1分头脑发挥到1.2分 的哥月入八千为微软员工讲课 - 文学城 www.wenxuecity.com: "1分头脑发挥到1.2分 的哥月入八千为微软员工讲课 新民晚报
1分头脑发挥到1.2分 的哥月入八千为微软员工讲课 新民晚报
月入八千有诀窍 臧师傅现身传经
1分头脑努力发挥到1.2分
“如果不是刘润挡不住外界压力打电话来希望我能现身,如果不是单位领导查业绩表硬是把我挖出来,我今天绝对不会出来面对公众的。
”42岁的臧勤师傅苦笑着对记者说。这个已被各大媒体炒得沸沸扬扬、神乎其神的大众出租车司机终于在昨天下午自揭面纱,并用独到的经营理念和不争的营业数据,证明了月收入八千元并非“天方夜谭”。
隐身三天 为了朋友勇敢露面
粗略算来,从本报3月20日在沪上率先大幅报道了大众出租车司机给微软高管上了堂“MBA”课,到如今当事人终于现身,已经过去了三天的时间。这期间的哥的真实身份成了讨论的一个焦点,除了对出租车司机月收入达八千元的讲法有所怀疑外,很多人更是将矛头指向了微软的刘润,认为他的胡编乱造占了很大一部分,在这三天时间里,两位当事人都承受了巨大的压力。
昨天下午两点,当身着制服的臧师傅出现在众人面前时,当大众公司拿出其营收列表时,一切的谜底都揭晓。对于自己为何在报道过去三天后才肯露面,臧师傅显得很无奈,他诚恳地说道:“虽然和刘润接触次数并不多,但我确信他很有能力,是个伯乐,并且我也已把他当成了朋友。如果刘润不是压力太大实在顶不住,他也不会打电话给我,希望我能露面的。既然朋友有要求,我也只有打消顾虑出来了,反正又不是见不得人的事情。”
从不跑外地线 精确计算最重要
要不是身着大众制服,坐在沙发上侃侃而谈的臧师傅很难让人相信他只是个出租车驾驶员,自信和快乐始终贯穿在长达两个多小时的谈话中。他从1989年起进入出租车行业,一年后被调为驾驶员上岗培训教练,随后又负责安全车管,并在2003年加入大众新亚出租车公司。作为一个有心人、一个肯动脑筋琢磨经营方式的出租车司机,17年出租车驾龄让臧师傅总结出了不少经验,并找到了自己在沪上的几个“根据地”和固定的客户群。
“我从来不跑外地路线,最贵的生意也就是200元左右。”对于有人提出的经常跑外地的说法,臧师傅予以驳斥,“刚做差头司机说靠天吃饭也许无可厚非,但做了段时间后还想着靠运道,就是他们自己的问题了,运道最多只能增加收入的10%。”
用科学的方法来做生意在臧师傅的口中常能听到,“盲目”干活只会导致收入成本增高,效益减低。臧师傅给记者举了个例子,前几天,他在泰兴路附近拉了个客人,他要去静安寺,并提出要从南京路走。臧师傅看了下时间是中午11点左右,他提出另一条路线从北京路走。其实无论选择哪条路线都只是笔十元的生意,但臧师傅的理论是时间才是决定效益的关键。按他的经验,从北京路走,过了一个绿灯的话,就可一路畅通连过四个绿灯,而常德路口必定会遇上红灯,然后停车等待,启动后转至铜仁路的话,就可不踩油门放空挡,让车无成本向前滑行。如此精确的计算让这位客人很是惊讶,最终选择了从北京路走,而实际情况确实与臧师傅所说的相同。
晚高峰笃悠悠吃饭
在臧师傅看来,生意清淡期和热门期并没有太大的差别,每天的收入差距也就在一百元上下。日均千元的收入很大一部分都靠臧师傅积累下来的经验、选择的“根据地”和一双善于发现的眼睛。“下午五点半是我吃饭的时间,雷打不动,六点半出车。这个时间上海的马路交通最堵,许多出租车司机都不会在这个时候吃饭,而是选择做生意。虽然这个时间段要车的人很多,但跑的大多为短途,而且马路一堵花的时间就长,成本也就上去了。”臧师傅点了支香烟,慢慢道起了生意经,“我这个时候往往是开着收音机吃饭,一点都不急,等到这些晚高峰的私家车走掉后,六点半我就可以又开始做生意了,这个时候路面又好,要的人也多。”
在与记者交谈的两个小时内,臧师傅一套套的理论都让人惊叹。而针对刘润所谓的请臧师傅给微软员工上课一说,其实在3月17日就已经实现了。面对微软五十多名员工,他讲述了自己的工作理念与想法。“刘润有10分的头脑,他用到了10分,而我只有1分的头脑,那就要努力发挥到1.2分。MBA课程有它自己完整的系统,而我所谓的讲课也就是说说自己用土办法总结出来的经验。”
■自说精明 休息时间不接客
对于网上评论自己精明“挑客”的言论,臧师傅笑着对记者讲诉了两个事例。
前天下午,臧师傅在九江路上看见一拖着拉杆箱的男子拼命在追他的车子,他判断这人应该是去赶飞机,于是立刻停下。没想到,该男子一开口竟然是大名路。既然选择了就要用心去做,不过臧师傅还是估计该男子可能是什么东西落下了,回去拿好东西后还是会去机场的。路上臧师傅与该男子闲聊起来,没想到臧师傅刚开口“先生,你是不是准备去机场”,那男子马上答道:“我本来是今天的飞机,结果临时有事改到明天了。”臧师傅有点哭笑不得,攀谈中那位乘客用了句“侬心态老好的”来总结,随后询问他第二天是否有空送他去机场,臧师傅婉然谢绝了,因为休息时间他绝对不接客。
助人不讲利
去年中秋节前几天,臧师傅在肇嘉浜路接了个中年妇女,该女子一上车就跟他表示自己的钱包忘在前面一辆公交车上了,希望臧师傅能帮忙追一下。虽然该女子身边没钱,臧师傅绝对有拒载的理由,但他还是帮忙追了,因为该女子表示自己是买了月饼看母亲的,月饼拿了钱包却忘在车上了。从肇嘉浜路一直到南浦大桥,臧师傅终于追上了那辆公交车,随后便离开了,没有收女子任何费用。但这个中年妇女最终还是根据车票上的地址将钱寄回给了臧师傅。“很多时候人与人之间都需要信任,我也是用自己的诚意去打动每个乘客,乘客同样也会给予我很多。有的时候司机与乘客之间存在一种双赢的模式。”臧师傅信心满满地说道。
Saturday, March 25, 2006
Thursday, March 23, 2006
也来博客一把 主流 Blog 程序介绍 Blog 程序 [软件评测] IT.com.cn IT世界网
也来博客一把 主流 Blog 程序介绍 Blog 程序 [软件评测] IT.com.cn IT世界网
也来博客一把 主流 Blog 程序介绍
2006-1-13 17:57:00 文/老鬼 出处:laogui
几个月没关心blog了,blog程序局势发生了很大的变化,尤其在国内,在原有的那些程序功能越来越强大的同时,还出现了很多不错的blog,但国外没出几个好的,MT还居于霸主地位,也许在未来几年内MT的地位是不会动摇的,国内ASP的L-blog已经成为主流,php里,多用户的Plog发展最快,其他功能都差不多,用的人比较多的是wordpress,exBlogMix,bo-blog,另外几个国产blog发展也很快。具体的功能区别我也说不上来了,大家一个一个去研究吧。
我选用blog的最基本要求就是:免费,这个最重要,呵呵;完美支持中文,包括显示和搜索;支持分类;可以发表评论,但最好有评论审核功能;支持RSS,z在我看来,不支持rss只能叫做日记本,不能称作blog;支持TrackBack,方便被人引用;有WYSIWYG编辑器;可以上传文件;模板最好和程序分离,方便修改;可以发草稿,方便以后修改。我收集的这些都具备了blog的基本功能,国外blog程序现在有上百个,但真正好用的不多。
现在很多人在找多用户blog,我列出的大部分都说自己支持多用户,但实际上多用户有两种,一种是多人共同维护一个blog,另一种是每个人有独立的blog,更多的人需要后一种,asp里的oblog和missblog,php里的Plog,asp.net里的Dottext,这几个比较好用。
下载地址我没有列出,都可以在官方网站下载。
ASP
L-Blog: http://www.loveyuki.com 由Loveyuki自主开发的基于 ASP+Access 的小型单用户BLOG,作者比较勤奋,更新很快,现在还有很多L-blog的修改版提供,模板有的非常漂亮。
Dlog: http://webdream.duoluo.com/ 国人开发比较早的一个blog了,最新版是V2.2 ,现在已经停止了开发,但已经是一个完善的程序了!
Misslog: http://www.misslog.com/blog 多用户blog,使用UTF-8编码,支持简繁转换!
theAnswer: http://bravetime.com/dev/ 程序和界面都非常规范,现在已经是sourceforge的一个开源项目了
cixiblog: http://blog.ic5.cn/blog asp+sqlserver存储过程+xml+asp缓存技术的多用户网络日志程序
oblog: http://www.oioj.net 是多用户版本的Blog,实现了Blog的大部分功能,发展很快,现在已经出了SQL商业版本了。
blogx: http://www.blanksoft.com/blogx/
天畅博客: http://www.skycx.com/blog/ 非常简单小巧,但不支持RSS
另外几个国外比较看得上眼的:
dblog: http://www.dblog.it/dblog/
BP Blog: http://www.betaparticle.com/blog/
Matthew1471’s BlogX: http://blogx.co.uk/Main.asp
ASP.NET
DotText: http://scottwater.com/Dottext/default.aspx 非常强大的多用户blog,国内很多大型网站在用,但安装调试非常复杂,有很多汉化版下载。
BlogX: http://www.simplegeek.com/CategoryView.aspx/BlogX 这里有一个blogx的中文修改版 http://www.blanksoft.com/blogx.asp
dasBlog: http://www.dasblog.net 新出来的程序,功能也比较齐全
PHP
b2: http://www.cafelog.com php blog的老祖宗,操作简单,容易上手,现在好像停止了开发。
b2evolution: http://www.b2evolution.net B2多用户版,有很多风格和插件。
wordpress: http://www.wordpress.org 在B2的基础上开发的,添加了很多功能,国内用户很多,。
pivot: http://www.pivotlog.net PHP+XML,没有使用数据库,有中文语言包,
nucleus: http://www.nucleuscms.org 这个也是比较老牌的程序了,有中文语言包!
exBlogMix: http://exblog.fengling.net 功能很强大的blog,更新很快,推荐使用。
M-logger: http://miracle.shakeme.net 文本储存数据。
bo-blog: http://www.bo-blog.com/ 文本数据库,现在发展的很快。
drupal: http://www.drupal.org 著名的开源程序,功能非常强大,多用户,有多种插件和皮肤下载!
O-BLOG: http://her.com.ru/ 需在PHP+MYSQL环境下运行,采用 SMARTY 模板,HTMLAREA编辑器
R-Blog: http://rays.512j.com/ 采用PHPLIB模版引擎,程序与美工基本分离,改版比较方便
boeiblog: http://myblog.boei.cn 新出来的blog程序,简单易用,模板很多。
SaBlog: http://www.4ngel.net/project/sablog.htm 安全天使小组开发的一个简单易用的blog,支持模板
Pmschine: http://www.pmachine.com 这个估计是blog的元老了,不过现在已经商业化了,新版本名叫Expression Engine,在国内可以免费下载!
bBlog: http://dev.bblog.com/ 一个非常简洁好用的blog,汉化版: http://www.xptop.com/lei/
serendipity: http://www.s9y.org 功能很多,每个功能以模块方式安装,界面也很容易修改。
bMachine: http://boastology.com 同时支持文本数据库和MySQL数据库,支持中文搜索。
Plog http://www.plogworld.org/ php blog里的最好作品了,真正的多用户,博客中国,blogit都是用这个改的。
Plainslash: http://www.51zhao.com/plainslash/ 文本blog程序,作者很久没更新了,但现在blog的基本功能都有了。
Simple Blog : http://www.bigevilbrain.com/sphpblog 国外的一个文本的小型blog,代码和界面都很简洁。
Tatter Toolkit : http://www.tattertools.com 韩国人开发的 Blog,界面美观,功能很全。汉化中文站:http://e345.com.ru
myphpblog: http://www.myphpblog.org/
sunlog: http://www.sunlog.org
RCBlog: http://rcsoft.co.nr/
Twoblog: http://www.twoblog.com/
CGI
MT: http://www.movabletype.org 就是我现在用的,世界上用户最多的blog程序,自动生成html!后缀可以自己设置,支持文本数据库和mysql,mssql等!
Greymatter: http://www.noahgrey.com/greysoft/ 是一个类似 Movable Type 的Blog程序非常简单,也是生成静态文件。
HUS Reviv: http://supermanc.51.net/norman/blog.cgi 国人开发的,功能很强大,但由于cgi语言的问题,安装调试比较复杂,而且很占资源。
Blosxom: http://www.blosxom.com 很老的一个程序了,也可能是世界上最小的blog系统了,只有一个文件却实现了blog的大部分功能!
JSP:
DLOG4J: http://dlog4j.sourceforge.net/ 国人开发的,已经申报SourceForge项目 中文官方站: http://www.javayou.com
TM: http://www.terac.com朋友andy开发的一个功能强大的blog,支持文件上传、RSS、评论、WYSIWYG 编辑器等功能,多种语言(含简体中文)
snipsnap: http://snipsnap.org/space/startwiki和blog结合的东东,开源项目,支持多国语
也来博客一把 主流 Blog 程序介绍
2006-1-13 17:57:00 文/老鬼 出处:laogui
几个月没关心blog了,blog程序局势发生了很大的变化,尤其在国内,在原有的那些程序功能越来越强大的同时,还出现了很多不错的blog,但国外没出几个好的,MT还居于霸主地位,也许在未来几年内MT的地位是不会动摇的,国内ASP的L-blog已经成为主流,php里,多用户的Plog发展最快,其他功能都差不多,用的人比较多的是wordpress,exBlogMix,bo-blog,另外几个国产blog发展也很快。具体的功能区别我也说不上来了,大家一个一个去研究吧。
我选用blog的最基本要求就是:免费,这个最重要,呵呵;完美支持中文,包括显示和搜索;支持分类;可以发表评论,但最好有评论审核功能;支持RSS,z在我看来,不支持rss只能叫做日记本,不能称作blog;支持TrackBack,方便被人引用;有WYSIWYG编辑器;可以上传文件;模板最好和程序分离,方便修改;可以发草稿,方便以后修改。我收集的这些都具备了blog的基本功能,国外blog程序现在有上百个,但真正好用的不多。
现在很多人在找多用户blog,我列出的大部分都说自己支持多用户,但实际上多用户有两种,一种是多人共同维护一个blog,另一种是每个人有独立的blog,更多的人需要后一种,asp里的oblog和missblog,php里的Plog,asp.net里的Dottext,这几个比较好用。
下载地址我没有列出,都可以在官方网站下载。
ASP
L-Blog: http://www.loveyuki.com 由Loveyuki自主开发的基于 ASP+Access 的小型单用户BLOG,作者比较勤奋,更新很快,现在还有很多L-blog的修改版提供,模板有的非常漂亮。
Dlog: http://webdream.duoluo.com/ 国人开发比较早的一个blog了,最新版是V2.2 ,现在已经停止了开发,但已经是一个完善的程序了!
Misslog: http://www.misslog.com/blog 多用户blog,使用UTF-8编码,支持简繁转换!
theAnswer: http://bravetime.com/dev/ 程序和界面都非常规范,现在已经是sourceforge的一个开源项目了
cixiblog: http://blog.ic5.cn/blog asp+sqlserver存储过程+xml+asp缓存技术的多用户网络日志程序
oblog: http://www.oioj.net 是多用户版本的Blog,实现了Blog的大部分功能,发展很快,现在已经出了SQL商业版本了。
blogx: http://www.blanksoft.com/blogx/
天畅博客: http://www.skycx.com/blog/ 非常简单小巧,但不支持RSS
另外几个国外比较看得上眼的:
dblog: http://www.dblog.it/dblog/
BP Blog: http://www.betaparticle.com/blog/
Matthew1471’s BlogX: http://blogx.co.uk/Main.asp
ASP.NET
DotText: http://scottwater.com/Dottext/default.aspx 非常强大的多用户blog,国内很多大型网站在用,但安装调试非常复杂,有很多汉化版下载。
BlogX: http://www.simplegeek.com/CategoryView.aspx/BlogX 这里有一个blogx的中文修改版 http://www.blanksoft.com/blogx.asp
dasBlog: http://www.dasblog.net 新出来的程序,功能也比较齐全
PHP
b2: http://www.cafelog.com php blog的老祖宗,操作简单,容易上手,现在好像停止了开发。
b2evolution: http://www.b2evolution.net B2多用户版,有很多风格和插件。
wordpress: http://www.wordpress.org 在B2的基础上开发的,添加了很多功能,国内用户很多,。
pivot: http://www.pivotlog.net PHP+XML,没有使用数据库,有中文语言包,
nucleus: http://www.nucleuscms.org 这个也是比较老牌的程序了,有中文语言包!
exBlogMix: http://exblog.fengling.net 功能很强大的blog,更新很快,推荐使用。
M-logger: http://miracle.shakeme.net 文本储存数据。
bo-blog: http://www.bo-blog.com/ 文本数据库,现在发展的很快。
drupal: http://www.drupal.org 著名的开源程序,功能非常强大,多用户,有多种插件和皮肤下载!
O-BLOG: http://her.com.ru/ 需在PHP+MYSQL环境下运行,采用 SMARTY 模板,HTMLAREA编辑器
R-Blog: http://rays.512j.com/ 采用PHPLIB模版引擎,程序与美工基本分离,改版比较方便
boeiblog: http://myblog.boei.cn 新出来的blog程序,简单易用,模板很多。
SaBlog: http://www.4ngel.net/project/sablog.htm 安全天使小组开发的一个简单易用的blog,支持模板
Pmschine: http://www.pmachine.com 这个估计是blog的元老了,不过现在已经商业化了,新版本名叫Expression Engine,在国内可以免费下载!
bBlog: http://dev.bblog.com/ 一个非常简洁好用的blog,汉化版: http://www.xptop.com/lei/
serendipity: http://www.s9y.org 功能很多,每个功能以模块方式安装,界面也很容易修改。
bMachine: http://boastology.com 同时支持文本数据库和MySQL数据库,支持中文搜索。
Plog http://www.plogworld.org/ php blog里的最好作品了,真正的多用户,博客中国,blogit都是用这个改的。
Plainslash: http://www.51zhao.com/plainslash/ 文本blog程序,作者很久没更新了,但现在blog的基本功能都有了。
Simple Blog : http://www.bigevilbrain.com/sphpblog 国外的一个文本的小型blog,代码和界面都很简洁。
Tatter Toolkit : http://www.tattertools.com 韩国人开发的 Blog,界面美观,功能很全。汉化中文站:http://e345.com.ru
myphpblog: http://www.myphpblog.org/
sunlog: http://www.sunlog.org
RCBlog: http://rcsoft.co.nr/
Twoblog: http://www.twoblog.com/
CGI
MT: http://www.movabletype.org 就是我现在用的,世界上用户最多的blog程序,自动生成html!后缀可以自己设置,支持文本数据库和mysql,mssql等!
Greymatter: http://www.noahgrey.com/greysoft/ 是一个类似 Movable Type 的Blog程序非常简单,也是生成静态文件。
HUS Reviv: http://supermanc.51.net/norman/blog.cgi 国人开发的,功能很强大,但由于cgi语言的问题,安装调试比较复杂,而且很占资源。
Blosxom: http://www.blosxom.com 很老的一个程序了,也可能是世界上最小的blog系统了,只有一个文件却实现了blog的大部分功能!
