ASP.NET application security scheme (I)

Source: Internet
Author: User
Summary: This article describes the concept of authentication for ASP.NET applications, introduces the various authentication modes and compares them, explains how to choose an authentication mode, and gives an implementation based on the Forms authentication mode.


Keywords: authentication, ASP.NET, Web applications


1. The concept of authentication
Any successful application security policy is based on solid authentication and authorization, as well as secure communications that provide confidentiality and integrity of confidential data.
Authentication is the process of identifying an application's client, which may be an end user, a service, a process, or a computer; the authenticated client is called the principal. Authentication can occur at several tiers of an application. The end user is first authenticated by the Web application, typically by user name and password; the end user's request is then processed by the middle-tier application server and the database server, each of which also authenticates the caller before processing the request.
Figure 1 lists the various security technologies and the main authentication methods provided by each technology.

2. Authentication Mode
As shown in Figure 1, the .NET Framework on Windows 2000 provides the following types of authentication:

ASP.NET authentication
Enterprise Services Authentication
SQL Server Authentication
2.1 ASP.NET authentication mode
ASP.NET authentication modes include Windows, Forms, Passport, and None.

2.1.1 Windows authentication
With this mode, ASP.NET relies on IIS to authenticate the user and to create a Windows access token representing the authenticated identity. IIS provides the following authentication mechanisms:

Basic Authentication
Digest Authentication
Integrated Windows Authentication
Certificate authentication
Anonymous authentication
2.1.2 Passport authentication
With this mode, ASP.NET uses the Microsoft Passport centralized authentication service. ASP.NET provides a convenient wrapper around the functionality of the Microsoft Passport Software Development Kit (SDK), which must be installed on the Web server.

2.1.3 Forms Authentication
This mode uses client redirection to forward unauthenticated users to a login form, where the user enters credentials (typically a user name and password). When the credentials have been validated, the system generates an authentication ticket and returns it to the client. The ticket carries the user's identity for the duration of the session and, optionally, the list of roles the user belongs to.

2.1.4 None
This mode means that you either do not authenticate users at all or use a custom authentication protocol.

2.2 Enterprise Services Authentication
Enterprise Services authentication is performed by the underlying remote procedure call (RPC) transport, which uses the operating system's Security Service Provider Interface (SSPI). Clients of an Enterprise Services application can be authenticated with either the Kerberos or the NTLM mechanism.

2.3 SQL Server Authentication
SQL Server can authenticate clients through the Windows authentication mechanism (Kerberos or NTLM) or through its own built-in scheme, SQL Server authentication. Two authentication configurations are available.

2.3.1 SQL Server and Windows
Clients can connect to an instance of SQL Server using either SQL Server authentication or Windows authentication. This configuration is often called mixed-mode authentication.

2.3.2 Windows only
The client must connect to an instance of SQL Server by using the Windows authentication mechanism.

3. Select authentication Mechanism
Designing authentication for a distributed application is a challenging task. A suitable authentication design, made early in application development, helps reduce many security risks.
3.1 Comparison of various authentication mechanisms
The mechanisms compared are Basic, Digest, NTLM, Kerberos, Certificate, Forms and Passport authentication, evaluated against the following criteria:
Whether the user needs a Windows account in the server's domain
Whether delegation is supported
Whether Windows 2000 clients and servers are required
Whether credentials are transmitted in clear text (so that SSL is required)
Whether non-IE browsers are supported

3.2 Factors to consider in selecting an authentication mechanism
Identity. Windows authentication is appropriate only if the users of the application have Windows accounts that can be authenticated by a trusted authority reachable from the application's Web server.
Credential management. A key advantage of Windows authentication is that the operating system manages the credentials. With a non-Windows mechanism such as Forms authentication, you must carefully consider where and how to store user credentials; the most common choices are a SQL Server database or user objects in Active Directory.
Identity flow. Consider whether you need an impersonation/delegation model that flows the original caller's security context across tiers at the operating-system level, for example to support per-user auditing or fine-grained authorization.
Browser type. Do all users of the application use Internet Explorer, or must a mixed browser base be supported? Weigh these factors against the characteristics of each mechanism when choosing an authentication method.

3.3 Selection and decision process for an intranet system
See Figure 2.

3.4 SQL Server user authentication
For SQL Server clients, Windows authentication is generally more secure than SQL Server authentication, for the following reasons:
The operating system manages the user's credentials, and the credentials are not transmitted over the network.
User names and passwords need not be embedded in connection strings.
Logon security can be strengthened with password expiration, minimum password length, and account lockout after repeated invalid logons, which reduces the threat of dictionary attacks.
However, Windows authentication cannot be used in some scenarios, for example:
The database client and the database server are separated by a firewall that prevents Windows authentication.
The application needs to connect to one or more databases using multiple identities.
The database being connected to is not SQL Server.
There is no secure way to run ASP.NET code as a particular Windows user.
In these scenarios you must use SQL Server authentication, or the native authentication mechanism of the database.

4. ASP.NET authentication implementation
4.1 Scenario characteristics
This section gives one implementation of authentication for an interactive Web application on an intranet. The scenario assumes the following:
Only authenticated clients can access the application.
The database trusts the application to authenticate users; that is, the application calls the database on behalf of the user.
The Web application connects to the database using the ASP.NET process account.
User credentials are validated against a SQL Server database.
Forms authentication mode is used.
With user credentials held in SQL Server and Forms authentication in use, per-user personalization is easy to implement. Because the application accesses the database on behalf of the user (the trusted subsystem model), database connection pooling is used effectively, users cannot access the back-end database directly, and back-end ACL management is reduced.

4.2 Security Configuration steps
4.2.1 IIS configuration steps
Enable anonymous access to the Web application's virtual root directory.
Use the IIS MMC snap-in: right-click the application's virtual directory, then choose Properties > Directory Security > Anonymous access and authentication control > Edit.

4.2.2 ASP.NET configuration steps
1. Reset the password of the ASPNET account (the account ASP.NET runs under) to a stronger password.
This allows a local account with the same user name and password to be duplicated on the database server. To connect to the database with Windows authentication, the ASPNET account must be able to answer network authentication requests from the database server.
To do this, edit the Machine.config file in the %windir%\Microsoft.NET\Framework\v1.1.4322\CONFIG directory and change the <processModel> element's default userName="machine" password="AutoGenerate" to userName="machine" password="NewPassword", where NewPassword is the password you chose.
2. Configure ASP.NET to use Forms authentication.
Edit the Web.config file in the virtual root of the Web application and set the <authentication> element to:
<authentication mode="Forms">
  <!-- timeout is the ticket lifetime in minutes; the value 20 is illustrative -->
  <forms name="MyAppFormAuth" loginUrl="login.aspx" protection="All" timeout="20" path="/">
  </forms>
</authentication>

4.2.3 Configure SQL Server
1. On the SQL Server computer, create a Windows account that matches the ASP.NET process account.
The user name and password must match those of the ASP.NET application account.
2. Configure SQL Server to use Windows authentication.
3. Create a SQL Server login for the ASP.NET application account, granting it access to SQL Server.
4. Create a new database user and map the login to it.
5. Create a new user-defined database role and add the database user to it.
6. Grant the database role the permissions it requires.

4.3 Program code
4.3.1 Authentication event sequence
When an unauthenticated user tries to access a protected file or resource and is denied, the sequence of events shown in Figure 3 is triggered.

4.3.2 Code implementation steps
1. Build a Web login form and verify the user-supplied credentials
Verify the credentials against the SQL Server database.
2. Get the list of roles from the database
3. Create the Forms authentication ticket
Store the retrieved role information in the ticket. Sample code:
private void btnLogin_Click(object sender, System.EventArgs e)
{
    // Validate the credentials against the SQL Server database (implementation omitted).
    bool isAuthenticated = IsAuthenticated(txtUserName.Text, txtPassword.Text);
    if (isAuthenticated)
    {
        // Get the user's roles (a pipe-delimited string).
        string roles = GetRoles(txtUserName.Text, txtPassword.Text);

        // Create the authentication ticket.
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
            1,                            // version
            txtUserName.Text,             // user name
            DateTime.Now,                 // creation
            DateTime.Now.AddMinutes(20),  // expiration (20 minutes assumed; use the forms timeout)
            false,                        // persistent
            roles);                       // user data

        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create the cookie.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        Response.Cookies.Add(authCookie);

        // Redirect the user to the originally requested page.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, false));
    }
}

4. Create an IPrincipal object in the Application_AuthenticateRequest event, typically using the GenericPrincipal class.
5. Place the IPrincipal object in the current HTTP context

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Extract the Forms authentication cookie.
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];

    if (null == authCookie)
    {
        // There is no authentication cookie.
        return;
    }

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception)
    {
        // The cookie could not be decrypted (tampered or encrypted with another key).
        return;
    }

    if (null == authTicket)
    {
        // Decryption yielded no ticket.
        return;
    }

    // Extract the roles: UserData holds the pipe-delimited role list stored at login.
    string[] roles = authTicket.UserData.Split(new char[] { '|' });

    // Create the identity object.
    FormsIdentity id = new FormsIdentity(authTicket);

    // Attach the principal to the current HttpContext so it flows through the request.
    GenericPrincipal principal = new GenericPrincipal(id, roles);
    Context.User = principal;
}

The reader can complete the remaining code.
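The credential check and role lookup that the login handler leaves unimplemented (IsAuthenticated and GetRoles), written here as an added example rather than the article's own code. It connects with the ASP.NET process account over Windows authentication as section 3.4 recommends, uses a parameterised query, compares a PBKDF2 hash of the password instead of a stored clear-text password, and returns roles in the pipe-delimited form that Application_AuthenticateRequest splits. The table and column names, the connection string, and the use of .NET 2.0 or later (Rfc2898DeriveBytes, List<string>) are assumptions; this GetRoles takes only the user name.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Hypothetical schema: Users(UserName, PasswordSalt, PasswordHash), UserRoles(UserName, RoleName).
public static class SqlCredentialStore
{
    // Windows authentication: the ASP.NET process account connects, so no user name
    // or password is embedded in the connection string (section 3.4). Server name assumed.
    const string ConnectionString = "Server=(local);Database=UserAccounts;Integrated Security=SSPI;";

    // Parameterised lookup by user name: the input is never concatenated into the SQL text.
    static SqlDataReader Query(string sql, string userName)
    {
        SqlConnection conn = new SqlConnection(ConnectionString);
        SqlCommand cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
        conn.Open();
        return cmd.ExecuteReader(CommandBehavior.CloseConnection); // closing the reader closes conn
    }

    // Step 1: validate the supplied credentials against the SQL Server database.
    public static bool IsAuthenticated(string userName, string password)
    {
        using (SqlDataReader r = Query(
            "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @UserName", userName))
        {
            if (!r.Read()) return false;                             // unknown user
            byte[] stored = (byte[])r["PasswordHash"];
            // PBKDF2 (Rfc2898DeriveBytes) over the password with the stored per-user salt
            byte[] computed = new Rfc2898DeriveBytes(password, (byte[])r["PasswordSalt"], 100000).GetBytes(32);
            int diff = stored.Length ^ computed.Length;              // constant-time comparison
            for (int i = 0; i < stored.Length && i < computed.Length; i++)
                diff |= stored[i] ^ computed[i];
            return diff == 0;
        }
    }

    // Step 2: the user's roles as the pipe-delimited string placed in the ticket's
    // UserData and split on '|' in Application_AuthenticateRequest.
    public static string GetRoles(string userName)
    {
        List<string> roles = new List<string>();
        using (SqlDataReader r = Query(
            "SELECT RoleName FROM UserRoles WHERE UserName = @UserName", userName))
            while (r.Read()) roles.Add((string)r["RoleName"]);
        return string.Join("|", roles.ToArray());
    }
}
```

Because the application, not the user, holds the database connection, the SQL login created in section 4.2.3 only needs SELECT on these two tables.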

5. Postscript
The content related to authorization and secure communication will be discussed separately.

