
How to implement basic security for my CRUD web app in ASP.net Core 2.2?

I have followed a wonderful tutorial by Microsoft on creating an MVC web app using Core 2.2 ( https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/?view=aspnetcore-2.2 ). After completing this tutorial I was able to build a similar web app using a different product. For simplicity I will stick with the "Movie App" example from the tutorial to ask my question.

Below is the view of the basic CRUD application created.

[Screenshot of the CRUD app]

I would like to provide some basic security for the web application. So far I have been unable to find a solution that meets my needs, which are as follows:

  • Simplicity. There will be only one user who needs any privileges and that is me. The privileges will be full use of CRUD features (I am the only one who can click on any of the blue links in the above image).
  • No login requirements for the public. I would like anyone who visits to be able to make a query from the search box (not shown in the picture) and see the results. I just don't want them to be able to make any changes.
  • Not to have to spend too much time on security so I can continue learning in areas better suited to newer developers.

The bulk of the options I am finding are enterprise level, complex beyond my skill level at the moment, or require everyone to be a user. If I am the only user, is there a way for me to easily create one user account and maybe a second factor like an IP lock? If not, is there a better approach for me to take in tackling this issue?

OK, one thing you have to implement is "some" kind of security / login, so that the application knows "someone" has logged in. In your case, it needs to know that "you" have logged in. So you have to implement some kind of basic authentication mechanism, so that the user "identity" is known. You can take a look at basic cookie authentication here. You don't need to implement any major claims system; a simple authentication is enough (for your non-production / learning scenarios).

Once you have implemented some kind of authentication / login system, after a successful login (authentication), the system knows that the "user" is authenticated. Then in your Razor code you could simply check for this condition and remove the links for unauthorized folks, and on controllers you could add the "Authorize" attribute so that back-end code also checks for authenticated users for the relevant functionality. E.g. in Razor code, you could include conditional links to Edit / Delete etc., like so:

@if (User.Identity.IsAuthenticated)
{
    // Include links for Edit / Delete
}

And you can include a mix of the [Authorize] attribute on relevant controllers and [AllowAnonymous] on relevant methods.

Hope this helps. There is no escaping some basic understanding and work.
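The approach the answer sketches (plain cookie authentication, [Authorize] on the controller with [AllowAnonymous] on the read-only actions, a single admin login), written out as an added example that is not from the original post or the Microsoft tutorial. The Admin:User and Admin:PasswordHash configuration keys, the AccountController and the Login view are assumptions for illustration; the Movies actions keep only the attributes that matter here.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using System.Security.Claims;
using System.Threading.Tasks;

// Startup.cs: one cookie scheme is enough; no Identity tables or claims system needed
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => { o.LoginPath = "/Account/Login"; o.Cookie.HttpOnly = true; });
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede UseMvc, or [Authorize] never sees the cookie
        app.UseMvc(r => r.MapRoute("default", "{controller=Movies}/{action=Index}/{id?}"));
    }
}

// MoviesController.cs: locked by default, read-only actions opened to the public explicitly
[Authorize]
public class MoviesController : Controller
{
    [AllowAnonymous] public IActionResult Index(string searchString) => View();
    [AllowAnonymous] public IActionResult Details(int id) => View();
    public IActionResult Edit(int id) => View();   // no cookie: redirected to /Account/Login
    [HttpPost, ValidateAntiForgeryToken] public IActionResult Delete(int id) => RedirectToAction(nameof(Index));
}

// AccountController.cs: single admin; Admin:User / Admin:PasswordHash are assumed config keys
// (hash produced once with new PasswordHasher<string>().HashPassword(user, plaintext), kept in user-secrets)
public class AccountController : Controller
{
    private readonly IConfiguration _cfg;
    public AccountController(IConfiguration cfg) => _cfg = cfg;
    [HttpPost, ValidateAntiForgeryToken] public async Task<IActionResult> Login(string user, string password, string returnUrl = null)
    {
        bool ok = user == _cfg["Admin:User"] && new PasswordHasher<string>()
            .VerifyHashedPassword(user, _cfg["Admin:PasswordHash"], password) == PasswordVerificationResult.Success;
        if (!ok) { ModelState.AddModelError("", "Invalid login"); return View(); }
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(id));
        return LocalRedirect(returnUrl ?? "/");   // LocalRedirect rejects absolute URLs (no open redirect)
    }
}
```

With this in place the Razor check in the answer hides the Edit / Delete links for anonymous visitors, while the [Authorize] attribute is what actually stops a direct POST to /Movies/Delete/5 from an unauthenticated client.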
