ASP.NET Application Security Scheme (I): Authentication

Source: Internet
Author: User

Abstract: This paper explains the concept of authentication in ASP.NET applications, introduces the available authentication modes and compares them, describes how an authentication mode is chosen, and gives an implementation based on Forms authentication.


Keywords: authentication; ASP.NET; Web applications
1. The concept of authentication
Any successful application security policy rests on solid authentication and authorization, together with secure communication that provides confidentiality and integrity for sensitive data.
Authentication is the process of identifying an application's client; the client may be an end user, a service, a process, or a computer. The authenticated client is called the principal. Authentication can take place at several tiers of an application: the end user is first authenticated by the Web application, typically with a user name and password, and the request is then processed by the middle-tier application server and the database server, each of which also authenticates its caller before processing the request.
Figure 1 lists the various security technologies and the main authentication methods that each provides.
2. Authentication modes
As shown in Figure 1, the .NET Framework on Windows 2000 provides the following types of authentication:
- ASP.NET authentication modes
- Enterprise Services authentication
- SQL Server authentication
2.1 ASP.NET authentication modes
The ASP.NET authentication modes are Windows, Forms, Passport, and None.
2.1.1 Windows authentication
In this mode ASP.NET relies on IIS to authenticate the user and to create a Windows access token that represents the authenticated identity. IIS provides the following authentication mechanisms:
- Basic authentication
- Digest authentication
- Integrated Windows authentication
- Certificate authentication
- Anonymous authentication
2.1.2 Passport authentication
In this mode ASP.NET uses the Microsoft Passport centralized authentication service. ASP.NET provides a convenient wrapper around the features of the Microsoft Passport Software Development Kit (SDK), which must be installed on the Web server.
2.1.3 Forms authentication
This mode uses client redirection to send unauthenticated users to a designated login form, where they enter their credentials (typically a user name and password). Once the credentials are validated, the system generates an authentication ticket and returns it to the client. The ticket carries the user's identity for the duration of the session and, optionally, the list of roles the user belongs to.
2.1.4 None
This mode means that you either do not want to authenticate users or are using a custom authentication protocol.
2.2 Enterprise Services authentication
Enterprise Services authentication is performed by the underlying Remote Procedure Call (RPC) transport, which uses the operating system's Security Support Provider Interface (SSPI). Clients of an Enterprise Services application can be authenticated with either the Kerberos or the NTLM mechanism.
2.3 SQL Server authentication
SQL Server can authenticate clients through the Windows authentication mechanism (Kerberos or NTLM) or through its own built-in scheme, SQL authentication. Two configurations are available:
2.3.1 SQL Server and Windows
Clients can connect to an instance of SQL Server using either SQL Server authentication or Windows authentication. This is sometimes called mixed-mode authentication.
2.3.2 Windows only
Clients must connect to the SQL Server instance using Windows authentication.
3. Selecting an authentication mechanism
Designing authentication for a distributed application is a challenging task. An appropriate authentication design in the early stages of development helps reduce many security risks.
3.1 Comparison of the authentication mechanisms
[Table 1, not reproduced here, compares Basic, Digest, NTLM, Kerberos, certificate, Forms and Passport authentication against these criteria: whether users need Windows accounts in the server's domain; whether delegation is supported; whether Windows 2000 clients and servers are required; whether credentials are transmitted in clear text (requiring SSL); and whether non-IE browsers are supported.]
3.2 Factors to consider when selecting an authentication mechanism
Identification
Windows authentication is appropriate only if the application's users have Windows accounts that can be validated by a trusted authority reachable from the application's Web server.
Credential management
A key advantage of Windows authentication is that credential management is handled by the operating system. With non-Windows methods such as Forms authentication, you must carefully consider where and how user credentials are stored. The most common approaches are a SQL Server database or user objects in Active Directory.
Identity flow
Whether an impersonation/delegation model must be implemented so that the original caller's security context flows across tiers at the operating system level, for example to support per-user auditing or fine-grained authorization.
Browser type
Whether all users of the application use Internet Explorer, or whether a mixed browser base must be supported. These factors, weighed against the characteristics of each mechanism, drive the choice of authentication mode.
3.3 Selection and decision process for an intranet system
See Figure 2.
3.4 SQL Server user authentication
For SQL Server clients, Windows authentication is generally more secure than SQL Server authentication, for the following reasons:
- The operating system manages the user's credentials, and the credentials are not transmitted over the network.
- User names and passwords need not be embedded in connection strings.
- Logon security can be strengthened with password expiration, minimum password length, and account lockout after repeated invalid logons, which reduces the threat of dictionary attacks.
However, Windows authentication cannot be used in some scenarios, for example:
- The database clients and the database server are separated by a firewall that prevents Windows authentication.
- The application needs to connect to one or more databases using multiple identities.
- The database being connected to is not SQL Server.
- There is no secure way to run code in ASP.NET as a particular Windows user.
In these scenarios you will have to use SQL authentication or the database's native authentication mechanism.
4. ASP.NET authentication implementation
4.1 Program characteristics
This section gives a single implementation of authentication, for an interactive Web application on an intranet, under the following assumptions:
- Only authenticated clients can access the application.
- The database trusts the application to authenticate users; that is, the application calls the database on behalf of the user.
- The Web application connects to the database using the ASP.NET process account.
- User credentials are validated against the SQL Server database.
- Forms authentication mode is used.
In a Web application whose user credentials are held in a SQL Server database, Forms authentication is a natural fit and user personalization is easy to implement. Because the application accesses the database on behalf of the user, the trusted subsystem model applies: database connection pooling is used more effectively, users cannot reach the back-end database directly, and back-end ACL management is reduced.
4.2 Security configuration steps
4.2.1 IIS configuration steps
Enable anonymous access to the Web service's virtual root directory.
The usual way is to open the IIS MMC snap-in, right-click the application's virtual directory, and then click Properties > Directory Security > Anonymous access and authentication control > Edit.
4.2.2 ASP.NET configuration steps
1. Reset the password of the ASPNET account (the account ASP.NET runs as) to a stronger password.
This allows a local account with the same user name and password to be duplicated on the database server. To connect to the database with Windows authentication, the ASPNET account must be able to respond to network authentication requests from the database.
To do this, edit the <processModel> element of the Machine.config file in the %windir%\Microsoft.NET\Framework\v1.1.4322\config directory, changing the default
<processModel userName="machine" password="AutoGenerate" />
to
<processModel userName="machine" password="NewPassword" />
(other attributes unchanged), where NewPassword is the new password.
2. Configure ASP.NET to use Forms authentication.
Edit the Web.config file under the Web service's virtual root and set the <authentication> element to:
<authentication mode="Forms">
  <forms name="MyAppFormAuth" loginUrl="login.aspx" protection="All" timeout="30" path="/">
  </forms>
</authentication>
The timeout value, in minutes, is not given in the original; 30, the framework default, is assumed here.
4.2.3 Configure SQL Server
1. On the SQL Server machine, create a Windows account that matches the ASP.NET process account.
The user name and password must match those of the ASP.NET application account.
2. Configure SQL Server so that it uses Windows authentication.
3. Create a SQL Server login for the custom asp.net application account, granting access to SQL Server.
4. Create a new database user and map the login name to the database user.
5. Create a new user-defined database role and add the database user to the role.
6. Determine database permissions for the database role.
4.3 Program code
4.3.1 Authentication event sequence
When an unauthenticated user attempts to access a protected file or resource, the sequence of events triggered is shown in Figure 3.
4.3.2 Code implementation steps
1. Build a Web login form and verify the user-supplied credentials.
The credentials are verified against the SQL Server database.
2. Get the user's list of roles from the database.
3. Create a Forms authentication ticket.
The roles obtained in step 2 are stored in the ticket. Sample code:
// At the top of the login page's code-behind file:
using System;
using System.Web;
using System.Web.Security;

private void btnLogin_Click(object sender, System.EventArgs e)
{
    // Verify the credentials against the SQL Server database (implementation omitted here).
    bool isAuthenticated = IsAuthenticated(txtUsername.Text, txtPassword.Text);
    if (isAuthenticated)
    {
        // Get the user's roles
        string roles = GetRoles(txtUsername.Text, txtPassword.Text);

        // Create the authentication ticket
        FormsAuthenticationTicket authTicket = new
            FormsAuthenticationTicket(1,                           // version
                                      txtUsername.Text,            // user name
                                      DateTime.Now,                // creation time
                                      DateTime.Now.AddMinutes(30), // expiration (30 minutes assumed; the value is missing in the original)
                                      false,                       // not persistent
                                      roles);                      // user data

        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create the cookie
        HttpCookie authCookie =
            new HttpCookie(FormsAuthentication.FormsCookieName,
                           encryptedTicket);

        Response.Cookies.Add(authCookie);

        // Redirect the user to the originally requested page
        Response.Redirect(FormsAuthentication.GetRedirectUrl(
                              txtUsername.Text,
                              false));
    }
}
4. Create an IPrincipal object
Create an IPrincipal object in the Application_AuthenticateRequest event, typically using the GenericPrincipal class.
5. Place the IPrincipal object in the current HTTP context

// In Global.asax; requires: using System.Web.Security; using System.Security.Principal;
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Fetch the Forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    if (null == authCookie)
    {
        return;   // no cookie: the request stays unauthenticated
    }

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception)
    {
        return;   // tampered or corrupt ticket: treat as unauthenticated
    }

    if (null == authTicket)
    {
        return;
    }
    // (An expired ticket can additionally be rejected by checking authTicket.Expired.)

    // Extract the roles stored in the ticket's UserData
    string[] roles = authTicket.UserData.Split(new char[] { '|' });

    // Create the identity object
    FormsIdentity id = new FormsIdentity(authTicket);

    GenericPrincipal principal = new GenericPrincipal(id, roles);
    Context.User = principal;
}
The remaining code is left for the reader to complete.
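As an added example, not code from the original article, here is one way to implement the IsAuthenticated and GetRoles helpers that steps 1 and 2 of section 4.3.2 leave unimplemented: credentials are checked against SQL Server with parameterized queries, and the roles come back joined with '|' so that the ticket's UserData splits correctly in Application_AuthenticateRequest. The table and column names, the per-user salted hash scheme, and a GetRoles that takes only the user name (the article's version also takes the password) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
// Assumed schema (not from the original article):
//   Users(UserName, PasswordHash, Salt)   UserRoles(UserName, RoleName)
public class SqlCredentialStore
{
    private readonly string connectionString;
    public SqlCredentialStore(string connectionString) { this.connectionString = connectionString; }
    // Step 1: verify the supplied credentials. The user name travels as a query
    // parameter, so nothing typed into the login form is spliced into SQL text.
    // An unknown user and a wrong password both yield false.
    public bool IsAuthenticated(string userName, string password)
    {
        const string sql = "SELECT PasswordHash, Salt FROM Users WHERE UserName = @UserName";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                return reader.Read() && HashPassword(password, reader.GetString(1)) == reader.GetString(0);
        }
    }
    // Step 2: fetch the user's roles joined with '|', the separator that
    // Application_AuthenticateRequest splits the ticket's UserData on.
    public string GetRoles(string userName)
    {
        const string sql = "SELECT RoleName FROM UserRoles WHERE UserName = @UserName";
        StringBuilder roles = new StringBuilder();
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Append(roles.Length > 0 ? "|" : "").Append(reader.GetString(0));
        }
        return roles.ToString();
    }
    // Per-user salted SHA-256, hex encoded, matching what the Users table stores.
    private static string HashPassword(string password, string salt)
    {
        byte[] digest = new SHA256Managed().ComputeHash(Encoding.UTF8.GetBytes(salt + password));
        return BitConverter.ToString(digest).Replace("-", "");
    }
}
```

The login handler in step 3 can then call `new SqlCredentialStore(connectionString).IsAuthenticated(...)` and `GetRoles(txtUsername.Text)` in place of the page's two helper calls.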
5. Postscript
Authorization and secure communication will be discussed separately.