JSP:
DLOG4J: http://dlog4j.sourceforge.net/ 国人开发的,已经申报SourceForge项目 中文官方站: http://www.javayou.com
TM: http://www.terac.com朋友andy开发的一个功能强大的blog,支持文件上传、RSS、评论、WYSIWYG 编辑器等功能,多种语言(含简体中文)
snipsnap: http://snipsnap.org/space/startwiki和blog结合的东东,开源项目,支持多国语
Tuesday, March 21, 2006
黄巢诗集
黄巢诗集
黄巢(?~884)唐末农民起义领袖,曹州冤句(今山东荷泽)人。举进士不第,公元875年率领数千人在曹州起义,878年继王仙芝死后被推为领袖,称冲天大将军。881年攻破唐朝京都长安,建立农民政权,国号大齐。但由于没有建立较稳固的根据地和未乘胜追歼残余势力,使敌人得以反扑。后因弹尽粮绝,被迫撤出长安,转战山东,884年在泰山狼虎谷战败自杀。诗三首,前两首借题菊花寄寓抒写自己傲世独立、冲天凌云之志,“他年我若为青帝,报与桃花一处开”、“冲天香阵透长安,满城尽带黄金甲”等句都凝集着一股英雄之气,惊人心魄,不愧是揭竿而起的千古豪杰;最后一首《自题像》则是另一种风格,呈现给人的是“铁衣著尽著僧衣”、“独倚栏干看落晖”的一代儒将风采,令人钦慕。
题菊花
飒飒西风满院栽,蕊寒香冷蝶难来。
他年我若为青帝,报与桃花一处开。
不第后赋菊
待到秋来九月八,我花开后百花杀。
冲天香阵透长安,满城尽带黄金甲。
自题像
记得当年草上飞,铁衣著尽著僧衣。
天津桥上无人识,独倚栏干看落晖。
黄巢(?~884)唐末农民起义领袖,曹州冤句(今山东荷泽)人。举进士不第,公元875年率领数千人在曹州起义,878年继王仙芝死后被推为领袖,称冲天大将军。881年攻破唐朝京都长安,建立农民政权,国号大齐。但由于没有建立较稳固的根据地和未乘胜追歼残余势力,使敌人得以反扑。后因弹尽粮绝,被迫撤出长安,转战山东,884年在泰山狼虎谷战败自杀。诗三首,前两首借题菊花寄寓抒写自己傲世独立、冲天凌云之志,“他年我若为青帝,报与桃花一处开”、“冲天香阵透长安,满城尽带黄金甲”等句都凝集着一股英雄之气,惊人心魄,不愧是揭竿而起的千古豪杰;最后一首《自题像》则是另一种风格,呈现给人的是“铁衣著尽著僧衣”、“独倚栏干看落晖”的一代儒将风采,令人钦慕。
题菊花
飒飒西风满院栽,蕊寒香冷蝶难来。
他年我若为青帝,报与桃花一处开。
不第后赋菊
待到秋来九月八,我花开后百花杀。
冲天香阵透长安,满城尽带黄金甲。
自题像
记得当年草上飞,铁衣著尽著僧衣。
天津桥上无人识,独倚栏干看落晖。
Monday, March 20, 2006
用google搜索到的网络摄像头地址
近来,网上流传着一些用google搜索到的网络摄像头地址。网友们可以通过在google里面输入一段代码而捕捉到安装于世界各地的网络摄像头。并且可以调整摄像头的摄像角度和变焦来对某个物体或地方进行监视或偷窥。摄像头使用者们原本以为只有自己才能够看到的内容,在不知不觉中已经失去了安全保护,赤裸裸的暴露在互联网上。
视频聊天发烧友们小心"意外"暴露
随着网络技术的发展和网络产品的普及,越来越多的网民使用摄像头,尤其是摄像头能使网友们在聊天的时候感觉距离的拉近,更有亲切感。网上已经有越来越多的视频聊天俱乐部。有些视频聊天发烧友们常聚在一起,互相通过摄像头进行肢体语言上的沟通。据了解,这些人虽然很乐于向自己很熟悉的人暴露自己,但是也拒绝向不熟的人暴露。不过google这个"法眼"一开,想不暴露也难。
摄像头查找办法:
在google里面输入:
nurl:"ViewerFrame?Mode="
inurl:"ViewerFrame?Mode="
inurl:"view/index.shtml"
inurl:"MultiCameraFrame?Mode="
inurl:"axis-cgi/mjpg"
视频聊天发烧友们小心"意外"暴露
随着网络技术的发展和网络产品的普及,越来越多的网民使用摄像头,尤其是摄像头能使网友们在聊天的时候感觉距离的拉近,更有亲切感。网上已经有越来越多的视频聊天俱乐部。有些视频聊天发烧友们常聚在一起,互相通过摄像头进行肢体语言上的沟通。据了解,这些人虽然很乐于向自己很熟悉的人暴露自己,但是也拒绝向不熟的人暴露。不过google这个"法眼"一开,想不暴露也难。
摄像头查找办法:
在google里面输入:
nurl:"ViewerFrame?Mode="
inurl:"ViewerFrame?Mode="
inurl:"view/index.shtml"
inurl:"MultiCameraFrame?Mode="
inurl:"axis-cgi/mjpg"
Sunday, March 19, 2006
Saturday, March 18, 2006
津门大侠霍元甲
津门大侠霍元甲
霍元甲是清朝末年的一位武术大师,人称“津门大侠”,在国内外享有盛名,他的事迹在天津曾被人们传为佳话。
霍元甲,字俊卿,静海县小南河村(现天津西郊)人,生于一八六八年。其父霍恩弟,武艺超群,常出入关东,为客商保镖,在武林中颇有声望。
霍元甲幼年身体瘦弱,常受乡里顽童欺负,在弟兄十人中也常被取笑。霍恩第心中大为不悦。他怕有损家风,便禁止霍元甲练武,而让他去读书。这大大刺伤了性情刚毅的霍元甲的自尊心,他便偷着练武,暗中和兄弟们比赛。小南河村有个枣树林子,是一块坟地,平时人迹罕至。霍元甲每偷偷向父亲和兄弟们学个三招五式,便到枣林深处练习,边练边揣摩。夏天一身汗水,冬天一身风霜,进步很快。后来,他练武的事被父亲知道了,遭到了一顿训斥。但霍元甲决不半途而废,他答应父亲不与任何人较量,不丢霍家的面子。
一八九零年的秋天,霍家来了一个武林好汉,说是久仰霍家“迷踪艺”的大名,其实是来比武。言语之间,他侮辱了霍家父子,霍元甲三弟元卿与之较量,哪知三个回合便败下阵来。霍恩弟正要亲自上场,只听一声“看我的!”霍元甲旋风般地一跃而出。老人家一看是他,气得不得了,但拦阻已经来不及了,两人已经动起手来。只见霍元甲进攻如闪电,站马步稳如基石。只几个回合,霍元甲趁对手收腿未稳之际,俯身一腿扫去,对手一下子跌倒尘埃。霍元甲一步向前,抓起对手扔出丈余远,把对手的腿摔折了。这出人意料的一幕,使大家又惊又喜。霍元甲“武艺高强”的名声也传扬开去。
一八九五年的腊月,霍元甲挑着一担柴到天津卫去卖,这时他已娶妻生子,日子过得有些窘困。他的柴担可与众不同,一条特制的榆木扁担又长又厚,柴担足有三、四百斤,可他挑着却轻松自在,这使行人议论纷纷,赞不绝口。
霍元甲来到西门外的西头弯子,生意还未开张,便有“混混儿”前来要什么“过街钱”、“地皮钱”,两人由口角到动起手来。“混混儿”哪是霍元甲的对手,他当众出了丑,便一溜烟地跑了。一会儿工夫,一伙“混混儿”拿刀枪棍棒前来报复,霍元甲见势,也抽出扁担严阵以待。等到那一帮人包围上,他突然大喝一声,挥舞扁担左突右刺,前扫后抡,只听见风声呼呼响,“混混儿”们手里的武器也纷纷落地,接着,他又来了个“古树盘根”大扫膛,把扁担冲着“混混儿”们抡了一圈,“混混儿”们哇哇大叫着抱头逃窜。时间不长,又来了四十多人,把霍元甲团团围住。霍元甲也红了眼,他把扁担“咔嚓”一声断为两截,一手拿着一截,准备应战。就在这剑拨弩张的时候,忽听到有人大喝“住手!”原来是“混混儿”的头目冯掌柜到了。他把霍元甲邀入家中,设宴款待,并想让他接手脚行,维持这块地盘。霍元甲答应回去和家人商量再定。
第二年的春天,霍元甲因生活窘迫,便到天津卫投奔了冯掌柜。他接手脚行以后,陆续取消了勒索农民和商贩们的“苛捐杂税”,招致了脚行里的“混混儿”们的不满。此后,他辞去了脚行的差事,来到北门外竹巷怀庆药栈做了搬运夫。
一天,药栈进了一批生地,每捆重五百斤。有一个大汉想和霍元甲较量较量,便一个人扛起这五百斤重的生地捆,一连扛了三趟,然后当着众伙计的面说:“霍师傅,人们都说你武艺高强,力大无比,今日你何不当众哥们的面露一手,也让我们开开眼。”霍元甲早就听说他在栈里依强称霸,便想借此机会扫一扫他的威风。于是,霍元甲向他笑了笑,找一最粗最沉的木杠,挑起两大捆生地,不慌不忙地走进库房。伙计们见他力挑千斤,无不咋舌喝彩,那大汉羞得满面通红,第二天就离职不干了。过了不久,又出了一件事,一天早晨,怀庆药栈的伙计去挑水,只见两个大青石碌碡斜靠立在井口上。那形势,稍有触动,碌碡便会坠入井中。伙计无奈,只好回去请霍元甲。这时,井台周围已围了不少看热闹的人。霍元甲来到一看,笑着说:“这人真有本事,我佩服他,这分明是冲着我来的。”说着,他来到井台,猫上腰来,用两手捧住碌碡,只听“嗨”的一声,就把两个碌碡同时推出去。围观的人齐声喝彩。后来,霍元甲才知道这事是北京源顺镖局的人干的。这几件事,更使霍元甲名声大震,人们给他送了一绰号:“霍大力士”。
一九零零年初春,怀庆药店掌柜农劲荪趁活计不忙,邀霍元甲出去闲逛。二人来到海河边,找了一个茶馆,边喝茶边聊天。农劲荪曾留学日本,知识渊博,他常给霍元甲讲一些中外的事,使霍元甲大开眼界,明白了不少道理,也激发了霍元甲爱国报国之心。二人谈兴正浓之时,忽闻河边有一阵嘈杂之声,原来是运皇粮的船只要在这里停泊。押粮的李刚跳上岸来,转了一圈,没有找到打桩的地方,他有些着急,抬脚把一个席棚的立柱踢断了。席棚的主人是山东逃荒的,靠炸果子为生,见席棚倒塌,便赶紧跑出来,向李刚求情。李刚不容分说,扯掉席棚,把木桩尖头朝下,以臂做锤,打起桩来。只见木桩一寸一寸地被打进地里,一下子惊动了不少的人。那果子铺的主人跪求李刚给点赔偿,李刚不耐烦地一脚把他踢开,在木桩上拴好缆绳,扬长而去。就在这时,只听霍元甲一声大喊:“那黑小子,回来!”李刚自恃是皇家粮船的保镖,怎把霍元甲放在眼里?他回转身来,对霍元甲说:“混小子,你是活腻了,敢在太岁头上动土!”当他得知对面的就是霍元甲时,不由倒吸了一口凉气。但他表面上不甘示弱,便说:“姓霍的,别不识好歹,这事你还是别管的好。”
二人言语不合,终于动起手来。霍元甲见李刚身手不凡,便使出家传“秘踪艺”中的“闪步擗拦掌手雷”的式子,跳到李刚的背后,在其背猛出一“铁砂掌”,只见李刚朝前踉跄几步,“哇”的一声喷出一口鲜血,一头栽倒。这时,船上的运粮官见保镖被打倒在地,大喊大叫,叫人捉拿霍元甲。清兵把霍元甲捆了起来。农劲荪急得顿足捶胸。他见当朝体仁阁大学士徐桐恰巧在此下船换桥,便去喊冤。徐桐问明情由,慨叹霍元甲是条好汉,又得知霍元甲是乡亲,便让人放了霍元甲。
一九零零年旧历六月十八日,八国联军攻陷了天津。北京源顺镖局的“大刀王五”在与洋鬼子斗争中惨遭杀害。霍元甲耳闻目睹了不少洋鬼子血淋淋的罪行,这使他种下了对侵略者的仇恨和对清政府的愤懑,他回家乡招众练武,以报效国家。
一九零一年,霍元甲三十三岁。有一天,他的徒弟刘振声拿来几张广告传单,上面印着俄国大力士在戏园卖艺的事,声称:“打遍中国无敌手,让东亚病夫们见识见识,开开眼界。”霍元甲看后拍案而起:“真是欺人太甚!”他立即带着刘振声赶往天津卫。
他们先找到懂外语的农劲荪,然后到戏园说明来意。戏园管事久仰霍元甲大名,不敢怠慢,安排他们在头等席坐定,便去向俄国大力士通报。戏台上的俄国大力士出场了,他身材高大,体壮如牛,他先打了一套拳来活动浑身的肌肉,然后仰卧台上,两手各举起一百磅的哑铃,双腿再夹住一个,在三个哑铃上放一木板,木板上放一张八仙桌,四把椅子,然后有四名大汉上去坐在椅子上打牌,而木板毫不动摇。接着,他又表演平卷铁板。他先拿一厚铁板让人用大锤砸三下,铁板毫无变化,然后他运足力气硬是将铁板卷成了筒。最后是断铁链。他把一条粗铁链一头用脚踩住,然后绕身几周,另一端从肩上回过来用双手拽住,只听大喝一声,铁链咔嚓挣断,落在台上发出巨响。这些表演,使台下的观众惊叹不已。表演过后,他吹嘘自己是世界第一大力士,并扬言表演三天,“欢迎‘东亚病夫’的能者上台较量”。
霍元甲哪里还坐得住,他一个箭步跳到台上,大声说:“我是‘东亚病夫’霍元甲,愿当众与你较量,怎么样?是君子斗还是小人斗,随你挑!”俄国大力士怕当众出丑,便让翻译向霍元甲解释说,他刚才那番话都是夸张宣传,为的是挣钱,请不要当真。霍元甲再三叫板,他始终不肯比武,最后答应在报上承认错误,灰溜溜地离开了天津。
一九零三年,武清李侍卫邀霍元甲比武。第一项是在空簸箩的边上走三圈。霍元甲此功不深,只走了两圈半便把簸箩踢翻了,引起了李侍卫和门徒的嘲笑。第二项是每人各击对方三掌。李侍卫第一掌出击霍元甲没事一样,只是脚下的青砖裂开了。第二掌下去,霍元甲纹丝不动,脚下的青砖成了小块。李侍卫不由倒吸一口凉气,他拼出全身力气击出第三掌,只见霍元甲的双脚陷进青砖地里三尺多深,而身体稳如泰山。霍元甲拔出双脚,微微一笑说:“老师傅请了!”李侍卫哪知他“铁砂掌”的厉害?只一掌,他就已经受不住了,晃了晃,一头栽倒在地。李侍卫笑脸相赔,承认失败,并邀霍元甲住下,以后再比。谁想他居心叵测,竟把霍元甲锁在小阁楼里。霍元甲在天黑以后使出神力把铁窗整个推了出去,墙壁也塌了一块,方才脱身。
一九零九年,上海来了个名叫奥匹音的英国大力士,在张园设擂,并在报上大登广告,自吹自擂,侮辱中国人。当时上海苦于无人对敌,便来函邀霍元甲前往。霍元甲一到上海,便也在张园设擂,并在广告上写着“专收各国大力士,虽有铜皮铁骨,无所惴焉。”这在社会上立即引起了轰动。奥匹音感到事情不妙,便以一万两银子做赌注要挟霍元甲,没想到胸有成竹的霍元甲一口应承,奥匹音不得不签订了赛约。可是,在比赛的那天,奥匹音却再也不见踪影,原来他已溜到南洋去了。日本柔道会得知霍元甲挫败英、俄大力士,很不服气,便精选了十几名高手,来找霍元甲一试高低。霍元甲先让他的徒弟刘振声上场,刘依照师傅的嘱咐,开始纹丝不动。日本武士见状猛扑过去,抓住刘的衣服想把他摔倒,哪知刘的功夫较深,日武士使出多种招数,都无济无事,刘连败对方五人。日领队非常恼火,便亲自上阵与霍元甲较量。他自恃技艺纯熟,但一交手便知道了霍元甲的厉害。他企图黑手伤人,被霍元甲识破,虚晃一招,用肋急磕其臂,日领队骨断筋折。日方承认失败。
赛后,日方设宴招待霍元甲。席间,日本人知道霍元甲身患“热”“疾”,就介绍一个叫秋野的医生为之看病。哪知服药后,病反而逐渐恶化,仅月余,一代武术大师就含恨离开了人间。事后朋友们把药拿去化验,才知是一种慢性烂肺药。这是日本浪人暗下了毒手。
霍元甲卒于一九零九年一月十四日,年仅四十二岁。国人闻此噩耗,无不深感痛惜。霍元甲逝世后,他亲手创办的“精武体操学校”为他举行隆重的葬礼,墓地在上海北郊,碑上刻有“大力士霍元甲之墓”。
一九一零年,在霍元甲创办的精武体操学校的基础上,成立了精武体育会。该会成立十周年时,孙中山先生亲自题赠匾额,书写了“尚武精神”四个大字,并担任该会的名誉会长。
霍元甲被日本浪人暗害后,霍妻王氏抚养着两子三女艰难度日,于一九六零年去逝,终年九十一岁。霍元甲的遇害,给霍家带来极大的悲痛,集家仇国仇于一身的霍元甲次子霍东阁即随叔父霍元卿前往上海,扶持创办不久的精武体育会,志在强民强国。经几年苦心经营,使精武体育会的威望日益提高,全国许多地方都成立了分会。
一九一九年,霍东阁应精武广东分会邀请,前往广州任教。在此期间,他得悉旅居南洋的华侨也在筹建精武体育组织,不胜欣喜,便于一九二三年携侄子霍寿嵩前往印尼组织、宣传精武体育组织,得到当地人民的赞扬。第二次世界大战期间,他积极组织反日活动,被日本宪兵逮捕。
一九五六年,霍东阁逝世,许多华侨组织联合发出讣告,悼念这位客死异邦的爱国武术家。他在印尼遗有一子一女,现已加入印尼国籍,开办制药厂。
霍寿嵩到达印尼后,随叔父在精武组织教习练武,后开设医院,以行医为生。霍寿嵩生前曾写信给祖国的亲人说,树高千丈,叶落归根,对不能重返故里引为憾事。临终前,嘱咐家人在他死后把骨灰撒入大海,取水流千遭归大海之意。霍寿嵩妻子叶水娘带着丈夫的遗愿,在一九八零年携子女回国观光。霍寿嵩有一子三女,儿子霍公正继承父业,在印尼任中医骨科大夫。霍公正有两个女儿在广州工作。
霍元甲的大部分后代现在天津市,以小南河村为最多。他的长女霍东清(一八九六年生)现还健在。他们至今还留有习武遗风,一些后代使拳弄棒很有功底。
霍元甲是清朝末年的一位武术大师,人称“津门大侠”,在国内外享有盛名,他的事迹在天津曾被人们传为佳话。
霍元甲,字俊卿,静海县小南河村(现天津西郊)人,生于一八六八年。其父霍恩弟,武艺超群,常出入关东,为客商保镖,在武林中颇有声望。
霍元甲幼年身体瘦弱,常受乡里顽童欺负,在弟兄十人中也常被取笑。霍恩第心中大为不悦。他怕有损家风,便禁止霍元甲练武,而让他去读书。这大大刺伤了性情刚毅的霍元甲的自尊心,他便偷着练武,暗中和兄弟们比赛。小南河村有个枣树林子,是一块坟地,平时人迹罕至。霍元甲每偷偷向父亲和兄弟们学个三招五式,便到枣林深处练习,边练边揣摩。夏天一身汗水,冬天一身风霜,进步很快。后来,他练武的事被父亲知道了,遭到了一顿训斥。但霍元甲决不半途而废,他答应父亲不与任何人较量,不丢霍家的面子。
一八九零年的秋天,霍家来了一个武林好汉,说是久仰霍家“迷踪艺”的大名,其实是来比武。言语之间,他侮辱了霍家父子,霍元甲三弟元卿与之较量,哪知三个回合便败下阵来。霍恩弟正要亲自上场,只听一声“看我的!”霍元甲旋风般地一跃而出。老人家一看是他,气得不得了,但拦阻已经来不及了,两人已经动起手来。只见霍元甲进攻如闪电,站马步稳如基石。只几个回合,霍元甲趁对手收腿未稳之际,俯身一腿扫去,对手一下子跌倒尘埃。霍元甲一步向前,抓起对手扔出丈余远,把对手的腿摔折了。这出人意料的一幕,使大家又惊又喜。霍元甲“武艺高强”的名声也传扬开去。
一八九五年的腊月,霍元甲挑着一担柴到天津卫去卖,这时他已娶妻生子,日子过得有些窘困。他的柴担可与众不同,一条特制的榆木扁担又长又厚,柴担足有三、四百斤,可他挑着却轻松自在,这使行人议论纷纷,赞不绝口。
霍元甲来到西门外的西头弯子,生意还未开张,便有“混混儿”前来要什么“过街钱”、“地皮钱”,两人由口角到动起手来。“混混儿”哪是霍元甲的对手,他当众出了丑,便一溜烟地跑了。一会儿工夫,一伙“混混儿”拿刀枪棍棒前来报复,霍元甲见势,也抽出扁担严阵以待。等到那一帮人包围上,他突然大喝一声,挥舞扁担左突右刺,前扫后抡,只听见风声呼呼响,“混混儿”们手里的武器也纷纷落地,接着,他又来了个“古树盘根”大扫膛,把扁担冲着“混混儿”们抡了一圈,“混混儿”们哇哇大叫着抱头逃窜。时间不长,又来了四十多人,把霍元甲团团围住。霍元甲也红了眼,他把扁担“咔嚓”一声断为两截,一手拿着一截,准备应战。就在这剑拨弩张的时候,忽听到有人大喝“住手!”原来是“混混儿”的头目冯掌柜到了。他把霍元甲邀入家中,设宴款待,并想让他接手脚行,维持这块地盘。霍元甲答应回去和家人商量再定。
第二年的春天,霍元甲因生活窘迫,便到天津卫投奔了冯掌柜。他接手脚行以后,陆续取消了勒索农民和商贩们的“苛捐杂税”,招致了脚行里的“混混儿”们的不满。此后,他辞去了脚行的差事,来到北门外竹巷怀庆药栈做了搬运夫。
一天,药栈进了一批生地,每捆重五百斤。有一个大汉想和霍元甲较量较量,便一个人扛起这五百斤重的生地捆,一连扛了三趟,然后当着众伙计的面说:“霍师傅,人们都说你武艺高强,力大无比,今日你何不当众哥们的面露一手,也让我们开开眼。”霍元甲早就听说他在栈里依强称霸,便想借此机会扫一扫他的威风。于是,霍元甲向他笑了笑,找一最粗最沉的木杠,挑起两大捆生地,不慌不忙地走进库房。伙计们见他力挑千斤,无不咋舌喝彩,那大汉羞得满面通红,第二天就离职不干了。过了不久,又出了一件事,一天早晨,怀庆药栈的伙计去挑水,只见两个大青石碌碡斜靠立在井口上。那形势,稍有触动,碌碡便会坠入井中。伙计无奈,只好回去请霍元甲。这时,井台周围已围了不少看热闹的人。霍元甲来到一看,笑着说:“这人真有本事,我佩服他,这分明是冲着我来的。”说着,他来到井台,猫上腰来,用两手捧住碌碡,只听“嗨”的一声,就把两个碌碡同时推出去。围观的人齐声喝彩。后来,霍元甲才知道这事是北京源顺镖局的人干的。这几件事,更使霍元甲名声大震,人们给他送了一绰号:“霍大力士”。
