.NET Framework: .NET Remoting Security

Source: Internet
Author: User
Article Title: Pay attention to .NET Remoting security in the .NET Framework
   Architecture
Figure 1 shows the basic .NET Remoting architecture when a remote object is hosted in ASP.NET. If security is a concern, we recommend hosting in ASP.NET and communicating over the HTTP channel, because this lets remote objects use the underlying security services provided by ASP.NET and IIS.
  
For more information, see "Choosing a Host Process" later in this chapter.
   
Figure 1. .NET Remoting architecture
  
The client communicates with a proxy object in its own process. You can set authentication credentials (such as user names, passwords, and certificates) on the remote object proxy. The method call passes through a chain of sinks (you can implement your own custom sink, for example to encrypt the data) and reaches the transport sink, which is responsible for sending the data over the network. On the server side, the call passes through the same pipeline in reverse and is dispatched to the object.
  
Note: The term "proxy" in this chapter refers to the proxy object in the client process through which the client communicates with the remote object. Do not confuse it with the term "proxy server".
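The following client is an added example, not code from the original chapter: it obtains a proxy for a remote object hosted in ASP.NET over the HTTP channel and shows the two ways of attaching credentials to that proxy, which is the client side of the architecture just described. The IOrderService interface, the endpoint URL, and the domain and account names are assumptions for illustration; the channel sink property names ("credentials", "username", "password", "domain", "preauthenticate") are the documented HttpClientChannel properties.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;

// Contract shared by client and server (assumed for this example). The server's
// MarshalByRefObject implements it, so the client needs no reference to the
// server's implementation assembly.
public interface IOrderService
{
    // Returns the name of the authenticated caller as the server sees it.
    string WhoAmI();
}

public static class RemotingClient
{
    // Assumed endpoint. The .rem extension is what IIS maps to Aspnet_isapi.dll;
    // HTTPS (SSL) protects the authentication headers and the serialized call.
    private const string EndpointUrl = "https://someserver/vDir/OrderService.rem";

    private static void EnsureHttpChannel()
    {
        if (ChannelServices.GetChannel("http") != null) return;
        IDictionary props = new Hashtable();
        props["name"] = "http";
        // Binary formatter on the client; the server's Web.config must use the same one.
        var formatter = new BinaryClientFormatterSinkProvider();
        ChannelServices.RegisterChannel(new HttpClientChannel(props, formatter), false);
    }

    // Proxy that sends the process identity (Integrated Windows authentication).
    // This is the normal choice inside a Windows domain: no secret lives in the client.
    public static IOrderService ConnectWithDefaultCredentials()
    {
        EnsureHttpChannel();
        var proxy = (IOrderService)Activator.GetObject(typeof(IOrderService), EndpointUrl);
        IDictionary sinkProps = ChannelServices.GetChannelSinkProperties(proxy);
        sinkProps["credentials"] = CredentialCache.DefaultCredentials;
        // Send the Authorization header with the first request instead of waiting for a 401.
        sinkProps["preauthenticate"] = true;
        return proxy;
    }

    // Proxy that sends explicit credentials (for Basic or Digest authentication in IIS).
    // Only do this over SSL, and obtain the password from a protected store, never from
    // source code or an unencrypted config file.
    public static IOrderService ConnectWithExplicitCredentials(string domain, string user, string password)
    {
        EnsureHttpChannel();
        var proxy = (IOrderService)Activator.GetObject(typeof(IOrderService), EndpointUrl);
        IDictionary sinkProps = ChannelServices.GetChannelSinkProperties(proxy);
        sinkProps["domain"] = domain;
        sinkProps["username"] = user;
        sinkProps["password"] = password;
        return proxy;
    }

    public static void Main()
    {
        IOrderService svc = ConnectWithDefaultCredentials();
        Console.WriteLine("Server sees caller: " + svc.WhoAmI());
    }
}
```

If IIS has anonymous access disabled and the proxy carries no credentials, the call fails with a 401 before any remoting code on the server runs, which is exactly the gatekeeper behaviour the rest of this chapter relies on.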
  
   Remoting Sinks
When a client calls a method on a remote object, .NET Remoting passes the call through a chain of transport channel sinks, custom sinks, and formatter sinks.
  
   Transport Channel Sinks
Transport channel sinks pass method calls between the client and the server across the network. .NET provides the HttpChannel and TcpChannel classes, but the architecture is fully extensible and you can plug in your own custom implementations.
  
• HttpChannel. Use this channel when remote objects are hosted in ASP.NET. It uses the HTTP protocol to send messages between the client and the server.

• TcpChannel. Use this channel when you host remote objects in a Microsoft® Windows® service or other executable. It uses TCP sockets to send messages between the client and the server.

• Custom channel. A custom transport channel can use any underlying transport protocol to send messages between the client and the server. For example, a custom channel could use named pipes or mailslots.
  
   Comparing Transport Channel Sinks
The following table compares the two main transport channels.
   
   Custom Sinks
You can use custom sinks to modify the messages sent between the client and the server at various points in the channel sink pipeline. A channel sink that encrypts and decrypts the message stream is one example of a custom channel sink.
  
   Formatter Sinks
Formatter sinks take method calls and serialize them into a stream that can be sent over the network. .NET provides two formatter sinks:
  
• Binary formatter. Uses the BinaryFormatter class to package method calls into a serialized binary stream, which is then sent to the server (over the HTTP channel, as the body of an HTTP POST). The binary formatter sets the content type of the HTTP request to "application/octet-stream".

The binary formatter offers higher performance than the SOAP formatter. Note, however, that both formatters instantiate whatever types the incoming stream names, and Microsoft now documents BinaryFormatter as unsafe for untrusted input. Treat the formatter as an attack surface: restrict who can reach the endpoint with the IIS and ASP.NET gatekeepers described later in this chapter rather than relying on the formatter to reject hostile data.

• SOAP formatter. Uses the SoapFormatter class to package method calls into SOAP messages. It sets the content type of the HTTP request to "text/xml" and sends the message to the server as an HTTP POST.
  
   Processing Requests for Objects Hosted in ASP.NET
The endpoint address of a remote object is specified by a URL ending in a file name with a .rem or .soap extension (for example, http://someserver/vDir/remoteobject.soap). When IIS receives a request for a remote object (with the .rem or .soap extension), it maps the request (in IIS) to the ASP.NET ISAPI extension (Aspnet_isapi.dll). The ISAPI extension forwards the request to an application domain in the ASP.NET worker process (Aspnet_wp.exe). Figure 2 shows the sequence of events.
   
Figure 2. Server-side processing

Figure 2 shows the following sequence of events:

1. A .soap or .rem request is received over HTTP and mapped to a specific virtual directory on the Web server.

2. IIS checks the .soap/.rem application mapping and maps the file extension to the ASP.NET ISAPI extension, Aspnet_isapi.dll.

3. The ISAPI extension sends the request to an application domain in the ASP.NET worker process (Aspnet_wp.exe). If this is the first request for the application, a new application domain is created.

4. The HttpRemotingHandlerFactory handler is invoked and reads the remoting configuration from Web.config. This controls the server-side object configuration (for example, SingleCall or Singleton activation) and the authorization settings (the <authorization> element).

5. The remoting infrastructure locates and loads the assembly containing the remote object and instantiates the object.

6. The remoting infrastructure reads the HTTP headers and the data stream, and then invokes the method on the remote object.

Note: During this process, ASP.NET raises its normal sequence of events. You can optionally implement one or more event handlers in Global.asax, such as BeginRequest, AuthenticateRequest, and AuthorizeRequest. By the time the request reaches the remote object method, the IPrincipal object representing the authenticated user is stored in HttpContext.User (and Thread.CurrentPrincipal) and is available for authorization, for example with principal permission demands and programmatic role checks.
  
   ASP.NET and HTTP Channels
Remoting has no security model of its own. Authentication and authorization between the client (proxy) and the server (remote object) are performed by the channel and the host process. You can use the following host and channel combinations:

• Custom executable and TCP channel. This combination provides no built-in security features.

• ASP.NET and HTTP channel. This combination provides authentication and authorization through the underlying ASP.NET and IIS security features.

Objects hosted in ASP.NET can use the underlying security features of ASP.NET and IIS. These include:
  
• Authentication. Configure Windows authentication in Web.config using the <authentication> element with its mode set to Windows.

The settings in IIS control which HTTP authentication type is used.

Standard HTTP headers are used to authenticate requests. You can configure the remote object proxy to supply credentials for the client, or to use the default credentials of the client process.

Forms and Passport authentication cannot be used, because the channel provides no way for the client to access cookies, which both mechanisms require. In addition, Forms and Passport authentication redirect to a logon page that requires client interaction, whereas remote server objects are typically used in non-interactive scenarios.

• Authorization. Use the standard ASP.NET authorization mechanisms to authorize clients.

Configurable authorization options include:

• URL authorization.

• File authorization (this requires specific configuration. For more information, see "Using File Authorization" later in this chapter).

Programmatic authorization options include:

• Principal permission demands (declarative and imperative).

• Explicit role checks using IPrincipal.IsInRole.

• Secure communication. Use SSL (and/or IPSec) to protect the data passed between the client and the server.
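The Web.config below is an added example, not configuration from the original chapter. It ties together the server-side processing steps above (step 4 reads the remoting and authorization settings from this file) and the authentication and authorization options just listed: a SingleCall remote object published at a .rem URI, Windows authentication, and URL authorization that rejects anonymous callers and admits one Windows group. The type name, assembly name, object URI and group name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.runtime.remoting>
    <application>
      <service>
        <!-- SingleCall: a new object per request, so no client state survives between
             calls. The .rem extension on objectUri is what IIS hands to Aspnet_isapi.dll.
             Type and assembly names are assumptions for this example. -->
        <wellknown mode="SingleCall"
                   type="OrderServer.OrderService, OrderServer"
                   objectUri="OrderService.rem" />
      </service>
      <channels>
        <!-- Hosted in ASP.NET, so no port is given: IIS/ASP.NET is the HTTP transport and
             only the server-side formatter is configured here. typeFilterLevel="Low" is
             the default; do not raise it to "Full" for an endpoint reachable by
             callers you do not fully trust. -->
        <channel ref="http">
          <serverProviders>
            <formatter ref="binary" typeFilterLevel="Low" />
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>

  <system.web>
    <!-- Windows authentication: ASP.NET accepts the identity IIS authenticated (Basic,
         Digest, Integrated Windows or certificate mapping, chosen in IIS) and exposes it
         as a WindowsPrincipal in HttpContext.User. Forms and Passport are not usable
         with remoting clients. -->
    <authentication mode="Windows" />

    <!-- URL authorization (UrlAuthorizationModule), evaluated in order, first match wins.
         "?" is the anonymous user, so the first rule rejects anyone IIS did not
         authenticate; the last rule denies everyone not admitted above. -->
    <authorization>
      <deny users="?" />
      <allow roles="CONTOSO\OrderClerks" />
      <deny users="*" />
    </authorization>

    <!-- No impersonation: the remote object runs as the ASP.NET process identity and
         authorization is decided against HttpContext.User, not by resource ACLs. -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

To verify the configuration, disable anonymous access on the virtual directory in IIS and issue a request for /vDir/OrderService.rem without credentials: it should be rejected with a 401 before any remoting code runs, and a request from an authenticated user outside CONTOSO\OrderClerks should be rejected by URL authorization with a 401 as well.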
   .NET Remoting Gatekeepers
The authorization points (gatekeepers) available to remote objects hosted in ASP.NET include:

• IIS. With anonymous authentication disabled, IIS permits requests only from users it can authenticate in its own domain or in a trusted domain. IIS also provides IP address and DNS name filtering.

• ASP.NET

• UrlAuthorizationModule. You can configure the <authorization> element in the application's Web.config to control which users and groups can access the application. Authorization is based on the IPrincipal object stored in HttpContext.User.

• FileAuthorizationModule. FileAuthorizationModule can be used with remoting components, but it requires specific configuration. For more information, see "Using File Authorization" later in this chapter.

Note that file authorization is optional, not required.

The FileAuthorizationModule class performs an access check only against the requested file or URI (for example, the .rem or .soap endpoint). It does not check access to files that the code inside the remote object itself opens.

• Principal permission demands and explicit role checks. In addition to the gatekeepers you configure in IIS and ASP.NET, you can use principal permission demands (declaratively or imperatively) as a further fine-grained access control mechanism. Principal permission checks let you control access to classes, methods, or individual blocks of code based on the identity and group membership of the user (as defined by the IPrincipal object attached to the current thread).

Note: A principal permission demand that requires role membership behaves differently from calling IPrincipal.IsInRole to test role membership. If the caller is not a member of the specified role, the former throws a SecurityException, while the latter simply returns a Boolean indicating whether the caller is in the role.

With Windows authentication, ASP.NET automatically attaches a WindowsPrincipal object representing the authenticated user to the current Web request (via HttpContext.User).
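The following remote object is an added example, not code from the original chapter. It shows the three fine-grained checks described above side by side on a MarshalByRefObject: a declarative PrincipalPermission demand, an imperative demand around one block of code, and an explicit IPrincipal.IsInRole test, so the difference between "throws SecurityException" and "returns false" is visible. The class, method and role names are assumptions; the Demo class stands in for ASP.NET by attaching a GenericPrincipal to the thread where ASP.NET would have attached a WindowsPrincipal.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Remote object hosted in ASP.NET. With Windows authentication, Thread.CurrentPrincipal
// is the WindowsPrincipal ASP.NET attached to the request, so all three checks below
// see the authenticated caller. Names are assumptions for this example.
public class OrderService : MarshalByRefObject
{
    // 1. Declarative demand: the runtime checks Thread.CurrentPrincipal before the
    //    method body runs and throws SecurityException if the caller lacks the role.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderApprovers")]
    public void ApproveOrder(int orderId)
    {
        // Only members of CONTOSO\OrderApprovers ever reach this point.
    }

    // 2. Imperative demand: same semantics as above, but the demand can guard a single
    //    block and the role name can be chosen at run time.
    public void CancelOrder(int orderId, bool refund)
    {
        if (refund)
        {
            // null name = any authenticated user, as long as they hold the role.
            var perm = new PrincipalPermission(null, @"CONTOSO\Finance");
            perm.Demand();   // throws SecurityException for callers outside Finance
        }
        // Cancel the order here; the refund branch above has already been authorized.
    }

    // 3. Explicit check: returns a Boolean, so the method can degrade (for example,
    //    return less data) instead of failing the whole call.
    public string GetOrderSummary(int orderId)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        bool isClerk = caller.IsInRole(@"CONTOSO\OrderClerks");
        return isClerk
            ? "order " + orderId + ": full view for " + caller.Identity.Name
            : "order " + orderId + ": summary only";
    }
}

// Stand-alone demonstration outside ASP.NET. The GenericPrincipal substitutes for
// the WindowsPrincipal ASP.NET would supply; the caller is a clerk but not an
// approver and not in Finance.
public static class Demo
{
    public static void Main()
    {
        var identity = new GenericIdentity(@"CONTOSO\alice");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new[] { @"CONTOSO\OrderClerks" });

        var svc = new OrderService();
        Console.WriteLine(svc.GetOrderSummary(42));   // full view: alice is a clerk

        try
        {
            svc.ApproveOrder(42);                     // alice is not an approver
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Declarative demand refused: " + ex.Message);
        }

        try
        {
            svc.CancelOrder(42, refund: true);        // CONTOSO\Finance demanded imperatively
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Imperative demand refused: " + ex.Message);
        }
    }
}
```

Use the demand forms when a missing role must abort the call (and surface as a fault to the remoting client), and IsInRole when the method should still succeed with reduced results; in either case the decision is made against the principal ASP.NET established, so these checks add defence in depth behind the IIS and UrlAuthorizationModule gatekeepers rather than replacing them.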
  
   Authentication
When remoting is used together with an ASP.NET Web application client, authentication occurs both at the Web application and at the remote object host. The authentication options available to the remote object host depend on the host type.

   Hosting in ASP.NET
When an object is hosted in ASP.NET, the HTTP channel is used to pass method calls between the client proxy and the server. The HTTP channel uses the HTTP protocol to authenticate the remote object proxy to the server.

The following authentication options are available when an object is hosted in ASP.NET:

• IIS authentication options. Anonymous, Basic, Digest, Integrated Windows, and Certificate.

• ASP.NET authentication options. Windows authentication or None (for custom authentication implementations).
 