ASP.NET Application Security Scheme (II) - Authorization

Summary: This article explains the concept of authorization in ASP.NET applications, introduces the available authorization methods and compares them, and describes how to choose an authorization policy.


Keywords: authorization, ASP.NET, Web applications


1. The concept of authorization
Any successful application security strategy is built on solid authentication and authorization, together with secure communication that provides confidentiality and integrity for sensitive data.
The authorization process controls which resources an authenticated client may access and what it may do with them. Accessible resources include files, databases and so on, as well as system-level resources such as the registry and configuration data.
Many Web applications do not authorize clients directly against the underlying resources; instead they authorize the operations (methods) the client is allowed to perform. The main reason for this is the scalability and manageability of the application. Figure 1 lists the various security technologies and the main authorization methods each one offers.

2. Authorization methods
As shown in Figure 1, on Windows 2000 the .NET Framework provides the following authorization methods:

ASP.NET authorization
Enterprise Services authorization
SQL Server authorization
2.1 ASP.NET authorization
2.1.1 URL authorization
This mechanism is configured through settings in the machine-level and application-level configuration files. URL authorization lets you restrict access to specific files and folders within the application's URI namespace.

2.1.2 File authorization
This method restricts access to a specific file on the Web server. Access is decided by the Windows ACL attached to that file.

2.1.3 Principal permission demand
A principal permission demand (PrincipalPermission demand) can be used declaratively or programmatically as an additional, fine-grained access control mechanism. It lets you restrict access to classes, methods or individual blocks of code based on the identity or the group membership of the individual user.

2.1.4 .NET roles
.NET roles group the users of an application that share the same permissions. This approach can be combined with a ticket-based authentication scheme, such as Forms authentication, to configure access to resources and operations either declaratively or programmatically.
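The following is an added example (not code from the original article) showing the principal permission demand of section 2.1.3 and the .NET role check of section 2.1.4 side by side on the .NET Framework. Both forms of demand consult Thread.CurrentPrincipal, which ASP.NET sets from HttpContext.User, so they are only as trustworthy as the authentication step that populated the principal. The user name "alice" and the roles "Manager" and "Clerk" are constructed for the example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the original article). User and role names are constructed.
public static class PrincipalPermissionDemo
{
    // Declarative demand: the runtime checks the current principal before the
    // method body runs and throws SecurityException if the caller is not in
    // the "Manager" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public static string ApproveOrder(int orderId)
    {
        return "order " + orderId + " approved";
    }

    // Imperative demand: the same check performed inside the method, which lets
    // the code pick the role at run time and handle the failure itself.
    public static string ViewOrder(int orderId)
    {
        var demand = new PrincipalPermission(null, "Clerk"); // any user name, role "Clerk"
        demand.Demand();                                     // throws SecurityException if not in role
        return "order " + orderId + " shown";
    }

    // Plain .NET role check through IPrincipal (section 2.1.4): no exception,
    // just a boolean the caller acts on.
    public static bool CanApprove(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }

    public static void Main()
    {
        // Build the principal the way an authentication step would, with a
        // constructed identity that carries only the "Clerk" role.
        var identity = new GenericIdentity("alice");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new[] { "Clerk" });

        Console.WriteLine(ViewOrder(42));                        // Clerk role present: succeeds
        Console.WriteLine(CanApprove(Thread.CurrentPrincipal));  // False: no Manager role

        try
        {
            ApproveOrder(42);                                    // declarative demand fails
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("denied: " + ex.Message);
        }
    }
}
```

PrincipalPermission belongs to the .NET Framework code access security model that this article's platform uses; on .NET Core and later the Demand call is not supported, and only the IsInRole style of check remains available.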

2.2 Enterprise Services authorization
In Enterprise Services applications, membership in Enterprise Services roles controls client access to the functionality contained in the server component. These roles are distinct from .NET roles and can contain Windows group accounts or user accounts. Role membership is defined in the COM+ catalog and managed through the Component Services tool.

2.3 SQL Server authorization
SQL Server supports fine-grained authorization that can be applied to individual database objects. Permissions can be based on role membership or granted to individual Windows user or group accounts.

3. Selecting an authorization policy
ASP.NET applications have two basic authorization policies: role-based authorization and resource-based authorization.
3.1 Role-based authorization
Operations are protected by the role membership of the caller. Roles partition the application's user base into groups of users that share the same security permissions. Users are mapped to roles; if a user is authorized to perform the requested operation, the application accesses the resource using a fixed identity. That identity is trusted by the respective resource managers, such as databases and file systems.

3.2 Resource-based authorization
Individual resources are protected by Windows ACLs. The application impersonates the caller before accessing the resource, which lets the operating system perform its standard access checks. All resource access therefore takes place in the security context of the original caller. This impersonation approach cannot make effective use of connection pooling in the application's middle tier, which limits the scalability of the application.

4. The role-based authorization model
In most .NET Web applications where scalability is critical, role-based authorization is the best choice. The common pattern is as follows:

Authenticate users in the front-end Web application
Map each user to a role
Authorize access to operations (not directly to resources) based on role membership
Use a fixed service identity to access the required back-end resources
A typical implementation consists of the following steps:
Obtain the credentials
Validate the credentials
Add the user to its roles
Create an IPrincipal object
Place the IPrincipal object in the current HTTP context
Authorize based on the user's identity and role membership
For the implementation code, see ASP.NET Application Security Scheme (I) - Authentication.
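As an added example (not the code from part (I) or from this article), here is the six-step pattern above on ASP.NET Forms authentication with System.Web (.NET Framework). The roles are stored in the encrypted authentication ticket at sign-in, rebuilt into a GenericPrincipal on every request, and checked per operation rather than per resource. ValidateCredentials, LookupRoles, the user "alice" and the roles "Manager" and "Clerk" are constructed stand-ins for a real user store.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the original article). The credential store, role
// lookup, user name and role names are constructed stand-ins.
public class Global : HttpApplication
{
    // Steps 1-3: the login page collects the credentials, validates them and
    // looks up the user's roles. Roles travel in the ticket's UserData so later
    // requests do not need to query the user store again.
    public static void SignIn(HttpResponse response, string userName, string password)
    {
        if (!ValidateCredentials(userName, password))
            throw new UnauthorizedAccessException("invalid credentials");

        string roles = string.Join(",", LookupRoles(userName));
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false, roles);

        // Encrypt (and MAC) the ticket with the machineKey so the role list
        // cannot be edited on the client side.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        response.Cookies.Add(cookie);
    }

    // Steps 4-5: on every request, rebuild the IPrincipal from the validated
    // ticket and attach it to the HTTP context. Requests without a valid ticket
    // simply keep the anonymous principal.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Step 6: authorize the operation (not the resource) by role membership.
    // A page or handler calls this, then reaches the back-end resource with the
    // application's fixed service identity, as section 3.1 describes.
    public static bool MayApproveOrders(IPrincipal user)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("Manager");
    }

    // Constructed stand-in for a real credential check; a production store
    // compares a salted password hash rather than a literal string.
    private static bool ValidateCredentials(string userName, string password)
    {
        return userName == "alice" && password == "correct-horse";
    }

    // Constructed stand-in for a role lookup against the user store.
    private static string[] LookupRoles(string userName)
    {
        return userName == "alice" ? new[] { "Manager", "Clerk" } : new string[0];
    }
}
```

The ticket is built by hand instead of with FormsAuthentication.SetAuthCookie only because the roles need to ride in UserData; everything the authorization step later trusts comes from the decrypted ticket, never from a client-controlled value.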