一九零零年初春,怀庆药店掌柜农劲荪趁活计不忙,邀霍元甲出去闲逛。二人来到海河边,找了一个茶馆,边喝茶边聊天。农劲荪曾留学日本,知识渊博,他常给霍元甲讲一些中外的事,使霍元甲大开眼界,明白了不少道理,也激发了霍元甲爱国报国之心。二人谈兴正浓之时,忽闻河边有一阵嘈杂之声,原来是运皇粮的船只要在这里停泊。押粮的李刚跳上岸来,转了一圈,没有找到打桩的地方,他有些着急,抬脚把一个席棚的立柱踢断了。席棚的主人是山东逃荒的,靠炸果子为生,见席棚倒塌,便赶紧跑出来,向李刚求情。李刚不容分说,扯掉席棚,把木桩尖头朝下,以臂做锤,打起桩来。只见木桩一寸一寸地被打进地里,一下子惊动了不少的人。那果子铺的主人跪求李刚给点赔偿,李刚不耐烦地一脚把他踢开,在木桩上拴好缆绳,扬长而去。就在这时,只听霍元甲一声大喊:“那黑小子,回来!”李刚自恃是皇家粮船的保镖,怎把霍元甲放在眼里?他回转身来,对霍元甲说:“混小子,你是活腻了,敢在太岁头上动土!”当他得知对面的就是霍元甲时,不由倒吸了一口凉气。但他表面上不甘示弱,便说:“姓霍的,别不识好歹,这事你还是别管的好。”
二人言语不合,终于动起手来。霍元甲见李刚身手不凡,便使出家传“秘踪艺”中的“闪步擗拦掌手雷”的式子,跳到李刚的背后,在其背猛出一“铁砂掌”,只见李刚朝前踉跄几步,“哇”的一声喷出一口鲜血,一头栽倒。这时,船上的运粮官见保镖被打倒在地,大喊大叫,叫人捉拿霍元甲。清兵把霍元甲捆了起来。农劲荪急得顿足捶胸。他见当朝体仁阁大学士徐桐恰巧在此下船换桥,便去喊冤。徐桐问明情由,慨叹霍元甲是条好汉,又得知霍元甲是乡亲,便让人放了霍元甲。
一九零零年旧历六月十八日,八国联军攻陷了天津。北京源顺镖局的“大刀王五”在与洋鬼子斗争中惨遭杀害。霍元甲耳闻目睹了不少洋鬼子血淋淋的罪行,这使他种下了对侵略者的仇恨和对清政府的愤懑,他回家乡招众练武,以报效国家。
一九零一年,霍元甲三十三岁。有一天,他的徒弟刘振声拿来几张广告传单,上面印着俄国大力士在戏园卖艺的事,声称:“打遍中国无敌手,让东亚病夫们见识见识,开开眼界。”霍元甲看后拍案而起:“真是欺人太甚!”他立即带着刘振声赶往天津卫。
他们先找到懂外语的农劲荪,然后到戏园说明来意。戏园管事久仰霍元甲大名,不敢怠慢,安排他们在头等席坐定,便去向俄国大力士通报。戏台上的俄国大力士出场了,他身材高大,体壮如牛,他先打了一套拳来活动浑身的肌肉,然后仰卧台上,两手各举起一百磅的哑铃,双腿再夹住一个,在三个哑铃上放一木板,木板上放一张八仙桌,四把椅子,然后有四名大汉上去坐在椅子上打牌,而木板毫不动摇。接着,他又表演平卷铁板。他先拿一厚铁板让人用大锤砸三下,铁板毫无变化,然后他运足力气硬是将铁板卷成了筒。最后是断铁链。他把一条粗铁链一头用脚踩住,然后绕身几周,另一端从肩上回过来用双手拽住,只听大喝一声,铁链咔嚓挣断,落在台上发出巨响。这些表演,使台下的观众惊叹不已。表演过后,他吹嘘自己是世界第一大力士,并扬言表演三天,“欢迎‘东亚病夫’的能者上台较量”。
霍元甲哪里还坐得住,他一个箭步跳到台上,大声说:“我是‘东亚病夫’霍元甲,愿当众与你较量,怎么样?是君子斗还是小人斗,随你挑!”俄国大力士怕当众出丑,便让翻译向霍元甲解释说,他刚才那番话都是夸张宣传,为的是挣钱,请不要当真。霍元甲再三叫板,他始终不肯比武,最后答应在报上承认错误,灰溜溜地离开了天津。
一九零三年,武清李侍卫邀霍元甲比武。第一项是在空簸箩的边上走三圈。霍元甲此功不深,只走了两圈半便把簸箩踢翻了,引起了李侍卫和门徒的嘲笑。第二项是每人各击对方三掌。李侍卫第一掌出击霍元甲没事一样,只是脚下的青砖裂开了。第二掌下去,霍元甲纹丝不动,脚下的青砖成了小块。李侍卫不由倒吸一口凉气,他拼出全身力气击出第三掌,只见霍元甲的双脚陷进青砖地里三尺多深,而身体稳如泰山。霍元甲拔出双脚,微微一笑说:“老师傅请了!”李侍卫哪知他“铁砂掌”的厉害?只一掌,他就已经受不住了,晃了晃,一头栽倒在地。李侍卫笑脸相赔,承认失败,并邀霍元甲住下,以后再比。谁想他居心叵测,竟把霍元甲锁在小阁楼里。霍元甲在天黑以后使出神力把铁窗整个推了出去,墙壁也塌了一块,方才脱身。
一九零九年,上海来了个名叫奥匹音的英国大力士,在张园设擂,并在报上大登广告,自吹自擂,侮辱中国人。当时上海苦于无人对敌,便来函邀霍元甲前往。霍元甲一到上海,便也在张园设擂,并在广告上写着“专收各国大力士,虽有铜皮铁骨,无所惴焉。”这在社会上立即引起了轰动。奥匹音感到事情不妙,便以一万两银子做赌注要挟霍元甲,没想到胸有成竹的霍元甲一口应承,奥匹音不得不签订了赛约。可是,在比赛的那天,奥匹音却再也不见踪影,原来他已溜到南洋去了。日本柔道会得知霍元甲挫败英、俄大力士,很不服气,便精选了十几名高手,来找霍元甲一试高低。霍元甲先让他的徒弟刘振声上场,刘依照师傅的嘱咐,开始纹丝不动。日本武士见状猛扑过去,抓住刘的衣服想把他摔倒,哪知刘的功夫较深,日武士使出多种招数,都无济无事,刘连败对方五人。日领队非常恼火,便亲自上阵与霍元甲较量。他自恃技艺纯熟,但一交手便知道了霍元甲的厉害。他企图黑手伤人,被霍元甲识破,虚晃一招,用肋急磕其臂,日领队骨断筋折。日方承认失败。
赛后,日方设宴招待霍元甲。席间,日本人知道霍元甲身患“热”“疾”,就介绍一个叫秋野的医生为之看病。哪知服药后,病反而逐渐恶化,仅月余,一代武术大师就含恨离开了人间。事后朋友们把药拿去化验,才知是一种慢性烂肺药。这是日本浪人暗下了毒手。
霍元甲卒于一九零九年一月十四日,年仅四十二岁。国人闻此噩耗,无不深感痛惜。霍元甲逝世后,他亲手创办的“精武体操学校”为他举行隆重的葬礼,墓地在上海北郊,碑上刻有“大力士霍元甲之墓”。
一九一零年,在霍元甲创办的精武体操学校的基础上,成立了精武体育会。该会成立十周年时,孙中山先生亲自题赠匾额,书写了“尚武精神”四个大字,并担任该会的名誉会长。
霍元甲被日本浪人暗害后,霍妻王氏抚养着两子三女艰难度日,于一九六零年去逝,终年九十一岁。霍元甲的遇害,给霍家带来极大的悲痛,集家仇国仇于一身的霍元甲次子霍东阁即随叔父霍元卿前往上海,扶持创办不久的精武体育会,志在强民强国。经几年苦心经营,使精武体育会的威望日益提高,全国许多地方都成立了分会。
一九一九年,霍东阁应精武广东分会邀请,前往广州任教。在此期间,他得悉旅居南洋的华侨也在筹建精武体育组织,不胜欣喜,便于一九二三年携侄子霍寿嵩前往印尼组织、宣传精武体育组织,得到当地人民的赞扬。第二次世界大战期间,他积极组织反日活动,被日本宪兵逮捕。
一九五六年,霍东阁逝世,许多华侨组织联合发出讣告,悼念这位客死异邦的爱国武术家。他在印尼遗有一子一女,现已加入印尼国籍,开办制药厂。
霍寿嵩到达印尼后,随叔父在精武组织教习练武,后开设医院,以行医为生。霍寿嵩生前曾写信给祖国的亲人说,树高千丈,叶落归根,对不能重返故里引为憾事。临终前,嘱咐家人在他死后把骨灰撒入大海,取水流千遭归大海之意。霍寿嵩妻子叶水娘带着丈夫的遗愿,在一九八零年携子女回国观光。霍寿嵩有一子三女,儿子霍公正继承父业,在印尼任中医骨科大夫。霍公正有两个女儿在广州工作。
霍元甲的大部分后代现在天津市,以小南河村为最多。他的长女霍东清(一八九六年生)现还健在。他们至今还留有习武遗风,一些后代使拳弄棒很有功底。
Friday, March 17, 2006
我在上海赶飞机 出租司机给我上了一堂MBA课 - 文学城 www.wenxuecity.com
我在上海赶飞机 出租司机给我上了一堂MBA课 - 文学城 www.wenxuecity.com
我在上海赶飞机 出租司机给我上了一堂MBA课
文章来源: 职场生涯 于 2006-03-17 09:53:28
敬请注意:新闻取自各大新闻媒体,新闻内容并不代表本网立场!
我在上海赶飞机 出租司机给我上了一堂MBA课 职场生涯
作者:老票
我要从徐家汇赶去机场,于是匆匆结束了一个会议,在美罗大厦前搜索出租车。一辆大众发现了我,非常专业的、径直的停在我的面前。这一停,于是有了后面的这个让我深感震撼的故事,象上了一堂生动的MBA案例课。为了忠实于这名出租车司机的原意,我凭记忆尽量重复他原来的话。
“去哪里……好的,机场。我在徐家汇就喜欢做美罗大厦的生意。这里我只做两个地方。 美罗大厦,均瑶大厦。你知道吗?接到你之前,我在美罗大厦门口兜了两圈,终于被我看到你了!从写字楼里出来的,肯定去的不近~~~”
“哦?你很有方法嘛!”我附和了一下。
“做出租车司机,也要用科学的方法。”他说。我一愣,顿时很有些兴趣“什么科学的方法?”
“要懂得统计。我做过精确的计算。我说给你听啊。我每天开17个小时的车,每小时成本34.5元……”
“怎么算出来的?”我追问。
“你算啊,我每天要交380元,油费大概210元左右。一天17小时,平均每小时固定成本22元,交给公司,平均每小时12.5元油费。这是不是就是34.5 元?”,我有些惊讶。我打了10年的车,第一次听到有出租车司机这么计算成本。以前的司机都和我说,每公里成本0.3元,另外每天交多少钱之类的。
“成本是不能按公里算的,只能按时间算。你看,计价器有一个“检查”功能。你可以看 到一天的详细记录。我做过数据分析,每次载客之间的空驶时间平均为7分钟。如果上来一个起步价,10元,大概要开10分钟。也就是每一个10元的客人要花17分钟的成本,就是9.8元。不赚钱啊!如果说做浦东、杭州、青浦的客人是吃饭,做10元的客人连吃菜都算不上,只能算是撒了些味精。”
强!这位师傅听上去真不象出租车司机,到象是一位成本核算师。“那你怎么办呢?”我更感兴趣了,继续问。看来去机场的路上还能学到新东西。
“千万不能被客户拉了满街跑。而是通过选择停车的地点,时间,和客户,主动地决定你要去的地方。”我非常惊讶,这听上去很有意思。“有人说做出租车司机是靠运气吃饭的职业。我以为不是。你要站在客户的位置上,从客户的角度去思考。”这句话听上去很专业,有点象很多商业管理培训老师说的“put yourself into others' shoes.”
“给你举个例子,医院门口,一个拿着药的,一个拿着脸盆的,你带哪一个。”我想了想,说不知道。
“你要带那个拿脸盆的。一般人病小痛的到医院看一看,拿点药,不一定会去很远的医院。拿着脸盆打车的,那是出院的。住院哪有不死人的?今天二楼的谁死了,明天三楼又死了一个。从医院出来的人通常会有一种重获新生的感觉,重新认识生命的意义,健康才最重要。那天这个说:走,去青浦。眼睛都不眨一下。你说他会打车到人民广场,再去做青浦线吗?绝对不会!”
我不由得开始佩服。
“再给你举个例子。那天人民广场,三个人在前面招手。一个年轻女子,拿着小包,刚买完东西。还有一对青年男女,一看就是逛街的。第三个是个里面穿绒衬衫的,外面羽绒服的男子,拿着笔记本包。我看一个人只要3秒钟。我毫不犹豫地停在这个男子面前。这个男的上车后说:延安高架、南北高架~~~还没说后面就忍不住问,为什么你毫不犹豫地开到我面前?前面还有两个人,他们要是想上车,我也不好意思和他们抢。我回答说,中午的时候,还有十几分钟就1点了。那个女孩子是中午溜出来买东西的,估计公司很近;那对男女是游客,没拿什么东西,不会去很远;你是出去办事的,拿着笔记本包,一看就是公务。而且这个时候出去,估计应该不会近。那个男的就说,你说对了,去宝山。”
“那些在超市门口,地铁口打车,穿着睡衣的人可能去很远吗?可能去机场吗?机场也不会让她进啊。”
有道理!我越听越有意思。
“很多司机都抱怨,生意不好做啊,油价又涨了啊,都从别人身上找原因。我说,你永远从别人身上找原因,你永远不能提高。从自己身上找找看,问题出在哪里。”这话听起来好熟,好像是“如果你不能改变世界,就改变你自己”,或者Steven Corvey的“影响圈和关注圈”的翻版。“有一次,在南丹路一个人拦车,去田林。后来又有一次,一个人在南丹路拦车,还是去田林。我就问了,怎么你们从南丹路出来的人,很多都是去田林呢?人家说,在南丹路有一个公共汽车总站,我们都是坐公共汽车从浦东到这里,然后搭车去田林的。我恍然大悟。比如你看我们开过的这条路,没有写字楼,没有酒店,什么都没有,只有公共汽车站,站在这里拦车的多半都是刚下公共汽车的,再选择一条最短路经打车。在这里拦车的客户通常不会高于15元。”
“所以我说,态度决定一切!”我听十几个总裁讲过这句话,第一次听出租车司机这么说。
“要用科学的方法,统计学来做生意。天天等在地铁站口排队,怎么能赚到钱?每个月就赚500块钱怎么养活老婆孩子?这就是在谋杀啊!慢性谋杀你的全家。要用知识武装自己。学习知识可以把一个人变成聪明的人,一个聪明的人学习知识可以变成很聪明的人。一个很聪明的人学习知识,可以变成天才。”
“有一次一个人打车去火车站,问怎么走。他说这么这么走。我说慢,上高架,再这么这么走。他说,这就绕远了。我说,没关系,你经常走你有经验,你那么走50块,你按我的走法,等里程表50块了,我就翻表。你只给50快就好了,多的算我的。按你说的那么走要50分钟,我带你这么走只要25分钟。最后,按我的路走,多走了4公里,快了25分钟,我只收了50块。乘客很高兴,省了10元钱左右。这4公里对我来说就是1块多钱的油钱。我相当于用1元多钱买了25分钟。我刚才说了,我一小时的成本34.5块,我多合算啊!”
“在大众公司,一般一个司机3、4千,拿回家。做的好的大概5千左右。顶级的司机大概每月能有7000。全大众2万个司机,大概只有2-3个司机,万里挑一,每月能拿到8000以上。我就是这2-3个人中间的一个。而且很稳定,基本不会大的波动。”
太强了!到此为止,我越来越佩服这个出租车司机。
“我常常说我是一个快乐的车夫。有人说,你是因为赚的钱多,所以当然快乐。我对他们说,你们正好错了。是因为我有快乐、积极的心态,所以赚的钱多。”
说的多好啊!
“要懂得体味工作带给你的美。堵在人民广场的时候,很多司机抱怨,又堵车了!真是倒霉。千万不要这样,用心体会一下这个城市的美,外面有很多漂亮的女孩子经过,非常现代的高楼大厦,虽然买不起,但是却可以用欣赏的眼光去享受。开车去机场,看着两边的绿色,冬天是白色的,多美啊。再看看里程表,100多了,就更美了!每一样工作都有她美丽的地方,我们要懂得从工作中体会这种美丽。”
“我10年前是强生公司的总教练。8年前在公司作过三个不同部门的部门经理。后来我不干了,一个月就3、5千块,没意思。就主动来做司机。我愿意做一个快乐的车夫。哈哈哈哈。”
到了机场,我给他留了一张名片,说:“你有没有兴趣这个星期五,到我办公室,给我软的员工讲一讲你怎么开出租车的?你就当打着表,60公里一小时,你讲多久,我就付你多少钱。给我电话。”
我迫不及待的在飞机上记录下他这堂生动的MBA课。
我在上海赶飞机 出租司机给我上了一堂MBA课
文章来源: 职场生涯 于 2006-03-17 09:53:28
敬请注意:新闻取自各大新闻媒体,新闻内容并不代表本网立场!
我在上海赶飞机 出租司机给我上了一堂MBA课 职场生涯
作者:老票
我要从徐家汇赶去机场,于是匆匆结束了一个会议,在美罗大厦前搜索出租车。一辆大众发现了我,非常专业的、径直的停在我的面前。这一停,于是有了后面的这个让我深感震撼的故事,象上了一堂生动的MBA案例课。为了忠实于这名出租车司机的原意,我凭记忆尽量重复他原来的话。
“去哪里……好的,机场。我在徐家汇就喜欢做美罗大厦的生意。这里我只做两个地方。 美罗大厦,均瑶大厦。你知道吗?接到你之前,我在美罗大厦门口兜了两圈,终于被我看到你了!从写字楼里出来的,肯定去的不近~~~”
“哦?你很有方法嘛!”我附和了一下。
“做出租车司机,也要用科学的方法。”他说。我一愣,顿时很有些兴趣“什么科学的方法?”
“要懂得统计。我做过精确的计算。我说给你听啊。我每天开17个小时的车,每小时成本34.5元……”
“怎么算出来的?”我追问。
“你算啊,我每天要交380元,油费大概210元左右。一天17小时,平均每小时固定成本22元,交给公司,平均每小时12.5元油费。这是不是就是34.5 元?”,我有些惊讶。我打了10年的车,第一次听到有出租车司机这么计算成本。以前的司机都和我说,每公里成本0.3元,另外每天交多少钱之类的。
“成本是不能按公里算的,只能按时间算。你看,计价器有一个“检查”功能。你可以看 到一天的详细记录。我做过数据分析,每次载客之间的空驶时间平均为7分钟。如果上来一个起步价,10元,大概要开10分钟。也就是每一个10元的客人要花17分钟的成本,就是9.8元。不赚钱啊!如果说做浦东、杭州、青浦的客人是吃饭,做10元的客人连吃菜都算不上,只能算是撒了些味精。”
强!这位师傅听上去真不象出租车司机,到象是一位成本核算师。“那你怎么办呢?”我更感兴趣了,继续问。看来去机场的路上还能学到新东西。
“千万不能被客户拉了满街跑。而是通过选择停车的地点,时间,和客户,主动地决定你要去的地方。”我非常惊讶,这听上去很有意思。“有人说做出租车司机是靠运气吃饭的职业。我以为不是。你要站在客户的位置上,从客户的角度去思考。”这句话听上去很专业,有点象很多商业管理培训老师说的“put yourself into others' shoes.”
“给你举个例子,医院门口,一个拿着药的,一个拿着脸盆的,你带哪一个。”我想了想,说不知道。
“你要带那个拿脸盆的。一般人病小痛的到医院看一看,拿点药,不一定会去很远的医院。拿着脸盆打车的,那是出院的。住院哪有不死人的?今天二楼的谁死了,明天三楼又死了一个。从医院出来的人通常会有一种重获新生的感觉,重新认识生命的意义,健康才最重要。那天这个说:走,去青浦。眼睛都不眨一下。你说他会打车到人民广场,再去做青浦线吗?绝对不会!”
我不由得开始佩服。
“再给你举个例子。那天人民广场,三个人在前面招手。一个年轻女子,拿着小包,刚买完东西。还有一对青年男女,一看就是逛街的。第三个是个里面穿绒衬衫的,外面羽绒服的男子,拿着笔记本包。我看一个人只要3秒钟。我毫不犹豫地停在这个男子面前。这个男的上车后说:延安高架、南北高架~~~还没说后面就忍不住问,为什么你毫不犹豫地开到我面前?前面还有两个人,他们要是想上车,我也不好意思和他们抢。我回答说,中午的时候,还有十几分钟就1点了。那个女孩子是中午溜出来买东西的,估计公司很近;那对男女是游客,没拿什么东西,不会去很远;你是出去办事的,拿着笔记本包,一看就是公务。而且这个时候出去,估计应该不会近。那个男的就说,你说对了,去宝山。”
“那些在超市门口,地铁口打车,穿着睡衣的人可能去很远吗?可能去机场吗?机场也不会让她进啊。”
有道理!我越听越有意思。
“很多司机都抱怨,生意不好做啊,油价又涨了啊,都从别人身上找原因。我说,你永远从别人身上找原因,你永远不能提高。从自己身上找找看,问题出在哪里。”这话听起来好熟,好像是“如果你不能改变世界,就改变你自己”,或者Steven Corvey的“影响圈和关注圈”的翻版。“有一次,在南丹路一个人拦车,去田林。后来又有一次,一个人在南丹路拦车,还是去田林。我就问了,怎么你们从南丹路出来的人,很多都是去田林呢?人家说,在南丹路有一个公共汽车总站,我们都是坐公共汽车从浦东到这里,然后搭车去田林的。我恍然大悟。比如你看我们开过的这条路,没有写字楼,没有酒店,什么都没有,只有公共汽车站,站在这里拦车的多半都是刚下公共汽车的,再选择一条最短路经打车。在这里拦车的客户通常不会高于15元。”
“所以我说,态度决定一切!”我听十几个总裁讲过这句话,第一次听出租车司机这么说。
“要用科学的方法,统计学来做生意。天天等在地铁站口排队,怎么能赚到钱?每个月就赚500块钱怎么养活老婆孩子?这就是在谋杀啊!慢性谋杀你的全家。要用知识武装自己。学习知识可以把一个人变成聪明的人,一个聪明的人学习知识可以变成很聪明的人。一个很聪明的人学习知识,可以变成天才。”
“有一次一个人打车去火车站,问怎么走。他说这么这么走。我说慢,上高架,再这么这么走。他说,这就绕远了。我说,没关系,你经常走你有经验,你那么走50块,你按我的走法,等里程表50块了,我就翻表。你只给50快就好了,多的算我的。按你说的那么走要50分钟,我带你这么走只要25分钟。最后,按我的路走,多走了4公里,快了25分钟,我只收了50块。乘客很高兴,省了10元钱左右。这4公里对我来说就是1块多钱的油钱。我相当于用1元多钱买了25分钟。我刚才说了,我一小时的成本34.5块,我多合算啊!”
“在大众公司,一般一个司机3、4千,拿回家。做的好的大概5千左右。顶级的司机大概每月能有7000。全大众2万个司机,大概只有2-3个司机,万里挑一,每月能拿到8000以上。我就是这2-3个人中间的一个。而且很稳定,基本不会大的波动。”
太强了!到此为止,我越来越佩服这个出租车司机。
“我常常说我是一个快乐的车夫。有人说,你是因为赚的钱多,所以当然快乐。我对他们说,你们正好错了。是因为我有快乐、积极的心态,所以赚的钱多。”
说的多好啊!
