ASP.NET MVC 新手 - 我需要重新学习安全性吗?
我正在计划开展一个新项目,现在很想使用 ASP.NET MVC。我的项目计划使用 JQuery 和 AJAX(尽管也将支持非 JS 客户端)。来自标准 ASP.NET 背景,我仍在尝试了解 MVC 范例(在 斯科特·格思里)。然而,我对使用 MVC 的主要担忧是安全方面。我已经使用 ASP.NET 完成了相当多的安全工作,并且知道如何处理各种攻击媒介。我需要重新学习 ASP.NET MVC 的安全性吗?是否有新的威胁,甚至是处理旧威胁的新方法,我必须阅读?我订购了几本 ASP.NET MVC 书籍(其中有关于安全性的章节),但我想知道其他人对此的经验。
谢谢
I'm planning work on a new project and am now tempted to use ASP.NET MVC. My project plans to use JQuery and AJAX (although non-JS clients will also be supported). Coming from a standard ASP.NET background, I'm still trying to get my head around the MVC paradigm (with great help from Scott Guthrie). However, my main concern with using MVC is the security aspects. I've done quite a bit of security with ASP.NET and I know how to handle various attack vectors. Will I need to re-learn security with ASP.NET MVC? Are there new threats, or even new ways of handling old threats, that I will have to read up on? I've ordered a couple of ASP.NET MVC books (which have chapters on security), but I would like to know of anyone else's experience of this.
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
取决于你所说的安全是什么意思。
授权即使不是更容易,也基本相同。支持并鼓励表单身份验证,您只需在控制器或控制器操作上粘贴
[Authorize]属性即可。那里不需要学太多东西。ViewState 已经消失,因此您无需担心 ViewState 验证或任何其他问题。
如果你指的是 XSS,我会说它是差不多的;你需要在输出上转义你的数据,这很容易做到:
我能想到的唯一你可能会发现有点不同的是处理 CSRF/XSRF。幸运的是,其中大部分已经是 内置于框架。
因此,总的来说,我想说不,ASP.NET MVC 安全性的学习曲线不应该像架构本身的学习曲线一样陡峭。
Depends on what you mean by security.
Authorization is basically the same, if not easier. Forms Authentication is supported and encouraged and you need only stick an
[Authorize]attribute on controllers or controller actions. Not too much to learn there.ViewState is gone, so you don't need to worry about ViewState validation or any of that kludge.
If you're referring to XSS, I would say that it's about the same; you need to escape your data on the output and it's very easy to do:
The only thing I can think of that you might find a bit different is handling CSRF/XSRF. Fortunately, most of this is already built in to the framework.
So on the whole I'd say no, the learning curve for security in ASP.NET MVC should not be nearly as steep as the learning curve for the architecture itself.