When to add security when developing a web application (ASP.NET / MVC)?

Time: 2022-10-21 04:14:08

When developing a web app, in my case an ASP.NET MVC app, but this question isn't platform specific, when do you add the infrastructure for membership, roles and authentication?

I've actually done it both ways.... 1. Start developing the app with membership/roles/authentication being one of the first milestones and 2. Wait until most of the major functionality and requirements are implemented then add in the membership/roles/authentication infrastructure.

Is there a best practice for this, or is it personal preference?

4 solutions

#1


I mix it up depending on what I'm working on.

ASP.Net allows you to abstract security components so much that I find it's really easy to implement them after the fact. Sometimes it's as simple as having your pages inherit from a custom page class. (Or in the case of MVC a custom controller class)

Though, I have found it's a lot easier to debug core functionality when I don't have to worry about the security measures getting in the way.

#2


To quote from "Professional ASP.NET MVC 1.0" (which I happen to be working through),

The default Visual Studio project template for ASP.NET MVC automatically enables forms authentication when new ASP.NET MVC applications are created. It also automatically adds a pre-built account login implementation to the project – which makes it really easy to integrate security within a site.

At least for the tutorial, it mostly just happens, and any explicit references seem to fall in nicely toward the end - but there isn't much. It's the same level of simplicity as PHP sessions if you use it as intended.

#3


I'm not very familiar with ASP.NET, but every time that I develop a web application, security is almost the first thing that I code; otherwise you might miss something in further development, either because you forgot about it or, more probably, because something has changed during development.

#4


Security is part of the up-front application design. You cannot add it on later except in the most trivial cases.

Example: HR Application. The compensation manager can edit compensation, the recruiter can only view it. If you don't know about this distinction up-front, you will not build it into your user interface, and you will be in trouble. Yes, security in ASP.net is largely configurable, but the structure/granularity must be in place in the application.
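
The view/edit split from the HR example in answer #4, combined with the custom base controller mentioned in answer #1, as an added ASP.NET MVC sketch that is not code from any of the answers. The role names, class names and the placeholder data-access methods are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical role names; real ones come from your membership/role store.
public static class HrRoles
{
    public const string CompensationManager = "CompensationManager";
    public const string Recruiter = "Recruiter";
}

// Base controller: every action on a derived controller requires an
// authenticated user, so a newly added action is never anonymous by accident.
[Authorize]
public abstract class SecuredController : Controller { }

public class CompensationViewModel
{
    public int EmployeeId { get; set; }
    public decimal Salary { get; set; }
    public bool CanEdit { get; set; }   // drives the UI only; never trusted on POST
}

public class CompensationController : SecuredController
{
    // Both roles may view compensation.
    [Authorize(Roles = HrRoles.CompensationManager + "," + HrRoles.Recruiter)]
    public ActionResult Details(int id)
    {
        var model = new CompensationViewModel
        {
            EmployeeId = id,
            Salary = LoadSalary(id),
            CanEdit = User.IsInRole(HrRoles.CompensationManager)
        };
        return View(model);
    }

    // Only the compensation manager may change it; enforced on the server,
    // independent of whether the view rendered an edit form.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = HrRoles.CompensationManager)]
    public ActionResult Edit(int id, decimal salary)
    {
        SaveSalary(id, salary);
        return RedirectToAction("Details", new { id });
    }

    // Placeholder data access, constructed for this example.
    private decimal LoadSalary(int id) { return 50000m; }
    private void SaveSalary(int id, decimal salary) { }
}
```

Hiding the edit form from recruiters via `CanEdit` is a usability measure only; the `[Authorize(Roles = ...)]` on the POST action is what actually blocks the change.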