“要懂得体味工作带给你的美。堵在人民广场的时候,很多司机抱怨,又堵车了!真是倒霉。千万不要这样,用心体会一下这个城市的美,外面有很多漂亮的女孩子经过,非常现代的高楼大厦,虽然买不起,但是却可以用欣赏的眼光去享受。开车去机场,看着两边的绿色,冬天是白色的,多美啊。再看看里程表,100多了,就更美了!每一样工作都有她美丽的地方,我们要懂得从工作中体会这种美丽。”
“我10年前是强生公司的总教练。8年前在公司作过三个不同部门的部门经理。后来我不干了,一个月就3、5千块,没意思。就主动来做司机。我愿意做一个快乐的车夫。哈哈哈哈。”
到了机场,我给他留了一张名片,说:“你有没有兴趣这个星期五,到我办公室,给我软的员工讲一讲你怎么开出租车的?你就当打着表,60公里一小时,你讲多久,我就付你多少钱。给我电话。”
我迫不及待的在飞机上记录下他这堂生动的MBA课。
Thursday, March 16, 2006
乱扯国共两党抗战期间的表现
乱扯国共两党抗战期间的表现
乱扯国共两党抗战期间的表现
送交者: 阿唐 2006年3月15日17:13:45 于 [史地人物]http://www.bbsland.com
硅谷夜话
阿唐
(十三) 乱扯国共两党抗战期间的表现
1937年,中日全面战争爆发后,国共两党在历经10年的血战之后,开始了北伐战争蜜月后的第二个合作时期,红军换上了自己的老对手的服装,开赴山西抗日前线,配合中央军和晋军进行了忻口战役。这是国共在抗战期间唯一的一次携手联合作战,此后彭德怀的“百团大战”是在战略层面上对于国军的遥相呼应,是一次完全独立的作战行动。
战役期间,八路军以狡诈的战术技巧和勇猛的战斗决心,分别在日军的侧背实施了经典的山地伏击战“平型关”和特种部队夜袭战“阳明堡”,有力配合了国军的正面战役。
对于“平型关”战斗的战果争议较大,歼敌数目从二百人到千余人不等。我个人采信歼敌近千人的结论,依据上有两点:一是毛泽东事后的反应,在最初给林彪的电报中,毛曾经很兴奋地询问能否再搞几次这样的行动,调动一下全国抗战的决心。如果仅仅歼敌两三百人,老毛当不至于兴奋如此。二是时任主攻旅旅长李天佑等人的回忆录,事后皆言因为日军抵抗激烈,八路军伤亡较大。在如此有利地形上实施的伏击战,攻守双方的伤亡比率大致应该是持平,要知道,此时的八路军都是万里长征筛选出来的种子选手,其军事素养和战斗精神都是中国军队中的一流水准,如果仅仅伤亡两三百人,李天佑等人不会如此痛心。
另外,大概是出于宣传的需要,“平型关”的公关工作要比“阳明堡”做的好,国共两党一致猛吹海螺,最高的歼敌数字曾经达到万余,缴获品中甚至出现了战车!嘿嘿,在中国特色上,国共确实是不逞相让,各有千秋。其实,以今天的眼光,“阳明堡”的成果远远大于“平型关”,二十架作战飞机的毁伤,对于国军的正面战场的支援要远远大于歼敌近千人的行动。
那时候,国军的正面抵抗一败再败的原因很多,其中一个原因就是因为军队的素质太低,在最精锐的中央嫡系德械师在上海战区消耗殆尽之后,国军的水准基本上跌到了近代化军队的程度,大部分时候不得不采用死板的点线作战,依靠阵地战死打硬拼。至今仍然有不少人指责国军在抗战中的表现过于拙劣,为什么不采用机动防御战甚至运动战去作战。嘿嘿,指望一个大部分的士兵都是抓来的农民,既缺乏训练,又装备不足的军队去打运动战,半路上大概就跑得七零八落了,因此,国军不得不在阵地战中,以自己的血肉之躯抵御日军飞机大炮的狂轰滥炸,也是没有办法的事情。因此,“阳明堡”的二十架飞机如果升空,将会给国军造成很大的伤亡。
忻口战役后,山西的战略要地基本失守,国军的战线被切割的零零碎碎,曾经的国共两军统一指挥联合行动,甚至在表面上都难以继续开展,于是,八路军就放了单飞,自顾向战线后方的河北山东等地穿插而去,正面战场上除了山西贺龙的留守兵团外,主力都跑到华北敌后去了。
在平型关最初的冲动之后,老毛当然也很心疼自己部队的损失,满打满算,自己只有三万来人的血本,再打几次“平型关”,就玩完了。大概从那时候起,老毛就知道不能再跟在国军的屁股后面拼消耗了,自己的命运自己掌握。
这样,东去的八路军,在行进途中,不断地分流,化整为零,如水银泻地,消失于人民群众之中。不仅国民政府的作战序列中再也找不到这一支“第十八集团军” ,就是中共自己很多时候也不大清楚自己手下的实力和分布状况。
分散开来的八路军以营连为单位,在日军扫荡过后的战线后方的真空地带,建立政权,发动群众,壮大武装,几百人的一只队伍,几年下来,就变成了上万人的大军。等到抗战结束,细细一点,计有正规军一百万,人口近亿,上百个根据地,并且大多集中在中国的中心地带和交通枢纽附近。
牛吧,这就是毛泽东理论宝库中的一个法宝--人民战争,奇迹般地让共产党从生死存亡的边缘,成长壮大到三分中国有其一。嘿嘿,这一招数还有一个学术味道很浓的词汇:总体战。
抗战期间,国民党一直在攻击中共“游而不击”,而中共确实很难反驳这种说法。8年抗战中,八路军和新四军组织的最大的战役行动是1940年的“百团大战”,此次战役的大多数时间里也不过是扒扒破路、炸炸矿山、打一些数十人守备的小据点,并非是以消灭日军有生力量为主要的战役企图。战役的后期,因为日军以大队(营)为单位,在根据地疯狂报复,横冲直撞,老彭气愤不过,组织了陈赓旅等几只主力部队上万人,在关家垴合围了500百人左右的岗崎大队,打了几个昼夜,居然没有全歼!其后,日军对八路军在太行山总部的报复行动中,仍然是以大队为单位进行长途穿插和奇袭,八路军依然是难以正面抵挡日军的进攻,最后导致副总参谋长左权战死疆场。这就是中日双方军队的实力差距,不是单纯依靠战斗意志能够弥补的。
那么,中共真的在8年抗战中如国民党形容的,除了前期的忻口战役和“百团大战” 之外,一直是在做壁上观吗?
这话看怎么讲,如果从师团规模的战斗而言,确实如此,象国军那样与日军动辄几十万人的大会战,八路军从来没有过,新四军甚至连歼敌数百人的战斗都是屈指可数。但是,这绝对不能推出,共军在抗战中毫不出力的结论。
如果八路军编入国军战斗序列,完全听从国府指挥的话,大概忻口战役战役结束,八路的番号就不用保留了,因为全拼光了。对于整个山西战役进程的影响是:迟滞日军对太原的进攻半月左右,给予日军杀伤数千人左右。
因此,在当时的情况下,八路向敌后挺进,不仅在战略上是正确的,而且在战术上也是正确的。
在战略高度上,一方面有效的控制了相当数量的国土和民众资源,使得日军的“以战养战”的策略遭遇极大的挑战和困难;另一方面是充分发挥了中共坚强严密的组织结构和狂热的政治鼓动精神,最大限度地整合了一盘散沙的中国民众,从而调动起其战争潜力。
在战术上,以八路军的装备和训练,是不可能在与日军的正面对抗中占到任何便宜的。记得小时候看过一本“吕梁英雄传”,说八路军跟鬼子拼刺刀,要三个对一个才能打成平手,这还是冷兵器之间的对抗,热兵器方面的差距更大了。因此,打个伏击,摸个岗哨,炸个炮楼,扒扒铁路,埋个地雷什么的,那是拿手好戏,这些都是依靠游击战才能实施的手段。
再者,虽然八路军新四军一般不怎么主动去橹鬼子的虎须,但是日军也不能放任中共军肆意在自己的势力范围内活动,为了保障自己的交通畅通和重要要点的安全,又要驻军,又要清剿,哪一样也少不了部队的运用。如果中共军不在敌后拼命地折腾,国军的正面战场必将遭到更大的压力。
最近看了一些日军在中国战场上的回忆文章中有关中国军队的正面评价,对于国军是敬仰其下级军官的牺牲精神,对于八路军则是充满愤恨和恐惧:危险来自方方面面时时刻刻,搞得日军非常紧张。
因此,完全忽视中共军队在抗日战争中的作用的观点是站不住脚的。
中共建政以来,对于国民政府在抗战中的作用,三?其口。因此,很长一段时间,生活在大陆上人们,脑海中的八年抗战就是敌后武工队,地道战地雷战,对于淞沪血战、武汉会战,长沙战役,常德和衡阳保卫战不甚了了。很多人第一次正面接触这一段史实,还是电影“血战台儿庄”,那个大概还是因为后来回归大陆的李宗仁是那次战役的主官的缘故。
凭心而论,国民党打的相当顽强,付出了很大的代价。田汉歌词中的那句“用我们的血肉筑起我们新的长城”用来形容国军在抗战中的表现,一点都不过分。
有人总是指责老蒋保存实力,消灭异己。其实,很大程度上,这是偏见。在抗战初期的淞沪会战中,老蒋把自己嫡系部队中精锐的德械装备的师团尽数投入了这场战役,最后基本上都消耗殆尽,哪里有保存实力的想法?!
也有人说老蒋笨,不应该在上海狭小的地域之内和日军拼消耗,让日军的舰炮和飞机大显神威。这个也是事后诸葛亮的想法。当时老蒋的判断是,中国如果以一国之力对抗日本,结局毫无悬念是失败。因此,争取外界的支援,就是走向最后胜利的唯一一途。在上海这个国际都市狠狠地跟日本人干上一仗,让国际社会看看中国的实力,坚定他们出面调停的决心。即使真是老蒋笨,也是笨在落后的战争观念上面,没有预计到陆海空立体战争下巨大的火力杀伤效果。
也有人贴金说,这是小个子陈诚的神来之笔:在淞沪地区主动挑动战斗,把日军的注意力从华北引向华东,把日军的进攻轴向由北向南变成为东向西,利用江南的水网地形迟滞日军的进攻步伐,不然,日军沿平汉路南下,一马平川,拿下武汉,切断中国东西联络,那国民政府就难以撤退到西南大后方从事后来的抵抗了。
呵呵,其实,日军在中国的军事冒险,是典型的“行动在理论前面”,早在“九一八”事件的时候,就是关东军中下级军官立功心切,擅自主张,挑起了军事争端。“七七事变”后,日军占领了华北,一者不知道下一步干什么,二者也需要时间慢慢消化刚到手的猎物,因此很希望和老蒋谈判协商停战,没有急迫的鲸吞中国的企图心。因此,老蒋为了保住武汉,把战火首先引向江南自己传统的经济政治中心区域的说法是不合逻辑的。老蒋大概是以为打上一段时间,日本就会在国际社会的压力下被迫停战,没有想到日本这头蛮牛一发威,竟然不仅要打掉上海地区的国军,而且毫不停顿地挥师挺进南京。这也是为什么南京保卫战的准备是如此仓促的原因,据说临战前国防工事的钥匙都找不到,因为老蒋根本没有想到战争的规模会演变成中日两国的全面战争。
接下来的的徐州会战中,台儿庄战役终于绽放出中日战争爆发以来的第一个亮点,近乎歼灭日军轻敌冒进的一个师团。这场战役中,中央军、西北军和桂系通力合作,展现了国难当头,中华民族一致对外的可贵一面。
其后,因为日军反应很快,对徐州形成包围之势,徐州的国军被迫四散撤退,一时间徐州往西的中原大地缺乏成建制的部队设防,老蒋万般无奈,只好炸开黄河花园口,形成了数百公里范围的黄泛区,阻止日军向华中进攻的势头。鬼子据说淹死了千余,老百姓屈死无数。TMD的小日本,这笔帐应该算在他们的头上。
在日军沿长江向武汉进攻中,国军在江西的万家岭一带,再次利用日军的轻敌冒进,合围并几乎全歼了一个师团。这是八年抗战中的第二个亮点,国共内战中大名鼎鼎的张灵甫就是经此一战而成名。关于这个几乎覆亡的师团还有很多的有趣的故事,该师团不是主力师团,其兵员的主要来源是东京的小商贩,被其他日军戏称为“商贩师团”,就这么一个乙级师团,在南昌战役结束后沿长江南岸向武汉的攻击过程中,居然被赋予在崇山峻岭中偏师迂回的重任,结果因为这一带的铁矿干扰,罗盘失灵而迷路,在大山里面转磨磨,终于被国军抓住机会集中了十几倍的兵力团团围定猛打。说来惭愧,激战旬日而不能全歼,最后其师团长带领千余日军在外围日军的接应下,逃出生天。
1938年底,武汉会战的结果,仍然是毫无悬念,日军达成了其全部的军事政治企图:肢解中国,把国民政府降格为地方政权,扶植汪伪政权,建立亲日的中国傀儡政府。
其后的几年内,日军基本上没有发动10万人规模以上的战役,因为太平洋战争的爆发,日军的战略重点根本就不在中国战场上了。
1940年,老蒋得知日本偷袭了珍珠港,第一反应是大大地松了一口气:中国得救了。心思马上就转移到战后中国的局势上面去了,那自然就是国共两党争夺天下的局面了。于是,保存实力就是首要的任务了。这一点上,老毛比老蒋聪明多了,早在37年底中日打得一塌糊涂的时候,就已经看得清清楚楚了。当然,老蒋也是没有办法,谁让他是中央政府呢,肩上背负着整个国家和民族的重任,他不得不抗。
因此,二次大战开始后,已经进行三年中日战争的中国大地上,反而平静下来,基本上是,日军不进攻,国军也不进攻,双方各据其土,相安无事。后来时任盟军中国战区参谋长的美国老兵史迪威之所以与总司令蒋介石闹到不可开交的程度,就是因为他气愤老蒋只管伸手向美国要装备,却缺乏打击日军的主动精神。
日军在随后发动了几场规模和目的都十分有限的战役,如长沙、常德、枣阳宜昌等战役,基本上是军一级数万人的规模。
国军在三次长沙战役中再次绽放了一个亮点,挫败了日军寻歼国军主力的战役企图,最后使得日军无功而返,双方回复战役前的姿态。这几次战役的总指挥薛岳后来也忍不住吹了一个大海螺,称之为“天炉战法”,嘿嘿,用军事术语说就是保持两翼战线的完整,正面做机动防御,逐步消耗日军的进攻动能,最后的战场态势就是日军被国军三面包围。
日军在三次长沙战役没有占到便宜的原因有两个:一是日军战役目的不明确,数万人攻城略地还要寻歼国军主力,胃口太大了;二是国军的战术对头,机动防御,不做正面战场的硬顶,使得日军的火力优势得不到应有的发挥。
但是,一旦日军下定决心,国军依然不能正面抵抗。44年日军为了打通东北至南洋的大陆交通线,轻松击溃中原的汤恩伯部,一鼓作气,很快轻取长沙,直下衡阳。当然,坚城之下,在方先觉的第十军面前栽了一个大跟头:衡阳血战四十八个昼夜方才破城。此前,余万程的74军57师的死守常德16天,也让日军大栽其面。
尽管抗战中后期,国军的武器装备和战斗力有了一定程度的提高,但是与日军的差距仍然相当地巨大。日军发动的以围歼第5战区主力的枣阳宜昌战役中,数万日军打得数十万国军团团转,最后急了眼的第三十三集团军总司令张自忠将军亲上火线,指挥手下不多的亲卫部队,以攻对攻,和日军打运动战,为了协调调动周边的国军,拼命地四下电讯联络,最后被日军侦知其下落,合力围攻之下,张将军英勇殉国。老蒋得讯,痛哭流涕,后来还亲自去为张将军抬棺。当年张自忠因为在中日在华北的过渡时期做过一段时间的北平市长,被国人痛骂为卖国贼,皆曰彼可杀之的时候,是老蒋一力保护,后来又命其带兵打仗,谁说老蒋不识人?!
另外,国军的精锐师团曾经在杜聿明的指挥下,在昆仑关与日军血战一场,歼敌一个旅团,这是一场硬碰硬的攻坚战,除了后期的湎北反击战之外,这大概是国军在抗战期间唯一一次的攻坚战。虽说最后的结果是国军攻克了昆仑关,达到其战役企图,但是以优势的兵力,良好的战场态势,不亚于日军的装备(国军于此战首次出动了战车) ,敌我双方的损失实在是不成比例。
国军对日军作战完完全全地占上风的,大概只有44年在缅甸北部对日军的反击战。此时参战的国军远征军,基本上是按照美军轻装师团编组训练的,其武器装备水平远在日军之上,攻坚和机动能力很强,再加上盟军掌握了完全的制空权,因此,国军第一次以很小的伤亡,打得日军丢盔卸甲,狼狈不堪。即使在天时地利人和占尽优势的湎北之战中,仍然出现了为攻克日军千余人据守的松山堡垒,数万国军围攻月余,伤亡近万,方才得手的意外情况。
无论国军还是共军,在对日作战中表现不佳,原因虽然很多,不过其中很重要的一个就是,日军的顽强。如果说,没有盟军的帮助,中国早就亡于日人之手了,大概没有人会反驳这一点吧。如果说,日军是二战期间,亚洲战场上最强悍的军队,大概也没有人反对吧。
自明治维新起,至太平洋中途岛海战止,日军从未有过战败记录,其英勇顽强的斗志,视死如归的精神,丰富的作战经验,普遍的嗜血性,冷酷的纪律性,都是二战中绝大部分国家的军队所不具备的,不夸张的讲,当时世界上具备与日本一决高下能力的国家只有三个:德国、苏联和美国。就连老牌帝国英国,十几万人在马来半岛,也被骑着自行车的几万日军轻轻松松打得缴械投降了。
即使在战争后期,美军占尽了全部的优势,为了对付在几个海岛上困兽犹斗的日军,伤亡也达到了十数万人之多。要知道,那可是把日军按在地洞里面,用飞机、舰炮、地面炮火、火焰喷射器,坦克、推土机不分昼夜地猛烈捶打的结果啊。
所以说,抗战前期国军打不过日军很正常,抗战中后期装备与日军相当,还是打不过日军也很正常,在装备强于日军的抗战最后几仗中,伤亡大于日军还是很正常,因为还有一个士气和训练的问题。用一个现代词汇说是,觉悟不够,不知道为谁而战。四十年代的中国,从哪个角度来说都不是一个现代意义上的国家,民族和国家的意识在普通中国人心中淡漠得很。常德会战期间,时年弱冠的阿唐老爸曾经给火线上的国军送过饭,后来对阿唐说,一个团的国军几天打下来,就剩下一个连了。问他是否知道为什么要打仗,他只知道日本人来打中国,所以要打他们,其它的一概不知。
为什么日军的回忆录中总是对冲锋在前的国军中下级军官充满敬意,因为印象太深刻了,比比皆是。为什么军官要冲锋在前,难道他们不明白这是违反作战原则的:军官如果首先战死,进攻就失去了组织者?因为他们别无选择,不如此,士兵是不会自觉冲锋在前的。因此,任何对于国军在抗战中表现拙劣的谩骂都是对于为国死难者的极大不恭。
回首往事,国军以其极大的牺牲和勇气,无疑应该荣登抗战胜利荣誉之席的首座,共军以其灵活机动的战略战术,无疑应该得到最大一枚的抗战胜利奖章。
今天,说句公道话,以蒋介石为首的国民政府,在抗战期间的作为,可圈可点,负起了他们肩上应该承担的责任。如果不是蒋公,中国大概在38年就投降了日本,战后铁定是战败国中的一员,联合国常任理事国的位置是想都不用想的了。但是同时,老蒋也为其抗战后期的短视付出了代价:为了保存实力而出工不出力的做法,使得他的军队缺乏在火线上与手中刚刚装备的美式军械磨合的机会,使得后起的军事将领缺乏进行大兵团作战的经验,如孙立人和廖耀湘等,并且,大部分精锐部队龟缩在西南边陲,在抗战结束之后的与中共的对峙之中,处于非常不利的战略姿态。因此,如果说老蒋最后丢失了大陆,除了有其社会、政治和经济上的原因之外,军队在抗战后期的无所事事和萎靡不振,大概也是一个重要原因。
如果以成败论英雄,以毛泽东为首的中国共产党,显然是抗日战争的最大受益者,本来是被人满世界追打的穷叫花子,突然之间与庄家平起平坐,有资格议论“今天下英雄,惟老蒋与老毛耳”了!即使时光倒转,中共也没有什么地方需要后悔,大概还是会按原来走过的路子再来一遍。但是,从国家与民族利益的角度看回去,中共确实是自私了一些。甭管日军打的是国统区还是解放区,他们可都是中国人民,你多藏一些私,人民就要多遭一分的罪。
呵呵,有时候看国共两党的征战史,很像当年的刘邦与项羽,刘邦胜在不以一时长短为计较,宁可背负小人的名声,审时度势,因势利导,借形势而得天下;项羽败在拘泥于眼前的定势,讲究贵族的诚信原则,四平八稳,堂堂正正,最后亥下一战而倾覆。
老蒋,孔孟的书读得稍微多了些,还是不够坏啊。
乱扯国共两党抗战期间的表现
送交者: 阿唐 2006年3月15日17:13:45 于 [史地人物]http://www.bbsland.com
硅谷夜话
阿唐
(十三) 乱扯国共两党抗战期间的表现
1937年,中日全面战争爆发后,国共两党在历经10年的血战之后,开始了北伐战争蜜月后的第二个合作时期,红军换上了自己的老对手的服装,开赴山西抗日前线,配合中央军和晋军进行了忻口战役。这是国共在抗战期间唯一的一次携手联合作战,此后彭德怀的“百团大战”是在战略层面上对于国军的遥相呼应,是一次完全独立的作战行动。
战役期间,八路军以狡诈的战术技巧和勇猛的战斗决心,分别在日军的侧背实施了经典的山地伏击战“平型关”和特种部队夜袭战“阳明堡”,有力配合了国军的正面战役。
对于“平型关”战斗的战果争议较大,歼敌数目从二百人到千余人不等。我个人采信歼敌近千人的结论,依据上有两点:一是毛泽东事后的反应,在最初给林彪的电报中,毛曾经很兴奋地询问能否再搞几次这样的行动,调动一下全国抗战的决心。如果仅仅歼敌两三百人,老毛当不至于兴奋如此。二是时任主攻旅旅长李天佑等人的回忆录,事后皆言因为日军抵抗激烈,八路军伤亡较大。在如此有利地形上实施的伏击战,攻守双方的伤亡比率大致应该是持平,要知道,此时的八路军都是万里长征筛选出来的种子选手,其军事素养和战斗精神都是中国军队中的一流水准,如果仅仅伤亡两三百人,李天佑等人不会如此痛心。
另外,大概是出于宣传的需要,“平型关”的公关工作要比“阳明堡”做的好,国共两党一致猛吹海螺,最高的歼敌数字曾经达到万余,缴获品中甚至出现了战车!嘿嘿,在中国特色上,国共确实是不逞相让,各有千秋。其实,以今天的眼光,“阳明堡”的成果远远大于“平型关”,二十架作战飞机的毁伤,对于国军的正面战场的支援要远远大于歼敌近千人的行动。
那时候,国军的正面抵抗一败再败的原因很多,其中一个原因就是因为军队的素质太低,在最精锐的中央嫡系德械师在上海战区消耗殆尽之后,国军的水准基本上跌到了近代化军队的程度,大部分时候不得不采用死板的点线作战,依靠阵地战死打硬拼。至今仍然有不少人指责国军在抗战中的表现过于拙劣,为什么不采用机动防御战甚至运动战去作战。嘿嘿,指望一个大部分的士兵都是抓来的农民,既缺乏训练,又装备不足的军队去打运动战,半路上大概就跑得七零八落了,因此,国军不得不在阵地战中,以自己的血肉之躯抵御日军飞机大炮的狂轰滥炸,也是没有办法的事情。因此,“阳明堡”的二十架飞机如果升空,将会给国军造成很大的伤亡。
忻口战役后,山西的战略要地基本失守,国军的战线被切割的零零碎碎,曾经的国共两军统一指挥联合行动,甚至在表面上都难以继续开展,于是,八路军就放了单飞,自顾向战线后方的河北山东等地穿插而去,正面战场上除了山西贺龙的留守兵团外,主力都跑到华北敌后去了。
在平型关最初的冲动之后,老毛当然也很心疼自己部队的损失,满打满算,自己只有三万来人的血本,再打几次“平型关”,就玩完了。大概从那时候起,老毛就知道不能再跟在国军的屁股后面拼消耗了,自己的命运自己掌握。
这样,东去的八路军,在行进途中,不断地分流,化整为零,如水银泻地,消失于人民群众之中。不仅国民政府的作战序列中再也找不到这一支“第十八集团军” ,就是中共自己很多时候也不大清楚自己手下的实力和分布状况。
分散开来的八路军以营连为单位,在日军扫荡过后的战线后方的真空地带,建立政权,发动群众,壮大武装,几百人的一只队伍,几年下来,就变成了上万人的大军。等到抗战结束,细细一点,计有正规军一百万,人口近亿,上百个根据地,并且大多集中在中国的中心地带和交通枢纽附近。
牛吧,这就是毛泽东理论宝库中的一个法宝--人民战争,奇迹般地让共产党从生死存亡的边缘,成长壮大到三分中国有其一。嘿嘿,这一招数还有一个学术味道很浓的词汇:总体战。
抗战期间,国民党一直在攻击中共“游而不击”,而中共确实很难反驳这种说法。8年抗战中,八路军和新四军组织的最大的战役行动是1940年的“百团大战”,此次战役的大多数时间里也不过是扒扒破路、炸炸矿山、打一些数十人守备的小据点,并非是以消灭日军有生力量为主要的战役企图。战役的后期,因为日军以大队(营)为单位,在根据地疯狂报复,横冲直撞,老彭气愤不过,组织了陈赓旅等几只主力部队上万人,在关家垴合围了500百人左右的岗崎大队,打了几个昼夜,居然没有全歼!其后,日军对八路军在太行山总部的报复行动中,仍然是以大队为单位进行长途穿插和奇袭,八路军依然是难以正面抵挡日军的进攻,最后导致副总参谋长左权战死疆场。这就是中日双方军队的实力差距,不是单纯依靠战斗意志能够弥补的。
那么,中共真的在8年抗战中如国民党形容的,除了前期的忻口战役和“百团大战” 之外,一直是在做壁上观吗?
