How to implement basic security for my CRUD web app in ASP.NET Core 2.2?
I have followed a wonderful tutorial by Microsoft on creating an MVC web app using Core 2.2 ( https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/?view=aspnetcore-2.2 ). After completing this tutorial I was able to build a similar web app using a different product. For simplicity I will stick with the "Movie App" example from the tutorial to ask my question.
Below is the view of the basic CRUD application created.
I would like to provide some basic security for the web application. So far I have been unable to find a solution that meets my needs, which are as follows:
The bulk of the options I am finding are enterprise level, complex beyond my skill level at the moment, or require everyone to be a user. If I am the only user, is there a way for me to easily create one user account and maybe a second factor like an IP lock? If not, is there a better approach for me to take in tackling this issue?
OK, one thing you have to implement is "some" kind of security / login, so that the application knows "someone" has logged in. In your case, it needs to know that "you" have logged in. So you have to implement some kind of basic authentication mechanism, so that the user "identity" is known. You can take a look at basic cookie authentication here. You don't need to implement any major claims system; a simple authentication is enough (for your non-production / learning scenarios).
Once you have implemented some kind of authentication / login system, after a successful login (authentication) the system knows that the "user" is authenticated. Then in your Razor code you could simply check for this condition and remove the links for unauthorized folks, and on controllers you could add the "Authorize" attribute so that back-end code also checks for authenticated users for the relevant functionality. E.g., in Razor code you could include conditional links to Edit / Delete etc., like so:
@if (User.Identity.IsAuthenticated)
{
    // Include links for Edit / Delete
}
And you can include a mix of the [Authorize] attribute on relevant controllers and [AllowAnonymous] on relevant methods.
Hope this helps. There is no escaping some basic understanding and work.
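The pieces the answer describes (cookie authentication, a single login, `[Authorize]` on the controller with `[AllowAnonymous]` on the read-only actions), put together as one added example for ASP.NET Core 2.2. This is not code from the original answer or from Microsoft's Movie App tutorial. It assumes a single account whose user name and password hash are read from configuration under the made-up keys `Admin:UserName` and `Admin:PasswordHash`; the hash is generated once with `PasswordHasher<string>.HashPassword` and stored instead of the plaintext password. The `MoviesController` bodies are stubs standing in for the tutorial's scaffolded actions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";                      // where [Authorize] redirects
                options.Cookie.HttpOnly = true;                            // not readable from page scripts
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;   // only sent over HTTPS
                options.Cookie.SameSite = SameSiteMode.Strict;             // not sent on cross-site requests
                options.ExpireTimeSpan = TimeSpan.FromHours(1);
                options.SlidingExpiration = true;
            });
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseAuthentication();   // must run before MVC so HttpContext.User is populated
        app.UseMvc(routes => routes.MapRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}

public class AccountController : Controller
{
    private readonly IConfiguration _config;
    private readonly PasswordHasher<string> _hasher = new PasswordHasher<string>();

    public AccountController(IConfiguration config) => _config = config;

    [HttpGet, AllowAnonymous]
    public IActionResult Login(string returnUrl = null) => View(model: returnUrl);

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
    {
        // Assumed configuration keys; the hash was produced once with _hasher.HashPassword(user, pwd).
        var expectedUser = _config["Admin:UserName"];
        var storedHash = _config["Admin:PasswordHash"];

        var ok = storedHash != null
              && userName == expectedUser
              && _hasher.VerifyHashedPassword(userName, storedHash, password) != PasswordVerificationResult.Failed;
        if (!ok)
        {
            // Same message for unknown user and wrong password, so nothing leaks about which one failed.
            ModelState.AddModelError(string.Empty, "Invalid login.");
            return View(model: returnUrl);
        }

        // The answer's "simple authentication": one Name claim is all the cookie needs to carry.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) },
                                          CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // Only follow returnUrl when it stays on this site (avoids an open redirect).
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Movies");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction("Index", "Movies");
    }
}

// Everything on the controller requires the login cookie; the read-only actions opt out.
[Authorize]
public class MoviesController : Controller
{
    [AllowAnonymous]
    public IActionResult Index() => View();         // anyone may browse the list

    public IActionResult Create() => View();        // Create / Edit / Delete need an authenticated user
    public IActionResult Edit(int? id) => View();
    public IActionResult Delete(int? id) => View();
}
```

The Razor check from the answer (`@if (User.Identity.IsAuthenticated)`) only hides the links; the `[Authorize]` attribute is what actually stops an unauthenticated request to `/Movies/Edit/1`, because the URL can always be typed by hand. Both belong together.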