section in Web. config file (iii) Configure <

53、; authorization > section in Web. config file and (iv) Create Login Page.</p><p>　　(i) Enable anonymous access in IIS : </p><p>　　This has to be done as most of the users are considered to be

54、 non-Windows users , so they can get through IIS to get to ASP. NET . ASP. NET will always allow anonymous access to the login page though. </p><p>　　(ii) Configure <authentication> section in Web. co

55、nfig file : </p><p>　　Web. config file contains the information related to the level and type of authentication service that is provided for a web application. The Formsbased authentication is enabled for a

56、web application by setting the authentication mode attribute to Forms[3]: </p><p>　　As shown by the code above , the name attribute is the name of HTTP cookie. The attribute loginURL is set to Login. aspx ,

57、which is the web page that is used for authenticating user credentials. The requests are redirected to particular URL in loginURL if the user is not authenticated. The cookie protection is set to All. This causes the ASP

58、. NET runtime to not only encrypt the cookie contents , but also validate the cookie contents. The valid values for protection attribute are All , None , Enc</p><p>　　(iii) Configure < authorization >

59、section in Web. config file</p><p>　　Add authorization support to section of ASP. NET web application. To do so , add the <authorization> section in Web. config file : </p><p>　　As explain

60、ed above , after the user provides the valid credentials , the user is redirected to the specific protected page. However , The authorization section in this code will deny access to all users , but exclusively allow acc

61、ess to Narcis.</p><p>　　(iv) Create Login Page</p><p>　　This is the last step for redirecting unauthenticated users , so they can provider their credentials , usually in a form of username and p

62、assword and logon to protected resources. The login page must validate the submitted credentials against a database of some custom method. Valid usernames and passwords can be stored in the Web. config file in credential

63、s section :</p><p>　　However , storing password in clear text is unreasonable for security. Moreover , it is unrealistic to store thousands of names and passwords in Web.config file. [2 ,7]To address this pr

64、oblem , the usernames and passwords are stored in the database.This approach makes the Web. config file no longer have the < credentials > section. There will be also some changes in Login. aspx since the credentia

65、ls will be tested to match against result query from database that stores the usernames and password</p><p>　　2．2 Passport Authentication</p><p>　　As stated above , this authentication mechanis

66、m provides a centralized authentication service that offers single sign-in for access the member sites. The following scenarios support the use of Passport Authentication : [2](i) The username and password database or lo

67、gin page is not maintained ; (ii) Willing to provide personalized content ; ( iii) the site will be used in conjunction with other Passport sites ; and (iv) Willing to give single sign-in capability to the users </p&g

68、t;<p>　　Set Up Passport Authentication</p><p>　　To implement this authentication mode , Passport SDK ( Software Development Kit ) has to be installed on the server and register with Microsoft (r) Pass

69、port. [1 ,2]The following code is specified in the Web. config file where the authentication mode is set to Passport :</p><p>　　The redirectURL attribute of Passport section is set to internal , which means

70、the unauthenticated request will receive common error message. The value of redirectURL may contain a string other than internal , which is considered to be a URL , which the unauthenticated request will be sent to.</

71、p><p>　　2.3 　Windows Authentication</p><p>　　This type of authentication is possibly the easiest of all to implement . Windows authentication can be used in conjunction with almost all authenticati

72、on methods provided by IIS (e. g. Basic , Digest , NTLM or Kerberos Authentication) , except Anonymous Authentication . [2 ,4] There is no need to write any code to validate the user as IIS has already authenticated thei

73、r Windows credentials. Basically , Windows authentication makes use of the authentication capabilities of IIS. IIS will complete</p><p>　　This mechanism is usually implemented when the users are part of Wind

74、ows domain and the authenticated users are to be impersonated so that the code is executed in the same security context of the user’s Windows account. [4]When a user requests specific resources , this request will go to

75、 IIS. IIS authenticates the user and attaches the security token to it . It will then pass the authenticated request and security token to ASP. NET. If impersonation is enabled , ASP. NET impersonates the user u</p>

76、;<p>　　Set Up Windows Authentication</p><p>　　The only step in implementing the Windows Authentication is to set the authentication mode to Windows and deny access to anonymous user in Web. config fil

77、e as shown below :</p><p>　　The impersonation is enabled only if the code is to be under same security context as that of the user account . Again , this is done in the configuration file.</p><p&g

78、t;　　2．4 　Conclusion</p><p>　　Authentication in ASP. NET is one of the best features of the web application’s security. It is divided into 3 different built-in providers : Formsbased , Passport and Windows Au

79、thentication. The Forms-based and passport authentication do not require the users to be as Windows users. The windows authentication is designed for users that are part of Windows domain. Formsbased authentication provi

80、des the unauthenticated users with the login page to ask them for their credentials , and it will vali</p><p>　　References :</p><p>　　[1] Bell ,J . , et al ,2001 ,ASP. NET Programmer’s Reference

81、 ,Wrox Press Ltd. ,USA.</p><p>　　[2] Chilakala ,V. ,2001 ,Microsoft ASP. NET Security ,Microsoft Support WebCasts.</p><p>　　[3] Gonzales ,J . ,2002 ,15 Seconds : Using Forms Authentication in AS

82、P. NET Part 1</p><p>　　[4] Kercher ,J . ,2001 ,Authentication in ASP. NET : . NET, Security Guidance ,MSDN Magazine August 2001.</p><p>　　[5] Lassan ,R. ,Smith , E. ,2002 ,ASP. NET Bible ,Hungry

83、 ,Minds Inc. ,USA.</p><p>　　[6] Leinecker , R. , 2002 ,Using ASP. NET ,Que Corporation , Indiana.</p><p>　　[7] NET Framework Developer’s Guide : ASP. NET Web.Application Security ,Link.</p>