这话看怎么讲,如果从师团规模的战斗而言,确实如此,象国军那样与日军动辄几十万人的大会战,八路军从来没有过,新四军甚至连歼敌数百人的战斗都是屈指可数。但是,这绝对不能推出,共军在抗战中毫不出力的结论。
如果八路军编入国军战斗序列,完全听从国府指挥的话,大概忻口战役战役结束,八路的番号就不用保留了,因为全拼光了。对于整个山西战役进程的影响是:迟滞日军对太原的进攻半月左右,给予日军杀伤数千人左右。
因此,在当时的情况下,八路向敌后挺进,不仅在战略上是正确的,而且在战术上也是正确的。
在战略高度上,一方面有效的控制了相当数量的国土和民众资源,使得日军的“以战养战”的策略遭遇极大的挑战和困难;另一方面是充分发挥了中共坚强严密的组织结构和狂热的政治鼓动精神,最大限度地整合了一盘散沙的中国民众,从而调动起其战争潜力。
在战术上,以八路军的装备和训练,是不可能在与日军的正面对抗中占到任何便宜的。记得小时候看过一本“吕梁英雄传”,说八路军跟鬼子拼刺刀,要三个对一个才能打成平手,这还是冷兵器之间的对抗,热兵器方面的差距更大了。因此,打个伏击,摸个岗哨,炸个炮楼,扒扒铁路,埋个地雷什么的,那是拿手好戏,这些都是依靠游击战才能实施的手段。
再者,虽然八路军新四军一般不怎么主动去橹鬼子的虎须,但是日军也不能放任中共军肆意在自己的势力范围内活动,为了保障自己的交通畅通和重要要点的安全,又要驻军,又要清剿,哪一样也少不了部队的运用。如果中共军不在敌后拼命地折腾,国军的正面战场必将遭到更大的压力。
最近看了一些日军在中国战场上的回忆文章中有关中国军队的正面评价,对于国军是敬仰其下级军官的牺牲精神,对于八路军则是充满愤恨和恐惧:危险来自方方面面时时刻刻,搞得日军非常紧张。
因此,完全忽视中共军队在抗日战争中的作用的观点是站不住脚的。
中共建政以来,对于国民政府在抗战中的作用,三?其口。因此,很长一段时间,生活在大陆上人们,脑海中的八年抗战就是敌后武工队,地道战地雷战,对于淞沪血战、武汉会战,长沙战役,常德和衡阳保卫战不甚了了。很多人第一次正面接触这一段史实,还是电影“血战台儿庄”,那个大概还是因为后来回归大陆的李宗仁是那次战役的主官的缘故。
凭心而论,国民党打的相当顽强,付出了很大的代价。田汉歌词中的那句“用我们的血肉筑起我们新的长城”用来形容国军在抗战中的表现,一点都不过分。
有人总是指责老蒋保存实力,消灭异己。其实,很大程度上,这是偏见。在抗战初期的淞沪会战中,老蒋把自己嫡系部队中精锐的德械装备的师团尽数投入了这场战役,最后基本上都消耗殆尽,哪里有保存实力的想法?!
也有人说老蒋笨,不应该在上海狭小的地域之内和日军拼消耗,让日军的舰炮和飞机大显神威。这个也是事后诸葛亮的想法。当时老蒋的判断是,中国如果以一国之力对抗日本,结局毫无悬念是失败。因此,争取外界的支援,就是走向最后胜利的唯一一途。在上海这个国际都市狠狠地跟日本人干上一仗,让国际社会看看中国的实力,坚定他们出面调停的决心。即使真是老蒋笨,也是笨在落后的战争观念上面,没有预计到陆海空立体战争下巨大的火力杀伤效果。
也有人贴金说,这是小个子陈诚的神来之笔:在淞沪地区主动挑动战斗,把日军的注意力从华北引向华东,把日军的进攻轴向由北向南变成为东向西,利用江南的水网地形迟滞日军的进攻步伐,不然,日军沿平汉路南下,一马平川,拿下武汉,切断中国东西联络,那国民政府就难以撤退到西南大后方从事后来的抵抗了。
呵呵,其实,日军在中国的军事冒险,是典型的“行动在理论前面”,早在“九一八”事件的时候,就是关东军中下级军官立功心切,擅自主张,挑起了军事争端。“七七事变”后,日军占领了华北,一者不知道下一步干什么,二者也需要时间慢慢消化刚到手的猎物,因此很希望和老蒋谈判协商停战,没有急迫的鲸吞中国的企图心。因此,老蒋为了保住武汉,把战火首先引向江南自己传统的经济政治中心区域的说法是不合逻辑的。老蒋大概是以为打上一段时间,日本就会在国际社会的压力下被迫停战,没有想到日本这头蛮牛一发威,竟然不仅要打掉上海地区的国军,而且毫不停顿地挥师挺进南京。这也是为什么南京保卫战的准备是如此仓促的原因,据说临战前国防工事的钥匙都找不到,因为老蒋根本没有想到战争的规模会演变成中日两国的全面战争。
接下来的的徐州会战中,台儿庄战役终于绽放出中日战争爆发以来的第一个亮点,近乎歼灭日军轻敌冒进的一个师团。这场战役中,中央军、西北军和桂系通力合作,展现了国难当头,中华民族一致对外的可贵一面。
其后,因为日军反应很快,对徐州形成包围之势,徐州的国军被迫四散撤退,一时间徐州往西的中原大地缺乏成建制的部队设防,老蒋万般无奈,只好炸开黄河花园口,形成了数百公里范围的黄泛区,阻止日军向华中进攻的势头。鬼子据说淹死了千余,老百姓屈死无数。TMD的小日本,这笔帐应该算在他们的头上。
在日军沿长江向武汉进攻中,国军在江西的万家岭一带,再次利用日军的轻敌冒进,合围并几乎全歼了一个师团。这是八年抗战中的第二个亮点,国共内战中大名鼎鼎的张灵甫就是经此一战而成名。关于这个几乎覆亡的师团还有很多的有趣的故事,该师团不是主力师团,其兵员的主要来源是东京的小商贩,被其他日军戏称为“商贩师团”,就这么一个乙级师团,在南昌战役结束后沿长江南岸向武汉的攻击过程中,居然被赋予在崇山峻岭中偏师迂回的重任,结果因为这一带的铁矿干扰,罗盘失灵而迷路,在大山里面转磨磨,终于被国军抓住机会集中了十几倍的兵力团团围定猛打。说来惭愧,激战旬日而不能全歼,最后其师团长带领千余日军在外围日军的接应下,逃出生天。
1938年底,武汉会战的结果,仍然是毫无悬念,日军达成了其全部的军事政治企图:肢解中国,把国民政府降格为地方政权,扶植汪伪政权,建立亲日的中国傀儡政府。
其后的几年内,日军基本上没有发动10万人规模以上的战役,因为太平洋战争的爆发,日军的战略重点根本就不在中国战场上了。
1940年,老蒋得知日本偷袭了珍珠港,第一反应是大大地松了一口气:中国得救了。心思马上就转移到战后中国的局势上面去了,那自然就是国共两党争夺天下的局面了。于是,保存实力就是首要的任务了。这一点上,老毛比老蒋聪明多了,早在37年底中日打得一塌糊涂的时候,就已经看得清清楚楚了。当然,老蒋也是没有办法,谁让他是中央政府呢,肩上背负着整个国家和民族的重任,他不得不抗。
因此,二次大战开始后,已经进行三年中日战争的中国大地上,反而平静下来,基本上是,日军不进攻,国军也不进攻,双方各据其土,相安无事。后来时任盟军中国战区参谋长的美国老兵史迪威之所以与总司令蒋介石闹到不可开交的程度,就是因为他气愤老蒋只管伸手向美国要装备,却缺乏打击日军的主动精神。
日军在随后发动了几场规模和目的都十分有限的战役,如长沙、常德、枣阳宜昌等战役,基本上是军一级数万人的规模。
国军在三次长沙战役中再次绽放了一个亮点,挫败了日军寻歼国军主力的战役企图,最后使得日军无功而返,双方回复战役前的姿态。这几次战役的总指挥薛岳后来也忍不住吹了一个大海螺,称之为“天炉战法”,嘿嘿,用军事术语说就是保持两翼战线的完整,正面做机动防御,逐步消耗日军的进攻动能,最后的战场态势就是日军被国军三面包围。
日军在三次长沙战役没有占到便宜的原因有两个:一是日军战役目的不明确,数万人攻城略地还要寻歼国军主力,胃口太大了;二是国军的战术对头,机动防御,不做正面战场的硬顶,使得日军的火力优势得不到应有的发挥。
但是,一旦日军下定决心,国军依然不能正面抵抗。44年日军为了打通东北至南洋的大陆交通线,轻松击溃中原的汤恩伯部,一鼓作气,很快轻取长沙,直下衡阳。当然,坚城之下,在方先觉的第十军面前栽了一个大跟头:衡阳血战四十八个昼夜方才破城。此前,余万程的74军57师的死守常德16天,也让日军大栽其面。
尽管抗战中后期,国军的武器装备和战斗力有了一定程度的提高,但是与日军的差距仍然相当地巨大。日军发动的以围歼第5战区主力的枣阳宜昌战役中,数万日军打得数十万国军团团转,最后急了眼的第三十三集团军总司令张自忠将军亲上火线,指挥手下不多的亲卫部队,以攻对攻,和日军打运动战,为了协调调动周边的国军,拼命地四下电讯联络,最后被日军侦知其下落,合力围攻之下,张将军英勇殉国。老蒋得讯,痛哭流涕,后来还亲自去为张将军抬棺。当年张自忠因为在中日在华北的过渡时期做过一段时间的北平市长,被国人痛骂为卖国贼,皆曰彼可杀之的时候,是老蒋一力保护,后来又命其带兵打仗,谁说老蒋不识人?!
另外,国军的精锐师团曾经在杜聿明的指挥下,在昆仑关与日军血战一场,歼敌一个旅团,这是一场硬碰硬的攻坚战,除了后期的湎北反击战之外,这大概是国军在抗战期间唯一一次的攻坚战。虽说最后的结果是国军攻克了昆仑关,达到其战役企图,但是以优势的兵力,良好的战场态势,不亚于日军的装备(国军于此战首次出动了战车) ,敌我双方的损失实在是不成比例。
国军对日军作战完完全全地占上风的,大概只有44年在缅甸北部对日军的反击战。此时参战的国军远征军,基本上是按照美军轻装师团编组训练的,其武器装备水平远在日军之上,攻坚和机动能力很强,再加上盟军掌握了完全的制空权,因此,国军第一次以很小的伤亡,打得日军丢盔卸甲,狼狈不堪。即使在天时地利人和占尽优势的湎北之战中,仍然出现了为攻克日军千余人据守的松山堡垒,数万国军围攻月余,伤亡近万,方才得手的意外情况。
无论国军还是共军,在对日作战中表现不佳,原因虽然很多,不过其中很重要的一个就是,日军的顽强。如果说,没有盟军的帮助,中国早就亡于日人之手了,大概没有人会反驳这一点吧。如果说,日军是二战期间,亚洲战场上最强悍的军队,大概也没有人反对吧。
自明治维新起,至太平洋中途岛海战止,日军从未有过战败记录,其英勇顽强的斗志,视死如归的精神,丰富的作战经验,普遍的嗜血性,冷酷的纪律性,都是二战中绝大部分国家的军队所不具备的,不夸张的讲,当时世界上具备与日本一决高下能力的国家只有三个:德国、苏联和美国。就连老牌帝国英国,十几万人在马来半岛,也被骑着自行车的几万日军轻轻松松打得缴械投降了。
即使在战争后期,美军占尽了全部的优势,为了对付在几个海岛上困兽犹斗的日军,伤亡也达到了十数万人之多。要知道,那可是把日军按在地洞里面,用飞机、舰炮、地面炮火、火焰喷射器,坦克、推土机不分昼夜地猛烈捶打的结果啊。
所以说,抗战前期国军打不过日军很正常,抗战中后期装备与日军相当,还是打不过日军也很正常,在装备强于日军的抗战最后几仗中,伤亡大于日军还是很正常,因为还有一个士气和训练的问题。用一个现代词汇说是,觉悟不够,不知道为谁而战。四十年代的中国,从哪个角度来说都不是一个现代意义上的国家,民族和国家的意识在普通中国人心中淡漠得很。常德会战期间,时年弱冠的阿唐老爸曾经给火线上的国军送过饭,后来对阿唐说,一个团的国军几天打下来,就剩下一个连了。问他是否知道为什么要打仗,他只知道日本人来打中国,所以要打他们,其它的一概不知。
为什么日军的回忆录中总是对冲锋在前的国军中下级军官充满敬意,因为印象太深刻了,比比皆是。为什么军官要冲锋在前,难道他们不明白这是违反作战原则的:军官如果首先战死,进攻就失去了组织者?因为他们别无选择,不如此,士兵是不会自觉冲锋在前的。因此,任何对于国军在抗战中表现拙劣的谩骂都是对于为国死难者的极大不恭。
回首往事,国军以其极大的牺牲和勇气,无疑应该荣登抗战胜利荣誉之席的首座,共军以其灵活机动的战略战术,无疑应该得到最大一枚的抗战胜利奖章。
今天,说句公道话,以蒋介石为首的国民政府,在抗战期间的作为,可圈可点,负起了他们肩上应该承担的责任。如果不是蒋公,中国大概在38年就投降了日本,战后铁定是战败国中的一员,联合国常任理事国的位置是想都不用想的了。但是同时,老蒋也为其抗战后期的短视付出了代价:为了保存实力而出工不出力的做法,使得他的军队缺乏在火线上与手中刚刚装备的美式军械磨合的机会,使得后起的军事将领缺乏进行大兵团作战的经验,如孙立人和廖耀湘等,并且,大部分精锐部队龟缩在西南边陲,在抗战结束之后的与中共的对峙之中,处于非常不利的战略姿态。因此,如果说老蒋最后丢失了大陆,除了有其社会、政治和经济上的原因之外,军队在抗战后期的无所事事和萎靡不振,大概也是一个重要原因。
如果以成败论英雄,以毛泽东为首的中国共产党,显然是抗日战争的最大受益者,本来是被人满世界追打的穷叫花子,突然之间与庄家平起平坐,有资格议论“今天下英雄,惟老蒋与老毛耳”了!即使时光倒转,中共也没有什么地方需要后悔,大概还是会按原来走过的路子再来一遍。但是,从国家与民族利益的角度看回去,中共确实是自私了一些。甭管日军打的是国统区还是解放区,他们可都是中国人民,你多藏一些私,人民就要多遭一分的罪。
呵呵,有时候看国共两党的征战史,很像当年的刘邦与项羽,刘邦胜在不以一时长短为计较,宁可背负小人的名声,审时度势,因势利导,借形势而得天下;项羽败在拘泥于眼前的定势,讲究贵族的诚信原则,四平八稳,堂堂正正,最后亥下一战而倾覆。
老蒋,孔孟的书读得稍微多了些,还是不够坏啊。
Wednesday, March 15, 2006
Tuesday, March 14, 2006
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
Page Stats: "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
How To: Use Forms Authentication with SQL Server in ASP.NET 1.1
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
Published: November 2002
Last Revised: January 2006
Applies to:
ASP.NET 1.1
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.
Summary: This How To shows you how to implement Forms authentication against a SQL Server credential store. It also shows you how to store password digests in the database. (12 printed pages)
Contents
Summary of Steps
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Develop Functions to Generate a Hash and Salt value
Step 4. Create a User Account Database
Step 5. Use ADO.NET to Store Account Details in the Database
Step 6. Authenticate User Credentials against the Database
Step 7. Test the ApplicationAdditional Resources
Web applications that use Forms authentication often store user credentials (user names and passwords) together with associated role or group lists in MicrosoftSQL Server.
This How To describes how to securely look up user names and validate passwords against SQL Server. There are two key concepts for storing user credentials securely:
Storing password digests. For security reasons, passwords should not be stored in clear text or encrypted format in the database. This How To describes how to create and store a one-way hash of a user's password rather than the password itself. This approach is preferred to storing a clear text or encrypted version of the user's password, for two reasons. First, it helps to prevent an attacker who gains access to your user store from obtaining the user passwords. In addition, this approach helps you to avoid the key-management issues associated with encryption techniques.
Using a salt value when creating the hash helps to slow an attacker who is attempting to perform a dictionary attack (where an attacker attempts to decipher the key used for hashing). This approach gives you additional time to detect and react to the compromise.
Important: The one drawback of not storing passwords in the database is that if a user forgets a password, it cannot be recovered. As a result, your application should use password hints and store them alongside the password digest within the database.
Validating user input. Where user input is passed to SQL commands, for example as string literals in comparison or pattern matching statements, great care should be taken to validate the input, to ensure that the resulting commands do not contain syntax errors and also to ensure that a hacker cannot cause your application to run arbitrary SQL commands. Validating the supplied user name during a logon process is particularly vital as your application's security model is entirely dependent on being able to correctly and securely authenticate users.
For more information about validating user input for SQL commands and for validation functions, see "SQL Injection Attacks" in Chapter 12, "Data Access Security."
Summary of Steps
This How To includes the following steps:
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Develop Functions to Generate a Hash and Salt value
Step 4. Create a User Account Database
Step 5. Use ADO.NET to Store Account Details in the Database
Step 6. Authenticate User Credentials against the Database
Step 7. Test the Application
Step 1. Create a Web Application with a Logon Page
This procedure creates a simple C# Web application that contains a logon page that allows a user to enter a username and password.
To create a Web application with a logon page
Start Visual Studio .NET and create a new C# ASP.NET Web application called FormsAuthSQL.
Use Solution Explorer to rename WebForm1.aspx to Logon.aspx
Add the controls listed in Table 1 to Logon.aspx to create a simple logon form.
Table 1: Logon.aspx controls Control Type Text ID
Label User Name: -
Label Password -
Text Box - txtUserName
Text Box - txtPassword
Button Register btnRegister
Button Logon btnLogon
Label - lblMessage
Your Web page should resemble the one illustrated in Figure 1.
Figure 1. Logon page Web form
Set the TextMode property of the txtPassword to Password.
Step 2. Configure the Web Application for Forms Authentication
This procedure edits the application's Web.config file to configure the application for Forms authentication.
To configure the Web application for Forms authentication
Use Solution Explorer to open Web.config.
Locate the element and change the mode attribute to Forms.
Add the following element as a child of the element and set the loginUrl, name, timeout, and path attributes as follows.
Add the following element beneath the element. This will allow only authenticated users to access the application. The previously established loginUrl attribute of the element will redirect unauthenticated requests to the logon.aspx page.
Step 3. Develop Functions to Generate a Hash and Salt value
This procedure adds two utility methods to your Web application; one to generate a random salt value, and one to create a hash based on a supplied password and salt value.
To develop functions to generate a hash and salt value
Open Logon.aspx.cs and add the following using statements to the top of the file beneath the existing using statements.
using System.Security.Cryptography;
using System.Web.Security;
Add the following static method to the WebForm1 class to generate a random salt value and return it as a Base 64 encoded string.
private static string CreateSalt(int size)
{
// Generate a cryptographic random number using the cryptographic
// service provider
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
// Return a Base64 string representation of the random number
return Convert.ToBase64String(buff);
}
Add the following static method to generate a hash value based on a supplied password and salt value.
private static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = String.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "SHA1");
hashedPwd = String.Concat(hashedPwd, salt);
return hashedPwd;
}
Step 4. Create a User Account Database
This procedure creates a new user account database in SQL Server that contains a single users table and a stored procedure used to query the user database.
To create a user account database
On the Microsoft SQL Server programs menu, click Query Analyzer, and then connect to your local SQL Server.
Enter the following SQL script. Note that you must replace "LocalMachine" with your own computer name towards the end of the script.
USE master
GO
-- create a database for the security information
IF EXISTS (SELECT * FROM master..sysdatabases WHERE name =
'UserAccounts')
DROP DATABASE UserAccounts
GO
CREATE DATABASE UserAccounts
GO
USE UserAccounts
GO
CREATE TABLE [Users] (
[UserName] [varchar] (20) NOT NULL ,
[PasswordHash] [varchar] (40) NOT NULL ,
CONSTRAINT [PK_Users] PRIMARY KEY CLUSTERED
(
[UserName]
) ON [PRIMARY]
) ON [PRIMARY]
GO
-- create stored procedure to register user details
CREATE PROCEDURE RegisterUser
@userName varchar(20),
@passwordHash varchar(40)
AS
INSERT INTO Users VALUES(@userName, @passwordHash)
GO
-- create stored procedure to retrieve user details
CREATE PROCEDURE LookupUser
@userName varchar(20)
AS
SELECT PasswordHash
FROM Users
WHERE UserName = @userName
GO
-- Add a login for the local ASPNET account
-- In the following statements, replace LocalMachine with your
-- local machine name
exec sp_grantlogin [LocalMachine\ASPNET]
-- Add a database login for the UserAccounts database for the ASPNET
account
exec sp_grantdbaccess [LocalMachine\ASPNET]
-- Grant execute permissions to the LookupUser and RegisterUser
-- stored procs
grant execute on LookupUser to [LocalMachine\ASPNET]
grant execute on RegisterUser to [LocalMachine\ASPNET]
Run the query to create the UserAccounts database.
Exit Query Manager.
Step 5. Use ADO.NET to Store Account Details in the Database
This procedure modifies the Web application code to store the supplied user name, generated password hash and salt value in the database.
To use ADO.NET to store account details in the database
Return to Visual Studio .NET and double-click the Register button on the Web form to create a button click event handler.
Add the following code to the method.
int saltSize = 5;
string salt = CreateSalt(saltSize);
string passwordHash = CreatePasswordHash(txtPassword.Text,salt);
try
{
StoreAccountDetails( txtUserName.Text, passwordHash);
}
catch(Exception ex)
{
lblMessage.Text = ex.Message;
}
Add the following using statement at the top of the file, beneath the existing using statements.
using System.Data.SqlClient;
Add the StoreAccountDetails utility method using the following code. This code uses ADO.NET to connect to the UserAccounts database and stores the supplied username, password hash and salt value in the Users table.
private void StoreAccountDetails( string userName,
string passwordHash )
{
// See "How To Use DPAPI (Machine Store) from ASP.NET" for
information
// about securely storing connection strings.
SqlConnection conn = new SqlConnection( "Server=(local);" +
"Integrated
Security=SSPI;" +
"database=UserAccounts");
SqlCommand cmd = new SqlCommand("RegisterUser", conn );
cmd.CommandType = CommandType.StoredProcedure;
SqlParameter sqlParam = null;
//Usage of Sql parameters also helps avoid SQL Injection attacks.
sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar,
20);
sqlParam.Value = userName;
sqlParam = cmd.Parameters.Add("@passwordHash ", SqlDbType.VarChar,
40);
sqlParam.Value = passwordHash;
try
{
conn.Open();
cmd.ExecuteNonQuery();
}
catch( Exception ex )
{
// Code to check for primary key violation (duplicate account
name)
// or other database errors omitted for clarity
throw new Exception("Exception adding account. " + ex.Message);
}
finally
{
conn.Close();
}
}
Step 6. Authenticate User Credentials Against the Database
This procedure develops ADO.NET code to look up the supplied user name in the database and validate the supplied password, by matching password hashes.
Note In many Forms authentication scenarios where you are using .NET role-based authorization, you may also retrieve the roles that the user belongs to from the database at this point. These can subsequently be used to generate a GenericPrincipal object that can be associated with authenticated Web requests, for .NET authorization purposes.
For more information about constructing a Forms authentication ticket incorporating a user's role details, see "How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1" in the Reference section of this guide.
To authenticate user credentials against the database
Return to the Logon.aspx.cs and add the VerifyPassword private helper method as shown in the following code.
private bool VerifyPassword(string suppliedUserName,
string suppliedPassword )
{
bool passwordMatch = false;
// Get the salt and pwd from the database based on the user name.
// See "How To: Use DPAPI (Machine Store) from ASP.NET," "How To:
// Use DPAPI (User Store) from Enterprise Services," and "How To:
// Create a DPAPI Library" for more information about how to use
// DPAPI to securely store connection strings.
SqlConnection conn = new SqlConnection( "Server=(local);" +
"Integrated
Security=SSPI;" +
"database=UserAccounts");
SqlCommand cmd = new SqlCommand( "LookupUser", conn );
cmd.CommandType = CommandType.StoredProcedure;
//Usage of Sql parameters also helps avoid SQL Injection attacks.
SqlParameter sqlParam = cmd.Parameters.Add("@userName",
SqlDbType.VarChar,
20);
sqlParam.Value = suppliedUserName;
try
{
conn.Open();
SqlDataReader reader = cmd.ExecuteReader();
reader.Read(); // Advance to the one and only row
// Return output parameters from returned data stream
string dbPasswordHash = reader.GetString(0);
int saltSize = 5;
string salt =
dbPasswordHash.Substring(dbPasswordHash.Length - saltSize);
reader.Close();
// Now take the password supplied by the user
// and generate the hash.
string hashedPasswordAndSalt =
CreatePasswordHash(suppliedPassword, salt);
// Now verify them.
passwordMatch = hashedPasswordAndSalt.Equals(dbPasswordHash);
}
catch (Exception ex)
{
throw new Exception("Execption verifying password. " +
ex.Message);
}
finally
{
conn.Close();
}
return passwordMatch;
}
Step 7. Test the Application
This procedure tests the application. You will register a user, which results in the user name, password hash and salt value being added to the Users table in the UserAccounts database. You will then log on the same user to ensure the correct operation of the password verification routines.
To test the application
Return to the Logon form and double-click the Logon button to create a button click event handler.
Add the following code to the Logon button click event handler to call the VerifyPassword method and display a message based on whether or not the supplied user name and password are valid.
bool passwordVerified = false;
try
{
passwordVerified =
VerifyPassword(txtUserName.Text,txtPassword.Text);
}
catch(Exception ex)
{
lblMessage.Text = ex.Message;
return;
}
if (passwordVerified == true )
{
// The user is authenticated
// At this point, an authentication ticket is normally created
// This can subsequently be used to generate a GenericPrincipal
// object for .NET authorization purposes
// For details, see "How To: Use Forms authentication with
// GenericPrincipal objects
lblMessage.Text = "Logon successful: User is authenticated";
}
else
{
lblMessage.Text = "Invalid username or password";
}
On the Build menu, click Build Solution.
In Solution Explorer, right-click logon.aspx, and then click View in Browser.
Enter a user name and password, and then click Register.
Use SQL Server Enterprise Manager to view the contents of the Users table. You should see a new row for the new user name together with a generated password hash.
Return to the Logon Web page, re-enter the password, and then click Logon. You should see the message "Logon successful: User is authenticated."
Now enter an invalid password (leaving the user name the same). You should see the message "Invalid username or password."
Close Internet Explorer.
Additional Resources
For more information, see the following:
"How To: Use DPAPI (Machine Store) from ASP.NET 1.1"
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1"
"SQL Injection Attacks" in Chapter 12, "Data Access Security"
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
How To: Use Forms Authentication with SQL Server in ASP.NET 1.1
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
Published: November 2002
Last Revised: January 2006
Applies to:
ASP.NET 1.1
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.
Summary: This How To shows you how to implement Forms authentication against a SQL Server credential store. It also shows you how to store password digests in the database. (12 printed pages)
Contents
Summary of Steps
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Develop Functions to Generate a Hash and Salt value
Step 4. Create a User Account Database
Step 5. Use ADO.NET to Store Account Details in the Database
Step 6. Authenticate User Credentials against the Database
Step 7. Test the ApplicationAdditional Resources
Web applications that use Forms authentication often store user credentials (user names and passwords) together with associated role or group lists in MicrosoftSQL Server.
This How To describes how to securely look up user names and validate passwords against SQL Server. There are two key concepts for storing user credentials securely:
Storing password digests. For security reasons, passwords should not be stored in clear text or encrypted format in the database. This How To describes how to create and store a one-way hash of a user's password rather than the password itself. This approach is preferred to storing a clear text or encrypted version of the user's password, for two reasons. First, it helps to prevent an attacker who gains access to your user store from obtaining the user passwords. In addition, this approach helps you to avoid the key-management issues associated with encryption techniques.
Using a salt value when creating the hash helps to slow an attacker who is attempting to perform a dictionary attack (where an attacker attempts to decipher the key used for hashing). This approach gives you additional time to detect and react to the compromise.
Important: The one drawback of not storing passwords in the database is that if a user forgets a password, it cannot be recovered. As a result, your application should use password hints and store them alongside the password digest within the database.
Validating user input. Where user input is passed to SQL commands, for example as string literals in comparison or pattern matching statements, great care should be taken to validate the input, to ensure that the resulting commands do not contain syntax errors and also to ensure that a hacker cannot cause your application to run arbitrary SQL commands. Validating the supplied user name during a logon process is particularly vital as your application's security model is entirely dependent on being able to correctly and securely authenticate users.
For more information about validating user input for SQL commands and for validation functions, see "SQL Injection Attacks" in Chapter 12, "Data Access Security."
Summary of Steps
This How To includes the following steps:
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Develop Functions to Generate a Hash and Salt value
Step 4. Create a User Account Database
Step 5. Use ADO.NET to Store Account Details in the Database
Step 6. Authenticate User Credentials against the Database
Step 7. Test the Application
Step 1. Create a Web Application with a Logon Page
This procedure creates a simple C# Web application that contains a logon page that allows a user to enter a username and password.
To create a Web application with a logon page
Start Visual Studio .NET and create a new C# ASP.NET Web application called FormsAuthSQL.
Use Solution Explorer to rename WebForm1.aspx to Logon.aspx
Add the controls listed in Table 1 to Logon.aspx to create a simple logon form.
Table 1: Logon.aspx controls Control Type Text ID
Label User Name: -
Label Password -
Text Box - txtUserName
Text Box - txtPassword
Button Register btnRegister
Button Logon btnLogon
Label - lblMessage
Your Web page should resemble the one illustrated in Figure 1.
Figure 1. Logon page Web form
Set the TextMode property of the txtPassword to Password.
Step 2. Configure the Web Application for Forms Authentication
This procedure edits the application's Web.config file to configure the application for Forms authentication.
To configure the Web application for Forms authentication
Use Solution Explorer to open Web.config.
Locate the
Add the following
Add the following
Step 3. Develop Functions to Generate a Hash and Salt value
This procedure adds two utility methods to your Web application; one to generate a random salt value, and one to create a hash based on a supplied password and salt value.
To develop functions to generate a hash and salt value
Open Logon.aspx.cs and add the following using statements to the top of the file beneath the existing using statements.
using System.Security.Cryptography;
using System.Web.Security;
Add the following static method to the WebForm1 class to generate a random salt value and return it as a Base 64 encoded string.
private static string CreateSalt(int size)
{
// Generate a cryptographic random number using the cryptographic
// service provider
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
// Return a Base64 string representation of the random number
return Convert.ToBase64String(buff);
}
Add the following static method to generate a hash value based on a supplied password and salt value.
private static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = String.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "SHA1");
hashedPwd = String.Concat(hashedPwd, salt);
return hashedPwd;
}
Step 4. Create a User Account Database
This procedure creates a new user account database in SQL Server that contains a single users table and a stored procedure used to query the user database.
To create a user account database
On the Microsoft SQL Server programs menu, click Query Analyzer, and then connect to your local SQL Server.
Enter the following SQL script. Note that you must replace "LocalMachine" with your own computer name towards the end of the script.
USE master
GO
-- create a database for the security information
IF EXISTS (SELECT * FROM master..sysdatabases WHERE name =
'UserAccounts')
DROP DATABASE UserAccounts
GO
CREATE DATABASE UserAccounts
GO
USE UserAccounts
GO
CREATE TABLE [Users] (
[UserName] [varchar] (20) NOT NULL ,
[PasswordHash] [varchar] (40) NOT NULL ,
CONSTRAINT [PK_Users] PRIMARY KEY CLUSTERED
(
[UserName]
) ON [PRIMARY]
) ON [PRIMARY]
GO
-- create stored procedure to register user details
CREATE PROCEDURE RegisterUser
@userName varchar(20),
@passwordHash varchar(40)
AS
INSERT INTO Users VALUES(@userName, @passwordHash)
GO
-- create stored procedure to retrieve user details
CREATE PROCEDURE LookupUser
@userName varchar(20)
AS
SELECT PasswordHash
FROM Users
WHERE UserName = @userName
GO
-- Add a login for the local ASPNET account
-- In the following statements, replace LocalMachine with your
-- local machine name
exec sp_grantlogin [LocalMachine\ASPNET]
-- Add a database login for the UserAccounts database for the ASPNET
account
exec sp_grantdbaccess [LocalMachine\ASPNET]
-- Grant execute permissions to the LookupUser and RegisterUser
-- stored procs
grant execute on LookupUser to [LocalMachine\ASPNET]
grant execute on RegisterUser to [LocalMachine\ASPNET]
Run the query to create the UserAccounts database.
Exit Query Manager.
Step 5. Use ADO.NET to Store Account Details in the Database
This procedure modifies the Web application code to store the supplied user name, generated password hash and salt value in the database.
To use ADO.NET to store account details in the database
Return to Visual Studio .NET and double-click the Register button on the Web form to create a button click event handler.
Add the following code to the method.
int saltSize = 5;
string salt = CreateSalt(saltSize);
string passwordHash = CreatePasswordHash(txtPassword.Text,salt);
try
{
StoreAccountDetails( txtUserName.Text, passwordHash);
}
catch(Exception ex)
{
lblMessage.Text = ex.Message;
}
Add the following using statement at the top of the file, beneath the existing using statements.
using System.Data.SqlClient;
Add the StoreAccountDetails utility method using the following code. This code uses ADO.NET to connect to the UserAccounts database and stores the supplied username, password hash and salt value in the Users table.
private void StoreAccountDetails( string userName,
string passwordHash )
{
// See "How To Use DPAPI (Machine Store) from ASP.NET" for
information
// about securely storing connection strings.
SqlConnection conn = new SqlConnection( "Server=(local);" +
"Integrated
Security=SSPI;" +
"database=UserAccounts");
SqlCommand cmd = new SqlCommand("RegisterUser", conn );
cmd.CommandType = CommandType.StoredProcedure;
SqlParameter sqlParam = null;
//Usage of Sql parameters also helps avoid SQL Injection attacks.
sqlParam = cmd.Parameters.Add("@userName", SqlDbType.VarChar,
20);
sqlParam.Value = userName;
sqlParam = cmd.Parameters.Add("@passwordHash ", SqlDbType.VarChar,
40);
sqlParam.Value = passwordHash;
try
{
conn.Open();
cmd.ExecuteNonQuery();
}
catch( Exception ex )
{
// Code to check for primary key violation (duplicate account
name)
// or other database errors omitted for clarity
throw new Exception("Exception adding account. " + ex.Message);
}
finally
{
conn.Close();
}
}
Step 6. Authenticate User Credentials Against the Database
This procedure develops ADO.NET code to look up the supplied user name in the database and validate the supplied password, by matching password hashes.
Note In many Forms authentication scenarios where you are using .NET role-based authorization, you may also retrieve the roles that the user belongs to from the database at this point. These can subsequently be used to generate a GenericPrincipal object that can be associated with authenticated Web requests, for .NET authorization purposes.
For more information about constructing a Forms authentication ticket incorporating a user's role details, see "How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1" in the Reference section of this guide.
To authenticate user credentials against the database
Return to the Logon.aspx.cs and add the VerifyPassword private helper method as shown in the following code.
private bool VerifyPassword(string suppliedUserName,
string suppliedPassword )
{
bool passwordMatch = false;
// Get the salt and pwd from the database based on the user name.
// See "How To: Use DPAPI (Machine Store) from ASP.NET," "How To:
// Use DPAPI (User Store) from Enterprise Services," and "How To:
// Create a DPAPI Library" for more information about how to use
// DPAPI to securely store connection strings.
SqlConnection conn = new SqlConnection( "Server=(local);" +
"Integrated
Security=SSPI;" +
"database=UserAccounts");
SqlCommand cmd = new SqlCommand( "LookupUser", conn );
cmd.CommandType = CommandType.StoredProcedure;
//Usage of Sql parameters also helps avoid SQL Injection attacks.
SqlParameter sqlParam = cmd.Parameters.Add("@userName",
SqlDbType.VarChar,
20);
sqlParam.Value = suppliedUserName;
try
{
conn.Open();
SqlDataReader reader = cmd.ExecuteReader();
reader.Read(); // Advance to the one and only row
// Return output parameters from returned data stream
string dbPasswordHash = reader.GetString(0);
int saltSize = 5;
string salt =
dbPasswordHash.Substring(dbPasswordHash.Length - saltSize);
reader.Close();
// Now take the password supplied by the user
// and generate the hash.
string hashedPasswordAndSalt =
CreatePasswordHash(suppliedPassword, salt);
// Now verify them.
passwordMatch = hashedPasswordAndSalt.Equals(dbPasswordHash);
}
catch (Exception ex)
{
throw new Exception("Execption verifying password. " +
ex.Message);
}
finally
{
conn.Close();
}
return passwordMatch;
}
Step 7. Test the Application
This procedure tests the application. You will register a user, which results in the user name, password hash and salt value being added to the Users table in the UserAccounts database. You will then log on the same user to ensure the correct operation of the password verification routines.
To test the application
Return to the Logon form and double-click the Logon button to create a button click event handler.
Add the following code to the Logon button click event handler to call the VerifyPassword method and display a message based on whether or not the supplied user name and password are valid.
bool passwordVerified = false;
try
{
passwordVerified =
VerifyPassword(txtUserName.Text,txtPassword.Text);
}
catch(Exception ex)
{
lblMessage.Text = ex.Message;
return;
}
if (passwordVerified == true )
{
// The user is authenticated
// At this point, an authentication ticket is normally created
// This can subsequently be used to generate a GenericPrincipal
// object for .NET authorization purposes
// For details, see "How To: Use Forms authentication with
// GenericPrincipal objects
lblMessage.Text = "Logon successful: User is authenticated";
}
else
{
lblMessage.Text = "Invalid username or password";
}
On the Build menu, click Build Solution.
In Solution Explorer, right-click logon.aspx, and then click View in Browser.
Enter a user name and password, and then click Register.
Use SQL Server Enterprise Manager to view the contents of the Users table. You should see a new row for the new user name together with a generated password hash.
Return to the Logon Web page, re-enter the password, and then click Logon. You should see the message "Logon successful: User is authenticated."
Now enter an invalid password (leaving the user name the same). You should see the message "Invalid username or password."
Close Internet Explorer.
Additional Resources
For more information, see the following:
"How To: Use DPAPI (Machine Store) from ASP.NET 1.1"
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1"
"SQL Injection Attacks" in Chapter 12, "Data Access Security"
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
Published: November 2002
Last Revised: January 2006
Applies to:
ASP.NET 1.1
.NET Framework 1.1
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.
Summary: This How To shows you how to create and handle GenericPrincipal and FormsIdentity objects when using Forms authentication. (9 printed pages)
Contents
Summary of Steps
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Generate an Authentication Ticket for Authenticated Users
Step 4. Construct GenericPrincipal and FormsIdentity Objects
Step 5. Test the Application
Additional Resources
Applications that use Forms authentication will often want to use the GenericPrincipal class (in conjunction with the FormsIdentity class), to create a non-Windows specific authorization scheme, independent of a Windows domain.
For example, an application may:
Use Forms authentication to obtain user credentials (user name and password).
Validate the supplied credentials against a data store; for example, a database or Microsoft? Active Directory? directory service.
Create GenericPrincipal and FormsIdentity objects based on values retrieved from the data store. These may include a user's role membership details.
Use these objects to make authorization decisions.
This How To describes how to create a Forms-based Web application that authenticates users and creates a custom Forms authentication ticket that contains user and role information. It also shows you how to map this information into GenericPrincipal and FormsIdentity objects and associate the new objects with the HTTP Web request context (HttpContext), allowing them to be used for authorization logic within your application.
This How To focuses on the construction of the GenericPrincipal and FormsIdentity objects together with the processing of the forms authentication ticket. For details about how to authenticate users against Active Directory and SQL Server, see the following related How Tos in this guide:
How To: Use Forms Authentication with Active Directory in ASP.NET 1.1
How To: Use Forms Authentication with SQL Server 2000 in ASP.NET 1.1
Summary of Steps
This How To includes the following steps:
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Generate an Authentication Ticket for Authenticated Users
Step 4. Construct GenericPrincipal and FormsIdentity Objects
Step 5. Test the Application
Step 1. Create a Web Application with a Logon Page
This procedure creates a new ASP.NET Web application. The application will contain two pages; a default page that only authenticated users are allowed to access, and a logon page used to collect user credentials.
To create a Web application with a logon page
Start Visual Studio .NET and create a new C# ASP.NET Web Application called GenericPrincipalApp.
Rename WebForm1.aspx to Logon.aspx.
Add the following controls to Logon.aspx to create a logon form.
Table 1: Logon.aspx controls Control Type Text ID
Label User Name: -
Label Password -
Text Box - txtUserName
Text Box - txtPassword
Button Logon btnLogon
Set the TextMode property of the password Text Box control to Password.
In Solution Explorer, right-click GenericPrincipalApp, point to Add, and then click Add Web Form.
Enter default.aspx as the new form's name, and then click Open.
Step 2. Configure the Web Application for Forms Authentication
To edit the application's Web.config file to configure the application for Forms authentication
Use Solution Explorer to open Web.config.
Locate the element and change the mode attribute to Forms.
Add the following element as a child of the element and set the loginUrl, name, timeout, and path attributes as follows:
Add the following element beneath the element. This allows only authenticated users to access the application. The previously established loginUrl attribute of the element redirects unauthenticated requests to the Logon.aspx page.
Step 3. Generate an Authentication Ticket for Authenticated Users
This procedure writes code to generate an authentication ticket for authenticated users. The authentication ticket is contained within the authentication cookie used by the ASP.NET FormsAuthenticationModule.
The authentication code typically involves looking up the supplied user name and password against either a custom database or against Active Directory.
For information about performing these lookups, see the following How To articles in this guide:
How To: Use Forms Authentication with Active Directory in ASP.NET 1.1
How To: Use Forms Authentication with SQL Server in ASP.NET 1.1
To generate an authentication ticket for authenticated users
Open the Logon.aspx.cs file and the following using statement to the top of the file beneath the existing using statements:
using System.Web.Security;
Add the following private helper method to the WebForm1 class called IsAuthenticated, which is used to validate user names and passwords to authenticate users. This code assumes that all user name and password combinations are valid.
private bool IsAuthenticated( string username, string password )
{
// Lookup code omitted for clarity
// This code would typically validate the user name and password
// combination against a SQL database or Active Directory
// Simulate an authenticated user
return true;
}
Add the following private helper method called GetRoles, which is used to obtain the set of roles that the user belongs to.
private string GetRoles( string username)
{
// Lookup code omitted for clarity
// This code would typically look up the role list from a database
// table.
// If the user was being authenticated against Active Directory,
// the Security groups and/or distribution lists that the user
// belongs to may be used instead
// This GetRoles method returns a pipe delimited string containing
// roles rather than returning an array, because the string format
// is convenient for storing in the authentication ticket /
// cookie, as user data
return "Senior Manager|Manager|Employee";
}
Display the Logon.aspx form in Designer mode and double-click the Logon button to create a click event handler.
Add a call to the IsAuthenticated method, supplying the user name and password captured through the logon form. Assign the return value to a variable of type bool, which indicates whether or not the user is authenticated.
bool isAuthenticated = IsAuthenticated( txtUserName.Text,
txtPassword.Text );
If the user is authenticated, add a call to the GetRoles method to obtain the user's role list.
if (isAuthenticated == true )
{
string roles = GetRoles( txtUserName.Text);
Create a new forms authentication ticket that contains the user name, an expiration time, and the list of roles that the user belongs to. Note that the user data property of the authentication ticket is used to store the user's role list. Also note that the following code creates a non-persistent ticket, although whether or not the ticket / cookie is persistent is dependent upon your application scenario. Persisting authentication cookies is not recommended because they are vulnerable to attacks.
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new
FormsAuthenticationTicket(1, //
version
txtUserName.Text, // user
name
DateTime.Now, //
creation
DateTime.Now.AddMinutes(60),//
Expiration
false, //
Persistent
roles ); // User
data
Add code to create an encrypted string representation of the ticket and store it as data within an HttpCookie object.
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
Add the cookie to the cookies collection returned to the user's browser.
// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);
Redirect the user to the originally requested page
// Redirect the user to the originally requested page
Response.Redirect( FormsAuthentication.GetRedirectUrl(
txtUserName.Text,
false ));
}
Step 4. Construct GenericPrincipal and FormsIdentity Objects
This procedure implements an application authentication event handler and constructs GenericPrincipal and FormsIdentity objects based on information contained within the authentication ticket.
To construct GenericPrincipal and FormsIdentity objects
From Solution Explorer, open global.asax.
Switch to code view and add the following using statements to the top of the file:
using System.Web.Security;
using System.Security.Principal;
Locate the Application_AuthenticateRequest event handler and add the following code to obtain the forms authentication cookie from the cookie collection passed with the request.
// Extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(null == authCookie)
{
// There is no authentication cookie.
return;
}
Add the following code to extract and decrypt the authentication ticket from the forms authentication cookie.
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
// Log exception details (omitted for simplicity)
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
Add the following code to parse out the pipe separate list of role names attached to the ticket when the user was originally authenticated.
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[]{'|'});
Add the following code to create a FormsIdentity object with the user name obtained from the ticket name and a GenericPrincipal object that contains this identity together with the user's role list.
// Create an Identity object
FormsIdentity id = new FormsIdentity( authTicket );
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
Step 5. Test the Application
This procedure adds code to the default.aspx page to display information from the GenericPrincipal object attached to the current HttpContext object, to confirm that the object has been correctly constructed and assigned to the current Web request. You will then build and test the application.
To test the application
In Solution Explorer, double-click default.aspx.
Double-click the default.aspx Web form to display the page load event handler.
Scroll to the top of the file and add the following using statement beneath the existing using statements.
using System.Security.Principal;
Return to the page load event handler and add the following code to display the identity name attached to the GenericPrincipal associated with the current Web request.
IPrincipal p = HttpContext.Current.User;
Response.Write( "Authenticated Identity is: " +
p.Identity.Name );
Response.Write( "
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
How To: Create GenericPrincipal Objects with Forms Authentication in ASP.NET 1.1
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
Published: November 2002
Last Revised: January 2006
Applies to:
ASP.NET 1.1
.NET Framework 1.1
See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.
See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.
Summary: This How To shows you how to create and handle GenericPrincipal and FormsIdentity objects when using Forms authentication. (9 printed pages)
Contents
Summary of Steps
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Generate an Authentication Ticket for Authenticated Users
Step 4. Construct GenericPrincipal and FormsIdentity Objects
Step 5. Test the Application
Additional Resources
Applications that use Forms authentication will often want to use the GenericPrincipal class (in conjunction with the FormsIdentity class), to create a non-Windows specific authorization scheme, independent of a Windows domain.
For example, an application may:
Use Forms authentication to obtain user credentials (user name and password).
Validate the supplied credentials against a data store; for example, a database or Microsoft? Active Directory? directory service.
Create GenericPrincipal and FormsIdentity objects based on values retrieved from the data store. These may include a user's role membership details.
Use these objects to make authorization decisions.
This How To describes how to create a Forms-based Web application that authenticates users and creates a custom Forms authentication ticket that contains user and role information. It also shows you how to map this information into GenericPrincipal and FormsIdentity objects and associate the new objects with the HTTP Web request context (HttpContext), allowing them to be used for authorization logic within your application.
This How To focuses on the construction of the GenericPrincipal and FormsIdentity objects together with the processing of the forms authentication ticket. For details about how to authenticate users against Active Directory and SQL Server, see the following related How Tos in this guide:
How To: Use Forms Authentication with Active Directory in ASP.NET 1.1
How To: Use Forms Authentication with SQL Server 2000 in ASP.NET 1.1
Summary of Steps
This How To includes the following steps:
Step 1. Create a Web Application with a Logon Page
Step 2. Configure the Web Application for Forms Authentication
Step 3. Generate an Authentication Ticket for Authenticated Users
Step 4. Construct GenericPrincipal and FormsIdentity Objects
Step 5. Test the Application
Step 1. Create a Web Application with a Logon Page
This procedure creates a new ASP.NET Web application. The application will contain two pages; a default page that only authenticated users are allowed to access, and a logon page used to collect user credentials.
To create a Web application with a logon page
Start Visual Studio .NET and create a new C# ASP.NET Web Application called GenericPrincipalApp.
Rename WebForm1.aspx to Logon.aspx.
Add the following controls to Logon.aspx to create a logon form.
Table 1: Logon.aspx controls Control Type Text ID
Label User Name: -
Label Password -
Text Box - txtUserName
Text Box - txtPassword
Button Logon btnLogon
Set the TextMode property of the password Text Box control to Password.
In Solution Explorer, right-click GenericPrincipalApp, point to Add, and then click Add Web Form.
Enter default.aspx as the new form's name, and then click Open.
Step 2. Configure the Web Application for Forms Authentication
To edit the application's Web.config file to configure the application for Forms authentication
Use Solution Explorer to open Web.config.
Locate the
Add the following
Add the following
Step 3. Generate an Authentication Ticket for Authenticated Users
This procedure writes code to generate an authentication ticket for authenticated users. The authentication ticket is contained within the authentication cookie used by the ASP.NET FormsAuthenticationModule.
The authentication code typically involves looking up the supplied user name and password against either a custom database or against Active Directory.
For information about performing these lookups, see the following How To articles in this guide:
How To: Use Forms Authentication with Active Directory in ASP.NET 1.1
How To: Use Forms Authentication with SQL Server in ASP.NET 1.1
To generate an authentication ticket for authenticated users
Open the Logon.aspx.cs file and the following using statement to the top of the file beneath the existing using statements:
using System.Web.Security;
Add the following private helper method to the WebForm1 class called IsAuthenticated, which is used to validate user names and passwords to authenticate users. This code assumes that all user name and password combinations are valid.
private bool IsAuthenticated( string username, string password )
{
// Lookup code omitted for clarity
// This code would typically validate the user name and password
// combination against a SQL database or Active Directory
// Simulate an authenticated user
return true;
}
Add the following private helper method called GetRoles, which is used to obtain the set of roles that the user belongs to.
private string GetRoles( string username)
{
// Lookup code omitted for clarity
// This code would typically look up the role list from a database
// table.
// If the user was being authenticated against Active Directory,
// the Security groups and/or distribution lists that the user
// belongs to may be used instead
// This GetRoles method returns a pipe delimited string containing
// roles rather than returning an array, because the string format
// is convenient for storing in the authentication ticket /
// cookie, as user data
return "Senior Manager|Manager|Employee";
}
Display the Logon.aspx form in Designer mode and double-click the Logon button to create a click event handler.
Add a call to the IsAuthenticated method, supplying the user name and password captured through the logon form. Assign the return value to a variable of type bool, which indicates whether or not the user is authenticated.
bool isAuthenticated = IsAuthenticated( txtUserName.Text,
txtPassword.Text );
If the user is authenticated, add a call to the GetRoles method to obtain the user's role list.
if (isAuthenticated == true )
{
string roles = GetRoles( txtUserName.Text);
Create a new forms authentication ticket that contains the user name, an expiration time, and the list of roles that the user belongs to. Note that the user data property of the authentication ticket is used to store the user's role list. Also note that the following code creates a non-persistent ticket, although whether or not the ticket / cookie is persistent is dependent upon your application scenario. Persisting authentication cookies is not recommended because they are vulnerable to attacks.
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new
FormsAuthenticationTicket(1, //
version
txtUserName.Text, // user
name
DateTime.Now, //
creation
DateTime.Now.AddMinutes(60),//
Expiration
false, //
Persistent
roles ); // User
data
Add code to create an encrypted string representation of the ticket and store it as data within an HttpCookie object.
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
Add the cookie to the cookies collection returned to the user's browser.
// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);
Redirect the user to the originally requested page
// Redirect the user to the originally requested page
Response.Redirect( FormsAuthentication.GetRedirectUrl(
txtUserName.Text,
false ));
}
Step 4. Construct GenericPrincipal and FormsIdentity Objects
This procedure implements an application authentication event handler and constructs GenericPrincipal and FormsIdentity objects based on information contained within the authentication ticket.
To construct GenericPrincipal and FormsIdentity objects
From Solution Explorer, open global.asax.
Switch to code view and add the following using statements to the top of the file:
using System.Web.Security;
using System.Security.Principal;
Locate the Application_AuthenticateRequest event handler and add the following code to obtain the forms authentication cookie from the cookie collection passed with the request.
// Extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(null == authCookie)
{
// There is no authentication cookie.
return;
}
Add the following code to extract and decrypt the authentication ticket from the forms authentication cookie.
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
// Log exception details (omitted for simplicity)
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
Add the following code to parse out the pipe separate list of role names attached to the ticket when the user was originally authenticated.
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[]{'|'});
Add the following code to create a FormsIdentity object with the user name obtained from the ticket name and a GenericPrincipal object that contains this identity together with the user's role list.
// Create an Identity object
FormsIdentity id = new FormsIdentity( authTicket );
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
Step 5. Test the Application
This procedure adds code to the default.aspx page to display information from the GenericPrincipal object attached to the current HttpContext object, to confirm that the object has been correctly constructed and assigned to the current Web request. You will then build and test the application.
To test the application
In Solution Explorer, double-click default.aspx.
Double-click the default.aspx Web form to display the page load event handler.
Scroll to the top of the file and add the following using statement beneath the existing using statements.
using System.Security.Principal;
Return to the page load event handler and add the following code to display the identity name attached to the GenericPrincipal associated with the current Web request.
IPrincipal p = HttpContext.Current.User;
Response.Write( "Authenticated Identity is: " +
p.Identity.Name );
Response.Write( "
" );
Add the following code to test role membership for the current authenticated identity.
if ( p.IsInRole("Senior Manager") )
Response.Write( "User is in Senior Manager role
" );
else
Response.Write( "User is not in Senior Manager role
" );
if ( p.IsInRole("Manager") )
Response.Write( "User is in Manager role
" );
else
Response.Write( "User is not in Manager role
" );
if ( p.IsInRole("Employee") )
Response.Write( "User is in Employee role
" );
else
Response.Write( "User is not in Employee role
" );
if ( p.IsInRole("Sales") )
Response.Write( "User is in Sales role
" );
else
Response.Write( "User is not in Sales role
" );
In Solution Explorer, right-click default.aspx, and then click Set As Start Page.
On the Build menu, click Build Solution. Eliminate any build errors.
Press Ctrl+F5 to run the application. Because default.aspx is configured as the start up page, this is the initially requested page.
When you are redirected to the logon page (because you do not initially have an authentication ticket), enter a user name and password (any will do), and then click Logon.
Confirm that you are redirected to default.aspx and that the user identity and the correct role details are displayed. The user should be a member of the Senior Manager, Manager, and Employee role, but not a member of the Sales role.
Additional Resources
For more information, see the following related How Tos in this guide:
How To: Use Forms Authentication with Active Directory in ASP.NET 1.1
How To: Use Forms Authentication with SQL Server in ASP.NET 1.1
Single sign-on across multiple applications in ASP.NET - The Code Project - ASP.NET
Single sign-on across multiple applications in ASP.NET - The Code Project - ASP.NET
Single sign-on across multiple applications in ASP.NET
By Michal Altair Valasek
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way. VB.NET
Windows, .NET (.NET 1.1, .NET 1.0)
ASP.NET, Win32, VS
Dev
Posted 1 Apr 2004
66,508 views
23 votes for this article.
Popularity: 5.32. Rating: 3.9 out of 5.
Introduction
I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at www.example.com, you would be recognized also at everything.example.com.
Forms authentication by default does not support this feature, but is not too complicated to tweak it the appropriate way.
Behind the Forms authentication
Technology behind the Forms authentication is simple: it would create a cookie of defined name (attribute name of forms attribute in web.config). The cookie would contain encrypted authentication data.
To protect user's privacy and for security reasons, you can only read cookies that you wrote. They're associated with server hostname by default. But the cookie standard supports making cookies accessible for entire domain in which the server lies. It means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.
You can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.uk", but can for "example.com" or "example.co.uk".
So, only what you need is to make authentication cookies domain-wide.
Setting it up
You must setup authentication in system.web section of your web.config file as usual, for example:
As I said before, the authentication cookie is encrypted. By default, encryption key is generated automatically. But if you need more servers to cooperate, you need to have the keys same on both servers. This can be done by adding the following to system.web section of web.config:
decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885"
/>
The values of validation and decryption key should be 16 (for DES) or 48 (for TripleDES) characters long hexadecimal numbers.
Signing on
You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (assumes that user has been authenticated and his name is stored in string variable UserName):
Dim C As System.Web.HttpCookie = _
System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName,
False))
Signing off
Usually, there is no need to make something special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.
You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to past. You may do it using the following code:
Dim C As System.Web.HttpCookie = _
Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)
About Michal Altair Valasek
Software developer, system administrator, web designer, journalist, fantasy writer, film editor and executive producer - some of occupations I held in 25 years of my age.
Awarded as Microsoft Most Valuable Professional (MVP) for ASP.NET technology.
Editor and publisher of ASPNET.CZ (formerly known as ASP Network), oldest Czech web server dedicated to Microsoft technology for the Internet.
Project coordinator of BDSM.CZ (http://www.bdsm.cz, first and biggest Czech non-commercial server about sadomasochism.
See my weblog (in Czech language) at http://weblog.rider.cz
Click here to view Michal Altair Valasek's online profile.
Single sign-on across multiple applications in ASP.NET
By Michal Altair Valasek
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way. VB.NET
Windows, .NET (.NET 1.1, .NET 1.0)
ASP.NET, Win32, VS
Dev
Posted 1 Apr 2004
66,508 views
23 votes for this article.
Popularity: 5.32. Rating: 3.9 out of 5.
Introduction
I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at www.example.com, you would be recognized also at everything.example.com.
Forms authentication by default does not support this feature, but is not too complicated to tweak it the appropriate way.
Behind the Forms authentication
Technology behind the Forms authentication is simple: it would create a cookie of defined name (attribute name of forms attribute in web.config). The cookie would contain encrypted authentication data.
To protect user's privacy and for security reasons, you can only read cookies that you wrote. They're associated with server hostname by default. But the cookie standard supports making cookies accessible for entire domain in which the server lies. It means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.
You can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.uk", but can for "example.com" or "example.co.uk".
So, only what you need is to make authentication cookies domain-wide.
Setting it up
You must setup authentication in system.web section of your web.config file as usual, for example:
As I said before, the authentication cookie is encrypted. By default, encryption key is generated automatically. But if you need more servers to cooperate, you need to have the keys same on both servers. This can be done by adding the following to system.web section of web.config:
decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885"
/>
The values of validation and decryption key should be 16 (for DES) or 48 (for TripleDES) characters long hexadecimal numbers.
Signing on
You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (assumes that user has been authenticated and his name is stored in string variable UserName):
Dim C As System.Web.HttpCookie = _
System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName,
False))
Signing off
Usually, there is no need to make something special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.
You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to past. You may do it using the following code:
Dim C As System.Web.HttpCookie = _
Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)
About Michal Altair Valasek
Software developer, system administrator, web designer, journalist, fantasy writer, film editor and executive producer - some of occupations I held in 25 years of my age.
Awarded as Microsoft Most Valuable Professional (MVP) for ASP.NET technology.
Editor and publisher of ASPNET.CZ (formerly known as ASP Network), oldest Czech web server dedicated to Microsoft technology for the Internet.
Project coordinator of BDSM.CZ (http://www.bdsm.cz, first and biggest Czech non-commercial server about sadomasochism.
See my weblog (in Czech language) at http://weblog.rider.cz
Click here to view Michal Altair Valasek's online profile.
New FormsAuthentication.SignOut behavior in ASP.NET 2.0
ComputerZen.com - Scott Hanselman - New FormsAuthentication.SignOut behavior in ASP.NET 2.0
Calling FormsAuthentication.SignOut() removes the FormsAuthentication cookies in ASP.NET 1.1. Sometimes folks call it from their Login page, like this:
if (!Page.IsPostBack)
{
FormsAuthentication.SignOut();
}
This says, "If this is a fresh load of this page, clear out the authentication cookies."
If this seems like a reasonable thing, that's because it is. However, if you run an ASP.NET 1.1 site under ASP.NET 2.0 without recompiling, as a number of dasBlog users do, you may get some odd behavior.
You'll visit the Login.aspx page and redirect to the Login.aspx page forever in a loop...it will make your URL look like this:
/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252flogin.aspx%
253fReturnUrl%253d%25252fBlog%25252flogin.aspx%25253fReturnUrl%25253d%2525252fBlog%
525252flogin.aspx%2525253fReturnUrl%2525253d%252525252fBlog%252525252flogin.aspx%
52525253fReturnUrl%252525253d%25252525252fBlog%25252525252flogin.aspx%25252525253fReturnUrl%
5252525253d%2525252525252fBlog%2525252525252flogin.aspx%2525252525253fReturnUrl%2525252525253d%
52525252525252fBlog%252525252525252flogin.aspx%252525252525253fReturnUrl%252525252525253d%
5252525252525252fBlog%25252525252525252flogin.aspx%25252525252525253fReturnUrl%25252525252525253d%
525252525252525252fBlog%2525252525252525252flogin.aspx%2525252525252525253fReturnUrl%
525252525252525253d%252525252525252525252fBlog%252525252525252525252fLogin.aspx
Why? Because ASP.NET 2.0 add this code inside SignOut():
if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
Response.Redirect(FormsAuthentication.GetLoginPage(null), false);
}
That's pretty interesting. If you call SignOut() it redirects you to the Login page, but only if your CookieMode isn't set to UseCookies. This is because ASP.NET 2.0 added support for cookieless FormsAuthentication. They store the auth information in the URL, and they redirect you because they want to clear the authentication info. Makes sense.
What doesn't make sense is why HttpCookieMode doesn't default to UseCookies. It defaults to Cookieless. Which is lovely under ASP.NET 2.0, but not under 1.1. It stays that way and confuses the system.
So, if you see this kind of infinite redirect with FormsAuthentication while running ASP.NET 1.1 applications under ASP.NET 2.0, you can add cookieless="UseCookies" to your element in web.config:
Calling FormsAuthentication.SignOut() removes the FormsAuthentication cookies in ASP.NET 1.1. Sometimes folks call it from their Login page, like this:
if (!Page.IsPostBack)
{
FormsAuthentication.SignOut();
}
This says, "If this is a fresh load of this page, clear out the authentication cookies."
If this seems like a reasonable thing, that's because it is. However, if you run an ASP.NET 1.1 site under ASP.NET 2.0 without recompiling, as a number of dasBlog users do, you may get some odd behavior.
You'll visit the Login.aspx page and redirect to the Login.aspx page forever in a loop...it will make your URL look like this:
/Blog/login.aspx?ReturnUrl=%2fBlog%2flogin.aspx%3fReturnUrl%3d%252fBlog%252flogin.aspx%
253fReturnUrl%253d%25252fBlog%25252flogin.aspx%25253fReturnUrl%25253d%2525252fBlog%
525252flogin.aspx%2525253fReturnUrl%2525253d%252525252fBlog%252525252flogin.aspx%
52525253fReturnUrl%252525253d%25252525252fBlog%25252525252flogin.aspx%25252525253fReturnUrl%
5252525253d%2525252525252fBlog%2525252525252flogin.aspx%2525252525253fReturnUrl%2525252525253d%
52525252525252fBlog%252525252525252flogin.aspx%252525252525253fReturnUrl%252525252525253d%
5252525252525252fBlog%25252525252525252flogin.aspx%25252525252525253fReturnUrl%25252525252525253d%
525252525252525252fBlog%2525252525252525252flogin.aspx%2525252525252525253fReturnUrl%
525252525252525253d%252525252525252525252fBlog%252525252525252525252fLogin.aspx
Why? Because ASP.NET 2.0 add this code inside SignOut():
if (FormsAuthentication.CookieMode != HttpCookieMode.UseCookies)
{
Response.Redirect(FormsAuthentication.GetLoginPage(null), false);
}
That's pretty interesting. If you call SignOut() it redirects you to the Login page, but only if your CookieMode isn't set to UseCookies. This is because ASP.NET 2.0 added support for cookieless FormsAuthentication. They store the auth information in the URL, and they redirect you because they want to clear the authentication info. Makes sense.
What doesn't make sense is why HttpCookieMode doesn't default to UseCookies. It defaults to Cookieless. Which is lovely under ASP.NET 2.0, but not under 1.1. It stays that way and confuses the system.
So, if you see this kind of infinite redirect with FormsAuthentication while running ASP.NET 1.1 applications under ASP.NET 2.0, you can add cookieless="UseCookies" to your
Geekpedia ? Programming tutorial (printer friendly) Handling cookies in ASP .NET
Geekpedia ? Programming tutorial (printer friendly) Handling cookies in ASP .NET
Handling cookies in ASP .NET
by Andrei Pociu on Aug 03 2004 - 02:12
--------------------------------------------------------------------------------
Description:
How to create a cookie, how to get the value stored in a cookie, set the lifetime, path and domain for a cookie, edit a cookie, delete a cookie, remove subkeys from a cookie...
--------------------------------------------------------------------------------
Content: Here's a tutorial that shows you how to use cookies in ASP .NET. I'm not going to explain the role of cookies in web applications or cover any other theoretical aspect of cookies. There are many (similar) ways to handle cookies in ASP .NET. I'm only going to show you one of the ways, my way. Oh, and we're going to use C#, although the code can be adapted to Visual Basic .NET easily.
How to create a cookie.
Here's a new cookie named cakes.
HttpCookie myCookie = new HttpCookie("cakes");
We created the cookie but there are no keys with values in it, so for now it's useless. So let's add some:
myCookie.Values.Add("muffin", "chocolate");
myCookie.Values.Add("babka", "cinnamon");
We also need to add the cookie to the cookie collection (consider it a cookie jar :) ):
Response.Cookies.Add(myCookie);
How to get the value stored in a cookie.
Here's how to get the keys and values stored in a cookie:
Response.Write(myCookie.Value.ToString());
The output to using this with the previous created cookie is this: "muffin=chocolate&babka=cinnamon".
However, most of the time you'll want to get the value stored at a specific key. If we want to find the value stored at our babka key, we use this:
Response.Write(myCookie["babka"].ToString());
Set the lifetime for a cookie.
You can easily set the time when a cookie expires. We'll set the Expires property of myCookie to the current time + 12 hours:
myCookie.Expires = DateTime.Now.AddHours(12);
This cookie will expire in twelve hours starting now. You could as well make it expire after a week:
myCookie.Expires = DateTime.Now.AddDays(7);
Also note that if you don't set a cookie's expiration date & time a transient cookie will be created - a cookie which only exists in the current browser instance. So if you want the cookie to be stored as a file you need to set this property.
Setting the cookie's path.
Sometimes you'll want to set a path for a cookie so that it will be available only for that path in your website (ex.: www.geekpedia.com/forums). You can set a cookie's path with the Path property:
myCookie.Path = "/forums";
Setting the domain for a cookie.
Perhaps instead of using http://www.geekpedia.com/forums path style to your forums, you would use a subdomain like http://forums.geekpedia.com. The Domain property should do it:
myCookie.Domain = "forums.geekpedia.com";
How to edit a cookie.
You don't actually edit a cookie, you simply overwrite it by creating a new cookie with the same key(s).
How to destroy / delete a cookie.
There's no method called Delete which deletes the cookie you want. What you can do if you have to get rid of a cookie is to set its expiration date to a date that has already passed, for example a day earlier. This way the browser will destroy it.
myCookie.Expires = DateTime.Now.AddDays(-1);
How to remove a subkey from a cookie.
This is one of the problems I encountered with cookies. Fortunately I found an answer on MSDN. You can use the Remove method:
myCookie.Values.Remove("babka");
However, you don't usually remove a subkey immediatly after creating it, so first we need to retrieve the cookie, remove the subkey and then add it back to the Cookies collection:
// Get the cookie from the collection (jar)
myCookie = Request.Cookies["cakes"];
// Remove the key 'babka'
myCookie.Values.Remove("babka");
// Add the cookie back to the collection (jar)
Response.Cookies.Add(myCookie);
// See what's in the cookie now
Response.Write(myCookie.Values.ToString());
Of course I suppose you used the code we created earlier (the one with the chocolate muffin and the cinnamon babka), therefore if you test the code now you'll see the result is 'muffin=chocolate' - we got rid of the babka!
Handling cookies in ASP .NET
by Andrei Pociu on Aug 03 2004 - 02:12
--------------------------------------------------------------------------------
Description:
How to create a cookie, how to get the value stored in a cookie, set the lifetime, path and domain for a cookie, edit a cookie, delete a cookie, remove subkeys from a cookie...
--------------------------------------------------------------------------------
Content: Here's a tutorial that shows you how to use cookies in ASP .NET. I'm not going to explain the role of cookies in web applications or cover any other theoretical aspect of cookies. There are many (similar) ways to handle cookies in ASP .NET. I'm only going to show you one of the ways, my way. Oh, and we're going to use C#, although the code can be adapted to Visual Basic .NET easily.
How to create a cookie.
Here's a new cookie named cakes.
HttpCookie myCookie = new HttpCookie("cakes");
We created the cookie but there are no keys with values in it, so for now it's useless. So let's add some:
myCookie.Values.Add("muffin", "chocolate");
myCookie.Values.Add("babka", "cinnamon");
We also need to add the cookie to the cookie collection (consider it a cookie jar :) ):
Response.Cookies.Add(myCookie);
How to get the value stored in a cookie.
Here's how to get the keys and values stored in a cookie:
Response.Write(myCookie.Value.ToString());
The output to using this with the previous created cookie is this: "muffin=chocolate&babka=cinnamon".
However, most of the time you'll want to get the value stored at a specific key. If we want to find the value stored at our babka key, we use this:
Response.Write(myCookie["babka"].ToString());
Set the lifetime for a cookie.
You can easily set the time when a cookie expires. We'll set the Expires property of myCookie to the current time + 12 hours:
myCookie.Expires = DateTime.Now.AddHours(12);
This cookie will expire in twelve hours starting now. You could as well make it expire after a week:
myCookie.Expires = DateTime.Now.AddDays(7);
Also note that if you don't set a cookie's expiration date & time a transient cookie will be created - a cookie which only exists in the current browser instance. So if you want the cookie to be stored as a file you need to set this property.
Setting the cookie's path.
Sometimes you'll want to set a path for a cookie so that it will be available only for that path in your website (ex.: www.geekpedia.com/forums). You can set a cookie's path with the Path property:
myCookie.Path = "/forums";
Setting the domain for a cookie.
Perhaps instead of using http://www.geekpedia.com/forums path style to your forums, you would use a subdomain like http://forums.geekpedia.com. The Domain property should do it:
myCookie.Domain = "forums.geekpedia.com";
How to edit a cookie.
You don't actually edit a cookie, you simply overwrite it by creating a new cookie with the same key(s).
How to destroy / delete a cookie.
There's no method called Delete which deletes the cookie you want. What you can do if you have to get rid of a cookie is to set its expiration date to a date that has already passed, for example a day earlier. This way the browser will destroy it.
myCookie.Expires = DateTime.Now.AddDays(-1);
How to remove a subkey from a cookie.
This is one of the problems I encountered with cookies. Fortunately I found an answer on MSDN. You can use the Remove method:
myCookie.Values.Remove("babka");
However, you don't usually remove a subkey immediatly after creating it, so first we need to retrieve the cookie, remove the subkey and then add it back to the Cookies collection:
// Get the cookie from the collection (jar)
myCookie = Request.Cookies["cakes"];
// Remove the key 'babka'
myCookie.Values.Remove("babka");
// Add the cookie back to the collection (jar)
Response.Cookies.Add(myCookie);
// See what's in the cookie now
Response.Write(myCookie.Values.ToString());
Of course I suppose you used the code we created earlier (the one with the chocolate muffin and the cinnamon babka), therefore if you test the code now you'll see the result is 'muffin=chocolate' - we got rid of the babka!
Thursday, March 09, 2006
what the matter of a mountain is not its height, what the matter of the country is not its size
李肇星今天给美女翻译上“英文课”(组图) - 文学城 www.wenxuecity.com
“山不在高,有仙则名”,国不在大,热爱和平、主持公道就好。”女翻译员将此句译为“a mountain no matter how high it is , if it is blessed with touch of divine, it would be well-known. A country no matter how big it is , if it can uphold peace and justice in the world, it would be a good country ”。李肇星可能是觉得翻译得不够传神与贴切,立即对 “山不在高,有仙则名”作出简单且深刻的阐述。他补充说,“what the matter of a mountain is not its height, what the matter of the country is not its size.”李肇星的精彩翻译,台下的外国记者也听出“耳油”来。
“山不在高,有仙则名”,国不在大,热爱和平、主持公道就好。”女翻译员将此句译为“a mountain no matter how high it is , if it is blessed with touch of divine, it would be well-known. A country no matter how big it is , if it can uphold peace and justice in the world, it would be a good country ”。李肇星可能是觉得翻译得不够传神与贴切,立即对 “山不在高,有仙则名”作出简单且深刻的阐述。他补充说,“what the matter of a mountain is not its height, what the matter of the country is not its size.”李肇星的精彩翻译,台下的外国记者也听出“耳油”来。
Wednesday, March 08, 2006
How to create a boot diskette
How to create a boot diskette: "How to create a bootable diskette
WHAT IS A BOOT DISK
A boot disk will allow you to boot off of a diskette instead of your hard drive. This diskette can be used to fix issues which may arise during the lifetime of your computer as well as can be used to help load MS-DOS games or games you may not be able to run from Windows or MS-DOS because of high memory requirements.
After you have created a boot diskette, it is highly recommended that you write-protect the diskette to prevent possible computer virus infection.
CREATING A MS-DOS BOOT DISK
Note: These steps are for users who have MS-DOS installed on the computer.
To create a MS-DOS diskette, begin by getting to the DOS directory by typing:
cd\dos
Once at the C:\DOS directory, skip to copying files.
INDEX
Category:
Software
Companies:
Microsoft
Related Pages:
Autoexec.bat / Config.sys
Floppy Drive
MS-DOS
Windows 95
Windows 98
Windows NT
Windows 2000
RESOLVED
Were you able to locate the answer to your questions?
Yes
No
CREATING A WINDOWS 3.X BOOT DISK
Note: These steps are for users who have Windows 3.x installed on the computer.
To create a Windows 3.x diskette, from Windows Program manager, click File and then choose the option to Exit Windows, which will get you to a prompt; at the prompt, type:
cd\dos
Once at the C:\DOS directory, skip to copying files.
CREATING A WINDOWS 95 BOOT DISK
Note: These steps are for users who have Windows 95 installed on the computer.
In Windows 95, Microsoft has created a new method of creating a bootable recovery diskette. Unfortunately, however, this diskette does not support CD-ROM support and is missing a few recommended files. To do this, click Start / Settings / Control Panel / double-click the Add Remove programs icon / click the Startup Disk and create disk.
Alternatively, to create a Windows 95 boot diskette manually from Windows, click Start / Shutdown and choose the option to restart the computer in a MS-DOS prompt. At the prompt, type:
cd\windows\command
Once at the C:\DOS directory, skip to copying files.
CREATING A WINDOWS 98/ME BOOT DISK
Note: These steps are for users who have Windows 98 or Windows ME installed on the computer.
An excellent feature of Windows 98/ME is its boot diskette. Using Windows to create you a Windows 98 boot diskette will give you all the needed files as well as CD-ROM support. To create a Windows 98 boot diskette, click Start / Settings / Control Panel / double-click the Add Remove programs icon / click the Startup Disk and create disk.
Alternatively, to create a Windows 98 boot diskette manually from Windows, click Start / Shutdown and choose the option to restart the computer in a MS-DOS prompt. At the prompt, type:
cd\windows\command
Once at the C:\DOS directory, skip to copying files.
COPYING ADDITIONAL FILES
NOTE: When making a boot disk, if you are running "Stacker" or some kind of a DoubleSpace or drive swapper program, this could not work
Once you are in DOS and at the correct directory as instructed in the above sections by operating system, you are ready to create your bootable diskette. Insert a diskette which does not contain any information (it will be erased).
At the prompt, if you have MS-DOS 6.2 / Windows 3.x / Windows 95 / Windows 98, type:
FORMAT A:/S
If you have MS-DOS 5.0 type using double density 5.25" diskettes type:
FORMAT A: /360 /S
If you have MS- DOS 3.11 through 4.0 using double density 5.25" diskettes, type:
FORMAT A: /4 /S
Once the diskette has been formatted and the system has been transferred, you should be returned to your original directory. In this directory, type:
copy format*.* a: [PRESS ENTER]
copy fdisk*.* a: [PRESS ENTER]
copy mscdex*.* a: [PRESS ENTER]
copy sys*.* a: [PRESS ENTER]
copy edit*.* a: [PRESS ENTER]
copy qbasic*.* a: [PRESS ENTER] (Win 95/98 users skip this line)
copy debug*.* a: [PRESS ENTER]
copy himem*.* a: [PRESS ENTER]
copy emm386*.* a: [PRESS ENTER]
If you are planning to use this diskette as a diskette to load games or you feel that you need mouse support, you will need to copy the mouse driver onto the boot diskette. The MS-DOS mouse driver is generally mouse.com / mouse.sys. Locate this file and copy it to your bootable diskette.
For CD-ROM support, visit our CD-ROM drivers page for information on loading your CD-ROM driver.
Once you have copied the above files, create an autoexec.bat and a config.sys. Get to the floppy drive by typing A:, once at the floppy drive, type:
copy con autoexec.bat [PRESS ENTER]
@echo off [PRESS ENTER]
LH A:\MSCDEX.EXE /D:CDROM [PRESS ENTER] (this line is used for your CD-ROM drive).
LH A:\MOUSE.* [PRESS ENTER] (skip line if you did not copy mouse file, the * is either sys / com).
Press and hold CTRL + Z - this should return ^Z. Once this is displayed, press enter to copy the file.
copy con config.sys [PRESS ENTER]
device=a:\himem.sys
dos=high,umb
device=a:\emm386.exe noems
files=30
buffers=20
devicehigh=a:\oakcdrom.sys /d:CDROM (this line is used for your CD-ROM drive).
Press and hold CTRL + Z - this should return ^Z. Once this is displayed, press enter to copy the file.
Congratulations, after completing the above steps you should now have a bootable floppy diskette.
CREATING A WINDOWS NT BOOT DISK
To create a boot diskette you must have access to the i386 directory located on your Windows NT CD or possibly your Hard disk drive.
Format the floppy diskette you wish to make a bootable Windows NT boot disk using the Windows NT machine.
Copy boot.ini, ntdetect.com and ntldr to the floppy diskette just formatted.
If you are using any SCSI devices which you need access to, you will also need to load these drivers onto the diskette
CREATING A WINDOWS 2000 BOOT DISK
To create a Windows 2000 Professional bootable diskette you will need four 1.44MB diskettes and the Windows 2000 Professional CD.
Click Start / Run / browse to the CD-ROM drive.
Open the "BOOTDISK" folder and double-click makeboot.exe and click ok to launch the program to create the diskette.
Users can also easily create an Emergency Repair Disk by clicking Start, Programs, Accessories, System Tools, and opening Backup. From the Backup window, click the button for Emergency Repair Disk and follow each of the steps.
CREATING A WINDOWS XP BOOT DISK
Create MS-DOS bootable diskette
When formatting a floppy diskette, users have the option of creating a MS-DOS startup disk, follow the below steps to do this.
Place diskette in the computer.
Open My Computer, right click the A: drive and click Format.
In the Format window, check Create an MS-DOS startup disk.
Click Start
Create Windows XP Setup diskettes
Microsoft is beginning to phase out bootable floppy diskettes in favor of bootable CD discs and has not included a method of easily creating a bootable floppy diskette in Windows or from the CD. However, Microsoft has created web pages for users who still need to create bootable diskettes to install (not upgrade) Windows XP, below is a listing of each of these pages.
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Pro
Microsoft Windows XP Pro SP1
Additional help and information about troubleshooting bootable CDs not booting is found on document CH000217.
HOW TO USE A BOOT DISKETTE
Once the bootable diskette has been successfully created, following the below steps you will be able to boot from the diskette.
Place the diskette into write-protect mode (in case a virus is on the computer, this will not allow the virus to transfer itself onto the diskette).
Insert the diskette into the computer and reset or turn on the computer to begin the boot process.
As the computer is booting, answer the questions prompted (if any).
Once at the A:\> take the appropriate actions depending upon the situation of the computer.
If you are unfamiliar with MS-DOS we recommend you see our MS-DOS page.
WHAT IS A BOOT DISK
A boot disk will allow you to boot off of a diskette instead of your hard drive. This diskette can be used to fix issues which may arise during the lifetime of your computer as well as can be used to help load MS-DOS games or games you may not be able to run from Windows or MS-DOS because of high memory requirements.
After you have created a boot diskette, it is highly recommended that you write-protect the diskette to prevent possible computer virus infection.
CREATING A MS-DOS BOOT DISK
Note: These steps are for users who have MS-DOS installed on the computer.
To create a MS-DOS diskette, begin by getting to the DOS directory by typing:
cd\dos
Once at the C:\DOS directory, skip to copying files.
INDEX
Category:
Software
Companies:
Microsoft
Related Pages:
Autoexec.bat / Config.sys
Floppy Drive
MS-DOS
Windows 95
Windows 98
Windows NT
Windows 2000
RESOLVED
Were you able to locate the answer to your questions?
Yes
No
CREATING A WINDOWS 3.X BOOT DISK
Note: These steps are for users who have Windows 3.x installed on the computer.
To create a Windows 3.x diskette, from Windows Program manager, click File and then choose the option to Exit Windows, which will get you to a prompt; at the prompt, type:
cd\dos
Once at the C:\DOS directory, skip to copying files.
CREATING A WINDOWS 95 BOOT DISK
Note: These steps are for users who have Windows 95 installed on the computer.
In Windows 95, Microsoft has created a new method of creating a bootable recovery diskette. Unfortunately, however, this diskette does not support CD-ROM support and is missing a few recommended files. To do this, click Start / Settings / Control Panel / double-click the Add Remove programs icon / click the Startup Disk and create disk.
Alternatively, to create a Windows 95 boot diskette manually from Windows, click Start / Shutdown and choose the option to restart the computer in a MS-DOS prompt. At the prompt, type:
cd\windows\command
Once at the C:\DOS directory, skip to copying files.
CREATING A WINDOWS 98/ME BOOT DISK
Note: These steps are for users who have Windows 98 or Windows ME installed on the computer.
An excellent feature of Windows 98/ME is its boot diskette. Using Windows to create you a Windows 98 boot diskette will give you all the needed files as well as CD-ROM support. To create a Windows 98 boot diskette, click Start / Settings / Control Panel / double-click the Add Remove programs icon / click the Startup Disk and create disk.
Alternatively, to create a Windows 98 boot diskette manually from Windows, click Start / Shutdown and choose the option to restart the computer in a MS-DOS prompt. At the prompt, type:
cd\windows\command
Once at the C:\DOS directory, skip to copying files.
COPYING ADDITIONAL FILES
NOTE: When making a boot disk, if you are running "Stacker" or some kind of a DoubleSpace or drive swapper program, this could not work
Once you are in DOS and at the correct directory as instructed in the above sections by operating system, you are ready to create your bootable diskette. Insert a diskette which does not contain any information (it will be erased).
At the prompt, if you have MS-DOS 6.2 / Windows 3.x / Windows 95 / Windows 98, type:
FORMAT A:/S
If you have MS-DOS 5.0 type using double density 5.25" diskettes type:
FORMAT A: /360 /S
If you have MS- DOS 3.11 through 4.0 using double density 5.25" diskettes, type:
FORMAT A: /4 /S
Once the diskette has been formatted and the system has been transferred, you should be returned to your original directory. In this directory, type:
copy format*.* a: [PRESS ENTER]
copy fdisk*.* a: [PRESS ENTER]
copy mscdex*.* a: [PRESS ENTER]
copy sys*.* a: [PRESS ENTER]
copy edit*.* a: [PRESS ENTER]
copy qbasic*.* a: [PRESS ENTER] (Win 95/98 users skip this line)
copy debug*.* a: [PRESS ENTER]
copy himem*.* a: [PRESS ENTER]
copy emm386*.* a: [PRESS ENTER]
If you are planning to use this diskette as a diskette to load games or you feel that you need mouse support, you will need to copy the mouse driver onto the boot diskette. The MS-DOS mouse driver is generally mouse.com / mouse.sys. Locate this file and copy it to your bootable diskette.
For CD-ROM support, visit our CD-ROM drivers page for information on loading your CD-ROM driver.
Once you have copied the above files, create an autoexec.bat and a config.sys. Get to the floppy drive by typing A:, once at the floppy drive, type:
copy con autoexec.bat [PRESS ENTER]
@echo off [PRESS ENTER]
LH A:\MSCDEX.EXE /D:CDROM [PRESS ENTER] (this line is used for your CD-ROM drive).
LH A:\MOUSE.* [PRESS ENTER] (skip line if you did not copy mouse file, the * is either sys / com).
Press and hold CTRL + Z - this should return ^Z. Once this is displayed, press enter to copy the file.
copy con config.sys [PRESS ENTER]
device=a:\himem.sys
dos=high,umb
device=a:\emm386.exe noems
files=30
buffers=20
devicehigh=a:\oakcdrom.sys /d:CDROM (this line is used for your CD-ROM drive).
Press and hold CTRL + Z - this should return ^Z. Once this is displayed, press enter to copy the file.
Congratulations, after completing the above steps you should now have a bootable floppy diskette.
CREATING A WINDOWS NT BOOT DISK
To create a boot diskette you must have access to the i386 directory located on your Windows NT CD or possibly your Hard disk drive.
Format the floppy diskette you wish to make a bootable Windows NT boot disk using the Windows NT machine.
Copy boot.ini, ntdetect.com and ntldr to the floppy diskette just formatted.
If you are using any SCSI devices which you need access to, you will also need to load these drivers onto the diskette
CREATING A WINDOWS 2000 BOOT DISK
To create a Windows 2000 Professional bootable diskette you will need four 1.44MB diskettes and the Windows 2000 Professional CD.
Click Start / Run / browse to the CD-ROM drive.
Open the "BOOTDISK" folder and double-click makeboot.exe and click ok to launch the program to create the diskette.
Users can also easily create an Emergency Repair Disk by clicking Start, Programs, Accessories, System Tools, and opening Backup. From the Backup window, click the button for Emergency Repair Disk and follow each of the steps.
CREATING A WINDOWS XP BOOT DISK
Create MS-DOS bootable diskette
When formatting a floppy diskette, users have the option of creating a MS-DOS startup disk, follow the below steps to do this.
Place diskette in the computer.
Open My Computer, right click the A: drive and click Format.
In the Format window, check Create an MS-DOS startup disk.
Click Start
Create Windows XP Setup diskettes
Microsoft is beginning to phase out bootable floppy diskettes in favor of bootable CD discs and has not included a method of easily creating a bootable floppy diskette in Windows or from the CD. However, Microsoft has created web pages for users who still need to create bootable diskettes to install (not upgrade) Windows XP, below is a listing of each of these pages.
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Pro
Microsoft Windows XP Pro SP1
Additional help and information about troubleshooting bootable CDs not booting is found on document CH000217.
HOW TO USE A BOOT DISKETTE
Once the bootable diskette has been successfully created, following the below steps you will be able to boot from the diskette.
Place the diskette into write-protect mode (in case a virus is on the computer, this will not allow the virus to transfer itself onto the diskette).
Insert the diskette into the computer and reset or turn on the computer to begin the boot process.
As the computer is booting, answer the questions prompted (if any).
Once at the A:\> take the appropriate actions depending upon the situation of the computer.
If you are unfamiliar with MS-DOS we recommend you see our MS-DOS page.
Thursday, March 02, 2006
Subscribe to:
Comments (Atom)
